Kevin Mitnick was the most elusive computer break-in artist in history. He accessed computers and networks at the world's biggest companies and no matter how fast the authorities were, Mitnick was faster, sprinting through phone switches, computer systems, and cellular networks. As the FBI's net finally began to tighten, Mitnick went on the run, engaging in an increasingly sophisticated game of hide-and-seek that escalated through false identities, a host of cities, and plenty of close shaves, to an ultimate showdown with the Feds, who would stop at nothing to bring him down.
Ghost in the Wires is a thrilling true story of intrigue, suspense, and unbelievable escapes and a portrait of a visionary who forced the authorities to rethink the way they pursued him, and forced companies to rethink the way they protect their most sensitive information.
"Mitnick manages to make breaking computer code sound as action-packed as robbing a bank." NPR
Publisher: Little, Brown and Company
Product dimensions: 5.40(w) x 8.20(h) x 1.20(d)
Read an Excerpt
Ghost in the Wires: My Adventures as the World's Most Wanted Hacker
By Mitnick, Kevin
Little, Brown and Company
Copyright © 2011 Mitnick, Kevin
All rights reserved.
“Physical entry”: slipping into a building of your target company. It’s something I never like to do. Way too risky. Just writing about it makes me practically break out in a cold sweat.
But there I was, lurking in the dark parking lot of a billion-dollar company on a warm evening in spring, watching for my opportunity. A week earlier I had paid a visit to this building in broad daylight, on the pretext of dropping off a letter to an employee. The real reason was so I could get a good look at their ID cards. This company put the employee’s head shot upper left, name just below that, last name first, in block letters. The name of the company was at the bottom of the card, in red, also in block letters.
I had gone to Kinko’s and looked up the company’s website, so I could download and copy an image of the company logo. With that and a scanned copy of my own photo, it took me about twenty minutes working in Photoshop to make up and print out a reasonable facsimile of a company ID card, which I sealed into a dime-store plastic holder. I crafted another phony ID for a friend who had agreed to go along with me in case I needed him.
Here’s a news flash: it doesn’t even have to be all that authentic looking. Ninety-nine percent of the time, it won’t get more than a glance. As long as the essential elements are in the right place and look more or less the way they are supposed to, you can get by with it… unless, of course, some overzealous guard or an employee who likes to play the role of security watchdog insists on taking a close look. It’s a danger you run when you live a life like mine.
In the parking lot, I stay out of sight, watching the glow of cigarettes from the stream of people stepping out for a smoke break. Finally I spot a little pack of five or six people starting back into the building together. The rear entrance door is one of those that unlock when an employee holds his or her access card up to the card reader. As the group single-files through the door, I fall in at the back of the line. The guy ahead of me reaches the door, notices there’s someone behind him, takes a quick glance to make sure I’m wearing a company badge, and holds the door open for me. I nod a thanks.
This technique is called “tailgating.”
Inside, the first thing that catches my eye is a sign posted so you see it immediately as you walk in the door. It’s a security poster, warning not to hold the door for any other person but to require that each person gain entrance by holding up his card to the reader. But common courtesy, everyday politeness to a “fellow employee,” means that the warning on the security poster is routinely ignored.
Inside the building, I begin walking corridors with the stride of someone en route to an important task. In fact I’m on a voyage of exploration, looking for the offices of the Information Technology (IT) Department, which after about ten minutes I find in an area on the western side of the building. I’ve done my homework in advance and have the name of one of the company’s network engineers; I figure he’s likely to have full administrator rights to the company’s network.
Damn! When I find his workspace, it’s not an easily accessible cubicle but a separate office… behind a locked door. But I see a solution. The ceiling is made up of those white soundproofing squares, the kind often used to create a dropped ceiling with a crawl space above for piping, electrical lines, air vents, and so on.
I cell-phone to my buddy that I need him, and make my way back to the rear entrance to let him in. Lanky and thin, he will, I hope, be able to do what I can’t. Back in IT, he clambers onto a desk. I grab him around the legs and boost him up high enough that he’s able to raise one of the tiles and slide it out of the way. As I strain to raise him higher, he manages to get a grip on a pipe and pull himself up. Within a minute, I hear him drop down inside the locked office. The doorknob turns and he stands there, covered in dust but grinning brightly.
I enter and quietly close the door. We’re safer now, much less likely to be noticed. The office is dark. Turning on a light would be dangerous but it isn’t necessary—the glow from the engineer’s computer is enough for me to see everything I need, reducing the risk. I take a quick scan of his desk and check the top drawer and under the keyboard to see if he has left himself a note with his computer password. No luck. But not a problem.
From my fanny pack, I pull out a CD with a bootable version of the Linux operating system that contains a hacker toolkit and pop it into his CD drive, then restart the computer. One of the tools allows me to change the local administrator’s password on his computer; I change it to something I know, so I can log in. I then remove my CD and again restart the computer, this time logging in to the local administrator account.
Working as fast as I can, I install a “remote access Trojan,” a type of malicious software that gives me full access to the system, so I can log keystrokes, grab password hashes, and even instruct the webcam to take pictures of the person using the computer. The particular Trojan I’ve installed will initiate an Internet connection to another system under my control every few minutes, enabling me to gain full control of the victim’s system.
Almost finished, as a last step I go into the registry of his computer and set “last logged-in user” to the engineer’s username so there won’t be any evidence of my entry into the local administrator account. In the morning, the engineer may notice that he’s logged out. No problem: as soon as he logs back in, everything will look just as it should.
I’m ready to leave. By now my buddy has replaced the overhead tiles. On the way out, I reset the lock.
The next morning, the engineer turns on his computer at about 8:30 a.m., and it establishes a connection to my laptop. Because the Trojan is running under his account, I have full domain administrator privileges, and it takes me only a few seconds to identify the domain controller that contains all the account passwords for the entire company. A hacker tool called “fgdump” allows me to dump the hashed (meaning scrambled) passwords for every user.
Within a few hours, I have run the list of hashes through “rainbow tables”—a huge database of precomputed password hashes—recovering the passwords of most of the company’s employees. I eventually find one of the back-end computer servers that process customer transactions but discover the credit card numbers are encrypted. Not a problem: I find the key used to encrypt the card numbers is conveniently hidden in a stored procedure within the database on a computer known as the “SQL server,” accessible to any database administrator.
Millions and millions of credit card numbers. I can make purchases all day long using a different credit card each time, and never run out of numbers.
But I made no purchases. This true story is not a new replay of the hacking that landed me in a lot of hot water. Instead it was something I was hired to do.
It’s what we call a “pen test,” short for “penetration test,” and it’s a large part of what my life consists of these days. I have hacked into some of the largest companies on the planet and penetrated the most resilient computer systems ever developed—hired by the companies themselves, to help them close the gaps and improve their security so they don’t become the next hacking victim. I’m largely self-taught and have spent years studying methods, tactics, and strategies used to circumvent computer security, and to learn more about how computer systems and telecommunication systems work.
My passion for technology and fascination with it have taken me down a bumpy road. My hacking escapades ended up costing me over five years of my life in prison and causing my loved ones tremendous heartache.
Here is my story, every detail as accurate as I can make it from memory, personal notes, public court records, documents obtained through the Freedom of Information Act, FBI wiretap and body-wire recordings, many hours of interviews, and discussions with two government informants.
This is the story of how I became the world’s most wanted computer hacker.
The Making of a Hacker
Max vhlm hy max unl wkboxk ingva B nlxw mh ingva fr hpg mktglyxkl
My instinct for finding a way around barriers and safeguards began very early. At about age one and a half, I found a way to climb out of my crib, crawl to the child gate at the door, and figure out how to open it. For my mom, it was the first wake-up call for all that was to follow.
I grew up as an only child. After my dad left when I was three, my mother, Shelly, and I lived in nice, medium-priced apartments in safe areas of the San Fernando Valley, just over the hill from the city of Los Angeles. My mom supported us with waitressing jobs in one or another of the many delis strung out along Ventura Boulevard, which runs east–west for the length of the valley. My father lived out of state and, though he cared about me, was for the most part only occasionally involved in my life growing up until he moved to Los Angeles when I was thirteen years old.
Mom and I moved so often I didn’t have the same chance to make friends as other kids did. I spent my childhood largely involved in solitary, mostly sedentary pursuits. When I was at school, the teachers told my mom that I was in the top 1 percentile in mathematics and spelling, years ahead of my grade. But because I was hyperactive as a child, it was hard for me to sit still.
Mom had three husbands and several boyfriends when I was growing up. One abused me, another—who worked in law enforcement—molested me. Unlike some other moms I’ve read about, she never turned a blind eye. From the moment she found out I was being mistreated—or even spoken to in a rough way—the guy was out the door for good. Not that I’m looking for excuses, but I wonder if those abusive men had anything to do with my growing up to a life of defying authority figures.
Summers were the best, especially if my mom was working a split shift and had time off in the middle of the day. I loved it when she’d take me swimming at the amazing Santa Monica Beach. She’d lie on the sand, sunning and relaxing, watching me splashing in the waves, getting knocked down and coming up laughing, practicing the swimming I had learned at a YMCA camp that I went to for several summers (and always hated except when they took us all to the beach).
