The Fugitive Game: Online With Kevin Mitnick (42 page)

#69

This is the story from November:

... a user (name I don't recall) called for assist on downloading an
ftped [a common protocol for sending large files over the Internet]
document. I checked his home dir for the doc, which wasn't there.
He said "it will be." Puzzled, I looked again, and the file — a
HUGE file was being put in his home dir. I asked him if anyone
knew his password — he said no — but "Someone has yours". He
told me [the person] had the root password or root access ... I
watched a new ftp [File Transfer Protocol] session start up and
another large file get dumped into his account [clear evidence that

an unknown intruder had gained total, or 'root,' access at the
Well].

At the same time Pei/I [Hua-Pei Chen, the Well's technical man-
ager] were noticing a LOT of ftp activity in/out of the WELL which
couldn't be accounted for ... I reported the whole incident to
WELL Support — all staff at the time knew of the situation — and
... nothing more came of it.

There's probably email floating around in staff accounts or in the
Support archive ... late Oct to early Nov.

By 5:23 p.m., Chip Bayers of
Hotwired,
the online 'zine published by
Wired
magazine, notes that the FBI press release makes no claims
that Mitnick stole software but instead alleges he caused "significant
damage and stole proprietary information." Minutes later, another
contributor to the thread issues a general word of caution on FBI
claims. When it comes to government or corporate press releases,
Bill Mandel warns, "significant damage" means little, citing the
FBI's hyped Bell South case.

The Bell South debacle had made headlines a few years back. In
the highly publicized case the federal government claimed a "stolen"
proprietary manual was worth $70,000. It nearly succeeded. But at
trial, the defense showed the manual could be ordered for $17 and
the case was promptly dismissed. Ever since, sophisticated cyber-
citizens have viewed federal hacking indictments with skepticism.

But the lessons of the Bell South case must have grown hazy in the
minds of most Well regulars. They seem to take the FBI's press re-
lease at face value. There's no sense of "innocent till proven guilty,"
no sense that the government's claims might not be supported by
fact. At 5:44, Bruce Koball, who helps organize the Computers,
Freedom and Privacy conferences, begins to tell his inside story.
There's an irony to the group's involvement in Mitnick's arrest that
seems to go unnoticed.

CFP is famous for putting on conferences that encourage open
dialogue between FBI agents, hackers, libertarians and journalists
about hacking, freedom, and privacy in cyberspace. It's considered
the Switzerland of cyberspace, a free zone for ideas. Hackers are

featured attendees, and a common topic is the invasion of rights in
cyberspace by overzealous feds. But all that seems to be forgotten in
the excitement of the moment, as Koball proudly tells of his small
role in the hacker's capture.

#85

Since this hits the press tomorrow, I might as well tell my little part
of the story. . ..

On Fri 27 Jan of this year Jim Warren and I got mail from Gail [a
Well conference manager] asking about an unusually large amount
of storage (over 150 MB) in a comp account that had been granted
to the Computers, Freedom and Privacy conference. ...

. . . The files contained email addressed to
[email protected]
I
didn't recognize the name until later that evening when the 2.8 Jan
issue of the New York Times landed on my door step.

On the front page of the biz section was an article by John Markoff
detailing the break in that had been suffered by Tsutomu Shimo-
mura... .

Well, alarm bells went off in my head, and I immediately contacted
Gail, who put me in touch with Pei [Chen]. I also contacted Mark-
off. ... He immediately put me in touch with Shimomura. . . .

I then put Shimomura in direct contact with Pei and advised Pei
that law enforcement should probably be called in as well. From
there on, Shimomura, who was already on a crusade to catch the
intruder, worked closely with Pei and the tech staff to help law
enforcement catch him... .

. . . WELL management acted in an exemplary fashion in a difficult
situation, striking a balance between the interests of the users of
this system and a sense of duty to heip law enforcement deal with a
serious threat to the entire Net community.. ..

At 7:32 p.m. Chris Goggans questions whether Mitnick was the first
or the last hacker to crack the Well. Goggans ought to know. He's

the editor of the online hacker quarterly
Phrack,
and is renowned
online as Bloodaxe, a notorious Legion of Doom hacker:

#114

Here is my question regarding these events (which are by no means
over with the sole bust of kevin mitnick since he was not even
CLOSE to being the sole perp [perpetrator] with regards to hacking
The WELL)....

Now that we have all openly admitted that the well was cracked
WIDE OPEN, will all of the happy admins, please reassure all of us
that THE ENTIRE SYSTEM will be reinstalled from distribution
CD's, and that patches will be reinstalled on ALL WELL MA-
CHINES before the event grows fuzzy in peoples recollections?

... Telling everyone to change their passwords now is like telling
everyone that its over. It aint...."

At 7:3 5 p.m Hua-Pei Chen, the Well's technical manager, rejects the
story that the Well was broken into last November.

#116

I SINCERELY do not remember you [Lewis] mentioned anything
about root access/passwords on the well....

Again, I don't think any SPECULATION is going to help us at all.
Spreading rumors or doubts will also help nothing....

But an hour later at 8:36 p.m. Lewis stands firm. The Well had been
hacked last November. He's sure of it.

#138

Pei:

Everything I posted is very above-board. Not one word was made up.

At the time it was clear that the individual I spoke ... [to] was
*convinced* that the individual in question had access to many
parts of the WELL. Other things that were known at the time: there
were unreasonably high LAVs [load averages] which at the time

were *specifically* related to multiple ftp sessions. Some of those ftp
sessions we could not identify the source of. . ..

This I reported. I created a temporary directory in the support home
directory and deposited the files in question there, waiting for any-
one who wanted to look at them . .. and I decided after three days to
remove said temporary files after no resolution had been made.

