Read The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Online

Authors: Kevin D. Mitnick, William L. Simon

Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security

BOOK: The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers

Steve Wozniak and Sharon Akers have given much of their time to assist me and are always there to help me out. The frequent rearranging of your schedules to be there to support me is much appreciated and it warms me to call both of you my friends. Hopefully, now that this book is completed, we will have more time to get together for some gadget quality time. Steve -- I'll never forget the time that you, Jeff Samuels, and I drove through the night in your Hummer to get to DEFCON in Las Vegas, switching drivers constantly so that we could all check our e-mail and chat with friends over our GPRS wireless connections.

And as I write these acknowledgments, I realize I have so many people to thank and to express appreciation to for offering their love, friendship, and support. I cannot begin to remember the names of all the kind and generous people that I've met in recent years, but suffice to say, I would need a large USB flash drive to store them all. There have been so many people from all over the world who have written me words of encouragement, praise, and support. These words have meant a great deal to me, especially during the times I needed it most.

I'm especially thankful to all my supporters who stood by me and spent their valuable time and energy getting the word out to anyone that would listen, voicing their concern and objection over my unfair treatment and the hyperbole created by those who sought to profit from the "The Myth of Kevin Mitnick."

I'm eager to thank those people who represent my professional career and are dedicated in extraordinary ways. David Fugate, of Waterside Productions, is my book agent who went to bat for me on many occasions before and after the book contract was signed.

I very much appreciate the opportunity that John Wiley & Sons has given me to author another book, and for their confidence in our ability to develop a best seller. I wish to thank the following Wiley people who made this dream possible: Ellen Gerstein; Bob Ipsen; Carol Long, who always promptly responds to my questions and concerns (my number one contact at Wiley and executive editor); and Emilie Herman and Kevin Shafer (developmental editors), who have both worked with us as a team to get the job done.

I have had too many experiences with lawyers, but I am eager to have a place to express my thanks for the lawyers who, during the years of my negative interactions with the criminal justice system, stepped up and offered to help me when I was in desperate need. From kind words to deep involvement with my case, I met many who don't at all fit the stereotype of the self-centered attorney. I have come to respect, admire, and appreciate the kindness and generosity of spirit given to me so freely by so many. They each deserve to be acknowledged with a paragraph of favorable words; I will at least mention them all by name, for every one of them lives in my heart surrounded by appreciation: Greg Aclin, Fran Campbell, Lauren Colby, John Dusenbury, Sherman Ellison, Omar Figueroa, Jim French, Carolyn Hagin, Rob Hale, David Mahler, Ralph Peretz, Alvin Michaelson, Donald C. Randolph, Alan Rubin, Tony Serra, Skip Slates, Richard Steingard, Honorable Robert Talcott, Barry Tarlow, John Yzurdiaga, and Gregory Vinson.

Other family members, personal friends, business associates who have given me advice and support, and have reached out in many ways, are important to recognize and acknowledge. They are JJ Abrams, Sharon Akers, Matt "NullLink" Beckman, Alex "CriticalMass" Berta, Jack Biello, Serge and Susanne Birbrair, Paul Block, Jeff Bowler, Matt "404" Burke, Mark Burnett, Thomas Cannon, GraceAnn and Perry Chavez, Raoul Chiesa, Dale Coddington, Marcus Colombano, Avi Corfas, Ed Cummings, Jason "Cypher" Satterfield, Robert Davies, Dave Delancey, Reverend Digital, Oyvind Dossland, Sam Downing, John Draper, Ralph Echemendia, Ori Eisen, Roy Eskapa, Alex Fielding, Erin Finn, Gary Fish and Fishnet Security, Lisa Flores, Brock Frank, Gregor Freund, Sean Gailey and the whole Jinx crew, Michael and Katie Gardner, Steve Gibson, Rop Gonggrijp, Jerry Greenblatt, Thomas Greene, Greg Grunberg, Dave Harrison, G. Mark Hardy, Larry Hawley, Leslie Herman, Michael Hess and everyone at Roadwired bags, Jim Hill, Ken Holder, Rochell Hornbuckle, Andrew "Bunnie" Huang, Linda Hull, Steve Hunt, all the great people at IDC, Marco Ivaldi, Virgil Kasper, Stacey Kirkland, Erik Jan Koedijk, the Lamo Family, Leo and Jennifer Laporte, Pat Lawson, Candi Layman, Arnaud Le-hung, Karen Leventhal, Bob Levy, David and Mark Litchfield, CJ Little, Jonathan Littman, Mark Loveless, Lucky 225, Mark Maifrett, Lee Malis, Andy Marton, Lapo Masiero, Forrest McDonald, Kerry McElwee, Jim "GonZo" McAnally, Paul and Vicki Miller, Elliott Moore, Michael Morris, Vincent, Paul and Eileen Navarino, Patrick and Sarah Norton, John Nunes, Shawn Nunley, Janis Orsino, Tom Parker, Marco Plas, Kevin and Lauren Poulsen, Scott Press, Linda and Art Pryor, Pyr0, John Rafuse, Mike Roadancer and the entire security crew from HOPE 2004, RGB, Israel and Rachel Rosencrantz, Mark Ross, Bill Royle, William Royer, Joel "ch0l0man" Ruiz, Martyn Ruks, Ryan Russell, Brad Sagarin, Martin Sargent, Loriann Siminas, Te Smith, Dan Sokol, Trudy Spector, Matt Spergel, Gregory Spievack, Jim and Olivia Sumner, Douglas Thomas, Cathy Von, Ron Wetzel, Andrew Williams, Willem, Don David Wilson, Joey Wilson, Dave and Dianna Wykofka, and all my friends and supporters from the boards on Labmistress.com and 2600 magazine.

By Bill Simon

In doing our first book, The Art of Deception, Kevin Mitnick and I forged a friendship. While writing this one, we continually found new ways of working together while deepening our friendship. So, my first words of appreciation go to Kevin for being an outstanding "travel companion" as we shared this second journey.

David Fugate, my agent at Waterside Productions and the man responsible for bringing Kevin and me together in the first place, tapped into his usual store of patience and wisdom to find ways of solving those few miserable situations that cropped up. When the going gets tough, every writer should be blessed with an agent who is as wise and as good a friend. Ditto for my longtime friend Bill Gladstone, the founder of Waterside Productions and my principal agent. Bill remains a key factor in the success of my writing career and has my everlasting gratitude.

My wife Arynne continues to inspire me anew each day with her love and her dedication to excellence; I appreciate her more than I can say in words. She has increased my proficiency as a writer because of her intelligence and willingness to be forthright by telling me straight out when my writing has missed the mark. Somehow she gets through the steam of wrath that is my usual initial response to her suggestions, but in the end I accept the wisdom of her suggestions and do the rewrite.

Mark Wilson lent a helping hand that made a difference. Emilie Herman was a champion of an editor. And I can't overlook the work of Kevin Shafer, who took over after Emilie left.

Even a sixteenth book accumulates a debt to people who along the way have been more than a little helpful; of the many, I especially want to mention Kimberly Valentini and Maureen Maloney of Waterside, and Josephine Rodriguez. Marianne Stuber did her usual fast turnaround transcribing (not easy with all those strange technical terms and hacker slang) and Jessica Dudgeon kept the office on an even keel. Darci Wood was a champ about the time her Kevin dedicated to getting this book done.

Special thanks to daughter Victoria and son Sheldon for their understanding, and to my twin grandchildren Vincent and Elena, all of whom I trust I will be able to see more once this manuscript is delivered.

To the many who offered us stories, and especially to those whose compelling stories we chose to use, Kevin and I are deeply indebted. They came forward despite significant risks. Had their names been revealed, in many cases they would have faced being dragged away by the men in blue. Even those whose stories weren't used showed courage in their willingness to share, and deserve to be admired for it. We do, indeed, admire them.

Chapter 1

Hacking the Casinos for a Million Bucks

Every time [some software engineer] says, "Nobody will go to the trouble of doing that," there's some kid in Finland who will go to the trouble.

-- Alex Mayfield

There comes a magical gambler's moment when simple thrills magnify to become 3-D fantasies -- a moment when greed chews up ethics and the casino system is just another mountain waiting to be conquered. In that single moment the idea of a foolproof way to beat the tables or the machines not only kicks in but kicks one's breath away.

Alex Mayfield and three of his friends did more than daydream. Like many other hacks, this one started as an intellectual exercise just to see if it looked possible. In the end, the four actually beat the system, taking the casinos for "about a million dollars," Alex says.

In the early 1990s, the four were working as consultants in high-tech and playing life loose and casual. "You know -- you'd work, make some money, and then not work until you were broke."

Las Vegas was far away, a setting for movies and television shows. So when a technology firm offered the guys an assignment to develop some software and then accompany it to a trade show at a high-tech convention there, they jumped at the opportunity. It would be the first in Vegas for each of them, a chance to see the flashing lights for themselves, all expenses paid; who would turn that down? The separate suites for each in a major hotel meant that Alex's wife and Mike's girlfriend could be included in the fun. The two couples, plus Larry and Marco, set off for hot times in Sin City.

Alex says they didn't know much about gambling and didn't know what to expect. "You get off the plane and you see all the old ladies playing the slots. It seems funny and ironic, and you soak that in."

After the four had finished doing the trade show, they and the two ladies were sitting around in the casino of their hotel playing slot machines and enjoying free beers when Alex's wife offered a challenge:

"Aren't these machines based on computers? You guys are into computers, can't you do something so we win more?"

The guys adjourned to Mike's suite and sat around tossing out questions and offering up theories on how the machines might work.

Research

That was the trigger. The four "got kinda curious about all that, and we started looking into it when we got back home," Alex says, warming up to the vivid memories of that creative phase. It took only a little while for the research to support what they already suspected. "Yeah, they're computer programs basically. So then we were interested in, was there some way that you could crack these machines?"

There were people who had beaten the slot machines by "replacing the firmware" -- getting to the computer chip inside a machine and substituting the programming for a version that would provide much more attractive payoffs than the casino intended. Other teams had done that, but it seemed to require conspiring with a casino employee, and not just any employee but one of the slot machine techies. To Alex and his buddies, "swapping ROMs would have been like hitting an old lady over the head and taking her purse." They figured if they were going to try this, it would be as a challenge to their programming skills and their intellects. And besides, they had no advanced talents in social engineering; they were computer guys, lacking any knowledge of how you sidle up to a casino employee and propose that he join you in a little scheme to take some money that doesn't belong to you.

But how would they begin to tackle the problem? Alex explained:

We were wondering if we could actually predict something about the sequence of the cards. Or maybe we could find a back door [software code allowing later unauthorized access to the program] that some programmer may have put in for his own benefit. All programs are written by programmers, and programmers are mischievous creatures. We thought that somehow we might stumble on a back door, such as pressing some sequence of buttons to change the odds, or a simple programming flaw that we could exploit.

Alex read the book The Eudaemonic Pie by Thomas Bass (Penguin, 1992), the story of how a band of computer guys and physicists in the 1980s beat roulette in Las Vegas using their own invention of a "wearable" computer about the size of a pack of cigarettes to predict the outcome of a roulette play. One team member at the table would click buttons to input the speed of the roulette wheel and how the ball was spinning, and the computer would then feed tones by radio to a hearing aid in the ear of another team member, who would interpret the signals and place an appropriate bet. They should have walked away with a ton of money but didn't. In Alex's view, "Their scheme clearly had great potential, but it was plagued by cumbersome and unreliable technology. Also, there were many participants, so behavior and interpersonal relations were an issue. We were determined not to repeat their mistakes."

Alex figured it should be easier to beat a computer-based game "because the computer is completely deterministic" -- the outcome is determined entirely by what has gone before, or, to paraphrase an old software engineer's expression, good data in, good data out. (The original expression looks at this from the negative perspective: "garbage in, garbage out.")

This looked right up his alley. As a youngster, Alex had been a musician, joining a cult band and dreaming of being a rock star, and when that didn't work out had drifted into the study of mathematics. He had a talent for math, and though he had never cared much for schooling (and had dropped out of college), he had pursued the subject enough to have a fairly solid level of competence.

Deciding that some research was called for, he traveled to Washington, DC, to spend some time in the reading room of the Patent Office. "I figured somebody might have been stupid enough to put all the code in the patent" for a video poker machine. And sure enough, he was right. "At that time, dumping a ream of object code into a patent was a way for a patent filer to protect his invention, since the code certainly contains a very complete description of his invention, but in a form that isn't terribly user-friendly. I got some microfilm with the object code in it and then scanned the pages of hex digits for interesting sections, which had to be disassembled into [a usable form]."

Analyzing the code uncovered a few secrets that the team found intriguing, but they concluded that the only way to make any real progress would be to get their hands on the specific type of machine they wanted to hack so they could look at the code for themselves.

As a team, the guys were well matched. Mike was a better-than-competent programmer, stronger than the other three on hardware design. Marco, another sharp programmer, was an Eastern European immigrant who looked like a teenager. But he was something of a daredevil, approaching everything with a can-do, smart-ass attitude. Alex excelled at programming and was the one who contributed the knowledge of cryptography they would need. Larry wasn't much of a programmer and because of a motorcycle accident couldn't travel much, but was a great organizer who kept the project on track and everybody focused on what needed to be done at each stage.

After their initial research, Alex "sort of forgot about" the project. Marco, though, was hot for the idea. He kept insisting, "It's not that big a deal, there's thirteen states where you can legally buy machines." Finally he talked the others into giving it a try. "We figured, what the hell." Each chipped in enough money to bankroll the travel and the cost of a machine. They headed once again for Vegas -- this time at their own expense and with another goal in mind.

Alex says, "To buy a slot machine, basically you just had to go in and show ID from a state where these machines are legal to own. With a driver's license from a legal state, they pretty much didn't ask a lot of questions." One of the guys had a convenient connection to a Nevada resident. "He was like somebody's girlfriend's uncle or something, and he lived in Vegas."

They chose Mike as the one to talk to this man because "he has a sales-y kind of manner, a very presentable sort of guy. The assumption is that you're going to use it for illegal gambling. It's like guns," Alex explained. A lot of the machines get gray-marketed -- sold outside accepted channels -- to places like social clubs. Still, he found it surprising that "we could buy the exact same production units that they use on the casino floor."

Mike paid the man 1,500 bucks for a machine, a Japanese brand. "Then two of us put this damn thing in a car. We drove it home as if we had a baby in the back seat."

Developing the Hack

Mike, Alex, and Marco lugged the machine upstairs to the second floor of a house where they had been offered the use of a spare bedroom. The thrill of the experience would long be remembered by Alex as one of the most exciting in his life.

We open it up, we take out the ROM, we figure out what processor it is. I had made a decision to get this Japanese machine that looked like a knockoff of one of the big brands. I just figured the engineers might have been working under more pressure, they might have been a little lazy or a little sloppy.

It turned out I was right. They had used a 6809 [chip], similar to a 6502 that you saw in an Apple II or an Atari. It was an 8-bit chip with a 64K memory space. I was an assembly language programmer, so this was familiar.

The machine Alex had chosen was one that had been around for some 10 years. Whenever a casino wants to buy a machine of a new design, the Las Vegas Gaming Commission has to study the programming and make sure it's designed so the payouts will be fair to the players. Getting a new design approved can be a lengthy process, so casinos tend to hold on to the older machines longer than you would expect. For the team, an older machine seemed likely to have outdated technology, which they hoped might be less sophisticated and easier to attack.

The computer code they downloaded from the chip was in binary form, the string of 1's and 0's that is the most basic level of computer instructions. To translate that into a form they could work with, they would first have to do some reverse engineering -- a process an engineer or programmer uses to figure out how an existing product is designed; in this case it meant converting from machine language to a form that the guys could understand and work with.

Alex needed a disassembler to translate the code. The foursome didn't want to tip their hand by trying to purchase the software -- an act they felt would be equivalent to going into your local library and trying to check out books on how to build a bomb. The guys wrote their own disassembler, an effort that Alex describes as "not a piece of cake, but it was fun and relatively easy."

Once the code from the video poker machine had been run through the new disassembler, the three programmers sat down to pore over it. Ordinarily it's easy for an accomplished software engineer to quickly locate the sections of a program he or she wants to focus on. That's because a person writing code originally puts road signs all through it -- notes, comments, and remarks explaining the function of each section, something like the way a book may have part titles, chapter titles, and subheadings for sections within a chapter.

When a program is compiled into the form that the machine can read, these road signs are ignored -- the computer or microprocessor has no need for them. So code that has been reverse-engineered lacks any of these useful explanations; to keep with the "road signs" metaphor, this recovered code is like a roadmap with no place names, no markings of highways or streets.

They sifted through the pages of code on-screen looking for clues to the basic questions: "What's the logic? How are the cards shuffled? How are replacement cards picked?" But the main focus for the guys at this juncture was to locate the code for the random number generator (RNG). Alex's guess that the Japanese programmers who wrote the code for the machine might have taken shortcuts that left errors in the design of the random number generator turned out to be correct; they had.

Rewriting the Code

Alex sounds proud in describing this effort. "We were programmers; we were good at what we did. We figured out how numbers in the code turn into cards on the machine and then wrote a piece of C code that would do the same thing," he said, referring to the programming language called "C."

We were motivated and we did a lot of work around the clock. I'd say it probably took about two or three weeks to get to the point where we really had a good grasp of exactly what was going on in the code.

You look at it, you make some guesses, you write some new code, burn it onto the ROM [the computer chip], put it back in the machine, and see what happens. We would do things like write routines that would pop hex [hexadecimal] numbers on the screen on top of the cards. So basically get a sort of a design overview of how the code deals the cards.

It was a combination of trial and error and top-down analysis; the code pretty quickly started to make sense. So we understood everything about exactly how the numbers inside the computer turn into cards on the screen.

Our hope was that the random number generator would be relatively simple. And in this case in the early 90's, it was. I did a little research and found out it was based on something that Donald Knuth had written about in the 60's. These guys didn't invent any of this stuff; they just took existing research on Monte Carlo methods and things, and put it into their code.

We figured out exactly what algorithm they were using to generate the cards; it's called a linear feedback shift register, and it was
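An added illustration, not code from the book or from Alex's team: the book does not print the machine's generator, so the hypothetical 16-bit LFSR below (taps 16, 14, 13, 11, seed 0xACE1, a constructed value) stands in for it. The check worth running on any game RNG is the one the code performs: given only the cards that appeared on screen, how many internal states could have produced them? With a 16-bit state, a few visible cards usually narrow 65,536 candidates to one, which is why a small-state deterministic generator of this kind is unfit wherever outputs must stay unpredictable.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 16-bit Fibonacci LFSR (taps 16,14,13,11): an assumed
 * stand-in for the machine's generator, which the book does not print. */
static uint16_t lfsr_step(uint16_t s) {
    uint16_t fb = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1u;
    return (uint16_t)((s >> 1) | (fb << 15));
}

/* Deal one card (0..51) by clocking the register 8 times and reducing the
 * state modulo 52. A second flaw besides predictability: 65536 % 52 == 16,
 * so cards 0..15 are very slightly more likely than the other 36. */
static int deal_card(uint16_t *state) {
    for (int i = 0; i < 8; i++) *state = lfsr_step(*state);
    return *state % 52;
}

/* Deal n cards from a seed: the game's own view of the generator. */
static void deal_hand(uint16_t seed, int *out, int n) {
    uint16_t s = seed;
    for (int i = 0; i < n; i++) out[i] = deal_card(&s);
}

/* Defender's check: given only the n cards shown on screen, count the
 * internal states (out of 65536) that would have produced them. The last
 * matching state is written to *recovered; it is the true state whenever
 * the count is exactly 1. */
static int consistent_states(const int *seen, int n, uint16_t *recovered) {
    int count = 0;
    for (uint32_t cand = 0; cand < 65536u; cand++) {
        uint16_t s = (uint16_t)cand;
        int ok = 1;
        for (int i = 0; i < n && ok; i++)
            if (deal_card(&s) != seen[i]) ok = 0;
        if (ok) { count++; *recovered = (uint16_t)cand; }
    }
    return count;
}

/* Replay n deals from a known state and return the card that follows. */
static int next_card_after(uint16_t state, int n) {
    uint16_t s = state;
    for (int i = 0; i < n; i++) deal_card(&s);
    return deal_card(&s);
}

int main(void) {
    const uint16_t seed = 0xACE1;   /* constructed seed for the demo */
    int cards[9];
    deal_hand(seed, cards, 9);
    for (int n = 1; n <= 8; n++) {
        uint16_t rec = 0;
        int c = consistent_states(cards, n, &rec);
        printf("%d card(s) seen: %5d state(s) consistent", n, c);
        if (c == 1)
            printf(", next card predicted %d, actual %d",
                   next_card_after(rec, n), cards[n]);
        printf("\n");
    }
    return 0;
}
```

The search over 65,536 states takes well under a second on any modern machine; a generator with 128 or more bits of state and a properly mixed output would leave the same search hopeless, which is the practical bar a game or security RNG has to clear.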
