Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker


Authors: Kevin Mitnick,Steve Wozniak,William L. Simon


In a half whisper, he said, “The FBI called us and told us there’s a guy who will probably be targeting us—a superhacker who broke into Motorola and stole their source code. They think this guy is gonna want a compiler for the Motorola code, and he’s gonna target us next!”

So the Feds had figured out I’d want the compiler, and they’d called Intermetrics to head me off? Hey, I had to give them some credit: that was good thinking.

“He broke into the CIA and got Level Three access,” Marty was telling me. “Nobody can stop this guy! He’s always one step ahead of the FBI.”

“Unbelievable—you’re putting me on! Sounds like that kid in WarGames.”

“Listen, the FBI told us we better take those compilers offline, or he’ll get to them for sure.”

I blinked. After I got the Motorola code, it had taken me a few days even to come up with that idea. And the FBI had thought of it before I did? That really was unbelievable.

“Jeez, I need to test my demo tonight so I’ll be ready for my client in the morning. What do I do now? Is there any way I could get a copy from you?”

Marty thought it over. “Well… I’ll tell you what,” he said. “I’ll put the compiler on my workstation just long enough for you to get it.”

“Great. As soon as it’s up, I’ll transfer it to removable media so it won’t be on my workstation either. Then I’ll call you back to let you know I’m done,” I said. “And Marty?”

“Yeah?”

“I’ll keep it secret. I promise.”

Marty gave me the hostname of his workstation so I could use FTP to transfer the file. To my surprise, he had enabled anonymous FTP access so I didn’t even need an account to get the files.

Like taking candy from a baby.

As far as I know, Marty never knew he was duped and will find out only if he reads it here.

Still high from the success of getting the compiler, I woke up to find that my phone was dead. I’d done something really stupid that put my freedom at risk.

Not willing to risk making business calls associated with my new identity from a cloned cell phone, I got dressed and went to the closest pay phone and called the phone company, Southern Bell, to find out why my phone wasn’t working. After keeping me waiting for a long time, a supervisor came on the line and began asking a lot of questions. Then she told me, “A Michael Stanfill called us from Portland and said you’re using his identity.”

“That guy must be mistaken,” I told her. “I’ll fax you a copy of my driver’s license tomorrow to prove my identity.”

Suddenly I realized what had happened. The Raleigh power company, Carolina Power & Light, required a large deposit. If you had references from your former utility company, you could avoid paying it, so I’d called the power company that Michael Stanfill used in Oregon—Portland General Electric—and asked for a reference letter to be faxed. I told the lady on the other end of the line that I still wanted to keep my account in Oregon but was buying property in Raleigh. When they sent the letter to me, they had apparently sent a courtesy copy to the real Stanfill, as well. I felt like a total idiot: by trying to save a $400 deposit, I’d completely blown my cover.

I had to move now.

I had to get a new identity now.

I had to get the hell out of my apartment now!

I’d never even had a chance to attend one of those all-residents’ parties or managed to meet a cute girl.

Finding a job had of course been one of my first priorities. I’d mailed out job résumés and cover letters as Michael Stanfill to more than twenty places—most of the potential employers in the area. Now, with my phone disconnected, none of these prospective employers would be able to reach me! Worse, it would be too risky to try the same places again under a different name. This put me at an extreme disadvantage.

I’d signed a six-month lease, so I told the round-faced lady in the rental office, “I really like this place, but I’ve had a family medical emergency and have to leave.”

She said, “If it’s an emergency, the company will let you out of the lease. But they aren’t going to refund you anything on this month’s rent.” I felt like saying, “Forget the refund, consider it a payoff, and if the Feds show up asking questions, I was never here.”

The next day, I took a new place across town at the Friendship Inn to live in while I searched for a new apartment. Even with my relatively few possessions, it took me several frustrating, nerve-racking trips in my compact rental car to move everything to my new temporary digs. The pressure of having to find a new job and build a new identity was weighing on me.

Little did I know that I had bigger things to worry about. I couldn’t begin to imagine how the net was beginning to close around me.

After settling in at the Friendship Inn, using my Portland State University file, I chose another temporary name: Glenn Thomas Case. Since he, like Stanfill, was a living person and so riskier to borrow an identity from, I decided to go by “G. Thomas Case” to change things up a bit.

Three days later, the certified birth certificate I had requested arrived in my newly rented mailbox. I went to the DMV and walked out with my new North Carolina learner’s permit, but I still had a lot of work ahead of me to secure the other forms of ID I would need.

The day after getting my learner’s permit, I found a studio apartment in a complex called the Players Club, which was suitable but nowhere near as appealing as my previous place. It was small but cozy; I didn’t have the luxury of being picky. The rent was $510 a month, meaning I had six months before my money would run out. Provided I didn’t have too much trouble finding a job, it was an acceptable risk.

Around the same time, the newspapers were carrying new stories about hacker Kevin Poulsen. He had been transferred from custody in Northern California and was being held in a place all too familiar to me: the Metropolitan Detention Center in Los Angeles. He was being charged with hacking offenses and gathering national defense information, an espionage-related offense.

I was determined to talk to him—an ambition in keeping with my lifelong penchant for scheming to accomplish the impossible. I liked nothing better than to set myself a challenge that I didn’t think could be done, then see if I could do it.

Visiting Poulsen was obviously out of the question. For me, the Metropolitan Detention Center was like the Hotel California in the old Eagles song: I could check out anytime I wanted, but I could never leave.

My conversations with him would have to be by phone. But inmates couldn’t receive calls, and besides, all inmate calls are monitored or recorded. Given the charges Poulsen was facing, the prison staff had likely flagged him as high risk and were keeping him closely monitored.

Still, I told myself, there’s always a way.

