Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (26 page)

I called the cell phone store back. The same young lady answered. I hung up, waited a bit, and tried again. This time I got a guy. I gave him “my” name, phone number, and account number. “I lost my last three invoices,” I said, and asked him to fax them to me right away. “I accidentally erased my address book off my cell phone and I need my bills to reconstruct it,” I said.

Within minutes, he was faxing the invoices. Driving a little too fast but not, I hoped, fast enough to get myself pulled over, I sped to Kinko’s. I wanted to know as soon as possible what was in those bills.

The fax turned out to be far more expensive than I expected. When I looked at Martinez’s bills, my jaw dropped. Each of the three monthly bills was nearly twenty pages long, listing well over a hundred calls. Many of them were to area code 202—Washington, DC—and there also were
lots
of calls to 310 477-6565, the Los Angeles headquarters of the FBI.

Oh, shit! One more confirmation Eric must be an FBI agent. The situation was getting more and more worrisome every time I turned over a new rock. Every lead I followed took me toward the people I most wanted to stay away from.

Hold on now. That wasn’t the only possibility. My new “friend” Eric Heinz might indeed be an agent himself, but on second thought, that was hard to believe—I’d found out by then that he wasn’t just hanging out at rock-and-roll clubs. The crowd he kept company with included our initial intermediary, Henry Spiegel, who had told me he once employed Susan Headley, aka Susan Thunder, that hacking hooker who had pointed a finger at me for breaking into the COSMOS center and once physically cut all the phone lines going to my mom’s condominium complex as an act of vengeance. And there were Eric’s own stories of having sex with a different stripper every night.

No, he sure didn’t sound like a kind of guy who would pass the FBI’s vetting process for would-be agents. So I figured that he probably wasn’t an agent at all. Maybe he was just a guy the Feds had something on, whom they had put to work as a confidential informant—a snitch. But why?

Only one explanation made sense: the FBI was trying to round up some hackers.

The Feds had targeted me before, and made sure the arrest got big media coverage. And now, if my suspicions were correct, the Bureau was dangling a carrot in front of me. By introducing Eric into my life, the agents were doing the equivalent of sticking a bottle of Scotch under the nose of a “reformed” alcoholic to see if they could bump him off the wagon.

Four years earlier, in 1988,
USA Today
had even superimposed my face over a huge picture of Darth Vader on the front page of its Money
section, tarring me as “the Darth Vader of the hacking world” and digging up the old label of “the Darkside Hacker.”

So maybe it shouldn’t seem surprising that the FBI might have decided to make me into a priority.

And it wouldn’t be hard. After all, when I was still just a young man, prosecutors had felt justified in manipulating a judge with that absurd story about my being able to launch a nuclear missile by calling NORAD and whistling into the phone. I felt damned certain they wouldn’t hesitate to do it again now if they had the chance.

The address on Mike Martinez’s cell phone bill turned out to be some attorney’s office in Beverly Hills.

I called the office claiming to be from One City Cellular, Martinez’s cell provider. “Your bill is past due,” I told the girl who answered. “Oh, we don’t pay those bills,” she said. “We just forward them to a post office box in Los Angeles,” and she gave me the box number and the address—the Federal Building at 11000 Wilshire Boulevard. Not good.

My next call was to the U.S. Postal Inspection Service, in Pasadena. “I need to send a complaint,” I said. “Who is the inspector for the Westwood area of Los Angeles?”

Using the inspector’s name, I called the post office in the Federal Building, asked for the postmaster, and said, “I need you to look up the application for this P.O. box and give me the name and address of the applicant.”

“That post office box is registered to the FBI here at 11000 Wilshire.”

The news didn’t come as a surprise.

So who was the person who was passing himself off as Mike Martinez? What was his relationship with the FBI?

Even though I was desperate to know how much the government had on me, probing further just didn’t make any sense. It would mean getting deeper and deeper into the situation, making it all the more likely that I would eventually be rounded up and sent back to prison. I couldn’t face that. But could I really resist the urge?

H
ave you ever walked down a dark street or through a shopping center parking lot late at night when nobody else is around and had the feeling somebody was following you or watching you?

I bet it sent chills up your spine.

That was how I felt about the mystery of the Wernle and Martinez names. Real people, or aliases of Eric Heinz’s?

I knew I had to give up the search and not chance getting caught hacking again… but maybe I could get just one more piece of the puzzle before I did. The Martinez phone bill had shown me the numbers of the people he was calling. Maybe I could get some clues by finding out who was calling
him
.

I needed to do what I call a “traffic analysis.” The process begins with looking at the call detail records (CDRs) of one person whose phone number you’ve identified and pulling information from those records. Whom does he call frequently? Who calls him? Does he sometimes make or receive a series of calls in close succession to or from certain people? Are there some people he mostly calls in the morning? In the evening? Are calls to certain phone numbers especially long? Especially short? And so on.

And then you do the same analysis of the people this person calls most often.

Next you ask, whom do
those
people call?

You’re beginning to get the picture: this effort was humongous, a process that was going to take up much of my spare time, hours a day. But I needed to know. There was no way around it: this effort was essential, regardless of the risk.

I felt my future depended on it.

I already had the last three months of Martinez’s cell phone records. For openers, I’d have to hack into PacTel Cellular and find out where all their real-time call detail records were located within the network, so I could search for any PacTel customer who had been calling Eric’s pager, voicemail, and home phone.