I was good at sports as a kid, happy playing Little League, serious enough to enjoy spending spare time at the batting cage. But the passion that set me on a life course began when I was ten. A neighbor who lived in the apartment across from us had a daughter about my age whom I guess I developed a crush on, which she reciprocated by actually dancing naked in front of me. At that age, I was more interested in what her father brought into my life: magic.
He was an accomplished magician whose card tricks, coin tricks, and larger effects fascinated me. But there was something else, something more important: I saw how his audiences of one, three, or a roomful found delight in being deceived. Though this was never a conscious thought, the notion that people enjoyed being taken in was a stunning revelation that influenced the course of my life.
A magic store just a short bike ride away became my spare-time hangout. Magic was my original doorway into the art of deceiving people.
Sometimes instead of riding my bike I’d hop on the bus. One day a couple of years later a bus driver named Bob Arkow noticed I was wearing a T-shirt that said, “CBers Do It on the Air.” He told me he’d just found a Motorola handheld that was a police radio. I thought maybe he could listen in on the police frequencies, which would be very cool. It turned out he was pulling my leg about that, but Bob was an avid ham radio operator, and his enthusiasm for the hobby sparked my interest. He showed me a way to make free telephone calls over the radio, through a service called an “auto patch” provided by some of the hams. Free phone calls! That impressed me no end. I was hooked.
After several weeks of sitting in a nighttime classroom, I had learned enough about radio circuits and ham radio regulations to pass the written exam, and mastered enough Morse code to meet that qualification as well. Soon the mailman brought an envelope from the Federal Communications Commission with my ham radio license, something not many kids in their early teens have ever had. I felt a huge sense of accomplishment.
Fooling people with magic was cool. But learning how the phone system worked was fascinating. I wanted to learn everything about how the phone company worked. I wanted to master its inner workings. I had been getting very good grades all the way through elementary school and in junior high, but around eighth or ninth grade I started cutting classes to hang out at Henry Radio, a ham radio store in West Los Angeles, reading books for hours on radio theory. To me, it was as good as a visit to Disneyland. Ham radio also offered some opportunities for helping out in the community. For a time I worked as a volunteer on occasional weekends to provide communications support for the local Red Cross chapter. One summer I spent a week doing the same for the Special Olympics.
Riding the buses was for me a bit like being on holiday—taking in the sights of the city, even when they were familiar ones. This was Southern California, so the weather was almost always near perfect, except when the smog settled in—much worse in those times than today. The bus cost twenty-five cents, plus ten cents for a transfer. On summer vacation when my mom was at work, I’d sometimes ride the bus all day. By the time I was twelve, my mind was already running in devious channels. One day it occurred to me, If I could punch my own transfers, the bus rides wouldn’t cost anything.
My father and my uncles were all salesmen with the gift of gab. I guess I share the gene that gave me my ability from very early on to talk people into doing things for me. I walked to the front of the bus and sat down in the closest seat to the driver. When he stopped at a light, I said, “I’m working on a school project and I need to punch interesting shapes on pieces of cardboard. The punch you use on the transfers would be great for me. Is there someplace I can buy one?”
I didn’t think he’d believe it because it sounded so stupid. I guess the idea never crossed his mind that a kid my age might be manipulating him. He told me the name of the store, and I called and found out they sold the punches for $15. When you were twelve, could you come up with a reasonable excuse you might have given your mother about why you needed $15? I had no trouble. The very next day I was in the store buying a punch. But that was only Step One. How was I going to get books of blank transfers?
Well, where did the buses get washed? I walked over to the nearby bus depot, spotted a big Dumpster in the area where the buses were cleaned, pulled myself up, and looked in.
I stuffed my pockets with partially used books of transfers—my first of what would be many, many acts of what came to be called “Dumpster-diving.”
My memory has always been way better than average and I managed to memorize the bus schedules for most of the San Fernando Valley. I started to roam by bus everywhere the bus system covered—Los Angeles County, Riverside County, San Bernardino County. I enjoyed seeing all those different places, taking in the world around me.
In my travels, I made friends with a kid named Richard Williams, who was doing the same thing, but with two pretty major differences. For one thing, his free-roaming travels were legal because, as the son of a bus driver, Richard rode for free. The second aspect that separated us (initially, anyway) was our difference in weight: Richard was obese and wanted to stop at Jack in the Box for a Super Taco five or six times a day. Almost at once I adopted his eating habits and began growing around the middle.
It wasn’t long before a pigtailed blond girl on the school bus told me, “You’re kinda cute, but you’re fat. You oughta lose some weight.”
Did I take her sharp but unquestionably constructive advice to heart? Nope.
Did I get into trouble for Dumpster-diving for those bus transfers and riding for free? Again, no. My mom thought it was clever, my dad thought it showed initiative, and bus drivers who knew I was punching my own transfers thought it was a big laugh. It was as though everyone who knew what I was up to was giving me attaboys.
In fact, I didn’t need other people’s praise for my misdeeds to lead me into more trouble. Who would have thought that a little shopping trip could provide a lesson that would set my life on a new course… in an unfortunate direction?
Estd mzzv esle elfrse xp szh ez ncplep yph topyetetpd hspy T hld l acp-eppy
Even many Jewish families that aren’t very religious want their sons to have a bar mitzvah, and I fell into that category. This includes standing up in front of the congregation and reading a passage from the Torah scroll—in Hebrew. Of course, Hebrew uses a completely different alphabet, with and the like, so mastering the Torah portion can take months of study.
I was signed up at a Hebrew school in Sherman Oaks but got booted for goofing off. Mom found a cantor to teach me one-on-one, so I couldn’t get away with reading a technology book under the table. I managed to learn enough to get through the service and read my Torah passage aloud to the congregation with no more than the usual amount of stumbling, and without embarrassing myself.
Afterward my parents chided me for mimicking the accent and gestures of the rabbi. But it was subconscious. I’d later learn that this is a very effective technique because people are attracted to others who are like themselves. So at a very early age, all unaware, I was already practicing what would come to be called “social engineering”—the casual or calculated manipulation of people to influence them to do things they would not ordinarily do. And convincing them without raising the least hint of suspicion.
The typical shower of presents from relatives and from people who attended the reception after the bar mitzvah at the Odyssey Restaurant left me with gifts that included a number of U.S. Treasury bonds that came to a surprisingly handsome sum.
I was an avid reader, with a particular focus that led me to a place called the Survival Bookstore in North Hollywood. It was small and in a seedy neighborhood and was run by a middle-aged, friendly blond lady who said I could call her by her first name. The place was like finding a pirate’s treasure chest. My idols in those days were Bruce Lee, Houdini, and Jim Rockford, the cool private detective played by James Garner in The Rockford Files, who could pick locks, manipulate people, and assume a false identity in a matter of moments. I wanted to be able to do all the neat things Rockford could.
The Survival Bookstore carried books describing how to do all those nifty Rockford things, and lots more besides. Starting at age thirteen, I spent many of my weekends there, all day long, studying one book after another—books like The Paper Trip by Barry Reid, on how to create a new identity by using a birth certificate of someone who had passed away.
A book called The Big Brother Game, by Scott French, became my Bible because it was crammed with details on how to get hold of driving records, property records, credit reports, banking information, unlisted numbers, and even how to get information from police departments. (Much later, when French was writing a follow-up volume, he called to ask me if I would do a chapter on techniques for social-engineering the phone companies. At the time, my coauthor and I were writing our second book, The Art of Intrusion, and I was too busy for French’s project, though amused by the coincidence, and flattered to be asked.)
That bookstore was crammed with “underground” books that taught you things you weren’t supposed to know—very appealing to me since I had always had this urge to take a bite of knowledge from the forbidden apple. I was soaking up the knowledge that would turn out to be invaluable almost two decades later, when I was on the run.
The other item that interested me at the store besides their books was the lockpicking tools they offered for sale. I bought several different kinds. Remember the old joke that goes, “How do you get to Carnegie Hall? Practice, practice, practice”? That’s what I did to master the art of lockpicking, sometimes going down to the area of tenant storage lockers in the garage of our apartment building, where I’d pick open some of the padlocks, swap them around, and lock them again. At the time I thought it was an amusing practical joke, though looking back, I’m sure it probably threw some people into angry fits and put them to a good deal of trouble, plus the expense of a new lock after they had managed to get the old one removed. Only funny, I guess, when you’re a teenager.
One day when I was about fourteen, I was out with my uncle Mitchell, who was a bright star of my life in those years. We swung by the Department of Motor Vehicles and found it packed with people. He left me to wait while he walked straight up to the counter—just like that, walking past everyone standing in line. The DMV clerk, a lady with a bored expression, looked up in surprise. He didn’t wait for her to finish what she was doing with the man at the window but just started talking. He hadn’t said more than a few words when the clerk nodded to him, signaled the other man to step aside, and took care of whatever it was Uncle Mitchell wanted. My uncle had some special talent with people.
And I appeared to have it, too. It was my first conscious example of social engineering.
How did people see me at Monroe High School? My teachers would have said that I was always doing unexpected things. When the other kids were fixing televisions in TV repair shop, I was following in Steve Jobs and Steve Wozniak’s footsteps and building a blue box that would allow me to manipulate the phone network and even make free phone calls. I always brought my handheld ham radio to school and talked on it during lunch and recess.
