Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
Authors: Kevin Mitnick,Steve Wozniak,William L. Simon
Meanwhile I was also piecing together a picture of people Uncle Mitchell had been talking to in the hours before Adam’s death. I was able to social-engineer employees at PacTel Cellular and get his call detail records, hoping these would show me whether Mitchell had been making calls one after another, suggesting a sense of urgency or panic, or calls to other friends he might have been asking for help.
Nothing.
I tried PacTel Cellular again, hoping to find out which cell phone sites Mitchell’s calls had been relayed through, which might show whether he had been near Echo Park, where Adam’s body had been abandoned. But I couldn’t find anyone who knew how to access the records I wanted. Either PacTel wasn’t storing that data, or I just wasn’t managing to find the people who knew which system had access to the database it was in and how to retrieve it.
All in a good but ultimately worthless cause, I had slipped back into my full-blown hacker way of life.
My road had come to a dead end. I had tried every tactic I knew and gotten nowhere: I didn’t have much more insight into Adam’s death than I’d had when my father first called me about it. I was angry and frustrated, miserable at not being able to give my father and myself the satisfaction of having discovered at least some morsels of useful information.
Closure to this sad episode would come only many years later.
My dad stopped talking to Mitchell, convinced he was responsible for Adam’s death. The two brothers would not speak to each other again until the very end of my father’s life, when he was suffering the ravages of lung cancer.
As I write this, Uncle Mitchell has just died. At the family gathering, one of his ex-wives took me aside. In embarrassment, she said, “I’ve been wanting to tell you this for a long time. Mitchell wasn’t a nice man. The night that Adam died, Mitchell called me. He was so upset I could hardly understand him. He said he and Adam had been shooting up together and Adam had gotten too big a dose and keeled over. Mitchell panicked. He shook Adam, he put him in the shower, but nothing helped.
“He called me to ask for help. I refused to be involved. So he called a drug dealer he knew, who helped get Adam’s shoes on and carry the body into Adam’s car. They drove in two cars to Echo Park, left Adam dead in his car, and drove away.”
So my father had been right all along. Instead of calling 911, Mitchell had sacrificed a nephew he loved to save his own neck.
I can feel myself getting angry again as I write this.
I had believed all along that Mitchell was somehow involved, yet now, hearing the truth, I felt sick to my stomach that he had been capable of such a thing, and that he had died without ever admitting it. This man whom I had loved and respected and looked up to had not been able, even on his deathbed, to tell me the truth.
Yhlt xak tzg iytfrfad RanBfld squtpm uhst uquwd ce mswf tz wjrwtsr a
wioe lhsv Ecid mwnlkoyee bmt oquwdo’t ledn mp acomt?
I had become so wrapped up in investigating Adam’s death that I needed a break—something else to focus my attention on that wasn’t so emotional. For me, the diversion I needed wasn’t hard to find: I would go back and tackle Neill Clift, the Brit who had been finding all the security holes in DEC’s VMS operating system. How could I trick him into giving me all the security bugs he had found?
From messages I had been reading, I knew that Clift had long craved a job at DEC; maybe that could be my opening. I duped British Telecom into giving me his unlisted home telephone number and called him, introducing myself as Derrell Piper, the name of an actual Digital software engineer in VMS Development. I told him, “We’ve got a hiring freeze right now, but despite that we may be hiring some security engineers. Your name came up because you’ve been so helpful in finding security vulnerabilities and sharing them with us.” And I went on to talk to him about some DEC manuals I knew he wanted.
At the end of the call, I said, “Well, nice talking to you, it’s been a long time.”
Oops—big mistake. The two men had never spoken before.
Later I would learn that Neill called well-known security consultant Ray Kaplan, who he knew had interviewed me on his “Meet the Enemy” conference series. Ray played a portion of the tape.
Neill had to listen for only a few moments before confirming, “Yes—the guy who called me was Kevin Mitnick.” The next time we spoke, Ray told me, “I guess you’re still doing some social engineering.”
Confused, I asked, “What do you mean?”
“Neill called me. I played a piece of the interview I did with you. He recognized your voice and said you’ve been calling him.”
Of course, all this time I was also still in contact with Eric Heinz, who kept bringing up Kevin Poulsen’s name. I had never met Poulsen but had read enough and heard enough to admire his hacking achievements. It was strange that we had never met, never hacked together, because we were close to the same age and had grown up just a few miles apart. He would later explain that he started learning about phone phreaking some time after I did—I was already famous in the hacker community when he was still a neophyte.
Lewis and I were both eager to find out more from Eric about what he and Poulsen had been doing together. In one phone conversation, Eric again rattled off the names of Pacific Bell systems he and Poulsen had gained control over. The list was familiar, all except one that I had never heard of: “SAS.”
“What’s SAS?” I asked.
“It’s an internal testing system that can be used to monitor a line.”
In phone company lingo, “monitor” is a tactful word for wiretap.
I told Eric, “With switch access, you can monitor a line anytime.” I figured he’d understand: the phone company’s 1A ESS switches had a “talk & monitor” feature that let you pop in on a line and listen to the conversation.
Eric said, “SAS is better.”
He claimed that he and Poulsen had made a nighttime visit to the Sunset central office in West Hollywood. But their visit had turned up some things they hadn’t seen before. They found the place strange: unlike other COs, it was equipped with unusual computer terminals and tape drives, “looking like something from an alien planet.” One refrigerator-sized box had various types of equipment humming inside it. They came across a manual identifying the device as a Switched Access Services unit—SAS for short. When Poulsen started leafing through the manual, he realized that SAS was meant for line testing, which sounded like it meant you could connect onto any phone line.
But was it just for checking that the line was working? Or could you pick up conversations?
