Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
Authors: Kevin Mitnick, Steve Wozniak, William L. Simon
I couldn’t get off the phone fast enough to try it out. It worked!
From then on, I would never have to social-engineer the DMV for information again. I could get everything I wanted, quickly, cleanly, and safely.
Austin’s sharing of this hack put my mind to rest about whether he might really be a snitch trying to get information to help the Feds find me. If he were an informant, the Feds would never have allowed him to give me access to protected DMV records. I was convinced that he was safe to deal with.
During my investigation of Eric, I had spent countless hours online and on the phone with a well-known Dutch hacker who went by the hacker name “RGB,” working to figure out bugs and hack into different systems. He had been busted in May 1992, arrested at his home in Utrecht, the Netherlands, by government agents posing as salesmen for a computer company—a combined force made up of local police and the PILOT team, a law enforcement group formed to battle hacking-related offenses. RGB told me the police had hundreds of pages of transcripts of his conversations with me.
When he was released from detention, we went back to hacking together again. RGB started probing systems at Carnegie Mellon University and monitoring their network traffic using a program called “tcpdump.” After weeks of monitoring, he finally intercepted a CERT staff member’s password. As soon as he confirmed that the password worked, he contacted me, full of pure excitement, and asked for my help in finding anything of interest, most particularly any reported security vulnerabilities that we could leverage in our hacking.
The Computer Emergency Response Team, CERT, based at Carnegie Mellon University, in Pittsburgh, was a federally funded research and development center established in November 1988, after the Morris Worm brought down 10 percent of the Internet. CERT was intended to prevent major security incidents by setting up a Network Operations Center to communicate with security experts. The Center created a vulnerability disclosure program with the mission of publishing advisories about security vulnerabilities, usually after the software manufacturer had developed a patch or created a work-around to mitigate the risk of the security flaw. Security professionals relied on CERT to protect their clients’ systems and networks from intrusions. (CERT’s functions would be taken over by the Department of Homeland Security in 2004.)
Now think about this for a moment: if someone discovered and reported a security hole, CERT would issue an advisory. Most CERT security advisories focused on “exposed network services”—operating system elements that could be accessed remotely—but they also reported security holes that could be exploited by “local users,” people who already had accounts on the system. The vulnerabilities were usually associated with the Unix-based operating systems—including SunOS, Solaris, Irix, Ultrix, and others—that made up most of the Internet back then.
New security bug reports were often sent to CERT, sometimes in unencrypted emails. These were what RGB and I were after, new bugs that we could leverage to get into systems, almost as if we had a master key to the server. Our goal was to leverage the “window of exposure,” the time lapse until the manufacturer came up with a patch and companies could get it installed. Such security holes had a limited shelf life: we would have to make use of them before they were fixed or otherwise blocked.
I had known about RGB’s plan but doubted he would be able to capture the credentials to a CERT staff member’s account. Yet he had pulled it off in a short time. I was shocked but happy to share the spoils with him. As a team, we hacked into the workstations of several other CERT staff members and grabbed everyone’s email spools, meaning all their email messages. And we hit the mother lode, because many of those emails contained unencrypted messages disclosing so-called zero-day vulnerabilities—meaning that they had just been discovered, and the software manufacturers had not yet developed or distributed patches to fix the problems.
When RGB and I found that most bugs were sent “in the clear”—unencrypted—we could hardly contain ourselves.
As I said, that had all happened a couple of years earlier. But now, sometime around September 1994, an unexpected message popped up from RGB, drawing my attention back to CERT:
Hi, Here’s some info for you:
there is a vax/vms system on 145.89.38.7 login name: opc/nocomm there might be x.25 access on here but i’m not sure, on the network there is a host called hutsur, this host does have access to x.25 for sure.
you might wonder why this has to be so secret, but i’m starting to hack again and I dont want the police to know anything about it. in order to start again, i need you to do me a favor. could you get me some numbers of terminal servers all over the u.s., i will use some outdials i got to get to them, and will go from these terminal servers on to the internet.
This time around i’m really gonna setup all the things right, so nothing will be noticed. The preparation for the whole thing will take about 1 month or so, after that i will be found regularly on the internet, i will then give you some more info on what projects i’m working. i’m all ready busy trying to get access to cert again, i have gotten different passwords for cmu systems, which i will use in a later stage.
Thanxs,
P.s.)
Included is my pgp key
He wanted to get back into CERT again!
One day in early October 1994, not long after RGB’s email, I went out to lunch carrying a small package containing a defective OKI 900 cell phone that I was planning to mail back to the store that day. As was almost always the case when I was out on foot, I was talking on my cell phone. I walked down Brooklyn Avenue toward the heart of the U District. When I crossed 52nd Street, about two blocks from my apartment, I heard the faint sound of a helicopter.
The sound gradually grew louder, then was suddenly very loud and right overhead, very low, as the helicopter evidently headed for a landing at a nearby schoolyard.
But it didn’t land.
As I walked, it stayed right over my head and appeared to be descending.
What the fuck is going on?
My thoughts started churning.
What if—what if the chopper is looking for me? I felt my palms start to sweat and my heart begin to pound. Anxiety was running through my veins.
I ran into the courtyard of an apartment complex, where I hoped some tall trees would block me from view of the chopper. I tossed my package in the bushes and started running full bore, ending my cell phone call as I pounded along. Once again my daily workouts on the StairMaster were paying off.