But one fellow student changed the course of my life. Steven Shalita was an arrogant guy who fancied himself as an undercover cop—his car was covered with radio antennas. He liked to show off the tricks he could do with the telephone, and he could do some amazing things. He demonstrated how he could have people call him without revealing his real phone number by using a phone company test circuit called a “loop-around”; he would call in on one of the loop’s phone numbers while the other person was calling the loop’s second phone number. The two callers would be magically connected. He could get the name and address assigned to any phone number, listed or not, by calling the phone company’s Customer Name and Address (CNA) Bureau. With a single call, he got my mom’s unlisted phone number. Wow! He could get the phone number and address of anyone, even a movie star with an unlisted number. It seemed like the folks at the phone company were just standing by to see what they could do to help him.
I was fascinated, intrigued, and I instantly became his companion, eager to learn all those incredible tricks. But Steven was only interested in showing me what he could do, not in telling me how all of this worked, how he was able to use his social-engineering skills on the people he was talking to.
Before long I had picked up just about everything he was willing to share with me about “phone phreaking” and was spending most of my free time exploring the telecommunications networks and learning on my own, figuring out things Steven didn’t even know about. And “phreakers” had a social network. I started getting to know others who shared similar interests and going to their get-togethers, even though some of the “phreaks” were, well, freaky—socially inept and uncool.
I seemed cut out for the social-engineering part of phreaking. Could I convince a phone company technician to drive to a “CO” (a central office—the neighborhood switching center that routes calls to and from a telephone) in the middle of the night to connect a “critical” circuit because he thought I was from another CO, or maybe a lineman in the field? Easy. I already knew I had talents along these lines, but it was my high school associate Steven who taught me just how powerful that ability could be.
The basic tactic is simple. Before you start social engineering for some particular goal, you do your reconnaissance. You piece together information about the company, including how that department or business unit operates, what its function is, what information the employees have access to, the standard procedure for making requests, whom they routinely get requests from, under what conditions they release the desired information, and the lingo and terminology used in the company.
The social-engineering techniques work simply because people are very trusting of anyone who establishes credibility, such as an authorized employee of the company. That’s where the research comes in. When I was ready to get access to nonpublished numbers, I called one of the phone company’s business office representatives and said, “This is Jake Roberts, from the Non-Pub Bureau. I need to talk to a supervisor.”
When the supervisor came on the line, I introduced myself again and said, “Did you get our memo that we’re changing our number?”
She went to check, came back on the line, and said, “No, we didn’t.”
I said, “You should be using 213 687-9962.”
“No,” she said. “We dial 213 320-0055.”
“Okay,” I told her. “We’ll be sending a memo to a second-level”—the phone company lingo for a manager—“regarding the change. Meanwhile keep on using 320-0055 until you get the memo.”
But when I called the Non-Pub Bureau, it turned out my name had to be on a list of authorized people, with an internal callback number, before they would release any customer information to me. A novice or inept social engineer might have just hung up. Bad news: it raises suspicions.
Ad-libbing on the spot, I said, “My manager told me he was putting me on the list. I’ll have to tell him you didn’t get his memo yet.”
Another hurdle: I would somehow have to be able to provide a phone number internal to the phone company that I could receive calls on!
I had to call three different business offices before I found one that had a second-level who was a man—someone I could impersonate. I told him, “This is Tom Hansen from the Non-Pub Bureau. We’re updating our list of authorized employees. Do you still need to be on the list?”
Of course he said yes.
I then asked him to spell his name and give me his phone number. Like taking candy from a baby.
My next call was to RCMAC—the Recent Change Memory Authorization Center, the phone company unit that handled adding or removing customer phone services such as custom-calling features. I called posing as a manager from the business office. It was easy to convince the clerk to add call forwarding to the manager’s line, since the number belonged to Pacific Telephone.
In detail, it worked like this: I called a technician in the appropriate central office. Believing I was a repair tech in the field, he clipped onto the manager’s line using a lineman’s handset and dialed the digits I gave him, effectively call-forwarding the manager’s phone to a “loop-around” circuit. (In those days, the loop-around was one of my favorite tools. The phone company technicians used it for line testing. For me it was a very useful tool for setting up an “authorized” callback number when social engineering my targets.)
I dialed into the loop-around circuit and three-wayed in a number that would just ring, ring, and ring, so when Non-Pub called back to the authorized manager’s line, the call would be forwarded to the loop-around, and the caller would hear the ringing. I let the person hear a few rings and then I answered, “Pacific Telephone, Steve Kaplan.”
At that point the person would give me whatever Non-Pub information I was looking for. Then I’d call back the frame technician and have the call-forwarding deactivated.
The tougher the challenge, the greater the thrill. This trick worked for years and would very likely still work today!
In a series of calls over a period of time—because it would seem suspicious to ask Non-Pub to look up the numbers of several celebrities—I got the phone numbers and addresses of Roger Moore, Lucille Ball, James Garner, Bruce Springsteen, and a bunch of others. Sometimes I’d call and actually get the person on the line, then say something like, “Hey, Bruce, what’s up?” No harm done, but it was exciting to find anyone’s number I wanted.
Monroe High offered a computer course. I didn’t have the required math and science courses to qualify, but the teacher, Mr. Christ (pronounced to rhyme with “twist”), saw how eager I was, recognized how much I had already learned on my own, and admitted me. I think he came to regret the decision: I was a handful. I got his computer password to the school district’s minicomputer every time he changed it. In desperation, thinking to outfox me, he punched out his password on a piece of computer paper tape, which was the type of storage used in those pre-floppy-drive days; he would then feed that through the tape reader whenever he wanted to sign on. But he kept the short piece of punched tape in his shirt pocket, where the holes were visible through the thin cloth. Some of my classmates helped me figure out the pattern of holes on the tape and learn his latest password every time he changed it. He never did catch on.
Then there was the telephone in the computer lab—the old kind of phone, with a rotary dial. The phone was programmed for only calling numbers within the school district. I started using it to dial into the USC computers to play computer games, by telling the switchboard operator, “This is Mr. Christ. I need an outside line.” When the operator started to get suspicious after numerous calls, I switched to phone-phreaker tactics, dialing into the phone company switch and turning off the restriction so I could just dial into USC whenever I wanted. Eventually he figured out that I had managed to make unrestricted outgoing calls.
Soon after he proudly announced to the class how he was going to stop me from dialing into USC once and for all, and held up a lock made especially for dial telephones: when locked in place in the “1” hole, it prevented the dial from being used.
As soon as he had the lock in place, with the whole class watching, I picked up the handset and started clicking the switch hook: nine fast clicks for the number “9” to get an outside line, seven fast clicks for the number “7.” Four clicks for the number “4.” Within a minute, I was connected to USC.
To me it was just a game of wits. But poor Mr. Christ had been humiliated. His face a bright red, he grabbed the phone off the desk and hurled it across the classroom.
But meanwhile I was teaching myself about RSTS/E (spoken as “RIS-tisEE”), the operating system manufactured by Digital Equipment Corporation (DEC) used on the school’s minicomputer located in downtown Los Angeles. The nearby Cal State campus at Northridge (CSUN) also used RSTS/E on its computers. I set up an appointment with the chairman of the Computer Science Department, Wes Hampton, and told him, “I’m extremely interested in learning about computers. Could I buy an account to use the computers here?”
“No, they’re only for our registered students.”
Giving up easily isn’t one of my character traits. “At my high school, the computer lab shuts down at the end of the school day, three o’clock. Could you set up a program so the high school computer students could learn on your computers?”
He turned me down but called me soon after. “We’ve decided to give you permission to use our computers,” he said. “We can’t give you an account because you’re not a student, so I’ve decided to let you use my personal account. The account is ‘5,4’ and the password is ‘Wes.’ ”
This man was chairman of the Computer Science Department, and that was his idea of a secure password—his first name? Some security!
I started teaching myself the Fortran and Basic programming languages. After only a few weeks of computer class, I wrote a program to steal people’s passwords: a student trying to sign on saw what looked like the familiar login banner but was actually my program masquerading as the operating system, designed to trick users into entering their account and password (similar to phishing attacks today). Actually, one of the CSUN lab monitors had given me a hand debugging my code—they thought it was a lark that this high schooler had figured out how to steal passwords. Once the little program was up and running on the terminals in the lab, whenever a student logged in, his or her username and password were secretly recorded in a file.
Why? My friends and I thought it would be cool to get everyone’s password. There was no sinister plan, just collecting information for the hell of it. Just because. It was another of those challenges I repeatedly put to myself throughout the entire early part of my life, from the time I saw my first magic trick. Could I learn to do tricks like that? Could I learn to fool people? Could I gain powers I wasn’t supposed to have?
Sometime later one of the lab monitors ratted me out to the system administrator. Next thing I knew, three campus police officers stormed the computer lab. They held me until my mom came to pick me up.
The department chairman, who had given me permission to use the lab and let me log in on his own account, was furious. But there wasn’t much he could do: in those days, there were no computer laws on the books so there was nothing to charge me with. Still, my privileges were canceled, and I was ordered to stay off the campus.
My mom was told, “Next month a new California law goes into effect making what Kevin is doing a crime.” (The U.S. Congress wouldn’t get around to passing a federal law about computer crime for another four years, but a litany of my activities would be used to convince Congress to pass the new law.)
In any case, I wasn’t put off by the threat. Not long after that visit, I found a way to divert calls to Directory Assistance from people in Rhode Island, so the calls would come to me instead. How do you have fun with people who are trying to get a phone number? A typical call in one of my routines went like this:
Me: What city, please?
