Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (46 page)

Authors: Kevin Mitnick,Steve Wozniak,William L. Simon


Neill sent me the list of bugs I requested, but I asked for only one or two of the detailed bug reports at a time to avoid any suspicion on his part.

In an effort to build even more credibility, I told Neill I wanted to share some sensitive vulnerability information with him since he had been so helpful. I had the details of a security hole that another Brit had found and reported to DEC a while back. The bug had made big news when it hit the media, and DEC had frantically sent out patches to its VMS customers. I had found the guy who discovered it and persuaded him to send me the details.

Now I sent the data to Clift, reminding him to keep it confidential because it was DEC proprietary information. For good measure, I sent him two more bugs that exploited other security issues he didn’t know about.

A few days later, I asked him to reciprocate. (I didn’t directly use that word, but I was counting on the effectiveness of reciprocity as a strong influence technique.) I explained it would make my life much easier if, in addition to the list, he could send me all the detailed bug reports he had submitted to DEC over the last two years. Then, I said, I could just add them to the database in chronological order. My request was very risky. I was asking Neill to send me everything he had; if that didn’t raise his suspicions, nothing would. I waited a couple of days on pins and needles, and then I saw an email from him, forwarded to my USC mailbox. I opened it up anxiously, half-expecting it to say, “Good try, Kevin.” But it contained everything! I had just won the VMS bug lottery!

After getting a copy of his bug database, I asked Neill to take a closer look at the VMS log-in program, Loginout. Neill already knew that Derrell had developed the Loginout program and I was curious to know whether he could find any security bugs in it.

Neill emailed me back some technical questions about Purdy Polynomial, the algorithm used to encrypt VMS passwords. He had spent months, maybe even years, trying to defeat the encryption algorithm—or rather, optimizing his code to crack VMS passwords. One of his queries was a yes/no question about the mathematics behind the Purdy algorithm. Rather than research it, I just guessed the answer—why not? I had a fifty-fifty chance of getting it right. Unfortunately, I guessed wrong. My own laziness resulted in revealing the con.

Instead of tipping me off, though, Neill sent me an email claiming that he had found the biggest security bug to date—in the very VMS log-in program I had asked him to analyze. He confided that it was so sensitive that he was willing to send it to me only in the post.

How stupid did he think I was? I just responded with Derrell’s real mailing address at DEC, knowing the jig was up.

The next time I logged in to Hicom to check the status quo, a message popped up on my display:

 

Ring me up, Mate.

Neill.

 

That made me smile. But what the hell? I figured: he already knew he had been hustled, so I had nothing to lose.

I called.

“Hey, Neill, what’s up?”

“Hey, mate.” No anger, no threats, no hostility. We were like two old friends.

We spent hours talking, and I shared all the intricate details of how I’d hacked him over the years. I decided I might as well tell him, since it wasn’t likely to work on him again.

We became telephone buddies, sometimes spending hours on the phone together over several days. After all, we shared similar interests: Neill loved finding security bugs, and I loved using them. He told me that the Finnish National Police had contacted him about my hacking into Nokia. He offered to teach me some of his clever bug-hunting techniques, though not until I acquired a better understanding of the “internals” of VMS—that is, the inner workings of the operating system, the details of what was “under the hood.” He said I had spent too much time hacking into stuff instead of educating myself on the internals. Amazingly, he even gave me some exercises to work on, to learn more about this, and then he went over my efforts and critiqued them. The VMS bug hunter training the hacker—how ironic was that?

Later, I would intercept an email that I suspected Neill had sent to the FBI. It read:

Kathleen,

There was only one match in the mail log from nyx:

Sep 18 23:25:49 nyxsendmail[15975]: AA15975: message-id=<[email protected]>

Sep 18 23:25:50 nyxsendmail[15975]: AA15975: from=, size=67370, class=0

Sep 18 23:26:12 nyxsendmail[16068]: AA15975: to=, delay=00:01:15, stat=Sent

Hope this helps

 

This log showed the dates and times when I was sending emails from my account on Hicom to one of the accounts I had on a public-access system in Denver called “nyx.” And who was the “Kathleen” the message was addressed to? I figured there was a 99 percent likelihood it was, once again, Special Agent Kathleen Carson.

The email message was clear evidence that Neill had been working with the FBI. I wasn’t surprised; after all, I had drawn first blood and gone after him, so maybe I deserved it. I had enjoyed our conversations and picking his brain; it was disappointing to learn that he had just been playing along in the hope that he might be able to help the Feds nail me. Even though I had always exercised precautions when calling him, I decided it would be best to cut off all contact, to avoid giving the FBI any more leads.

In a criminal prosecution, as you probably know, the government is required to share its evidence with the defendant. Among the documents later turned over to me was one that revealed both the extent of Neill’s cooperation and its importance to the FBI. When I first read a copy of this letter, I was surprised.

U.S. Department of Justice Federal Bureau of Investigation

11000 Wilshire Boulevard #1700

Los Angeles, CA 90014

September 22, 1994

Mr. Neill Clift

Loughborough University

Dear Neill:

 

It must be quite frustrating to sit over there and wonder if the FBI or British law enforcement authorities are ever going to do anything and catch our “friend,” KDM. I can only assure you that every little piece of information concerning Kevin which finds its way into my hands is aggressively pursued.

In fact, I just verified the information you provided…. It certainly appears this computer system has been accessed and compromised by Kevin. Our dilemma, however, is that the “NYX” system administrator is not as helpful to law enforcement as you have been; and we are somewhat limited in our pursuit of watching the account by the American legal procedures.