Wait, even better: if I was going to hack into PacTel anyway, I could also get the customer service records for every phone number Martinez called within their network, and I’d be able to discover who owned the phone being called.

I didn’t know much about the company’s naming conventions for internal systems, so I started with a call to the public customer service phone number used by people who wanted to sign up for a calling plan. Claiming to be from PacTel’s internal help desk, I asked, “Are you using CBIS?” (the abbreviation used in some telcos for “Customer Billing Information System”).

“No,” the customer service lady said. “I’m using CMB.”

“Oh, okay, thanks anyway.” I hung up, now possessing a key piece of information that would gain me credibility. I then called the internal Telecommunications Department, gave the name I had obtained of a manager in Accounting, and said we had a contractor coming to work on-site who would need a number assigned to him so he could receive voicemail. The lady I was talking to set up a voicemail account. I dialed it and set “3825” as a password. Then I left an outgoing voicemail message: “This is Ralph Miller. I’m away from my desk, please leave a message.”

My next call was to the IT Department to find out who managed CMB; it was a guy named Dave Fletchall. When I reached him, his first question was, “What’s your callback?” I gave him the internal extension number for my just-activated voicemail.

When I tried the “I’ll be off-site and need remote access” approach,
he said, “I can give you the dial-in, but for security reasons, we’re not allowed to give passwords over the telephone. Where’s your desk?”

I said, “I’m going to be out of the office today. Can you just seal it in an envelope and leave it with Mimi?”—dropping the name of a secretary in the same department, which I had uncovered as part of my information reconnaissance.

He didn’t see any problem with that.

“Can you do me a favor?” I said. “I’m on my way into a meeting, would you call my phone and leave the dial-up number?”

He didn’t see a problem with that, either.

Later that afternoon I called Mimi, said I was stuck in Dallas, and asked her to open the envelope Dave Fletchall had left and read the information to me, which she did. I told her to toss the note in the trash since I no longer needed it.

My endorphins were running and my fingers were flying. This was exciting stuff.

But it was always in the back of my mind that the people I was social-engineering might catch on partway through and feed me bogus information, hoping to catch me.

This time, no worries. As usual, it worked.

Oh, well—not entirely. I got to the CMB system, which handily turned out to be a VAX running my favorite operating system, VMS. But I wasn’t really a PacTel Cellular employee, so I didn’t have a legitimate account on the machine.

In a call to the Accounting Department, I posed as an IT staffer and asked to speak to someone who was currently logged in to CMB.

Melanie came on the line. I told her I worked with Dave Fletchall in IT and said we were troubleshooting a problem with CMB—did she have a few minutes to work with me?

Sure.

I asked her, “Have you changed your password lately? Because we’ve just done an upgrade to the software for changing passwords, and we want to make sure it’s working.”

No, she hadn’t changed her password lately.

“Melanie, what’s your email address?” At PacTel Cellular, an employee’s
email address was also his or her username, and I was going to need her username to log in to the system.

I asked her to close all her open applications, log out of the system, and then log back in, so I could determine whether she could access the operating system command line interface. Once I confirmed she could, I asked her, “Please type ‘set password.’ ”

She would then be looking at a prompt reading “Old password.”

“Type your old password, but don’t tell me what it is,” and I gave her a gentle lecture about never telling anyone her password.

At that point she would be looking at the “New password” prompt.

By now I was dialed in and standing by.

“Now enter ‘pactel1234,’ and when you get the next prompt, enter that password again. And hit Enter.”

The instant I heard her finish typing, I logged in with her username and the “pactel1234” password.

Now for multitasking in split-brain mode. I was feverishly typing away, entering a fifteen-line program that would exploit an unpatched VMS vulnerability, then compile and run it, setting myself up with a new account, and providing the account with full system privileges.

Meanwhile, through all of this, I was simultaneously feeding instructions to Melanie. “Now please log off your account…. Now log in again with the new password…. You got in okay? Great. Now open all the applications you were using before and check to make sure they’re working the way they should…. They are? Fine.” And I walked her through the “set password” process again, once more cautioning her not to tell me or anyone else the new password she was setting up.

I had now gained full access to PacTel’s VMS cluster, which meant I could access customer account information, billing records, electronic serial numbers, and much more. This was a major coup. I told her how much I appreciated her help.

It wasn’t as if I was home free now. I spent the next couple of days finding out where the CDRs were stored and maneuvering for access to the customer service applications, so I’d be able to probe at leisure to find the name, the address, and all sorts of other information on every phone account.

The CDRs were on a
huge
disk, storing near real-time data on every
call to and from customers in the LA market for the previous thirty days or so—a bunch of very large files. I could search right on the system, though every search took me something like ten to fifteen minutes.

Since I already had Eric’s pager number, that was my entry point. Had anyone on PacTel called Eric’s pager, 213 701-6852? Of the half dozen or so calls I found, two jumped out at me. Here are the listings, exactly as they appeared on the PacTel records:

2135077782 0 920305 0028 15 2137016852 LOS ANGELE CA

2135006418 0 920304 1953 19 2137016852 LOS ANGELE CA

The “213” numbers at the beginning of each line are the calling numbers. The number groups starting with “92” indicate the year, date, and time—so the first call was made on March 5, 1992, at twenty-eight minutes past midnight.