Caller:
Me: What is the name, please?
Caller:
Me: Is this a business or a residence?
Caller:
Me: The number is 836, 5 one-half 66.
At this point the caller was usually either baffled or indignant.
Caller: How do I dial one-half?!
Me: Go pick up a new phone that has uh-half on it.
The reactions I got were hilarious.
In those days, two separate phone companies served different parts of the Los Angeles area. General Telephone and Electronics Corporation (GTE) served the northern part of the San Fernando Valley, where we lived; any calls over twelve miles were charged at a long-distance rate. Of course I didn’t want to run up my mom’s phone bill, so I was making some calls using a local ham radio auto patch.
One day on the air I had heated words with the control operator of the repeater over what he labeled “weird calls” I was making. He had noticed I was regularly keying in a long series of digits when I was using the auto patch. I wasn’t about to explain that those digits I was entering allowed me to make free long-distance calls through a long-distance provider called MCI. Though he had no clue about what I was actually doing, he didn’t like the fact that I was using the auto patch in a strange way. A guy listening in contacted me afterward on the air, said his name was Lewis De Payne, and gave me his phone number. I called him that evening. Lewis said he was intrigued by what I was doing.
We met and became friends, a relationship that lasted for two decades. Of Argentinean heritage, Lewis was thin and geeky, with short-cropped black hair, slicked down and brushed straight back, and sporting a mustache that he probably thought made him look older. On hacking projects, Lewis was the guy I would come to trust most in the world, though he came with a personality filled with contradictions. Very polite, but always trying to have the upper hand. Nerdy, with his out-of-fashion clothing choice of turtlenecks and wide-bottomed trousers, yet with all the social graces. Low-key yet arrogant.
Lewis and I had similar senses of humor. I think any hobby that doesn’t provide some fun and a few laughs now and then probably isn’t worth the time and effort you put into it. Lewis and I were on the same wavelength. Like our “McDonald’s hacks.” We found out how to modify a two-meter radio so we could make our voices come out of the speaker where customers placed their orders at the drive-through of a fast-food restaurant. We’d head over to a McDonald’s, park nearby where we could watch the action without being noticed, and tune the handheld radio to the restaurant’s frequency.
A cop car would pull in to the drive-through lane, and when it got up to the speaker, Lewis or I would announce, “I’m sorry. We don’t serve cops here. You’ll have to go to Jack in the Box.” Once a woman pulled up and heard the voice over the speaker (mine) tell her, “Show me your titties, and your Big Mac is free!” She didn’t take it well. She turned off the car, grabbed something out of her trunk, and ran inside… wielding a baseball bat.
“Complimentary apple juice” was one of my favorite gags. After a customer placed an order, we’d explain that our ice machine was broken, so we were giving away free juice. “We’ve got grapefruit, orange, and… oh, sorry, looks like we’re out of grapefruit and orange. Would you like apple juice?” When the customer said yes, we’d play a recording of someone peeing into a cup, then say, “Okay. Your apple juice is ready. Please drive forward to the window and pick it up.”
We thought it would be funny if we drove people a little nuts by making it impossible to place their order. Taking over the speaker, each time a customer pulled up and placed an order, a friend of ours would repeat the order, but in a strong Hindi accent with hardly a word understandable. The customer would say he couldn’t understand, and our friend would say something else just as impossible to understand, over and over—driving customers crazy, one after the other.
The best part was that everything we said at the drive-through also blared out over the speaker outside, but the employees couldn’t override it. Sometimes we’d watch the customers sitting outside at the tables, eating their burgers and laughing. No one could figure out what was going on.
One time, a manager came out to see who was messing with the speaker. He glanced around the parking lot, scratching his head. There was no one around. The cars were empty. No one was hiding behind the sign. He walked over to the speaker and leaned in close, squinting, as if he expected to see a tiny person inside.
“What the fuck are you looking at?!” I shouted in a raspy voice.
He must’ve jumped back ten feet!
Sometimes when we were playing these pranks, the people who lived in the apartments nearby would stand on their balconies, laughing. Even people on the sidewalk were in stitches. Lewis and I actually brought friends along with us several times, because it was so hilarious.
Okay, childish, but I was only sixteen or seventeen at the time.
Some of my escapades weren’t quite as innocent. I had a personal rule about not entering any phone company facilities, tempting though it would be to actually gain access to the systems and maybe read some phone company technical manuals. But, as they say, it was less like a rule for me than a guideline.
One night in 1981, when I was seventeen, I was hanging out with another phone-phreaker buddy, Steven Rhoades. We decided to sneak into Pacific Telephone’s Sunset-Gower central office, in Hollywood. Since we were already phone phreaking, strolling into the phone company in person was the ultimate hack. Access was by pressing the right code numbers on the outside door’s keypad, and we social-engineered the code without a problem, letting us walk right in.
My God—how exciting! For us, it was the ultimate playground. But what should we look for?
A large man in a security guard’s uniform was making his rounds of the building and came upon us. He was built like a nightclub bouncer or an NFL lineman—very intimidating. Just standing quietly, hands at his sides, he could scare the pants off you. Yet somehow, the tighter the situation, the calmer I seem to get.
I didn’t really look old enough to pass for a full-time employee. But I dived in anyway. “Hi,” I said. “How’re you tonight?”
He said, “Fine, sir. May I see your company ID badges please?”
I checked my pockets. “Damn. I must have left it in the car. I’ll just go get it.”
He wasn’t having any of that. “No, you’re both coming upstairs with me,” he said.
We didn’t argue.
He brings us to the Switching Control Center on the ninth floor, where other employees are working.
Heart pounding. Chest heaving.
A couple of switch techs come over to see what’s going on. I’m thinking that my only option is to try to outrun the rent-a-cop, but I know there’s slim chance of getting away. I’m desperate. It feels like there’s nothing between me and jail but my social-engineering skills.
By now I know enough names and titles at Pacific Telephone to try a ploy. I explain, “I work at the COSMOS in San Diego, and I’m just showing a friend what a central office looks like. You can call my supervisor and check me out.” And I give him the name of a COSMOS supervisor. Thank God for a good memory, yet I know we don’t look like we belong there, and the story is lame.
The guard looks up the supervisor’s name in the intercompany directory, finds her home phone number, and places the call. Ring, ring, ring. He starts with an apology for calling so late and explains the situation.
I say, “Let me talk to her.”
He hands me the phone, which I press hard against my ear, praying he won’t be able to hear her voice. I ad-lib something along the lines of, “Judy, I’m really sorry about this—I was giving my friend a tour of the switching center and left my company ID card in the car. The security guard is just verifying I’m from the COSMOS center in San Diego. I hope you won’t hold this against me.”
I pause a few beats, as if listening to her. She’s ranting. “Who is this? Do I know you? What are you doing there?!”
I start in again. “It was just that I had to be here in the morning anyway, for the meeting on that new training manual. And I have a review session with Jim on Monday at eleven, in case you want to drop in. You and I are still having lunch on Tuesday, right?”
Another pause. She’s still ranting.
“Sure. Sorry again for disturbing you,” I say.
And then I hang up.
The guard and switch techs look confused; they were expecting me to hand the phone back to the security guard so she could tell him it was okay. You could just see the look on the guard’s face: Did he dare disturb her a second time?
I tell him, “She sure was upset at being woken up at two thirty in the morning.”
Then I say, “There’s just a couple other things I want to show my friend. I’ll only be another ten minutes.”
I walk out, Rhoades following close behind.
Obviously I want to run but know I can’t.
We reach the elevator. I bang the button for the ground floor. We sigh with relief when we get out of the building, scared shitless because it was such a close call, happy to be out of there.
But I know what’s happening. The lady is calling around desperately, trying to find somebody who knows how to get the phone number for the guard’s desk at the Sunset-Gower CO, in the middle of the night.
We get to the car. I drive a block away without turning on my headlights. I stop and we sit there, watching the front door of the building.
After about ten minutes, the burly guard comes out, looking around in every direction but knowing damned well we’re long gone. Of course, he’s wrong.
I wait until he goes back inside, then drive away, turning on my headlights after rounding the first corner.
That was too close. If he had called the cops, the charge would have been breaking and entering, or even worse, burglary. Steve and I would have been headed to Juvenile Hall.
I wouldn’t be going back into a telephone company facility again anytime soon, but I was keen to find something else—something big—to challenge my ingenuity.
pbzfsobp dkfobtpkx lq pbkfi ppbkfpry aoxtolc iixz lq abpr bobt pbzfsba cl bmvq obail bpbeQ
After I figured out how to obtain unpublished numbers, finding out information about people—friends, friends of friends, teachers, even strangers—held a fascination for me. The Department of Motor Vehicles is a great storehouse of information. Was there any way I could tap it?
For openers, I simply called a DMV office from the pay phone in a restaurant and said something like, “This is Officer Campbell, LAPD, Van Nuys station. Our computers are down, and some officers in the field need a couple of pieces of information. Can you help me?”
The lady at the DMV said, “Why aren’t you calling on the law enforcement line?”
Oh, okay—there was a separate phone number for cops to call. How could I find out the number? Well, obviously the cops at the police station would have it, but… was I really going to call the police station to get information that would help me break the law? Oh, yeah.