I wanted to let you know in this letter how much your cooperation with the FBI has been appreciated. Any telephonic contact made to you by Kevin is very important—at least to me.

… I can report that you (and only you) are the one concrete connection we have to Kevin outside the world of computers. I do not believe we will ever be able to find him via his telephone traces, telnet or FTP connections, and/or other technological methods. It is only through personal (or, in your case, telephonic) exchanges with Kevin that we gain more insight as to his activities and plans. Your assistance is crucial to this investigation. [Emphasis added.]

… I can only assure you, once again, that your efforts in the Kevin “chase” are appreciated…. If you choose to continue your cooperation with the FBI by providing me with information about discussions with Kevin, I promise that, one day, all the little pieces of data filtered to me from around the world will fall into place and lead to a computer terminal where I will find Kevin and promptly place him in handcuffs….

Thanks again, Neill.

Sincerely yours,

 

Kathleen Carson

Special Agent

Federal Bureau of Investigation

 

Rereading this now, I’m struck by how frustrated Special Agent Carson sounds about not being able to catch me—and how willing she was to admit that in writing.

In my job-hunting efforts in Seattle, I found a newspaper ad for a Help Desk analyst at the Virginia Mason Medical Center. I went in for an interview, which lasted for a couple of hours and led, a few days later, to a job offer. It didn’t sound like something that was going to present the same challenges that my job in the law firm in Denver had. But my apartment was depressing, and I didn’t want to commit to a better place until I was set with an income and knew which part of town I’d be working in, so I took the job despite the drawbacks.

When I picked up the new-employee package from Human Resources, I found that the application form asked for a print of my index finger.

Bad news. Did those prints get sent out to be checked against FBI records? I made another of my pretext calls, this one to the Washington State Patrol, claiming I was with the Oregon State Police Identification Division.

“Our department is setting up a program to aid city and county organizations by screening their job applicants for criminal records,” I said. “So I’m looking for some guidance. Do you ask for fingerprints?”

“Yes, we do.”

“Do you just run the prints against state files, or do you send them to the FBI?”

“We don’t submit to any outside agencies,” the guy on the other end of the line told me. “We check state records only.”

Excellent! I didn’t have any criminal record in Washington State, so I knew it’d be safe for me to hand in the application with my fingerprint on it.

I started work a few days later, sharing an office with a tall, very detail-oriented guy named Charlie Hudson and one other coworker. The job wasn’t even moderately interesting; my work consisted mostly of answering Help Desk questions from doctors and other hospital staff members who brought to mind those jokes about users so numskulled about technology that they attempted to copy floppy disks on a Xerox machine.

Practically all the employees in the place, for example, were using their Social Security number as the secret question for resetting their computer passwords. I tried to talk to my boss about how unsafe that was, but he blew me off. I thought for a minute about giving him a little demonstration of how easy it was to obtain anyone’s Social Security number, but then realized that would be a very bad idea. When I started writing scripts on the VMS system to solve some technical support problems, I was told that the project was beyond my job responsibilities, and I should quit working on it.

My mental attitude was in pretty good shape. In all the time I had been on the run, I had never had any alarming events that made me fear for my security. But I could never let my guard down completely. One day I walked out of my apartment building and saw a Jeep Cherokee parked across the street. What caught my attention was that there were almost no cars parked on the street at that hour, yet this one was stopped at a place that wasn’t convenient to any house or apartment building entrance. And there was a man sitting in it. As a kind of challenge, I stared straight at him. We made eye contact briefly and then he glanced away, showing no interest. It made sense to be cautious but I decided I was being a little paranoid, and continued on my way.

About two months after I moved to Seattle, Lewis put me in touch with Ron Austin, Poulsen’s one-time hacking buddy, a guy I knew about but had never talked to. My main topic of conversation with Ron was Justin Petersen, who had touched all three of our lives by snitching on us. Austin and I started communicating frequently. He had provided me with a list of pay-phone numbers in the West Los Angeles area, and I would let him know which phone number I’d be calling him on and at what time.

I was routing all my calls from Seattle to switches in Denver, Portland, Sioux Falls, and Salt Lake City, and adding another layer of protection by manipulating the switch software so it would be very time-consuming for anyone to trace my calls. Although I didn’t trust Austin, I felt safe talking to him because we used so many pay phones, a different one each time.

There was another reason I felt safe with him: he shared with me a very powerful research tool he had learned about from Justin. In a bizarre coincidence, Justin—long before I met him—had snuck into a building I was very familiar with: 5150 Wilshire Boulevard, where Dave Harrison had his offices. Justin was interested in stealing credit card data as it was sent to the card processor for verification, and he was targeting the same GTE Telenet network that I had gone after, though with a different intent.

When Justin started playing back the recording of the modem tones through a setup that translated them into text on the computer screen, he realized that among all the other data was the sign-on credentials of some agency that was accessing California DMV records—credentials he and any other hacker could use to retrieve any information from the DMV. Incredible! I could just picture Justin’s jaw dropping. He probably couldn’t believe his good luck, and began using these credentials himself to run license plates and driver’s licenses.

Ron wasn’t just telling me a story about Justin. He was actually sharing the details with me: “The GTE Telenet address is 916268.05. As soon as the display goes blank, you type ‘DGS.’ The password is ‘LU6.’ And you’re in!”