I was very vocal about my perception of the situation at the time. I
mentioned it to most of the staff — and specifically all of Sup-
port. ... In my mind, there is no doubt that the WELL has been
insecure since that time.. ..

■ ■ •

It's hard to imagine why a former Well employee would make this
up, and I know he isn't. Lewis is talking about my Well account. I
told him that I believed a hacker had root access at the Well, and he
didn't dismiss my claim out of hand. He acknowledged the ease with
which a hacker could crack an inherently insecure Internet site like
the Well.

Now it's clear from his public post that he independently wit-
nessed a hacker gain root access at the Well. But in August of 1994,
Well employees told me a very different story. Then, they claimed it
was impossible to hack universal, root access.

Somehow I think Kevin Mitnick and a lot of other hackers would
disagree.

New York Times, February 16, 1995

A MOST-WANTED CYBERTHIEF IS CAUGHT IN HIS OWN WEB

By John Markoff

Special to the New York Times

Raleigh, N.C., Feb, 15 — After a search of more than two years, a
team of FBI agents early this morning captured a 31-year-old com-
puter expert accused of a long crime spree that includes the theft of
thousands of data files and at least 20,000 credit card numbers
from computer systems around the nation.

"He was clearly the most wanted computer hacker in the world,"
said Kent Walker, an assistant United States attorney in San Fran-
cisco who helped coordinate the investigation. "He allegedly had
access to corporate trade secrets worth billions of dollars. He was a
very big threat."

I'm sitting in the Atlanta airport, eating my runny eggs and chalky
biscuits after a sleepless, red-eye flight, staring at the dark brooding
eyes of Kevin Mitnick.

The hacker had joked with me that the government would turn
his case into a billion-dollar heist and he was right on the money.

The onetime parole violator is now the world's first billion-dollar
hacker, his mug glaring out from the
New York Times
front page for
the second time in a little more than six months. But Mitnick's multi-
billion-dollar crimes are only half the story. Tsutomu Shimomura's
dramatic detective work is what makes the Mitnick saga a digital
confrontation of cybergalactic proportions. Above the image of Mit-
nick on the front page, Markoff recounts yesterday's hearing in
Raleigh, when Mitnick met Shimomura for the first time in person.

"Hello, Tsutomu," Mr. Mitnick said. "I respect your skills."
Mr. Shimomura .. . nodded silently.

I skim the 1,500-plus-word story, looking for Mitnick's billion-
dollar crimes, but all I find is the small print on the 20,000 credit
card numbers: The FBI has no evidence Mitnick used any of the
cards. Could Mitnick, described in the
Times
as a grifter, a burglar, a
hardened computer criminal, have had 20,000 credit cards and not
charged even a dollar?

Markoff's cyberbust coverage is overwhelming: a good chunk of
the top left corner of the front page and virtually an entire inside
page — easily a hundred inches of newsprint. There's not just the
1,500-plus-word news story. There's another 2,100-word feature
that profiles Shimomura's role in the hunt. There's even an illus-
trated 300-plus-word sidebar headlined "Tactics of a High-Tech De-
tective," a step-by-step depiction of Shimomura's detective work,
that includes illustrations of the car Shimomura and his team drove
and a cartoon of Mitnick behind bars.

Impressive work, considering Markoff had to file the nearly 4,000
words within twelve hours of Mitnick's arrest. The writing is pol-
ished, especially Markoff's detailed profile of Shimomura's deft de-
tective work.

HOW A COMPUTER SLEUTH TRACED A DIGITAL TRAIL

By John Markoff

Raleigh, N.C., Feb. 15 — It takes a computer hacker to catch one.

Mr. Shimomura, who is 30, is a computational physicist with a
reputation as a brilliant cybersleuth ... made it his business to use

his considerable hacking skills to aid the Federal Bureau of Investi-
gation's inquiry into the crime spree....

The story of the investigation, particularly Mr. Shimomura's role, is
a tale of digital detective work in the ethereal world known as cy-
berspace.

Markoff's "Computer Sleuth" article reads like a cyberthriller. Two
dozen times the reporter repeats Shimomura's name. There's no
doubt who's the star. The FBI agents and Sprint technicians who
worked the case are unnamed bit players.

But while Markoff skims over the roles played by the FBI and the
phone company in the capture, he finds plenty of space to speculate
on Mitnick's crimes. He even finds room to name the companies he
believes Mitnick hacked.

Among the programs found at the Well ... was the software that
controls the operations of cellular telephones made by Motorola,
NEC, Nokia, Novatel, Oki. ...

Oki? That was the software Markoff previously had claimed was
hacked by Mark Lottor, the federally indicted hacker, with the help of
an unnamed accomplice. Was the Oki software part of the billions of
dollars of swiped trade secrets alleged by the Assistant U.S. Attorney?

The
Times
presents its facts in an odd fashion. For instance, the
main story and sidebar conflict on the "crime" that led the
Times coverage. Markoff says the 20,000 "stolen" credit cards are from
"computer systems from around the nation." But next to a graphic of
dozens of credit cards, the sidebar reveals the numbers are in fact
from Netcom, a single Internet provider based in San Jose.

I return to the part of "Computer Sleuth," where Markoff de-
scribes the San Francisco Assistant U.S. Attorney's role in the capture.

Subpoenas issued by Kent Walker, an assistant United States attor-
ney in San Francisco, had begun to yield results from telephone
company calling records. And now came data from Mr. Walker
showing that telephone calls had been placed to Netcom's dial-in
phone bank in Raleigh through a cellular telephone modem.