Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (16 page)

Authors: Kevin Mitnick, Steve Wozniak, William L. Simon


Soon I was transferred to the Federal prison camp at Lompoc. What a difference: there was dormitory housing instead of cells, and not even a fence around the place. I was sharing my new digs with the who’s who of white-collar crime. My fellow inmates even included a former Federal judge who had been convicted of tax evasion.

My weight had spiked back up to 240 while I was in solitary, since I had been living mostly on comfort food from the commissary—goodies like Hershey bars dipped in peanut butter. Hey, when you’re in solitary, anything that makes you feel a little better is a good thing, right?

But now, at Lompoc, another inmate, a cool guy named Roger Wilson, talked me into doing lots of walking and exercising as well as eating healthier foods such as rice and veggies and the like. It was hard for me to get started, but with his encouragement, I succeeded. It was the beginning of a change in my lifestyle that would remake me, at least in terms of my body image.

Once when I was sitting on a wooden bench, waiting in line to use the phone, Ivan Boesky sat down next to me with a coffee in hand. Everybody knew who he was: a onetime billionaire financial genius who had been convicted of insider trading. And it turned out he knew who I was, too: “Hey, Mitnick,” he said, “how much money did you make hacking those computers?”

“I didn’t do it for the money; I did it for the entertainment,” I replied.

He said something like, “You’re in prison, and you didn’t make any money. Isn’t that stupid?” Like he was looking down his nose at me. At that exact moment, I happened to spot a roach floating in his coffee. Smiling, I pointed at it and said, “This place isn’t like the Helmsley, is it?”

Boesky never answered. He just got up and walked away.

After almost four months at Lompoc, I was coming up for release to the halfway house, a place called “Beit T’Shuvah.” I was told the name was Hebrew for “House of Return.” Beit T’Shuvah used the 12-step program, designed for people with drug, alcohol, and other addictions.

My imminent move to a halfway house was the good news. The bad news was that a Probation Officer had called Bonnie to make an appointment to “inspect” the apartment she was then living in, explaining that he had to approve my future living arrangements before I was released. For Bonnie, that was the last straw. She felt she had been through enough and couldn’t dance this dance anymore. “You don’t need to inspect my apartment,” she told the guy. “My husband won’t be living here.” On her next visit, she gave me the bad news: she was filing for divorce.

She now says, “It was a very painful time for me. I thought I had failed. It was scary. I was too afraid to leave Kevin, but too afraid to stay. The fear of staying just became too big.”

I was stunned. We had been planning to spend the rest of our lives together, and now she had changed her mind just as I was nearing release. I felt as if a ton of bricks had been dropped on me. I was really hurt, and totally shocked.

Bonnie agreed to come to the halfway house for a couple of marriage-counseling sessions with me. They didn’t help.

I was deeply disappointed about her decision to end our marriage. What could account for her sudden change of heart? There must be another guy, I thought—somebody else was in the picture. I figured that by checking out the messages on her answering machine, I could find out who it was. I felt bad about doing it, but I needed to know the truth.

I knew Bonnie’s answering machine was a RadioShack product because I recognized the jingle it played to prompt the caller to leave a message. I also knew that with this particular machine, you could retrieve messages remotely, but only if you had the handheld device that came with it, which emitted a special set of tones to turn on the playback. How could I get around that and listen to her messages without the remote beeper?

I called a RadioShack store and described the type of answering machine she had, then added that I had lost my beeper and needed to buy another. The salesman said there were four possible beepers for the various models of that particular answering machine—A, B, C, and D—each of which played a different sequence of tones. I said, “I’m a musician, so I’ve got a good ear.” He wanted me to come down to the store, but I couldn’t leave the halfway house because new arrivals weren’t permitted to leave the premises for the first thirty days they were there. I pleaded with him to open one of each type, put batteries in the remotes, and then play each remote so I could hear it.

My persistence paid off: the guy went to the trouble of setting up the four remotes and playing each of their tones for me. I had a microcassette-tape recorder running the whole time, pressed to the telephone receiver.

Afterward, I called Bonnie’s phone and played back the tones through the receiver. The third one did the trick. I heard Bonnie leave a message on her own phone, presumably from work. After the call had gone to the machine, some guy in her apartment picked up, and the tape recorded both sides of their conversation as she told him about “how great it was to spend time with you.”

Eavesdropping on her messages was a stupid thing for me to do because it just made the pain I was already feeling that much worse. But it confirmed my suspicions. I was pretty upset that she had been lying to me. I was desperate enough to actually consider sneaking out of the halfway house to see her. Luckily I stopped myself, knowing what a huge mistake that would be.

After that first month, I was allowed to leave the halfway house for some selected appointments and visits. I often went to see Bonnie, trying to win her back. On one of those visits, I noticed that she’d carelessly left her latest phone bill sitting on the table. It showed that she’d been spending hours on the phone with Lewis De Payne, who until that moment I’d still believed was my closest friend.

Well, of course, I had to find out for sure. I casually asked if she ever heard from any of my buddies, like Lewis.

She lied, flatly denying having ever been in touch with him at all—and confirming my worst fear. In my mind, she had completely blindsided me. Where were the faith and trust that I thought I had finally found in her? I confronted her but got nowhere. I was devastated. Licking my wounds, I walked out and cut off all contact with her for a long time.

Soon after, she moved in with Lewis. To me it made no sense at all: she was leaving a guy with a hacking addiction for another guy with the same propensities. But more important was that Bonnie hadn’t been just my girlfriend: she had been my wife. And now she’d taken up with my best friend.

After my release, I traded my hacking addiction for an addiction of a different kind: I became an obsessive gym rat, working out for hours every day.

