Read Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker Online
Authors: Kevin Mitnick,Steve Wozniak,William L. Simon
Tags: #BIO015000
My research indicated that while it rained a lot in Seattle, the rare sunny days there were beautiful, especially around Lake Washington. And to top it off, the city offered an abundance of Thai restaurants and coffee shops. That might seem like an odd factor to weigh in making a decision like this, but I was especially fond of Thai food and coffee then, and I still am today.
And of course, with the Microsoft campus in adjacent Redmond, Seattle had long been a hotbed of technology. Everything considered, it seemed like the town that would best meet my needs. Seattle it would be.
I bought a one-way Amtrak ticket, hugged my mother and grandmother good-bye, and boarded a train, which pulled into Seattle’s King Street Station two days later. My new identity kit included a driver’s license, Social Security card, and my usual items to establish credibility—all made out in my new Brian Merrill name. I found a motel and registered under my new identity.
I had planned to burn the Eric Weiss identity documents but in the end decided to keep them as a backup, in case I ever needed to quickly abandon the Brian Merrill persona for some reason. I stuffed them in a sock, which I stowed at the bottom of my suitcase.
Denver had been good to me except for that bad last chapter. The last chapter in Seattle would trump it in spades.
Alex B25 rixasvo hmh M ywi xs gsrrigx xs xli HQZ qemrjveqi?
On my very first day in Seattle, my pager goes off at 6:00 a.m., scaring the shit out of me: nobody but De Payne and my mother have my pager number, and Lewis knows better than to wake me this early. Whatever it is, it can’t be good news.
Bleary-eyed, I reach over to the bedside table, grab the pager, and look at the screen. “3859123-3,” it reads. The first string of digits I know by heart: the phone number of the Showboat Hotel and Casino.
The final “3” means code 3: EMERGENCY.
Grabbing my cell phone, programmed as always to a new cloned number that can’t be traced back to me, I call the hotel and ask the operator to page “Mary Schultz.” My mother must be standing by the hotel phones waiting for the page, because she comes on the line in less than a minute.
“What’s wrong?” I ask.
“Kevin, go get a copy of the New York Times right now. You’ve got to go right now.”
“What’s going on?”
“You’re on the front page!”
“Shit! Is there a photograph?”
“Yes, but it’s an old picture—it doesn’t look like you at all.”
Not as bad as it might have been, I decide.
I go back to sleep, thinking, This makes no sense. I haven’t stolen millions from a bank electronically, like Stanley Rifkin. I haven’t crippled the computers of any company or government agency. I haven’t stolen credit card data and run up bills on other people’s cards. I’m not on the FBI’s Ten Most Wanted list. Why would the country’s most prestigious newspaper be running a story about me?
At about 9:00 a.m., I wake up again and go out to find someplace that carries the New York Times—not so easy in the part of Seattle of my by-the-week motel room.
When I finally see the paper, I’m stunned. The headline jumps off the page at me:
Cyberspace’s Most Wanted: Hacker Eludes F.B.I. Pursuit
I start reading the article and can’t believe my eyes. Only the first phrase of the story is pleasing to me, crediting me with “technical wizardry.” From there, John Markoff, the Times reporter who has written the article, goes on to say that “law-enforcement officials cannot seem to catch up with him,” which is sure to burn Agent Ken McGuire and company and embarrass the hell out of them with their superiors—and make them all the more focused on finding me.
This false and defamatory article then claims that I wiretapped the FBI—I didn’t. And that, foreshadowing the 1983 movie War Games, I broke into a North American Aerospace Defense Command (NORAD) computer—not only something I never, ever did but also a near impossible proposition for anyone, given that the agency’s mission-critical computers are not connected to the outside world, and thus immune from being hacked by an outsider.
Markoff has labeled me “cyberspace’s most wanted” and “one of the nation’s most wanted computer criminals.”
And all of this on Independence Day, when red-blooded Americans feel greater national fervor than on any other day of the year. How people’s fear of computing and technology must have been brought to the boil as they ate their sunny-side-ups or their oatmeal and read about this kid who was a threat to the safety and security of every American.
I would find out later that one source of these and other blatant lies was a highly unreliable phone phreaker, Steve Rhoades, who had once been a friend of mine.
I remember being in a state of semishock after reading the article, trying to take in one statement after another that simply wasn’t true. With this one piece, Markoff single-handedly created “the Myth of Kevin Mitnick”—a myth that would embarrass the FBI into making the search for me a top priority and provide a fictional image that would influence prosecutors and judges into treating me as a danger to national security. I couldn’t help recalling that five years earlier I had refused to participate in a book Markoff and his then-wife, Katie Hafner, wanted to write about me and some other hackers, because they wanted to make money from my story while I myself would make no money from it. It also brought back memories of John Markoff telling me in a phone call that if I didn’t agree to an interview, anything anyone else said about me would be considered truthful since I wasn’t there to dispute it.
It was scary as hell to discover I had become such an important target for the Feds.
At least the photograph was a gift. The Times had used a copy of my mug shot from 1988, the one taken after I had been held in Terminal Island Federal Prison for three days without a shower, a shave, or a change of clothes—my hair a mess, me looking grubby and unkempt and like some homeless street person. The guy staring back at me from the front page of the newspaper was puffy-faced, weighing maybe ninety or a hundred pounds more than I did on that July Fourth.
Even so, the article ratcheted my paranoia level up more than a few notches. I started to wear sunglasses religiously, even indoors. If anyone asked, “What’s with the shades?” I just said that my eyes had become ultrasensitive to light.