As I ran, I calculated an escape route: get to the alley, turn left, then run like hell for two blocks, across 50th Street and into the business district.
I figured they had ground support on the way, and at any moment I’d begin to hear the yowling wail of police car sirens.
I turned into the alley. I ran on the left side of the alley, next to the apartment complexes that would provide good cover.
Fiftieth Street just ahead. Heavy traffic.
I was going on pure adrenaline.
I ran into the street, dodging between cars to get across.
Damn! Almost hit—close call.
I ran into a Walgreen’s pharmacy, now feeling waves of nausea. My heart was pounding, sweat was running down my face.
Then out of the drugstore again and into another alley. No helicopter—what a relief! But I kept going. Jogging toward University Avenue.
Feeling safer at last, I ducked into a store, and placed another cell phone call.
It wasn’t five minutes before I heard the sound of the helicopter getting louder and louder and louder.
It flew until it was right over the store, then hovered there. I felt like Dr. Richard Kimble in The Fugitive. My stomach was churning again, my anxiety rapidly returning. I needed to escape.
Out the store through the back entrance. Run a couple blocks, duck into another store.
Every time I turned on my cell phone and placed a call, the damned helicopter would reappear. Son of a bitch!
I turned off the phone and ran.
With the phone off, the helicopter wasn’t following me anymore. I knew then. No question. They were tracking me by my cell phone transmissions.
I stopped under a tree and leaned against its solid trunk to catch my breath again. People walking past looked at me with suspicion written all over their faces.
After a few minutes with still no helicopter, I began to calm down.
I found a pay phone and called my dad. “Go to the pay phone at Ralph’s,” I told him, naming the supermarket near his apartment. Again my curious, uncanny memory for phone numbers came in handy.
When I reached him, I told him the story about the helicopter chase. I longed for his sympathy and support, his understanding.
What I got was something else:
“Kevin, if you think somebody was chasing you in a helicopter, you really need help.”
Caem alw Ymek Xptq’d tnwlchvw xz lrv lkkzxv?

If the Feds had a problem with my hacking, would they also have a problem if I was hacking another hacker?
A guy named Mark Lottor, who was under indictment and awaiting trial as one of Kevin Poulsen’s coconspirators, had a company called Network Wizards, marketing what he called a “Cellular Telephone Experimenter’s Kit.” It had been designed for enabling hackers, phone phreaks, and fraudsters to control the OKI 900 and OKI 1150 cell phones from their personal computers. Some people were convinced that Lottor had the source code for the OKI 900; others thought he might have reverse-engineered the firmware to develop his kit. I wanted to get a copy of whatever he had—source code or reverse-engineering details.
Through my research, I found the name of Mark’s girlfriend: Lile Elam. And whadda ya know? She worked at Sun! Perfect, couldn’t be better. I still had access to Sun’s internal network through some of the systems I had hacked into in Canada, and by that route it didn’t take me long to hack into Lile’s workstation at Sun. Setting up a “sniffer”—a program that would capture all her network traffic—I waited patiently for her to connect to either Mark’s system or her own home system. Finally I hit pay dirt:
PATH: Sun.COM(2600) => art.net(telnet)
STAT: Thu Oct 6 12:08:45, 120 pkts, 89 bytes [IDLE TIMEOUT]
DATA:
lile
m00n$@earth
The last two lines are her log-in name, followed by her password, allowing me to log in to her account on her server at home and, using an unpatched local exploit, gain root privileges.
I set up another sniffer on her home system, “art.net,” and after a few more days, she logged in to Mark’s system, giving me her log-in and password for getting into his server. I waited until the very early hours of the morning, logged in, and got root by exploiting the same security flaw I had used to get into her workstation.
I immediately searched Mark’s file system for “*oki*” (an asterisk is a wild card that in this case means “look for any filenames that have the character string ‘oki’ in them”). An examination of the files turned up by this search revealed that Mark didn’t have the source code for the OKI 900 but was indeed reverse-engineering it—and that he was getting help from another hacker.
And who was helping Lottor with this project? Surprise: of all people, it was Tsutomu Shimomura, that computer security expert with a big reputation and a bigger ego, who worked at the San Diego Supercomputer Center. Odd: at the time, Lottor was under Federal indictment in the Kevin Poulsen case, and yet here he was, getting help from a computer security expert who did contract work for the government. What was that about?
I had encountered Shimomura once before, something he never found out. The previous year, in September 1993, after getting into Sun’s network, I had discovered that he had been finding and reporting security bugs he uncovered in SunOS, one of Sun’s flagship operating systems. I wanted the information, so I targeted his server. By hacking into a host called “euler” at the University of California, San Diego (UCSD), I was able to get root and install a network sniffer.
The stars must have been lined up in my favor. Within several hours, I intercepted a user, “david,” logging into “ariel,” one of Shimomura’s servers. By capturing david’s password using my network wiretap, I accessed Shimomura’s system and was into it for several days before I was noticed and booted off. Shimomura eventually realized that david had been hacked, and tried tracking me but hit a dead end. In hindsight, he was probably monitoring his own network traffic and saw what was going on.
Before getting booted, I was able to grab a lot of files. Most of the interesting stuff had eluded me, but I knew I would return at some point. Now my interest in doing that had been stirred up, thanks to Lottor.
As I was probing Lottor’s system, I discovered a file that listed the instructions for changing an ESN from the keypad of an OKI phone.