Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (25 page)

Alex nonchalantly said, “I’m not with Pacific Bell. I’m a sales associate on the way to a Pacific Bell meeting downtown. They asked me, as a favor, if I would swing by and pick this up.”

The man looked at him for a moment.

Alex said, “It’s okay—if it’s a problem, it’s no big deal,” and he turned as if he were going to start walking away.

The guy said, “Oh, no, no—here,” and held the package out to Alex.

Alex was wearing an “I did it!” grin when he presented me with the binder containing all the dial-up numbers for the SAS units at every central office in Southern California.

After we had copied the pages, Alex went to a public Pacific Bell customer billing office and convinced a secretary to put the package into intracompany mail to be returned to the man who’d let him borrow it—covering our tracks by avoiding having any questions raised about a missing binder that could lead to a discovery SAS had been compromised, while at the same time leaving Alex untraceable.

One day, I had a gut feeling that Lewis could also be the target of an investigation. Checking just as a precaution, I discovered intercepts on all the phone lines at the company where Lewis worked, Impac Corporation. Why? Could Eric have anything to do with this? Lewis and I decided to phone Eric and see if we could trap him into revealing anything about it.

Lewis handled the call, with me listening and prompting.

Eric mostly responded with a noncommittal
Hmm
sound. Finally he said, “Sounds like you guys got some problems.” Well, thanks. That wasn’t any help.

Eric asked, “What’s one of the monitor numbers? I’d like to call in and see what I get.” Lewis gave him the monitor number that was in use for intercepting one of the Impac lines: 310 608-1064.

Lewis told him, “Another strange thing—I now have an intercept on the phone in my apartment as well.”

“Pretty weird,” Eric replied.

Lewis said, “What do you think is going on, Eric? Kevin keeps asking me these questions. He would like you to speculate. Could there be law enforcement involvement?”

“I don’t know.”

Lewis pushed: “Just say yes, so he’ll quit asking.”

Eric said, “I would think no. I think it’s just the phone company.”

“Well, if they’re going to monitor all the lines at the place I work, they’re going to have to listen to thousands of calls a month,” Lewis answered.

The next day, with me listening over speakerphone, Eric called Lewis, who started by asking, “Are you calling from a secure line?”

Eric answered, “Yes, I’m calling from a pay phone,” and then launched into another of his “You’ve got to respect my privacy” complaints.

Then, seemingly out of the blue, he asked Lewis, “Have you installed any of the CLASS features at work?”

He was referring to “custom local area signaling services” such as caller ID, selective call forwarding, return call, and other features that weren’t available to the general public. If Lewis said yes, he would be confessing to an illegal act.

Before Lewis had a chance to deny it, we heard a call waiting signal on Eric’s end.

I said to Lewis, “Since when do pay phones have call waiting!?”

Eric muttered that he had to get off the line for a minute. When he came back on, I challenged him about whether he was calling from a pay phone. Eric changed his story, now saying he was calling from a girlfriend’s.

While Lewis continued the conversation, I called Eric’s apartment. A man answered. I tried again, in case I had misdialed. Same man. I told Lewis to press him about it.

Lewis said, “Some guy is answering your home phone. What the hell is this all about, Eric?”

He said, “I don’t know.”

But Lewis kept pressing. “Who’s in your apartment, Eric?”

“Well, I don’t know what’s going on. No one’s supposed to be in my apartment. I’m going to go check it out,” he answered. “With all the stuff that’s happening, I’m going into secure mode. Keep me posted.” And he hung up.

So many lies about little things that didn’t matter.

Eric was becoming a mystery to solve, equal to the mystery of the intercept boxes. So far, all I had on that was three numbers originating from somewhere in Oakland that were connected to the boxes.

Where, physically, were the monitor calls originating from? Not very difficult to find out. I simply called MLAC, the Mechanized Loop Assignment Center, provided one of the phone numbers, and was given the physical address where the telephone line was located: 2150 Webster Street, Oakland, the offices of Pacific Bell’s Security Department. They had previously been located in San Francisco but had since moved across the bay.

Great. But that was just one of the numbers. I wanted to know
all
of
the numbers Pacific Bell Security was using to connect to its secret monitoring boxes. I asked the MLAC lady to look up the original service order that had established the one phone number I had already discovered. As I expected, the order showed that multiple other phone numbers—about thirty of them—had been set up at the same time. And they were originating from what I thought of as the “wiretapping room,” where they were recording the intercepts. (Actually, I would find out much later that there was no dedicated wiretapping room; when a call started on any of the lines being monitored, it would be captured on a voice-activated recorder on the desk of whichever security investigator was handling that case, to be listened to whenever he or she had the opportunity.)

Now that I had the monitor numbers, I needed to figure out where each one was calling out to. First I called each of the numbers, knowing that any of them that didn’t give me a busy signal must not be actively in use for wiretapping; those, I ignored.

For all the others, the ones that were currently in use for intercepts, I called the Oakland SCC and social-engineered a switch tech into performing a query call memory (QCM) command on the DMS-100 switch serving that number (a QCM gives the last phone number called from that phone). With this new information, I now had a list of dial-up monitor numbers for each active Pacific Bell wiretap in the state of California.

The area code and prefix of the monitor number identified which central office the wiretap was in. If Lewis or I knew anyone who had a phone number served out of a CO where a wiretap was active, I would call the central office, say I was from PacBell Security, and explain, “We have one of our boxes there. I need you to trace out the connection.” After a couple of steps I would have the target phone number that the intercept was placed on. If it didn’t belong to anybody I knew, I’d go on to explore the next one.

