Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (10 page)

Obviously I couldn’t drive, since the only license I had was in my real name, and there was a warrant out for my arrest. So to get around the neighborhood, I bought a bike.

I’d ride to the local library and spend hours reading. For something else to keep my mind engaged, I signed up for a course at the local
college—in Criminal Justice. The instructor was a sitting criminal court judge in Butte County. During the course, he played tapes of confessions. And then lectured how naive the suspects were to talk to the police without a lawyer. He once said, “Most criminals believe they can talk their way out of trouble.” I smiled, knowing that was great advice. It amused me to wonder what he would have thought if he had found out that a student sitting in the front row of the class had a fugitive warrant out for him.

I stuck with the
Green Acres
lifestyle for four months, until a call to my attorney confirmed that he had received a copy of the CYA discharge paper indicating they no longer had jurisdiction over me. The attorney pointed out that it was a “dishonorable” discharge. I just laughed. Who’d give a damn if it was dishonorable? It was never that honorable to start with. It’s not like I’d left the armed forces.

Within days, I was back in Los Angeles, full of anticipation. Lenny DiCicco had landed a job at Hughes Aircraft as a computer operator and he was eager for me to come over and visit. Even better, Lenny said he had something to share with me, something he didn’t want to tell me over the phone. I wondered what it could be.

I
n his time at Hughes Aircraft, Lenny DiCicco told me, he had become buddy-buddy with a lady security guard. I was to come see him on a night when this lady would be on duty, and say I was a DEC employee. When I showed up, she signed me in with a wink, not asking to see any ID.

Lenny arrived to escort me from the lobby, barely able to control his excitement, but still arrogant and full of himself. He led me to a Hughes VAX computer that had access to the Arpanet, linking a collection of universities, research labs, government contractors, and the like. Typing commands, he told me he was accessing a computer system called Dockmaster, which was owned by the National Computer Security Center (NCSC), a public arm of the supersecret National Security Agency. We were elated, knowing that this was the closest we’d ever come to establishing a real connection to the NSA.

Bragging about his social engineering, Lenny said he had pretended to be a member of the National Computer Security Center’s IT Team and conned a worker there named T. Arnold into revealing his credentials to the system. Lenny was practically dancing with pride. He was still such a geek, it seemed like he must be high on some great dope when he boasted, “I’m as good a social engineer as you are, Kevin!”

We fished around for maybe an hour but came up only with uninteresting information.

Much later, that hour would come back to haunt me.

I was sure there was some way I could fast-track my computer skills to something that could land me a job I coveted: working for General Telephone. I found out the company was actively recruiting graduates from a technical school called the Computer Learning Center. It was an easy drive from my place and I could earn a certificate by going to school there for only six months.

A Federal Pell Grant plus a student loan paid my way, and my mom came up with the bread for some of the extra expenses. The school required male students to wear a suit and tie to class every day. I hadn’t dressed like that since my bar mitzvah at age thirteen, and now, since I was twenty-three and fairly beefed out, that suit would have been a pretty miserable fit. Mom’s cash paid for two new suits.

I really enjoyed programming in “assembler language,” more challenging because the programmer has to master many technical details, but yielding much more efficient code that uses a much smaller memory footprint. Coding in this lower-level language was fun. It felt like I had more control over my applications: I was coding much closer to the machine level than using a higher-level programming language such as COBOL. The classwork was routine to somewhat challenging, but also fascinating. I was doing what I loved: learning more about computer systems and programming. When the subject of hacking came up every now and then, I played dumb, just listening.

But of course, I was continuing to hack. I had been playing cat-and-mouse games with Pacific Bell, as the former Pacific Telephone had restyled itself. Every time I figured out a new way of getting into the company’s switches, somebody there would eventually figure out a way of blocking my access. I’d use the dial-up numbers that RCMAC was using to connect to various switches to process service orders and they’d catch on, then change the dial-up numbers or restrict them so I couldn’t dial in. And then I would remove the restriction when they weren’t paying attention. It went back and forth for months. Their constant interference had gotten to the point where hacking into Pacific Bell switches was getting to be more like work.

Then I got the idea of trying out a higher-level approach: attacking
their Switching Control Center System, or SCCS. If I could do that, I’d have just as much control as if I’d been sitting in front of the switches themselves, able to do whatever I wanted without having to social-engineer clueless technicians day after day. Ultimate access and power could be mine.

I started with an attack aimed at the SCCS at Oakland, in Northern California. On my first call, I planned to say I was from ESAC (the Electronic Systems Assistance Center), providing support for all the SCCS software deployed throughout the company. So I did my research, coming up with the name of a legit ESAC worker, then claiming, “I need to get into the Oakland SCCS but our Data kit equipment is down for maintenance, so I’ll have to get access through dial-up.”

“No sweat.”

The man I had reached gave me the dial-up number and a series of passwords, and stayed on the line with me, talking me through each step.

Oops, this was a system with “dial back” security: you had to enter a phone number and wait for the computer to ring you back. What now?

“Look, I’m off-site at a remote office,” I said off the top of my head. “So I won’t be able to take a callback.”

I had magically hit on a reasonable-sounding excuse. “Sure, I can program it to bypass the dial back when you log in with your username,” he assured me—defeating the company’s elaborate security that would otherwise have required that I be at an authorized callback number.

Lenny joined me in the SCCS break-in effort. Each one we got into gave us access to five or six central-office switches, with full control over them, so we were able to do anything a tech who was in the CO could do, sitting at the switch. We could trace lines, create new phone numbers, disconnect any phone number, add/remove custom calling features, set up traps-and-traces, and access logs from traps-and-traces. (A trap-and-trace is a feature placed on a line that captures incoming numbers, usually placed on customers’ lines if they are the victim of harassing phone calls.)