I was also able to find a short-term job as a tech-support person for a firm called Case Care, but that lasted only three months. When it ended, I obtained permission from the Probation Office to relocate to Las Vegas, where my mom had moved and would welcome me living with her until I could get my own place.

Over a period of months, I dropped a hundred pounds. That put me in the best shape of my life. And I wasn’t hacking. I was feeling great, and if you had asked me then, I would have said the hacking days were all behind me.

That was what I thought.

The Kevin Mitnick Discount Plan
 

Hsle td esp epcx qzc dzqehlcp mfcypo zy esp nsta esle Yzglepw dpye xp?

 

Imagine a trade-show floor with 2 million square feet of space, packed with 200,000 people crammed wall to wall, sounding like they’re all talking at once, mostly in Japanese, Taiwanese, and Mandarin. That’s what the Las Vegas Convention Center was like in 1991 during CES, the annual Consumer Electronics Show—a candy store, drawing one of the biggest crowds in the world.

I had traveled across town to be there one day during the show, but not just to visit the booths or see the new electronic gadgets that would dazzle buyers the next Christmas. I was there for the background noise. It was essential for an air of believability on the phone call I was about to place.

This was the challenge: I had a Novatel PTR-825 cell phone, which back then was one of the hottest phones on the market. I wanted to feel safe talking to my friends on it, and not have to wonder if somebody from the FBI or local law enforcement was listening in. I knew a way that might be possible. Now I was trying to find out if what I had in mind could really work.

My plan was based on a trick involving the phone’s electronic serial number, or “ESN.” As every phone hacker knows, each cell phone has a unique ESN, which gets transmitted along with the mobile phone number, or MIN, to the nearest cell tower. It’s part of how the cell phone company validates that a caller is a legitimate subscriber, and part of how it knows whom to charge calls to.

If I could keep changing my phone so it would transmit the MINs and ESNs of legitimate subscribers, then my calls would be completely safe: every attempt to trace a call would lead to some stranger, the person who owned the real phone associated with the ESN that I was using at the moment. (Okay, the customer would also have to explain to the phone company that he hadn’t made the extra calls he was being charged for, but he wouldn’t be responsible for paying the charges for those unauthorized calls.)

From a Convention Center pay phone, I dialed a number in Calgary, Alberta, Canada. “Novatel,” a lady’s voice came down the line.

“Hi,” I said. “I need to talk to someone in Engineering.”

“Where are you calling from?” she wanted to know.

As always, I had done my research. “I’m with Engineering in Fort Worth.”

“You should be speaking to the engineering manager, Fred Walker, but he’s not in today. Can I take your number and have Mr. Walker call you tomorrow?”

“It’s urgent,” I said. “Let me speak to whoever’s available in his department.”

Moments later, a man with a Japanese accent came on the line and gave his name as Kumamoto.

“Kumamoto-san, this is Mike Bishop, from Fort Worth,” I said, using a name I had read off a Consumer Electronics Show electronic message board only moments earlier. “I usually talk to Fred Walker, but he’s not in. I’m at CES in Vegas.” I was counting on the actual background noise to lend credence to the claim. “We’re doing some testing for a demonstration. Is there a way to change the ESN from the phone’s keypad?”

“Absolutely not. It’s against FCC regulations.”

That was a bummer. My great idea had just gotten shot down.

No, wait. Kumamoto-san was still talking.

“We do have a special version of the firmware, version 1.05. It lets you change the ESN from the phone keypad if you know the secret programming steps.”

Suddenly I was back in the game. A phone’s “firmware” is its operating system, embedded on a special kind of computer chip called an EPROM.

The trick at a moment like this is not to let your excitement come through in your voice. I asked a question that would sound like a challenge: “Why does it allow changing the ESN?”

“The FCC requires it for testing,” he said.

“How can I get a copy?” I thought maybe he’d say he would send me a phone with that version of the firmware.

“I can send a chip,” he said. “You can replace it in the phone.”

Fantastic. This might be even better than getting a whole new phone, if I could just push the guy a little further.

“Can you burn four or five of the EPROMs for me?”

“Yes.”

Excellent, but now I had hit a snag: how was I going to have them sent to me without giving my real name and a delivery address that could be tracked?

“Burn them for me,” I told him. “I’ll call you back.”

I was pretty sure those chips would make me the only person outside Novatel who could change the number of his Novatel cell phone just by pressing the buttons on his keypad. Not only would it let me talk for free, but it would give me a cloak of invisibility, guaranteeing my conversations would be private. And it would also give me a safe callback number anytime I wanted to social-engineer a target company.

But how was I going to get that package sent to me without being caught?

If you were in my shoes at this point, how would you arrange to get hold of those chips? Think about it for a minute.

The answer wasn’t all that hard. It was in two parts, and it came to me in an instant. I called Novatel again and asked for the secretary to Kumamoto-san’s manager, Fred Walker. I told her, “Kumamoto-san from Engineering is going to drop off something for me. I’m working with our people at the booth at CES, but I’m here in Calgary for the day. I’ll come by and pick it up this afternoon.”

Kumamoto-san was already busy burning the chips for me when I got him back on the phone and asked him to pack them up when they were ready and drop them off with Walker’s secretary. After spending a couple of hours wandering the convention floor, soaking up what was new in the world of electronics and cell phones, I was ready for my next step.

About twenty minutes before quitting time (Calgary is an hour ahead of Las Vegas), I got the secretary on the phone again. “I’m at the airport on the way back to Las Vegas unexpectedly—they were having problems at the booth. That package Kumamoto-san left for me, can you FedEx it to my hotel there? I’m staying at Circus Circus.” I had already made a reservation for the next day at Circus Circus under the name “Mike Bishop”; the clerk hadn’t even asked for a credit card. I gave the secretary the address of the hotel and spelled the Mike Bishop name just to be sure she had it right.