Poulsen started fiddling with the SAS control terminal. Punching in the number of a pay phone he sometimes used, he confirmed that, yes, you could drop in on a line and hear the conversation.
He went back into the CO on another night with a tape recorder so he could capture the data being sent out from the SAS equipment. He wanted to try to reverse-engineer the protocol at home and give himself the same capabilities.
I had to have access to this system. But when I asked for details, Eric clammed up and quickly changed the subject.
I started researching it the very next day.
The mysterious SAS was just what I had been lacking in my life: a puzzle to be solved, an adventure with hazards. It was unbelievable that in my years of phone phreaking, I had never heard about it. Intriguing. I felt, Wow, I gotta figure this out.
From my earlier nocturnal visits to phone company offices, as well as reading every telephone company manual I could get my hands on and social-engineering phone company employees since I was in high school, I had a well-developed knowledge of the different departments, processes, procedures, and phone numbers within Pacific Bell. There probably weren’t a lot of people inside the company who knew the structure of the working organization better than I did.
I began calling various internal departments. My line was, “I’m with Engineering. Does your group use SAS?” After half a dozen calls, I found a guy in an office in Pasadena who knew what I was talking about.
For most people, I guess, the toughest part of a ruse like this would be figuring out a way to get hold of the desired knowledge. I wanted to know how to gain access to SAS, as well as the commands that would let me take control of it. But I wanted to go about it in a safer way than Eric and Kevin Poulsen had done; I wanted to do it without having to physically enter a Pacific Bell facility.
I asked the guy in Pasadena who knew about SAS to pull a copy of the manual off the shelf for me. When he came back on the line with it, I asked him to open it up and read me the copyright notice.
The copyright notice?
Sure—that gave me the name of the company that had developed the product. But from there, I hit a snag. The company had gone out of business.
The LexisNexis database maintains massive online files of old newspaper and magazine articles, legal records, and corporate material. As you might guess, the fact that a company has gone out of business doesn’t mean that LexisNexis has deleted the files about it. I found the names of some individuals who had worked for the company that had developed SAS, including one of its officers. The company had been based in Northern California. I did a telephone directory search in that area and came up with the officer’s phone number.
He was home when I called. I told him I was with Pacific Bell Engineering, that we wanted to make some customized improvements to our “SAS infrastructure,” and that I needed to talk to someone who knew the technology. He wasn’t the least bit suspicious. He said it would take him a couple of minutes, then came back on the phone and gave me the name and phone number of the guy who had been the lead engineer in charge of the product development team.
One more thing to do before placing the crucial phone call. At that time, Pacific Bell internal phone numbers began with the prefix 811; anybody who had done business with the company might know that. I hacked into a Pacific Bell switch and set up an unused 811 number, then added call forwarding and forwarded it to the cloned cell phone number I was using that day.
The name I gave when I called the developer was one I still remember: Marnix van Ammers, the name of a real Pacific Bell switching engineer. I gave him the same story about needing to do some integration with our SAS units. “I’ve got the user’s manual,” I told him, “but it doesn’t help for what we’re trying to do. We need the actual protocols that are used between the SAS equipment in our testing centers and the central offices.”
I had dropped the name of an executive at his old company and was using the name of a real Pacific Bell engineer. And I didn’t sound nervous; I wasn’t stumbling over my words. Nothing about my call set off alarm bells. He said, “I might still have the files on my computer. Hang on.”
After a couple of minutes, he came back on the line. “Okay, I found them. Where do you want me to send them?”
I was too impatient for that. “I’m under the gun here,” I said. “Can you fax them?” He said there was too much material for him to fax the whole thing, but he could send a fax with the pages he thought would be most useful, and then mail or FedEx me a floppy with the complete files. For the fax, I gave him a phone number I knew by heart. It wasn’t to a fax machine at Pacific Bell, of course, but it was in the same area code. It was the fax number for a convenient Kinko’s. This was always a little risky because many machines, when they’re sending a fax, display the name of the machine they’re connecting to. I always worried someone would notice the tag saying “Kinko’s store #267” or whatever: dead giveaway. But as far as I can recall, no one ever did.
The FedEx was almost as easy. I gave the engineer the address of one of those places where you could rent a mailbox and have packages held for you, and I spelled out the name of the Pacific Bell employee I was claiming to be, Marnix van Ammers. I thanked him, and we chatted for a bit. Chatting is the kind of extra little friendly touch that leaves people with a good feeling and makes after-the-fact suspicions that much less likely.
Even though I had been practicing the art of social engineering for years, I couldn’t help but be amazed and a little dazzled by how easy this had been. One of those moments when you feel that runner’s high, or as if you’d won a jackpot in Vegas—the endorphins are rushing through your body.
That same afternoon, I drove to the mailbox rental store to set up a box in Van Ammers’s name. They always require ID for this. No problem. I explained, “I’ve just moved here from Utah, and my wallet was stolen. I need an address where they can mail me a copy of my birth certificate so I can get a driver’s license. I’ll show you the ID as soon as I get it.” Yes, they were violating postal regulations by renting me a box without seeing my ID, but these places are always eager for new business; they don’t really want to turn anybody away. A decent explanation is often all it takes.
By that evening, I had the fax in my hands—the basic information that I hoped would allow me to wiretap any Pacific Bell phone in all of Southern California. But we still had to figure out how to use the SAS protocols.
Lewis and I attacked the puzzle of trying to figure out how SAS worked from a number of different angles. The system gave a technician the ability to connect to any phone line, so he could run tests to find out why a customer was hearing noise on his line or whatever the problem was. The tech would instruct SAS to dial in to the particular CO that handled the telephone line to be tested. It would initiate a call to a part of the SAS infrastructure at the CO known as a “remote access test point,” or RATP.