I kept checking on intercepts as a precaution, watching my back while focused on the crucial task of trying to figure out what Eric was really up to. One approach came to mind that hadn’t occurred to me before. I called the Switching Control Center that managed the switch providing Eric’s telephone service and convinced the tech to perform a line-history block, or LHB, a way of getting a report on the last phone number dialed from a phone line served by a 1A ESS switch.

After that I started calling for LHBs on him up to several times a day, to find out what numbers he was calling.

One of the numbers made me break out in a cold sweat. Eric had called 310 477-6565. I didn’t need to do any research. It was seared into my memory:

The Los Angeles headquarters of the FBI!

Fuuuck
.

I called Lewis at work from my cloned cell phone and said, “Turn on your ham radio.” He knew that meant something entirely different: it meant, “Turn on your cloned cell phone.” (He was the kind of person who liked to focus on one thing at a time; when he was addressing the task at hand, he’d turn off his cell phone and pager so they wouldn’t interrupt his train of thought.)

When I got him on the safe cell phone, I told him, “Dude, we’re in trouble. I did an LHB on Eric’s line. He’s fucking calling the FBI.”

He didn’t seem concerned. Entirely without emotion.
Whaaaat?!

Well, maybe there was someone else in the office, and he couldn’t react. Or maybe it was that arrogance of his, that attitude of superiority, the notion that he was invulnerable.

I said, “You need to get your floppy disks and notes out of your apartment and office. Anything to do with SAS, you need to stash somewhere safe. I’m gonna be doing the same.”

He didn’t seem to think one phone call to the FBI was such a big deal.

“Just do it!”
I told him, trying not to shout.

Common sense dictated my next call, to Pacific Bell’s Customer Name and Location Bureau. The effort was routine but produced an unexpected result. A cheerful young lady took my call and asked for my PIN; I used one that I had nabbed a few months earlier by hacking into the CNL database, then gave her the two phone numbers in Eric’s apartment.

“The first one, 310 837-5412, is listed to a Joseph Wernle, in Los Angeles,” she told me. “And it’s non-pub”—short for “non-published,” meaning a number that the information operator won’t give out. “The second, 310 837-6420, is also listed to Joseph Wernle, and it’s also non-pub.” I had her spell the name for me.

So the “Eric Heinz” name was a phony, and his real name was
Joseph Wernle. Or Eric had a roommate… which didn’t actually seem too likely for a guy who claimed to have a different sleepover every night. Or maybe he had just registered the phone under a fake name.

Most likely Eric Heinz was a phony name and Joseph Wernle his real name. I needed to find out who this guy
really
was, and I needed to do it
fast
.

Where to start?

The rental application he’d filled out at his apartment complex might have some background information—references or whatever.

The Oakwood Apartments, where Lewis and I had paid him that surprise visit, turned out to be just one in a national string of rental properties owned by a real estate conglomerate. The places were rented to companies putting employees up on a temporary assignment, or people recently transferred to a new city and needing a place to live while looking for new digs. Today the company describes itself as “the world’s largest rental housing solution company.”

To set things up, I found the fax number for Oakwood’s worldwide headquarters, then hacked into a phone company switch and temporarily forwarded the phone line so any incoming fax calls would be transferred to the fax machine at a Kinko’s in Santa Monica.

On a call to Oakwood’s corporate headquarters, I asked for the name of a manager, then dialed the rental office at Eric’s building. The call was answered by a young lady with a pleasant voice and a helpful manner. Identifying myself as the manager whose name I had gotten, I said, “We’ve had a legal issue come up about one of the tenants there. I need you to fax me the rental application for Joseph Wernle.” She said she’d take care of it right away. I made sure the fax number she had for corporate was the same one I had just diverted to Kinko’s.

I waited until I thought the fax had been sent, then called the Kinko’s it was being forwarded to. I told the manager there that I was a supervisor at another Kinko’s location and explained, “I have a customer here who’s waiting for a fax. He just realized it was sent to the wrong Kinko’s.” I asked him to locate the fax and resend it to “my” Kinko’s. This second step would make it harder for any Feds to unravel my work. I call it “laundering a fax.”

Half an hour later, I stopped by the local Kinko’s and picked up the fax, paying cash.

But after all that effort, the application didn’t clear up anything. It only added to the mystery. The owners of corporate rental buildings usually require background information to make sure their new tenants don’t pose any financial risk. But in this case Oakwood had rented to a guy who had provided hardly any information at all. No references. No bank accounts. No previous addresses.

And most significantly, no mention of Eric’s name. The apartment had been rented in the same name the telephone service was under, Joseph Wernle. The only other piece of information on the entire application was a work phone number, 213 507-7782. And even that was curious: it was not an office number but, as I easily determined, a cell phone with service provided by PacTel Cellular.

Yet at least it gave me a lead to follow.

A call to PacTel Cellular gave me the name of the store that had sold the cell phone listed on Eric’s rental application: One City Cellular, in the Westwood neighborhood of Los Angeles, the area that includes the campus of UCLA. I made a pretext call to the store and said I wanted some information about “my” account.

“What’s your name, sir?” the lady on the other end asked.

I told her, “It should be under ‘U.S. Government’ ”—hoping she would correct my error… hoping it
was
an error. And at the same time hoping she would be helpful enough to give the name on the account.

She did. “Are you Mike Martinez?” she asked.

What the hell?!

“Yes, I’m Mike. By the way, what’s my account number again?”

That was taking a chance, but she was a retail clerk at a cell phone store, not a knowledgeable customer service rep at the cell phone company. She wasn’t the least bit suspicious and just read off the account number for me.

Heinz… Wernle… Martinez. What the fuck was going on?