Placing a call to the nearest station house, I said I was from the Los Angeles County Sheriff’s Department, we needed to call the DMV, and the officer who had the number for the law enforcement desk was out. I needed the operator to give me the number. Which she did. Just like that.
(As I was recounting this story recently, I thought I still remembered that DMV law enforcement phone number or could still get it. I picked up the phone and dialed. The DMV has a Centrex phone system, so all the numbers have the same area code and prefix: 916-657. Only the extension number—the last four digits—varies by department. I just chose those last digits at random, knowing I’d get somebody at the DMV, and I’d have credibility because I was calling an internal number.
The lady who answered said something I didn’t get.
I said, “Is this the number for law enforcement?”
She said, “No.”
“I must have dialed wrong,” I said. “What’s the number for law enforcement?”
She gave it to me! After all these years, they still haven’t learned.)
After phoning the DMV’s law enforcement line, I found there was a second level of protection. I needed a “Requester Code.” As in the past, I needed to come up with a cover story on the spur of the moment. Making my voice sound anxious, I told the clerk, “We’ve just had an urgent situation come up here, I’ll have to call you back.”
Calling the Van Nuys LAPD station, I claimed to be from the DMV and said I was compiling a new database. “Is your Requester Code 36472?”
“No, it’s 62883.”
(That’s a trick I’ve discovered very often works. If you ask for a piece of sensitive information, people naturally grow immediately suspicious. If you pretend you already have the information and give them something that’s wrong, they’ll frequently correct you—rewarding you with the piece of information you were looking for.)
With a few minutes’ worth of phone calls, I had set myself up for getting the driver’s license number and home address of anyone in the state of California, or running a license plate and getting the details such as the owner’s name and address, or running a person’s name and getting details about his or her car registration. At the time it was just a test of my skills; in the years ahead the DMV would be a rich lode that I would use in myriad ways.
All these extra tools I was accumulating were like the sweet at the end of a meal. The main course was still my phone phreaking. I was calling a lot of different Pacific Telephone and General Telephone departments, collecting information to satisfy that “What information can I get?” urge, making calls to build my knowledge bank of the companies’ departments, procedures, and lingo and routing my calls through some long-distance carriers to make them harder to trace. Most of this from my mom’s phone in our condominium.
Of course phreakers like to score points by showing other phreakers what new things they’ve learned how to do. I loved pulling pranks on friends, phreakers or not. One day I hacked into the phone company switch serving the area where my buddy Steve Rhoades lived with his grandmother, changing the “line class code” from residential to pay phone. When he or his grandmother tried to place a call, they would hear, “Please deposit ten cents.” Of course he knew who had done it, and called to complain. I promised to undo it, and I did, but changed the service to a prison pay phone. Now when they tried to make a call, an operator would come on the line and say, “This will be a collect call. What is your name, please.” Steve called to say, “Very funny—change it back.” I had my laughs; I changed it back.
Phone phreakers had discovered a way to make free phone calls, taking advantage of a flaw in some types of “diverters”—devices that were used to provide call forwarding (for example, to an answering service) in the days before call forwarding was offered by the phone companies. A phreaker would call at an hour when he knew the business would be closed. When the answering service picked up, he would ask something like, “What hours are you open?” When the person who had answered disconnected the line, the phreaker would stay on; after a few moments, the dial tone would be heard. The phreaker could then dial a call to anywhere in the world, free—with the charges going to the business.
The diverter could also be used to receive incoming calls for call-backs during a social-engineering attack.
In another approach with the diverter, the phreaker dialed the “automatic number identification,” or ANI number, used by phone company technicians, and in this way learned the phone number for the outgoing diverter line. Once the number was known, the phreaker could give out the number as “his” callback. To answer the line, the phreaker just called the business’s main number that diverted the call. But this time, when the diverter picked up the second line to call the answering service, it effectively answered the incoming call.
I used this way of talking with my friend Steve late one night. He answered using the diverter line belonging to a company called Prestige Coffee Shop in the San Fernando Valley.
We were talking about phone phreaking stuff when suddenly a voice interrupted our conversation.
“We are monitoring,” the stranger said.
Steve and I both hung up immediately. We got back on a direct connection, laughing at the telephone company’s puny attempt to scare us, talking about what idiots the people who worked there were. The same voice interrupted again: “We are still monitoring!”
Who were the idiots now?
Sometime later, my mom received a letter from General Telephone, followed by an in-person visit from Don Moody, the head of Security for the company, who warned her that if I didn’t stop what I was doing, GTE would terminate our telephone service for fraud and abuse. Mom was shocked and upset by the idea of losing our phone service. And Moody wasn’t kidding. When I continued my phreaking, GTE did terminate our service. I told my mom not to worry, I had an idea.
The phone company associated each phone line with a specific address. Our terminated phone was assigned to Unit 13. My solution was pretty low-tech: I went down to the hardware store and sorted through the collection of letters and numbers that you tack up on your front door. When I got back to the condo, I took down the “13” and nailed up “12B” in its place.
Then I called GTE and asked for the department that handled provisioning. I explained that a new unit, 12B, was being added to the condominium complex and asked them to adjust their records accordingly. They said it would take twenty-four to forty-eight hours to update the system.
When I called back, I said I was the new tenant in 12B and would like to order phone service. The woman at the phone company asked what name I’d like the number listed under.
“Jim Bond,” I said. “Uh, no… why not make that my legal name? James.”
“James Bond,” she repeated, making nothing of it—even when I paid an extra fee to choose my own number: 895-5… 007.
After the phone was installed, I took down the “12B” outside our door and replaced it with “13” again. It was several weeks before somebody at GTE caught on and shut the service down.
Years later I would learn that this was when GTE started a file on me. I was seventeen years old.
About the same time, I got to know a man named Dave Kompel, who was probably in his midtwenties but had not outgrown teenage acne that was so bad it disfigured his appearance. In charge of maintaining the Los Angeles Unified School District’s PDP-11/70 minicomputer running the RSTS/E operating system, he—along with a number of his friends—possessed computer knowledge I highly prized. Eager to be admitted into their circle so they would share information with me, I made my case to Dave and one of his friends, Neal Goldsmith. Neal was an extremely obese guy with short hair who appeared to be coddled by his wealthy parents. His life seemed to be focused only on food and computers.
Neal told me they’d agreed to allow me into their circle, but I had to prove myself first. They wanted access to a computer system called “the Ark,” which was the system at Digital Equipment used by the development group for RSTS/E. He told me, “If you can hack into the Ark, we’ll figure you’re good enough for us to share information with.” And to get me started, Neal already had a dial-up number that he had been given by a friend who worked on the RSTS/E Development Team.
He gave me that challenge because he knew there was no way in the world I’d be able to do it.
Maybe it really was impossible, but I sure was going to try.
The modem number brought up a logon banner on the Ark, but of course you had to enter a valid account number and password. How could I get those credentials?
I had a plan I thought might work, but to get started I would need to know the name of a system administrator—not someone in the development group itself but one of the people who managed the internal computer systems at Digital. I called the switchboard for the facility in Merrimack, New Hampshire, where the Ark was located, and asked to be connected to the computer room.
“Which one?” the switchboard lady asked.
Oops. I hadn’t ever thought to research which lab the Ark was in. I said, “For RSTS/E development.”
“Oh, you mean the raised-floor lab. I’ll connect you.” (Large computer systems were often mounted on raised floors so all the heavy-duty cabling could be run underneath.)
A lady came on the line. I was taking a gamble, but they wouldn’t be able to trace the call, so even if they got suspicious, I had little to lose.
“Is the PDP-11/70 for the Ark located in this lab?” I asked, giving the name of the most powerful DEC minicomputer of the time, which I figured the development group would have to be using.
She assured me it was.
“This is Anton Chernoff,” I brazenly claimed. Chernoff was one of the key developers on the RSTS/E Development Team, so I was taking a big risk that she wouldn’t be familiar with his voice. “I’m having trouble logging in to one of my accounts on the Ark.”
“You’ll have to contact Jerry Covert.”
I asked for his extension; she didn’t hesitate to give it to me, and when I reached him, I said, “Hey, Jerry, this is Anton,” figuring that even if he didn’t know Chernoff personally, he was almost certain to know the name.
“Hey, how’re you doing?” he answered jovially, obviously not familiar enough with Chernoff in person to know that I didn’t sound like him.
“Okay,” I said, “but did you guys delete one of my accounts? I created an account for testing some code last week, and now I can’t log in.” He asked what the account log-in was.
I knew from experience that under RSTS/E, account numbers were a combination of the project number and the programmer number, such as 1,119—each number running up to 254. Privileged accounts always had the project number of 1. And I had discovered that the RSTS/E Development Team used programmer numbers starting at 200.
I told Jerry that my test account was “1,119,” crossing my fingers that it wasn’t assigned to anyone.
It was a lucky guess. He checked and told me there wasn’t any 1,119 account. “Damn,” I answered. “Somebody must have removed it. Can you re-create it for me?”
What Chernoff wanted, Chernoff got. “No problem,” Jerry said. “What password do you want?”
I spotted a jar of strawberry jelly in the kitchen cabinet across from me. I told him, “Make it ‘jelly.’ ”
In hardly more than a blink, he said, “Okay, all done.”
I was stoked, the adrenaline running high. I could hardly believe it could’ve been so easy. But would it really work?