After a quick run-through of the Apartments for Rent listings in the local paper, I decided to look for something in the “U District,” near the University of Washington, expecting it might be like LA’s attractive, lively Westwood area, adjacent to UCLA. I settled on a basement apartment, telling myself that even though it was dumpier than the motel I was in, it made sense for the time being because it was cheap. The building was owned by a single proprietor named Egon Drews and managed by his son David. Happily, Egon was a trusting soul who wasn’t going to bother with a credit or background check that a management company would have required.
The neighborhood turned out not to be a very good choice. This was no pleasant, sunny Westwood but instead a down-scale, seedy section of town, full of street beggars. Maybe I could do better once I had a steady job. But at least there was a YMCA nearby so I could keep up my almost daily workouts.
One of the few highlights of the U District for me was a clean and inexpensive Thai restaurant that offered tasty food and a cute Thai waitress. She was friendly, with a warm smile, and we dated a few times. But my old fear still lingered—the danger that in a close relationship, or in the glow after a few minutes of passion, I might let slip something that would give me away. I continued eating at the restaurant but told her I was too busy for a relationship.
No matter what else I was doing, I always had hacking to keep my mind occupied. That was how I discovered that Neill Clift, the finder of bugs in DEC’s VMS operating system, was using an email account on a system called Hicom, at Loughborough University in England.
Interesting! I had almost given up on Clift because I had discovered that DEC had given him a Vaxstation 4000 and was paying him 1,200 British pounds annually (that’s cheap) to find security bugs with it. After that, I hadn’t expected him to use any other systems except maybe at work or at home for email. Maybe this was my lucky break.
After a little digging around, I learned that Hicom was a public-access system and that anyone could apply for an account. Once I was set up with my own account, I exploited a security hole that Neill evidently didn’t know about, gaining full control of the system, with the same rights and privileges as a system administrator. I was very excited but didn’t anticipate that I would find much, since I doubted he would be careless enough to send DEC his security findings from a public system.
The very first thing I did was grab a copy of Neill’s email directory and look through each and every file. Damn! Nothing interesting—no bugs! I was disappointed. So close and yet so far. And then I had an idea: maybe he was sending emails and then deleting the messages immediately afterward. So I checked the system mail logs.
My eyes lit up: the mail log files showed that Neill was sending messages to some guy named Dave Hutchins at DEC, sometimes two or three of them in a single week. Shit! I really wanted to see the contents of those messages. At first I figured I would examine all the deleted file space on the system’s disk looking for the deleted emails to Hutchins, but then I came up with a better plan.
By reconfiguring the mail exchanger on Hicom, I could rig it so that whenever Neill sent a message to any email address at DEC, it would be redirected to an account I had hacked at USC. It was like adding call forwarding on all “dec.com” email addresses to forward to my account at USC. So I actually would be catching all emails sent to any “dec.com” address from anyone on Hicom.
My next challenge was to find an effective means of “spoofing” emails to Clift so they would look as if they were coming from DEC. Rather than spoofing messages over the Internet—a step that could be spotted if Neill looked closely at the email headers—I wrote a program that forged the email from the local system so I could spoof all the headers as well, making the deception virtually undetectable.
Every time Neill sent a report of a security hole to Dave Hutchins at DEC, the email would be redirected to me (and only me). I would soak up every detail and then send back a “thank-you” message that would appear to have been sent by Hutchins. The beauty of this particular hack—known as a “man-in-the-middle” attack—was that the real Hutchins, and DEC, would never receive the information Neill sent them. This was so exciting because it meant, in turn, that DEC would not be fixing the holes anytime soon, since the developers wouldn’t know about the problems—at least not from Neill.
After spending several weeks waiting for Neill to get busy with his bug hunting, I became impatient. What about all the security bugs I’d already missed? I wanted every one of them. Attempts to break into his system over dial-up were unlikely to work because there wasn’t much I could do at a log-in prompt but guess passwords, or maybe try to find a flaw in the log-in program itself, and he surely had security alerts enabled for log-in failures.
A social-engineering attack via the telephone was out of the question because I knew Neill would recognize my voice from a couple of years earlier. But sending believable fake emails could win me all the trust and credibility I would need to get him to share his bugs with me. There was a downside, of course: if he caught on, I would lose access to all his future bugs because he would certainly figure out that I had compromised Hicom.
But what the hell? I was a risk taker. I wanted to see if I could pull it off.
I sent Neill a fake message from Dave Hutchins, advising that Derrell Piper from VMS Engineering—the same guy I’d pretended to be when I called him the last time—wanted to communicate with him via email. VMS Engineering was ramping up its security processes, I wrote, and Derrell would be heading up the project.
Neill had in fact communicated with the real Derrell Piper several months earlier, so I knew the request would sound plausible.
Next I sent another faked email to Neill posing as Derrell, and spoofing his real email address. After we exchanged several messages back and forth, I told Neill that “I” was putting together a database to track every security issue so DEC could streamline the resolution process.
To build further credibility, I even suggested to Neill that we should use PGP encryption because we didn’t want someone like Mitnick reading our emails! Soon thereafter we had exchanged PGP keys to encrypt our email communications.
At first I asked Neill to send me just a list of all the security holes he had forwarded to DEC over the past two years. I told him I was going to go through the list and mark the ones I was missing. I explained that VMS Engineering’s records were disorganized—the bugs had been sent to different developers, and a lot of old emails had been deleted—but our new security database would organize our efforts to address these problems.