Each housing unit at the MDC had a “Public Defender’s phone,” a telephone with what the phone companies call “direct-connect” service: when an inmate picked up the handset, he would be connected directly to the Federal Public Defender’s Office. I knew these were the only phones available to prisoners that weren’t subject to monitoring—because of attorney-client privilege. But they were also programmed at the phone company switch so that they couldn’t be used for incoming calls (“deny terminate,” in telco lingo), and couldn’t connect to any numbers other than the main telephone number at the Public Defender’s Office. I’d cross that bridge when I came to it.

First I needed to get the numbers. It took me only twenty minutes to social-engineer Pacific Bell and learn the ten direct-connect service numbers working in the prison.

Next I called the Recent Change Memory Authorization Center (“RCMAC”). I said I was calling from Pacific Bell’s business office and requested that “deny terminate” be immediately removed from those ten numbers. The RCMAC clerk gladly complied.

Then, taking a deep breath, I called the Receiving and Discharge Office at the prison itself.

“This is Unit Manager Taylor at Terminal Island,” I said, trying to sound like a bored, frustrated prison drone. Using the name of the Bureau of Prisons’ main computer system along with Poulsen’s inmate registration number, I went on. “Sentry is down here. Can you look up reg number 95596-012 for me?”

When the guy at the prison looked up Poulsen’s number, I asked what housing unit he was in. “Six South,” he said.

That narrowed it down, but I still didn’t know which of the ten phone numbers was located on Six South.

On my microcassette player, I recorded a minute or so of the ringing sound that you hear on the phone when you call someone. This would only work if an inmate picked up the phone to call his public defender during those two or three minutes when I was calling into the phone. I would have to try many, many times before someone picked up. Another of those times when it helped to be patient and doggedly determined.

When I hit it just right and an inmate picked up the receiver, I’d let him hear a few rings on my microcassette player, then I’d stop the ringing and say, “Public Defender’s Office, may I help you?”

When the inmate asked for his lawyer, I’d say, “I’ll see if he’s available,” then pretend to go off the line for a minute. I’d come back on, tell him his attorney wasn’t in at the moment, and ask his name. Then, nonchalantly, as if I were taking down all the relevant information, I’d ask, “And what housing unit are you in?”

Then I’d say, “Try calling back in an hour or two,” so no one would notice that a lot of public defenders never seemed to get their messages. Each time an inmate did answer, I was able to identify another housing unit and take that number off my list. Jotting down the details on a notepad, I was slowly constructing a map of which phone numbers connected to which inmate housing units. At last, after several days of dialing phone numbers, I reached an inmate on Six South.

I remembered the internal extension for Six South from when I was in solitary confinement at MDC. Among the things I had done during that time to keep my mind active and preserve my sanity was to listen to announcements over the prison’s PA system and store in my memory every phone extension I heard. If an announcement said, “C.O. Douglas, call Unit Manager Chapman on 427,” I’d make a mental note of the name and number. As I’ve said, I seem to have an uncanny memory for phone numbers. Even today, years later, I still know quite a few of the phone numbers at that prison, as well as many dozens, perhaps hundreds, of numbers for friends, phone company offices, and others that I’ll probably never have any use for again but that were seared into my brain anyway.

What I needed to do next seemed impossible. I had to find a way to call the prison itself and make arrangements for a phone call with Kevin Poulsen that would not be monitored.

Here’s how I went about it: I called the main number of the prison, identified myself as “a unit manager at TI” (Terminal Island Federal Prison), and asked for extension 366, the number to the Six South guard. The operator put me through.

A guard answered, “Six South, Agee.”

I knew this guy from when I had been a prisoner there myself. He had gone out of his way to make my life miserable. But I had to keep my anger in check. I said, “This is Marcus, in R and D,” meaning Receiving and Discharge. “Do you have Inmate Poulsen there?”

“Yeah.”

“We have some personal property of his that we wanna get out of here. I need to find out where he wants it shipped.”


“Poulsen!” the guard screamed, much louder than necessary.

When Kevin came on the line, I said, “Kevin, act like you’re talking to someone in R and D.”

“Yeah,” he said in a completely flat tone.

“This is Kevin,” I said. We had never met, but I knew him by reputation and figured he’d know about me the same way. And I figured he’d know there wasn’t any other Kevin who could be calling him in prison!

I told him, “Be at the Public Defender’s phone at exactly one o’clock. Pick up the phone, but keep flashing the switch hook every fifteen seconds until I connect.” (Since the ringer was turned all the way down, he wouldn’t know the exact moment when I would be calling in.) “Now, give me your home address so Agee hears it. I told him I was shipping your property there.” After all the trouble Agee had caused me, it was sweet to have tricked him into getting Poulsen on the line.

At exactly one o’clock, I called the Public Defender’s phone in Six South. Because Poulsen hadn’t said much in the first call and I wasn’t familiar with his voice, I wanted to be sure I was really talking to him when I called back, so I tested him. “In C, give me a syntax for incrementing a variable.”

He easily gave the correct answer, and we chatted at leisure, free from any concerns about Federal agents listening to our conversation. I was amused to think that as I was evading the Feds, I was also hacking into a prison to speak to an inmate charged with espionage.

On January 27, a lucky break provided Shimmy and his team with the first strand of the net they would weave in the hope of closing in on me. The Well had an automated “disk hog” program that would periodically send emails to users who were using a lot of disk space. One of these messages went to Bruce Koball, who had a role in staging an annual public-policy event called the Computers, Freedom and Privacy Conference (CFP).

The email message noted that the conference’s account was taking up more than 150 megabytes on the Well’s servers. Koball checked the account and discovered that none of the files belonged to CFP. Looking at files that contained emails, he saw that all were addressed to [email protected].