From my computer, I called the dial-in number my would-be mentor Neal had given me. The call connected and this text appeared:
RSTS V7.0-07 * The Ark * Job 25 KB42 05-Jul-80 11:17 AM
Damn, damn, damn. I dialed Jerry Covert back, again as Chernoff. “Hey, I’m dialing in from home, and it’s asking for a dial-up password.”
“You didn’t get it in your email? It’s ‘buffoon.’ ”
I tried again and I was in!
Before anything else, I started grabbing all the passwords for the guys in the development team.
When I got together with Neal, I told him, “Getting into the Ark was a snap. I have every RSTS/E developer’s password.” He rolled his eyes with an expression that said, What’s this guy been smoking?
He dialed the modem number and got to the Ark’s log-in banner. Telling him to “move over,” I typed the log-on credentials and got the “Ready” prompt.
“Satisfied, Neal?” I asked.
He couldn’t believe what he was seeing. It was like I had shown him a winning lottery ticket. After they had picked my brain for details of how I had gained access, Neal, Dave, and a few other friends went to a company called PSI near Culver City, where they had the newest, fastest modems, running at 1,200 baud—four times as fast as the 300-baud modems the rest of us had. The guys started downloading the RSTS/E source code.
The old adage says there’s no honor among thieves. Instead of taking me into their confidence and sharing information, they downloaded the source code for RSTS/E and kept it to themselves.
I learned later that these bastards actually called DEC and told them the Ark had been hacked, and gave my name as the hacker. Total betrayal. I had no suspicion these guys would dream of snitching on me, especially when they had reaped such rich rewards. It was the first time of many instances to come when the people I trusted would betray me.
At seventeen, I was still in high school but dedicated to working on what might be called a PhD in RSTS/E hacking. I would find targets by checking want ads for companies looking to hire a computer person experienced with RSTS/E. I’d call, claiming to be from DEC Field Support, and was usually able to talk a system administrator into revealing dial-up numbers and privileged account passwords.
In December 1980, I ran into a kid named Micah Hirschman, whose father happened to have an account with a company called Bloodstock Research, which used a RSTS/E system; I assume the company kept historical records on the bloodlines of racehorses for breeders and bettors. I used the Hirschman account to connect to Bloodstock Research so I could exploit a security flaw and gain access to a privileged account, then Micah and I played with the operating system to teach ourselves about it, basically for kicks.
The episode blew up in our faces. Micah logged in late one night without me, and Bloodstock spotted the break-in and alerted the FBI, telling them that the attack had been through the Hirschman account. The Feds paid Mr. Hirschman a visit. He denied knowing anything about the attack. When they pressured him, he fingered his son. Micah fingered me.
I was in my bedroom on the second floor of our condo, online, hacking into the Pacific Telephone switches over a dial-up modem. Hearing a knock at the front door, I opened my window and called down, “Who is it?” The answer was one that I would come to have nightmares about: “Robin Brown, FBI.”
My heart began pounding.
Mom called to me, “Who is it?”
“A man who says he’s from the FBI,” I called back.
Mom just laughed. She didn’t know who it was but she didn’t think it could possibly be the FBI.
I was in a panic, already hanging up the phone from the computer modem cradle and stashing under the bed the TI-700 computer terminal Lewis De Payne had lent me for a few weeks. Back then, before the days of the personal computer, all I had was a terminal and a modem that I was using to connect to a system at a company or university. No computer monitor: the responses to my commands would print out on a long roll of thermal paper.
I was flashing on the fact that I had a ton of that thermal paper under my bed, filled with data that would show I had been hacking for many hours a week into telephone company computers and switches, as well as a load of computers at private firms.
When I went downstairs, the agent offered me his hand, and I shook it. “I busted Stanley Rifkin,” he told me, understanding that I’d know whom he was talking about: the guy who had pulled off the biggest theft of its kind in history, stealing $10 million from Security Pacific National Bank by a wire-transfer ruse. The agent thought that would scare me, except I knew that Rifkin had been caught only because he had returned to the States and then blabbed about what he had done. Otherwise he’d still be living abroad in luxury.
But this guy was a Fed, and there still weren’t any federal laws covering the kind of computer break-ins I was doing. He said, “You can get twenty-five years if you continue messing with the phone company.” I knew he was powerless, just trying to scare me.
It didn’t work. As soon as he left, I went right back online. I didn’t even burn the printouts. Yes, it was stupid. I was already incorrigible.
If the agent’s visit didn’t give me any chills, my mother’s reaction was not what you might expect. To her, the whole thing was like a dumb joke: What harm could a boy come to just from playing with a computer at home? She had no concept of what I was up to.
The thrill and satisfaction of doing things I wasn’t supposed to do were just too great. I was consumed by a fascination with the technology of phones and computers. I felt like an explorer, traveling cyberspace without limitations, sneaking into systems for the pure thrill and satisfaction, outsmarting engineers with years of experience, figuring out how to bypass security obstacles, learning how things worked.
It wasn’t long before I began experiencing some turbulence from the authorities. Micah had left shortly after for a trip to Paris. The Air France flight had been in the air for a couple of hours when an announcement came over the PA system: “Mr. Micah Hirschman, please turn on your stewardess call button.” When he did, a stewardess came to him and said, “The pilot wants to speak with you in the cockpit.” You can just imagine his surprise.
He was led to the cockpit. The copilot spoke into the radio to say Micah was present, then handed him a microphone. A voice over the radio said, “This is FBI Special Agent Robin Brown. The Bureau has learned that you have left the country, headed for France. Why are you going to France?”
The whole situation made no sense. Micah gave his answer, and the agent grilled him for a few minutes. It turned out the Feds thought that Micah and I were pulling off some Stanley Rifkin–style big computer hack, maybe setting up a phony transfer of millions from a U.S. bank to some other bank in Europe.
It was like a scene from a caper movie, and I loved the thrill of it.
After getting a taste of that kind of excitement, I was hooked—and I hungered for more. In high school my brain was so occupied with hacking and phreaking that I had little attention or motivation left for the classroom. Happily, I discovered a solution that was one big step better than becoming a dropout or waiting for the Los Angeles School District to show its displeasure by kicking me out.
Passing the GED exam would give me the equivalent of a high school diploma without wasting any more of my time or my teachers’ time. I signed up for the exam, which turned out to be way easier than I had expected—about an eighth-grade level, I thought.
What could be better than becoming a college student studying computers, working toward a degree while feeding my insatiable thirst for computer knowledge? In the summer of 1981, at the age of seventeen, I enrolled at Pierce College, a two-year school in nearby Woodland Hills.
The school’s computer-room manager, Gary Levi, recognized my passion. He took me under his wing, giving me special status by allowing me to have a “privileged account”—on the RSTS/E system.
His gift had an expiration date. He left the school; not long after, the Computer Science chair, one Chuck Alvarez, noticed I was logged in to a privileged account and told me to sign off immediately. I explained that Levi had given me permission, but it didn’t wash; he booted me from the computer lab. My dad went in with me for a meeting with Alvarez, who offered as an excuse, “Your son already knows so much about computers that there is nothing Pierce College can teach him.”
I dropped out.
I had lost my access to a great system, but in the late 1970s and the beginning of the 1980s, the world of personal computing went through a dramatic transition period, bringing the first desktop machines that included a monitor or even had one built in. The Commodore PET, the Apple II, and the first IBM PC began to make computers a tool for everyone, and to make computers much more convenient for heavy users… including computer hackers. I couldn’t have been happier.
Lewis De Payne had been my closest hacking and phreaking partner just about from that first time he called and said he wanted to get together and learn from me. Even though he was five years older—which at that stage of life makes quite a difference—we shared the same boyish exhilaration from phone phreaking and hacking. And we shared the same goals: access to companies’ computers, access to passwords, access to information that we weren’t supposed to have. I never damaged anyone’s computer files or made any money from the access I gained; as far as I know, Lewis didn’t either.
And we trusted each other—even though his values were, well, different from mine. A prime example was the U.S. Leasing hack.
I got into U.S. Leasing’s system using a tactic that was so ridiculously easy I should have been embarrassed to try it. It went like this.
I would call the company I’d targeted, ask for their computer room, make sure I was talking to a system administrator, and tell him, “This is [whatever fictitious name popped into my head at that moment], from DEC support. We’ve discovered a catastrophic bug in your version of RSTS/E. You could lose data.” This is a very powerful social-engineering technique, because the fear of losing data is so great that most people won’t hesitate to cooperate.
With the person sufficiently scared, I’d say, “We can patch your system without interfering with your operations.” By that point the guy (or, sometimes, lady) could hardly wait to give me the dial-up phone number and access to the system-manager account. If I got any pushback, I’d just say something like, “Okay, we’ll send it to you in the mail” and move on to try another target.
The system administrator at U.S. Leasing gave me the password to the system manager account without a blink. I went in, created a new account, and patched the operating system with a “backdoor”—software code that sets me up so I’d be able to gain covert access whenever I want to get back in.
I shared details of the backdoor with Lewis when we next spoke. At the time Lewis was dating a wannabe hacker who sometimes went by the name of Susan Thunder and who later told one interviewer that in those days she had sometimes worked as a prostitute, but only to raise money for buying computer equipment. I still roll my eyes when I think about that line. Anyway, Lewis told Susan that I had broken into U.S. Leasing and gave her the credentials. Or maybe, as he later claimed, he didn’t give them to her but she saw them written on a notepad he had left alongside his computer.
