Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (28 page)

T
he California Department of Motor Vehicles would turn out to be one of my greatest sources of information and also, later on, the source of one of my narrowest escapes. How I got access to the DMV is a story in itself.

First step: find out what phone number the cops used for official calls to the DMV. I phoned the Orange County sheriff’s station, asked for the Teletype Unit, and told the deputy who answered, “I need the DMV number to find out about a Soundex I requested a couple of days ago.” (In DMV terminology, curiously, when you want a copy of someone’s driver’s license photo, what you ask for is a Soundex.)

“Who are you?” he asked.

“This is Lieutenant Moore,” I said. “I was calling 916 657-8823, but that number doesn’t seem to work anymore.” Three things were pulling in my favor here. First, I had reached the deputy on an internal number that he would presume wasn’t available to anybody outside the Sheriff’s Department. Second, taking a small but reasonable gamble, I had given him a wrong phone number with what I was almost certain was the correct area code and prefix, because at the time (as I noted earlier) the DMV was assigned the entire 657 prefix, making it highly likely that the number used by law enforcement would also be a 916 657-XXXX number. The deputy would notice that I had everything right except the last four digits. And third, I had elevated myself to the rank of lieutenant.
People in a police department or a sheriff’s outfit think like people in the military: nobody wants to say no to somebody with bars on his shoulders.

He gave me the correct phone number.

Next I needed to know how many phone lines there were in the office that handled law enforcement calls, and the phone number for each line. I had found out that the State of California used a telephone switch from Northern Telecom, the DMS-100. I called the State of California Telecommunications Department and said I needed to talk to a technician who worked with the DMS-100 switch. The technician I was transferred to accepted my claim that I was with Northern Telecom’s Technical Assistance Support Center, in Dallas, so I launched into my spiel: “In the current release of the software, we have an intermittent issue where calls get routed to the wrong number. We’ve come up with a patch—it’s a small fix, and you won’t have any problems with it. But in our customer support database, I can’t find the dial-up number to your switch.”

Now I was down to the tricky part. I liked to get this piece of it done by using wording that left the other person no opportunity to object. I said, “So what’s the dial-in number, and when’s a good time to apply the patch?”

The tech was glad to give me the dial-in number to the switch so he wouldn’t have to do the update himself.

Even in those days, some telephone switches, like corporate computer systems, were password-protected. The default account name was all too easy to figure out: “NTAS,” the abbreviation for “Northern Telecom Assistance Support.” I dialed the number the technician had given me, entered the account name, and started trying passwords.

“ntas”? Nope.

“update”? Nothing doing.

How about “patch”? No luck.

So I tried one that I had found being used on Northern Telecom switches for other Regional Bell Operating Companies: “helper.”

Jackpot!

Because Northern Telecom had wanted to make things easy for its own support technicians, every switch was accessible using the
same
support password. How stupid is that?! But great for me.

With the account name and password, I now had full access to the switch, and I had gained control of all the phone numbers belonging to the DMV in Sacramento.

From my computer, I queried the phone number I had been given for law enforcement access and found that the unit in fact had twenty lines in a “hunt group”—meaning that when the number given out to cops was in use, the next call would automatically roll over to the next available number in the group of twenty. The switch would simply “hunt” for the next line that wasn’t busy.

I decided to set myself up with the eighteenth number on the list (because with a high number I would get calls only when they were very busy, while with a low number I’d likely be bothered with calls almost nonstop). I entered commands on the switch to add the call forwarding feature and then to actively forward calls that came in on that line so they would instead be routed to my cloned cell phone.

I guess not everybody would have the guts I had in those days. Calls started coming in from the Secret Service, the Bureau of Land Management, the DEA, and the Bureau of Alcohol, Tobacco, and Firearms.

And get this: I even fielded calls from
FBI agents—
guys who had the authority to put me in handcuffs and send me back to jail.

Each time one of these folks called, thinking he was talking to somebody at the DMV, I would ask for the list of required credentials—name, agency, Requester Code, driver’s license number, date of birth, and so on. But I wasn’t really risking anything, since none of them had any clue that the guy on the other end of the line wasn’t really with the DMV.

I’ll admit when one of these calls would come in, especially from someone in law enforcement, I’d usually answer it suppressing a grin.

Once I got one of these calls when I was having lunch with three others at Bob Burns, a classy steakhouse in Woodland Hills. I shushed everyone at the table when my cell phone rang, and they all looked at me like, “What’s your problem?” Then they heard me answer, “DMV, how can I help you?” Now they were swapping “What’s Mitnick up to now?” looks. Meanwhile I was listening and drumming on the table with the fingers of my left hand to make it sound like I was typing on a keyboard.

The other people at the table were slowly catching on, their jaws dropping open.

Once I’d gotten enough sets of credentials, I dialed back into the
switch, temporarily deactivating the call forwarding until the next time I needed more credentials.

Finally cracking the DMV put a big smile on my face. It was a supervaluable tool that was to come in very handy later on.

But I was still desperate to figure out how much the Feds knew, what evidence they had, how much trouble I was in, and if there was any way for me to get out of it. Could I still save my ass?

I knew it would be stupid to keep up my investigation of Eric. Yet as so often in the past, I was intrigued by the seduction of adventure and intellectual challenge.

It was a puzzle I needed to solve. And I wasn’t going to stop.

Mark Kasden of Teltec called and invited me to have lunch with him and Michael Grant, the son part of the father-son team that owned the company.