Lenny and I put a huge amount of time into this, from late 1985 through much of 1986. We eventually got into the switches for all of Pacific Bell, then Manhattan, then Utah and Nevada, and in time many others throughout the country. Among these was the Chesapeake and Potomac Telephone Company, or C&P, which served the Washington,
DC, area, including all of the DC-based departments of the Federal government as well as the Pentagon.

The National Security Agency temptation was an itch I couldn’t resist. NSA’s telephone service was provided through a phone company switch in Laurel, Maryland, which we had already gained access to. Directory assistance listed the agency’s public phone number as 301 688-6311. After randomly checking out several numbers with the same prefix, I proceeded on the reasonable hunch that NSA was assigned the entire prefix. Using a test function for switch technicians called “Talk & Monitor,” I was able to set up a circuit to listen to random calls in progress. I popped in on one line and heard a man and a woman talking. Hardly able to believe I was actually listening in on the NSA, I was thrilled and nervous at the same time. The irony was great—I was wiretapping the world’s biggest wiretappers.

Okay, I’d proved I could do it… time to get out, in a hurry. I didn’t stay on long enough to hear what they were talking about, and I didn’t want to know. If the call had been really sensitive, I’m sure it would have been on a secure line, but even so, it was way too risky. The likelihood of my getting caught was slim if I just did it once and didn’t ever go back.

The government never found out I had gained this access. And I wouldn’t be including it here, except the statute of limitations has long run its course.

For Lenny and me, it was thrilling every time we compromised another SCCS—like getting into higher and higher levels of a video game.

This was the most significant hacking of my career because of the immense control and power it gave us over the phone systems of much of the United States. And yet we never made any use of it. For us, the thrill lay simply in knowing we had gained the power.

Pacific Bell eventually found out about the access we had gained. Yet we were never arrested and charged because, I later learned, company management was afraid of what would happen if others found out what I had been able to do and started trying to duplicate my efforts.

Meanwhile Lenny’s accessing of Dockmaster had not gone unnoticed. NSA traced the break-in back to Hughes, which in turn traced it back to the computer room where Lenny was working on the night I visited. Security at Hughes questioned him first, then the FBI summoned
him for an official interview. Lenny hired an attorney who accompanied him to the meeting.

Lenny told the agents he and I had never done anything with Dockmaster. He was grilled several times by Hughes management. He stood his ground and wouldn’t point a finger at me. Much later, though, to save his own neck, he claimed that I had hacked into Dockmaster while I visited Hughes that evening. When they asked why he’d lied about my not being involved in the first place, he said he’d been afraid because I’d threatened to kill him if he gave me up. Clearly, he was desperately trying to come up with an excuse why he lied to Federal agents.

The visitors’ log showed that a Kevin Mitnick had indeed signed in as a guest of Lenny’s. Of course he was summarily canned from Hughes.

Two years later I would be accused of possessing secret access codes for the NSA, when I actually only had the output of a “whois” command—which showed the names and telephone numbers of registered users with accounts on Dockmaster—something readily available to anyone with access to the Arpanet.

Meanwhile, back at the computer school, the students weren’t all guys. One of the girls was a cute, petite coed named Bonnie. I wasn’t exactly the most attractive guy around, carrying all the extra weight I had put on ever since that friend from my preteen bus-riding days had introduced me to junk food as a basic food group. I was weighing in at around fifty-five pounds overweight. “Obese” would have been a more-than-polite term.

Still, I thought she was really cute. When we were both in the computer room working on school projects, I started sending messages to her across the room, asking her not to stop any of my programs that were running at a higher priority, and her replies were friendly enough. I asked her out to dinner. She said, “I can’t. I’m engaged.” But I had learned from my hacking not to give up easily; there’s usually a way. A couple of days later I asked again about dinner, and told her she had a beautiful smile. And whaddaya know? This time she accepted.

Later, she told me she thought her fiancé might be lying to her about his finances—what cars he owned and how much he owed on them. I told her, “I can find out if you want.” She said, “Yes, please.”

I had lucked my way into accessing TRW, the credit-reporting company, while still in high school. Nothing clever about this. One night I
went out to the back of Galpin Ford in the San Fernando Valley and dug through the trash. It took about fifteen minutes, but my little Dumpster-diving expedition paid off. I found a bunch of credit reports on people buying cars from the dealership. Incredibly, printed out on each report was Galpin’s access code for TRW. (Even more incredible: they were still printing out the access code on each credit report
years
later.)

In those days, TRW was very helpful to its clients. If you called in and gave a merchant’s name and the correct access code, and explained that you didn’t know the procedure, the nice lady would talk you through every step of getting a person’s credit report. Very helpful to real clients, very helpful as well to hackers like me.

So when Bonnie said she’d like me to look into what her boyfriend was really up to, I had all the tricks I needed. A call to TRW and a few hours on the computer gave me his credit report, his bank balance, his property records. Suspicions confirmed: he was nowhere near as well-off as he had been claiming, and some of his assets were frozen. DMV records showed he still had a car he told Bonnie he had sold. I felt bad about all this—I wasn’t trying to undermine her relationship. But she broke off their engagement.

Within two or three weeks, when she had gotten over her initial emotions about the breakup, we started dating. Though six years older than I was and considerably more experienced at this game, she thought I was smart and good-looking, despite my weight. This was my first serious relationship; I was soaring.