Shortly after, the two of them had a falling-out and parted company, I guess with some bad feelings. She then took revenge on me. To this day, I don’t know why I was the target, unless perhaps she thought Lewis had broken up with her so he could spend more time with me, hacking, and so blamed me for the breakup.
Whatever the reason, she reportedly used the stolen credentials to get into the U.S. Leasing computer systems. The later stories about the incident said she had destroyed many of their files. And that she had sent messages to all their printers to print out, over and over until they ran out of paper:
MITNICK WAS HERE
MITNICK WAS HERE
What really burned me about this whole affair was that in a later plea agreement, the government insisted on including this act that I didn’t commit. I was faced with a choice between confessing to this abusive, ridiculous act and going to juvenile prison.
Susan waged a vendetta against me for some time, disrupting my phone service, and giving the phone company orders to disconnect my telephone number. My one small act of revenge came about by chance. Once, in the middle of a phone company hack, I needed one telephone line that would ring and ring, unanswered. I dialed the number of a pay phone I happened to know by heart. In one of those small-world coincidences that happen to most of us now and then, Susan Thunder, who lived nearby, was walking past that particular phone booth just at that moment. She picked up the telephone and said hello. I recognized her voice.
I said, “Susan, it’s Kevin. I just want you to know I’m watching every move you make. Don’t fuck with me!”
I hope it scared the hell out of her for weeks.
I’d been having fun, but my evading the law wasn’t going to last forever.
By May 1981, still age seventeen, I had transferred my extracurricular studies to UCLA. In the computer lab, the students were there to do homework assignments or to learn about computers and programming. I was there to hack into remote computers because we couldn’t afford a computer at home, so I had to find computer access at places like universities.
Of course, the machines in the student computer lab had no external access—you could dial out from the modem at each station, but only to another campus phone number, not to an outside number—which meant they were essentially worthless for what I wanted to do.
No sweat. On the wall of the computer room was a single telephone with no dial: it was for incoming calls only. Just as I had in Mr. Christ’s computer lab in high school, I would pick up the handset and flick the switch hook, which had the same effect as dialing. Flashing nine times in quick succession, equivalent to dialing the number “9,” would get me a dial tone for an outside line. Then I would flash ten times, equivalent to dialing “0,” for an operator.
When the operator came on the line, I’d ask her to call me back at the phone number for the modem at the computer terminal I was using. The computer terminals in the lab at that time did not have internal modems. Instead, to make a modem connection, you had to place the telephone handset into an adjacent acoustic coupler, which sent signals from the modem into the telephone handset and out over the phone lines. When the operator called back on the modem telephone, I’d answer the call and ask her to dial a phone number for me.
I used this method to dial in to numerous businesses that used DEC PDP-11’s running RSTS/E. I was able to social-engineer their dial-ups and system credentials using the DEC Field Support ruse. Since I didn’t have a computer of my own, I was like a drifter moving from one college campus to another to get the dose of computer access that I so desperately wanted. I felt such an adrenaline rush driving to a college campus to get online. I would drive, over the speed limit, for forty-five minutes even if it meant only fifteen minutes of computer time.
I guess it just never occurred to me that a student at one of these computer labs might overhear what I was doing and blow the whistle on me.
Not until the evening when I was sitting at a terminal in a lab at UCLA. I heard a clamor, looked up, and saw a swarm of campus cops rushing in and heading straight for me. I was trying hard to appear concerned but confident, a kid who didn’t know what the fuss was all about.
They pulled me up out of the chair and clamped on a pair of handcuffs, closing them much too tightly.
Yes, California now had a law that criminalized hacking. But I was still a juvenile, so I wasn’t facing prison time.
Yet I was panicked, scared to death. The duffel bag in my car was crammed with printouts revealing all the companies I had been breaking into. If they searched my car and found the treasure trove of printouts and understood what it was, I’d be facing a lot worse than any punishment they might hand out for using the school’s computers when I wasn’t a student.
One of the campus cops located my car after seizing my car keys and found the bag of hacking contraband.
From there, they hustled me to a police station on campus, which was like being under arrest, and told me I was being detained for “trespassing.” They called my mom to come get me.
In the end, UCLA didn’t find anybody who could make sense of my printouts. The university never filed any charges. No action at all beyond referring my case to the county Probation Department, which could have petitioned Juvenile Court to hear the case… but didn’t.
Perhaps I was untouchable. Perhaps I could keep on with what I was doing, facing a shake-up now and then but never really having to worry. Though it had scared the hell out of me, once again I had dodged a bullet.
Over Memorial Day Weekend, 1981, Lewis De Payne and I joined a bunch of phone phreakers who were gathering for a “party.” The quotation marks are because who besides a six-year-old having a birthday or a bunch of geeks would choose a Shakey’s pizza parlor as a place to gather and frolic?
Something like two dozen people showed up, each one almost as much of a nerd as the worst of the ham radio enthusiasts. But some of them had good technical know-how, which made me feel I wasn’t entirely wasting my time.
The conversation inevitably got around to one of my favorite targets, COSMOS, the Computer System for Mainframe Operations, the Pacific Telephone mission-critical system that could bestow so much power on any phreaker who could access it.
Lewis and I already had access to COSMOS, one of the first Pacific Telephone computers I had hacked into, but probably only a few of the others had gotten in at the time, and I wasn’t going to tell them how I had. As we started talking, I realized the building that housed COSMOS was nearby, only a few miles away. I figured if a few of us went over there and had a go at a little Dumpster-diving, we might find some useful information.
Lewis was always ready for just about anything. We invited only one other guy, a fellow named Mark Ross, who was very familiar with phone systems and someone we thought we could trust.
En route, we swung by an all-night pharmacy and picked up gloves and flashlights, then on to the COSMOS building. The Dumpster-diving turned up a few interesting items but nothing of real value. After about an hour, discouraged, I suggested, “Why don’t we see if we can get inside?”
They both wanted me to go in, see if I could social-engineer the guard, and then send a touch-tone signal from my handheld ham radio. Nothing doing—we were going to be the Three Musketeers or nothing.
We walked in. The guard was a young guy, the kind who looked like he might enjoy a toke pretty often. I said, “Hey, how you doing? We’re out late, I work here, I wanted to show my friends where I work.”
“Sure,” he said. “Just sign in.” Didn’t even ask for ID. Smooth.
We had been calling departments, analyzing phone company operations for so long that we knew where the COSMOS employees worked: “Room 108” kept coming up in Pacific Telephone communications. We found our way to it.
COSMOS. The mother lode. The jackpot.
A folder on the wall held sheets of paper listing dial-up numbers for every wire center in Southern California. They looked exactly like those glossy brochures in a doctor’s office, where the sticker says “Take One!” I couldn’t believe our luck. This was a real treasure, one of the things I most coveted.
Each central office has one or more wire centers. The telephone exchanges in each central office are assigned to a particular wire center. Armed with the list of dial-up numbers for each wire center, and log-in credentials, I’d have the ability to control any phone line in Pacific Telephone’s Southern California service area.
It was an exciting find. But I needed passwords to other administrative accounts as well. I wandered through the offices around the COSMOS room, opening folders and looking into desk drawers. I opened one folder and found a sheet labeled “Passwords.”
Fantastic. I was grinning from ear to ear.
We should have left then.
But I spotted a set of COSMOS manuals that would be crammed with gotta-have information. The temptation was irresistible. These manuals could tell us everything we needed to know, from how to make inquiries with the cryptic commands used by phone company personnel to every aspect of how the system worked. Today you would be able to find all this with a Google search, but back then, it was stored only in these manuals.
I told the guys, “Let’s take the manuals to a copy shop, run off a copy for each of us, and then return the manuals before people start coming back to work in the morning.”
The guard didn’t even comment that we had come in empty-handed and were leaving with several manuals, including several stuffed into a briefcase that Lewis had spotted in one of the offices.
It was the most stupid decision of my early life.
We drove around looking for a copy shop but couldn’t find one. And of course the ordinary copy shops weren’t open at 2:00 a.m. And then we decided it was too risky anyway to go back into the building a second time to return the manuals, even after the shift change—my ever-reliable plausible-story-on-the-spot mechanism wasn’t coming up with a single believable explanation to offer.
So I took the manuals home with me. But I had a bad feeling about them. Into several Hefty trash bags they went, and Lewis took possession for me and hid them somewhere. I didn’t want to know.
Even though Lewis wasn’t hooked up with Susan Thunder anymore, he was still associating with her, and he still had that big mouth of his. Somehow incapable of keeping quiet even about things that could get him or his friends in deep trouble, he told her about the manuals.
She ratted us out to the phone company. On a hot summer evening several days later, as I pull out of the parking lot to drive home from my job, as a telephone receptionist at the Steven S. Wise Temple, I pass a Ford Crown Victoria with three men inside. (Why do law enforcement guys always drive the same model of car? Did nobody ever figure out that it makes them as obvious as if they had “UNDERCOVER COPS” painted on the side?)
I speed up to see if they’ll U-turn and follow.
Yes. Shit. But maybe it’s just a coincidence.
I pick up speed, rolling onto the ramp for the I-405 headed for San Fernando Valley.
The Crown Vic is catching up.
