Read Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker Online
Authors: Kevin Mitnick, Steve Wozniak, William L. Simon
That night Koball looked at his next-day edition of the New York Times and saw a page-one story in the Business section by John Markoff, under the headline “Taking a Computer Crime to Heart.” The story included this:
It was as if the thieves, to prove their prowess, had burglarized the locksmith. Which was why Tsutomu Shimomura, the keeper of the keys in this case, was taking the break-in as a personal affront—and why he considers solving the crime a matter of honor.
Mr. Shimomura, one of the country’s most skilled computer security experts, was the person who prompted a Government computer agency to issue a chilling warning on Monday. Unknown intruders, the agency warned, had used a sophisticated break-in technique to steal files from Mr. Shimomura’s own well-guarded computer in his home near San Diego.
The next day, Koball phoned Markoff, who put him in touch with Shimmy. It didn’t take long to confirm that most of the mysterious files stored in the CFP account were from the Christmas Day attack on Shimmy’s computers. This was his first big break. Now he had a lead to follow.
Around this same time, my cousin Mark Mitnick, whom I had become close to, was going to be vacationing at Hilton Head, South Carolina, with his father. Mark invited me to join them.
Mark was running a company in Sacramento called Ad Works, and had offered to help me get set up on the East Coast using the same business model. He provided businesses like major supermarkets with free cash-register tape, which was printed on the back with ads; Mark earned his money by finding companies that would pay to have their ads on the back of the tape. I needed a steady income, and the idea of having my cousin Mark help me get started in my own business sounded very attractive, even though it wasn’t computer-related.
We met in Raleigh and drove through several cities on our way to Hilton Head so he could make a number of sales calls. He invited me along to teach me the business. I liked the idea of always being on the move because it would make me harder to find.
I would have enjoyed our trip more if it hadn’t been for an item that turned up during one of my routine online checks for any indication that the Feds were getting closer to me. There were stories all over the media about a press release just issued by the U.S. Department of Justice. The title of one story was, “U.S. Hunts Master Computer Cracker.” In part, it read:
WASHINGTON, DC, U.S.A., 1995 JAN 26 (NB)—The U.S. Marshals Service is on the trail of a computer hacker who disappeared after being convicted of one electronic crime and charged with another. Authorities say they are trying to locate Kevin David Mitnick, 31, originally from Sepulveda, California. Deputy U.S. Marshal Kathleen Cunningham told Newsbytes the Marshals Service had a probation violation warrant for Mitnick since November 1992, and almost caught up with him in Seattle last October. Cunningham said Mitnick is a ham radio enthusiast and is believed to use a scanner to keep track of police in the area where he is hiding. “[Local police] didn’t use radio security so as soon as his address was mentioned he was out of there. He just left everything.” Mitnick is considered an expert at gaining control of computers to monitor or use communications systems and knows how to manufacture false identities using computers.
This hit me like a ton of bricks. I was surprised, shocked, and in near panic. The Feds and the media had turned a supervised release violation into a global manhunt. I couldn’t leave the country even if I’d wanted to—I suspected that the Feds must have already asked Interpol to issue a “Red Notice” launching a global watch for me. And my only passport, which I had stashed away, unused, was in the Mitnick name.
When Mark and his dad returned to the hotel from playing golf, I showed them the news story. Both looked shocked. I was worried I had done the wrong thing in showing it to them, afraid they would tell me I had to leave because my presence could put them at risk. Fortunately, they never mentioned the subject but my paranoia had been driven up a few notches. The heat was being turned up on finding me. Did the Feds suspect I was the one who had hacked Shimmy?
On January 29, Super Bowl Sunday, the San Francisco 49ers were playing the San Diego Chargers. Mark and his dad were excited about watching the game, but I couldn’t have cared less. I had a lot on my mind and just wanted to relax. Rather than going back to the room for some more online activities, I decided to take a walk on the beach to get a breath of fresh air.
I decided to give Jon Littman a call. “I’m walking on the beach here and relaxing,” I told him.
“On the beach? Are you really on the beach?”
“Yeah, I’ll let you go. I’m sure you’re getting ready to watch the game.”
Littman told me the game hadn’t started yet. He asked, “What do the waves look like?”
Why would he ask me such a stupid question? I wasn’t going to tell him the surf conditions and give him a clue to my current location.
I said, “I can’t tell you, but you can listen to them,” and held the cell phone up in the air.
I asked if he’d heard about the U.S. Marshals’ UPI press release asking for the public’s help in finding me. I complained that there was a lot of bullshit in the article, including the same old Markoff myth that I had hacked NORAD.
Littman asked if I’d read Markoff’s story of the previous day. When I said I hadn’t, he read it to me over the phone, I suppose listening to gauge my reaction. I pointed out that the U.S. Marshals’ plea for help had been published the day after Markoff broke the story about Shimmy’s Christmas Day attack. It didn’t feel like a coincidence to me. “It felt like part of a planned strategy to leverage the public’s fears about cyberspace against me,” I told him.
“Markoff has been asking questions about you,” Littman said. “And he thinks he knows where you’re hiding.” I pressed him to tell me more, but he wouldn’t budge. I changed tactics and asked him to take his own guess about where I might be.
“Are you living somewhere in the Midwest?”
Happily, he was way off. Yet it appeared that Markoff had some information that was important to me, and I needed to think about finding out how much he knew.
A few days later, it occurred to me that if the Feds were trying that hard to track me down, they might have tapped my grandmother’s phone in Las Vegas. That was what I would’ve done.
Centel’s Line Assignment Group had information about every phone line in Las Vegas. I knew the number off the top of my head. Posing as a technician in the field, I asked one of the clerks to pull up my grandmother’s telephone number on her computer. I asked her to read me the “cabling information,” and as I’d suspected, there was “special equipment” recently connected to her line.
The clerk said the order had been placed a few days earlier by a Centel security agent named Sal Luca. I felt like turning the tables on Luca by tapping his line, but I knew it wouldn’t yield any valuable information. My next thought was to feed my pursuers disinformation by calling my grandmother with some cock-and-bull story that I was in the Great White North. But I didn’t want to put her under any more stress than she was already dealing with.
While I was thinking over my next move, I had to continue building my new identity. On February 2, I had an appointment to take the driving test to upgrade my learner’s permit to a driver’s license under my G. Thomas Case identity. To do that, though, I would need to find a car that didn’t have any connection to any of my past names.
I hailed a cab. “Hey, you wanna make an easy hundred bucks?” I asked the driver. He responded with a grin that revealed his missing teeth and answered with something that sounded like “Teek, teekuh” followed by “Sure, okay.” The foreign words turned out to be Hindi for more or less the same thing. (Damn, I should have offered him fifty instead!) We agreed that he would pick me up the next day, and he gave me his pager number.
At the DMV the following day, when the examiner realized I was going to take the test in a cab, he tossed me a suspicious look. We got in and I put down the flag, telling him, “I’m going to have to charge you for the ride.” The expression on his face was priceless. When he saw I was laughing, he laughed, too, and we got off to a great start.
2B 2T W 2X 2Z 36 36 2P 36 2V 3C W 3A 32 39 38 2Z W 3D 33 31 38
2V 36 3D W 2R 2Z 3C 2Z W 3E 3C 2V 2X 2Z 2Y W 3E 39 W 2R 32 2V
3E W 2V 3A 2V 3C 3E 37 2Z 38 3E W 2X 39 37 3A 36 2Z 2S 1R
By Tuesday, February 7, a posse was being formed to catch me. Assistant U.S. Attorney Kent Walker now stepped into the case, meeting with Shimmy and his girlfriend Julia Menapace, Shimmy’s assistant Andrew Gross, two FBI agents, and the Well’s vice president and system administrator, as well as its attorney, John Mendez, who had some special clout in the room since he had previously been with the U.S. Attorney’s Office and had been Walker’s boss.
Walker was based in Northern California and had no previous connection to my case, and according to the record, would be bending rules and crossing some lines to give Shimmy an extraordinary role through the following days. It was like some Wild West posse of old, where the U.S. Marshal deputized civilians to assist him in tracking down a wanted man.
Apparently Walker made a secret arrangement to provide Shimmy with confidential trap-and-trace information, as well as confidential information from the FBI files on me. Shimmy could intercept my communications without a warrant, under the pretense that he was not assisting the government but rather working only for the Internet service providers. (The Feds would never charge me with hacking Shimomura; I believe this was because they couldn’t afford to expose their gross misconduct, which appeared to violate Federal wiretapping statutes.)
It seems Shimmy appeared to be put in charge of the investigation as a de facto government agent. This was unprecedented. Perhaps the Feds figured they would never find me without Shimmy’s vigilante persistence.
My conversation with Littman kept nagging at me. After talking to Markoff, Littman thought he knew what part of the country I was in. It was time for me to get access to Markoff’s email and find out what he knew.
Tracing the path was simple: all emails addressed to his “nyt.com” address were sent to Internex, a small Internet service provider in Northern California. After probing the Internex Solaris server for a few minutes, I sighed with relief. The idiot administrating the system exported everyone’s home directory (using Sun’s Network File System) to everyone on the Internet, meaning I could remotely mount any user’s home directory—that is, make the entire directory accessible to my local system. I uploaded a .rhosts file to a user’s directory—which I configured to trust any user connecting in from any host, meaning I was able to log in to his or her account without needing a password. Once logged in, I was able to exploit another vulnerability to gain root access. It took a total of ten minutes. I almost wanted to send the system admin a thank-you letter for leaving the system wide open.
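The two misconfigurations in this passage (home directories shared over NFS with no client list, and a .rhosts entry that trusts any user from any host) are both things an administrator can audit for. The following is an added example, not part of the book; it assumes the Solaris `share` syntax used in /etc/dfs/dfstab, and the sample file contents and host names are constructed.

```python
import shlex

# Constructed sample inputs (not from any real host).
DFSTAB = '''
share -F nfs -o rw /export/home
share -F nfs -o rw=admin1:admin2 /export/build
share -F nfs -o ro,rw=admin1 /export/docs
share -F nfs /export/scratch
'''
RHOSTS = '''
trusted.example.com alice
+ +
+ bob
'''

def world_exports(dfstab_text):
    """Return shared paths that at least one rw/ro option opens to every client."""
    findings = []
    for line in dfstab_text.splitlines():
        args = shlex.split(line, comments=True)
        if not args or args[0] != "share":
            continue
        opts, path, i = "", None, 1
        while i < len(args):
            if args[i] in ("-F", "-o", "-d") and i + 1 < len(args):
                if args[i] == "-o":
                    opts = args[i + 1]
                i += 2
            else:
                path, i = args[i], i + 1
        access = [o for o in opts.split(",") if o.split("=")[0] in ("rw", "ro")]
        # Bare "rw"/"ro", or no access option at all, applies to every client.
        if path and (not access or any("=" not in o for o in access)):
            findings.append(path)
    return findings

def wildcard_rhosts(rhosts_text):
    """Return (line_no, entry) for entries that use '+' as host or user."""
    findings = []
    for n, raw in enumerate(rhosts_text.splitlines(), 1):
        fields = raw.split()
        if fields and not fields[0].startswith("#") and "+" in fields[:2]:
            findings.append((n, " ".join(fields)))
    return findings

if __name__ == "__main__":
    print(world_exports(DFSTAB))
    print(wildcard_rhosts(RHOSTS))
```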
Just that easily, I had access to Markoff’s emails. Unfortunately, he had set up his email client software to delete the messages after he retrieved them. Several messages had been left on the server, but they didn’t contain any information related to me.
I added a little configuration change so any new email sent to Markoff would also be forwarded to another email address under my control. I was hoping to uncover his sources—people who might have told him where they thought I was. I was also eager to find out more about the extent of his involvement in my case.
While I was doing this, I later learned, Shimmy and his team were watching. They had been passively monitoring incoming network traffic at both the Well and Netcom. It was a very easy thing to pull off because the Internet service providers had given his team full access to their networks.
After setting up surveillance at Netcom around February 7, Shimmy asked one of the network admins to search the system accounting records of Netcom, looking for any users who had been logged in at times when the Well’s accounts were being illicitly accessed by some user at Netcom. The admin searched through the accounting records by matching the log-ins and log-outs that had occurred during the intrusions, and was eventually able to track down one of the accounts accessing the Well from Netcom’s network. It was the “gkremen” account, and it was mostly being used to dial in to Netcom through the company’s modems in Denver and Raleigh.
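The matching of log-ins and log-outs against intrusion times described here is an interval-correlation problem: find the accounts whose sessions cover every window in which the intrusions occurred. The following is an added example, not part of the book; the record layout, account names, access-point labels and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed intrusion windows seen at the victim site: (first_seen, last_seen).
INTRUSIONS = [
    ("2001-03-01 01:10", "2001-03-01 01:40"),
    ("2001-03-01 22:05", "2001-03-01 22:50"),
    ("2001-03-02 03:15", "2001-03-02 03:30"),
]
# Constructed ISP accounting records: (account, access_point, login, logout).
SESSIONS = [
    ("acct_x", "pop-1", "2001-03-01 01:05", "2001-03-01 01:45"),
    ("acct_y", "pop-2", "2001-03-01 00:30", "2001-03-01 02:00"),
    ("acct_x", "pop-2", "2001-03-01 22:00", "2001-03-01 23:10"),
    ("acct_z", "pop-1", "2001-03-01 22:20", "2001-03-01 22:40"),
    ("acct_x", "pop-1", "2001-03-02 03:10", "2001-03-02 03:35"),
    ("acct_y", "pop-2", "2001-03-02 09:00", "2001-03-02 09:30"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def correlate(sessions, intrusions):
    """Rank accounts by the number of intrusion windows one of their sessions
    fully covers. Returns [(account, windows_covered, access_points), ...]."""
    windows = [(parse(s), parse(e)) for s, e in intrusions]
    covered = defaultdict(set)   # account -> indexes of covered windows
    pops = defaultdict(set)      # account -> access points used in those sessions
    for account, pop, login, logout in sessions:
        start, end = parse(login), parse(logout)
        for idx, (w_start, w_end) in enumerate(windows):
            # The account must have been online for the whole window.
            if start <= w_start and w_end <= end:
                covered[account].add(idx)
                pops[account].add(pop)
    ranked = sorted(covered, key=lambda a: (-len(covered[a]), a))
    return [(a, len(covered[a]), sorted(pops[a])) for a in ranked]

if __name__ == "__main__":
    for account, n, used in correlate(SESSIONS, INTRUSIONS):
        print(f"{account}: {n}/{len(INTRUSIONS)} windows via {used}")
```

An account that covers one window, like acct_y here, is likely coincidence; the signal is the account that covers all of them.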
The next day, when I was searching Markoff’s email for anything related to me, I ran a search for the string “itni” (since searching for the name “Mitnick” would have been a dead giveaway). But Shimmy and his team were watching me in real time, and when they saw this search, it confirmed their suspicions that I was their intruder.
Shimmy contacted Kent Walker and let him know that the intruder was coming in through dial-up modems in Denver and Raleigh. Shimmy asked Walker to put a trap-and-trace on the dial-up number to Netcom in Denver that I had been using. (This was, again, a very unusual request for a civilian to make of an assistant U.S. attorney: ordinarily, only law enforcement agencies make such requests.)
Walker contacted the FBI in Denver, and Denver checked with the Los Angeles FBI office for an okay. But the LA office wanted Denver to stay out of it. Instead, in what sounds like an intra-agency turf war, an agent at the LA office told the people in Denver they were not to assist with setting up a trap-and-trace. They all wanted a piece of me. If I’d known about the squabbling at the time, I might have been able to use it to my advantage.