I joined Mark and Michael at a Coco’s restaurant near their offices. Michael was a pudgy man who seemed very pleased with himself, to the point of being a bit cocky. The two found it entertaining to draw me into telling stories about my experiences. I made it clear how successful I had been at social engineering, which they also used, though they called it “gagging.” They were impressed that I knew as much as I did about computers and especially about the phone company. They were even more impressed by my vast experience in tracking down people’s addresses, phone numbers, and so on. Finding people seemed to be an important part of their business, a process they referred to as a “locate.”

After lunch they took me to their offices, on the second floor of a building in a strip mall. There was an entry area complete with a receptionist, then a set of individual offices for each of the three PI’s and three bosses.

A day or two later, Mark dropped by my dad’s to tell me, “We want you to come work for us.” The salary wasn’t anything to brag about, but it was plenty enough to live on.

They gave me the title of “Researcher” so as not to raise any suspicions with my Probation Officer.

I was given my own small office, about as sparse as it could be: desk, chair, computer, and phone. No books, no decorations, completely bare walls.

I found Michael to be intelligent, someone I could easily talk to. Our conversations often boosted my self-esteem because when I showed him things I could do that his other employees couldn’t, he would reward me by expressing his admiration at a “wow factor” level.

What Mark and Michael wanted me to focus on first was a situation they told me they didn’t understand. Those phone taps I had uncovered on Teltec’s lines—why in the world would law enforcement be suspicious of anything they were doing?

They had the names of two people they thought might be working the case from the other side: Detective David Simon, with the Los Angeles County Sheriff’s Department, and Darrell Santos, of Pacific Bell Security. “Do you know how to tap the detective’s phone?” one of my bosses asked.

I said, “Sure, but that’s too risky.”

“Well, see what you can find out about this investigation,” I was told.

I would discover, in time, what the Teltec honchos were hiding from me: the detective had led a team that had raided the PI firm a few months earlier for using unauthorized passwords to access TRW credit reports.

Good thing I wasn’t willing to investigate a cop—but taking on PacBell Security was a different story. It sounded like a fun test of my ingenuity, a challenge I might thoroughly enjoy.

S
ince Lewis had cut way back on his hacking time to keep Bonnie happy, I fell into hacking with a buddy of his. Terry Hardy was definitely not your everyday sort of guy. Tall and with a high forehead, he talked in a monotone, like a robot. We nicknamed him “Klingon,” after the race of aliens in
Star Trek
, because we thought he shared some of their physical characteristics. A variety of savant, he could carry on a conversation looking you in the eye while at the same time typing eighty-five words a minute on the computer. It was incredible to watch, and distinctly unnerving.

One day when Terry, Lewis, and I were with Dave Harrison at Dave’s office, I said, “Hey, let’s see if we can get Darrell Santos’s voicemail password.” This could be a way of proving myself to the people at Teltec. If I could actually pull it off.

I called the frame that served the telephone numbers at the offices of PacBell Security, and had the tech look up the cable-and-pair for a phone number I gave him: the number for PacBell Security Investigator Darrell Santos.

My goal was to get an SAS connection put up on Santos’s line, but I wanted it done in a special way. From my research into SAS, I had learned about something called an “SAS shoe,” a physical connection that had the advantage of letting you drop in on a line and stay on, listening to any
calls the subscriber made or received. And with this method, there was no audible
click
on the line when the SAS connection was established.

What would the tech have thought if he’d known that the phone tap he was setting up was on a line belonging to PacBell Security!?

My timing couldn’t have been better. As soon as I popped onto the line, I heard a recorded female voice saying, “Please enter your password.” Terry Hardy happened to be next to me at the time. Another of his unusual abilities was that he had perfect pitch, or at least some variety of that rare aptitude: he could listen to the touch tones of a phone number being keyed in and tell you what number had just been called.

I shouted across the room for Lewis and Dave to be quiet, then said, “Terry,
listen, listen!
” He got closer to the speakerphone just in time to hear the touch tones as Santos entered his voicemail password.

Terry just stood there, as if lost in thought. For maybe twenty seconds. I didn’t dare interrupt.

Then: “I think it’s ‘1313,’ ” he said.

For the next two or three minutes, we all stood there frozen while Santos—and the four of us—listened to his voicemail messages. After he hung up, I called his voicemail access number and entered “1313” as his password.

It worked.

We were stoked! Dave, Lewis, Terry, and I all jumped around high-fiving one another.

Terry and I went through the same process and eventually got Lilly Creek’s voicemail password as well.

I began making it a daily routine to check both their voicemails, always after hours, when I could be fairly certain they wouldn’t be trying to call in at the same time themselves: getting a message that their voicemail box was in use would be a huge red flag.

Over the next several weeks, I listened to a series of messages left by Detective Simon, updating Santos on his investigation of Teltec. It was reassuring for my bosses to know that the detective wasn’t coming up with anything new. (In another of those improbable small-world coincidences, Detective Simon—still with the LA Sheriff’s Department, now as a Reserve Chief—is the twin brother of my coauthor, Bill Simon.)

In the middle of all this, every now and then I’d recall that tantalizing piece of information I’d been given about one of the charges against Kevin Poulsen, for a hack that Eric said he had taken part in: the radio contest that had supposedly won Eric a Porsche, and Poulsen himself two more. At other odd moments, I’d remember the contest I’d heard on the radio while driving to Vegas that dreary day not long after my half-brother’s death. Finally those two items collided in my brain.