As I watch in my rearview mirror, an arm reaches out and places a set of cop-car flashers on the roof, and the lights start blinking. Oh shit! Why are they pulling me over? The thought of gunning it races through my mind. A high-speed chase? Insane.
No way am I going to try to run. I pull over.
The car pulls up behind me. The three guys leap out. They start running toward me.
They’re drawing their guns!!!
They’re shouting, “Get out of the car!”
In an instant, I’m in handcuffs. Once again they’re closed painfully tight.
One of the guys shouts in my ear, “You’re gonna stop fucking around with the phone company! We’re gonna teach you a lesson!” I’m so scared I start crying.
Another car pulls up. The driver hops out and runs toward us. He’s shouting at the cops, “Search his car for the bomb! He’s got a logic bomb!!”
Now I’m practically laughing through my tears. A logic bomb is a piece of software, but these guys don’t seem to know that. They think I’m carrying something that can blow everybody up!
They start grilling me. “Where are the manuals?”
I tell them, “I’m a juvenile, I want to call my lawyer.”
Instead they treated me like a terrorist, taking me to a police station in Pasadena, about a forty-five-minute drive away, and parading me to a holding cell. No bars, just a small room like a cement coffin, with a huge steel door that no sounds could penetrate. I tried to get my one phone call, but the cops refused. Apparently juveniles didn’t have any constitutional rights.
Finally a Probation Officer showed up to interview me. Although he had the power to release me to my parents, the cops convinced him that I was what today might be described as the Hannibal Lecter of computer hacking. I was transferred in handcuffs to Juvenile Hall in East Los Angeles overnight, and brought into court for an appearance the next day. My mom and dad were there, both trying to get me released.
The Pasadena Star-News ran a lengthy article about me. That was followed by an even bigger story in the Sunday Los Angeles Times. Of course, since I was a juvenile, they weren’t allowed to publish my name.
They did anyway, and it would have consequences for me later.
(As a side note to this story, I would later find out that the guy shouting about the logic bomb was Steve Cooley, the assistant district attorney assigned to my case; today, he is top dog, the district attorney for Los Angeles County. My aunt Chickie Leventhal, who has long run an operation called Chickie’s Bail Bonds, knows Cooley; some years ago, after my book The Art of Deception was published, she offered it as one of the prizes for a fund-raiser to benefit a children’s charity that Cooley attended. When she told him I was her nephew, he said he wanted a copy of the book. He asked if I’d sign it and write in it, “We’ve both come a very long way.” Indeed we have. I was glad to do it for him.)
The Juvenile Court judge who heard my case seemed puzzled: I was charged with being a hacker, but I hadn’t stolen and used any credit card numbers, nor had I sold any proprietary software or trade secrets. I had just hacked into computers and phone company systems for the sheer entertainment. The judge didn’t seem to understand why I would do such things without profiting from my actions. The idea that I was doing it for fun didn’t seem to make sense.
Since he wasn’t sure exactly what I was doing once I got into the computers and phone systems, he figured maybe he was missing something. Maybe I was taking money or making a profit in some high-tech way he didn’t comprehend. The whole thing probably made him suspicious.
The truth was, I broke into the phone system for the same reason another kid might break into an abandoned house down the block: just to check it out. The temptation to explore and find out what’s in there was too great. Sure, there might be danger, but taking a risk was part of the fun.
Because this was the first hacking case ever, there was more than a little confusion over exactly what the district attorney could charge me with. While some of the charges were legitimate, having to do with my breaking into and entering the phone company, others were not. The prosecutor claimed that in my hacking I had damaged computer systems at U.S. Leasing. I hadn’t, but it wouldn’t be the last time I was accused of this.
The Juvenile Court judge sent me to the California Youth Authority (CYA) reception facility in Norwalk, California, for a ninety-day psychological evaluation to determine whether I was suited for incarceration in that agency’s facilities. I’ve never been so intimidated. The other kids were there for crimes like assault, rape, murder, and gang hits. These were juveniles, sure, but they were even more violent and dangerous because they felt invincible.
We each had our own room and were kept locked up in it, let out in small groups for only three hours each day.
I wrote a daily letter home, beginning each with “Kevin Mitnick held hostage–Day 1,” “Day 2,” “Day 3.” Even though Norwalk is actually in LA County, it was an hour and a half drive for my mom and her mother, my “Gram.” Loyal beyond my deserving, they came every weekend, bringing food; they would always leave their homes early enough to be the first in line.
My eighteenth birthday came and went while I was being held in Norwalk. Though the California Youth Authority would still have custody of me for some time, I was no longer a juvenile. I knew that for any further offenses, I would be charged as an adult and could, if convicted, be sent to prison.
At the end of my ninety days, the California Youth Authority recommended that I be released to go home on probation, and the judge accepted the recommendation.
My assigned Probation Officer was an extraordinarily obese lady named Mary Ridgeway, who I thought found pleasure only in eating and in lashing out at the kids in her charge. Her phone stopped working one day; months later, I learned that after the phone company fixed her line, they told her they didn’t know why it had gone dead. She figured it must have been me and put a notation in my record that would become accepted as fact and used against me. Too many times in those days, unexplained failures in technology anywhere would be attributed to me.
Along with probation came psychological counseling. I was sent to a clinic that treated sex offenders and other hardcore addicts. My counselor was a doctoral intern from Great Britain named Roy Eskapa. When I explained that I was on probation for phone phreaking, his eyes lit up. “Have you heard about ITT?” (The initials stood for International Telephone and Telegraph.)
“Of course,” I said.
“Do you know where I can get any codes?”
He was asking me about ITT access codes. Once you had a code, you could simply dial a local ITT access number and punch in the access code, followed by the long-distance number you wanted to call. If you used someone else’s code, your call would be billed to that poor subscriber, and you wouldn’t have to pay a cent.
I smiled. Roy and I were going to get along just fine.
During my court-ordered counseling sessions in 1981 and 1982, we basically just chatted and became good friends. Roy told me that what I had been doing was exceedingly tame compared to the crimes of his other patients. Years later, in 1988, when I got into trouble again, he wrote a letter to the judge, explaining that I was driven to hack not by malicious or criminal motives, but by a compulsive disorder. I was, he said, “addicted” to hacking.
As far as my attorney and I have been able to determine, this was the first time that hacking had ever been labeled that way and placed on par with a drug, alcohol, gambling, or sex addiction. When the judge heard the diagnosis of addiction and realized that I suffered from an ailment, she accepted our plea agreement.
On December 22, 1982, three days before Christmas, nearly midnight, I was in the computer room in Salvatori Hall on the campus of USC, the University of Southern California, near downtown LA, with my hacking buddy Lenny DiCicco, a lanky, athletic six-footer who was to become a close, trusted hacking partner… and future double-crosser.
We had been hacking into the USC systems over dial-up modems but were frustrated with their slow speeds. A little exploring had turned up the tempting fact that a building called Salvatori Hall had a group of DEC TOPS-20 mainframes that were connected to the Arpanet, the precursor of the Internet. Being on campus would give us much faster access to systems on campus.
Using a newly discovered vulnerability that Lenny had managed to pickpocket from Dave Kompel at a DECUS (Digital Equipment Computer Users’ Society) conference we attended a week earlier, we had already gained full system (or “wheel”) privileges on all of the student DEC 20s. But we wanted to get as many passwords as possible. Even though we had system administrator privileges, the system was configured to encrypt all passwords.
No sweat. I started searching through the email accounts of staff members who had wheel privileges. Hunting around inside the system led me to the mail of the accounting department, which was responsible for issuing usernames and passwords. When I searched that account’s email, it was chock-full of messages handing out usernames and passwords in plain text. Jackpot!
Knowing it was risky, I sent the entire email file to the printer. About fifteen minutes after I gave the Print command, an operator dropped a thick printout into the student bin. In a roomful of students at computer terminals, how do you check that you’re not being watched, but do it in a way that doesn’t make you look suspicious? Doing my best, I picked up the printout and carried it back to where Lenny and I were working.
Excerpted from Ghost in the Wires by Mitnick, Kevin Copyright © 2011 by Mitnick, Kevin. Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Table of Contents
Foreword Steve Wozniak
Part 1 The Making of a Hacker
1 Rough Start
2 Just Visiting
3 Original Sin
4 Escape Artist
5 All Your Phone Lines Belong to Me
6 Will Hack for Love
7 Hitched in Haste
8 Lex Luthor
9 The Kevin Mitnick Discount Plan
10 Mystery Hacker
Part 2 Eric
11 Foul Play
12 You Can Never Hide
13 The Wiretapper
14 You Tap Me, I Tap You
15 "How the Fuck Did You Get That?"
16 Crashing Eric's Private Party
17 Pulling Back the Curtain
18 Traffic Analysis
19 Revelations
20 Reverse Sting
21 Cat and Mouse
22 Detective Work
23 Raided
24 Vanishing Act
Part 3 On the Run
25 Harry Houdini
26 Private Investigator
27 Here Comes the Sun
28 Trophy Hunter
29 Departure
30 Blindsided
31 Eyes in the Sky
32 Sleepless in Seattle
Part 4 An End and a Beginning
33 Hacking the Samurai
34 Hiding in the Bible Belt
35 Game Over
36 An FBI Valentine
37 Winning the Scapegoat Sweepstakes
38 Aftermath: A Reversal of Fortune
Reading Group Guide