Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (5 page)

A
fter I figured out how to obtain unpublished numbers, finding out information about people—friends, friends of friends, teachers, even strangers—held a fascination for me. The Department of Motor Vehicles is a great storehouse of information. Was there any way I could tap it?

For openers, I simply called a DMV office from the pay phone in a restaurant and said something like, “This is Officer Campbell, LAPD, Van Nuys station. Our computers are down, and some officers in the field need a couple of pieces of information. Can you help me?”

The lady at the DMV said, “Why aren’t you calling on the law enforcement line?”

Oh, okay—there was a separate phone number for cops to call. How could I find out the number? Well, obviously the cops at the police station would have it, but… was I really going to call the police station to get information that would help me break the law? Oh, yeah.

Placing a call to the nearest station house, I said I was from the Los Angeles County Sheriff’s Department, we needed to call the DMV, and the officer who had the number for the law enforcement desk was out. I needed the operator to give me the number. Which she did. Just like that.

(As I was recounting this story recently, I thought I still remembered that DMV law enforcement phone number or could still get it. I picked
up the phone and dialed. The DMV has a Centrex phone system, so all the numbers have the same area code and prefix: 916-657. Only the extension number—the last four digits—varies by department. I just chose those last digits at random, knowing I’d get
somebody
at the DMV, and I’d have credibility because I was calling an internal number.

The lady who answered said something I didn’t get.

I said, “Is this the number for law enforcement?”

She said, “No.”

“I must have dialed wrong,” I said. “What’s the number for law enforcement?”

She gave it to me! After all these years, they still haven’t learned.

After phoning the DMV’s law enforcement line, I found there was a second level of protection. I needed a “Requester Code.” As in the past, I needed to come up with a cover story on the spur of the moment. Making my voice sound anxious, I told the clerk, “We’ve just had an urgent situation come up here, I’ll have to call you back.”

Calling the Van Nuys LAPD station, I claimed to be from the DMV and said I was compiling a new database. “Is your Requester Code 36472?”

“No, it’s 62883.”

(That’s a trick I’ve discovered very often works. If you ask for a piece of sensitive information, people naturally grow immediately suspicious. If you pretend you already have the information and give them something that’s wrong, they’ll frequently correct you—rewarding you with the piece of information you were looking for.)

With a few minutes’ worth of phone calls, I had set myself up for getting the driver’s license number and home address of anyone in the state of California, or running a license plate and getting the details such as the owner’s name and address, or running a person’s name and getting details about his or her car registration. At the time it was just a test of my skills; in the years ahead the DMV would be a rich lode that I would use in myriad ways.

All these extra tools I was accumulating were like the sweet at the end of a meal. The main course was still my phone phreaking. I was calling a lot of different Pacific Telephone and General Telephone departments, collecting information to satisfy that “What information can I
get?” urge, making calls to build my knowledge bank of the companies’ departments, procedures, and lingo and routing my calls through some long-distance carriers to make them harder to trace. Most of this from my mom’s phone in our condominium.

Of course phreakers like to score points by showing other phreakers what new things they’ve learned how to do. I loved pulling pranks on friends, phreakers or not. One day I hacked into the phone company switch serving the area where my buddy Steve Rhoades lived with his grandmother, changing the “line class code” from residential to pay phone. When he or his grandmother tried to place a call, they would hear, “Please deposit ten cents.” Of course he knew who had done it, and called to complain. I promised to undo it, and I did, but changed the service to a prison pay phone. Now when they tried to make a call, an operator would come on the line and say, “This will be a collect call. What is your name, please.” Steve called to say, “Very funny—change it back.” I had my laughs; I changed it back.

Phone phreakers had discovered a way to make free phone calls, taking advantage of a flaw in some types of “diverters”—devices that were used to provide call forwarding (for example, to an answering service) in the days before call forwarding was offered by the phone companies. A phreaker would call at an hour when he knew the business would be closed. When the answering service picked up, he would ask something like, “What hours are you open?” When the person who had answered disconnected the line, the phreaker would stay on; after a few moments, the dial tone would be heard. The phreaker could then dial a call to anywhere in the world, free—with the charges going to the business.

The diverter could also be used to receive incoming calls for call-backs during a social-engineering attack.

In another approach with the diverter, the phreaker dialed the “automatic number identification,” or ANI number, used by phone company technicians, and in this way learned the phone number for the outgoing diverter line. Once the number was known, the phreaker could give out the number as “his” callback. To answer the line, the phreaker just called the business’s main number that diverted the call. But this time, when the diverter picked up the second line to call the answering service, it effectively answered the incoming call.

I used this way of talking with my friend Steve late one night. He answered using the diverter line belonging to a company called Prestige Coffee Shop in the San Fernando Valley.

We were talking about phone phreaking stuff when suddenly a voice interrupted our conversation.

“We are monitoring,” the stranger said.

Steve and I both hung up immediately. We got back on a direct connection, laughing at the telephone company’s puny attempt to scare us, talking about what idiots the people who worked there were. The same voice interrupted again:
“We are still monitoring!”

Who were the idiots now?

Sometime later, my mom received a letter from General Telephone, followed by an in-person visit from Don Moody, the head of Security for the company, who warned her that if I didn’t stop what I was doing, GTE would terminate our telephone service for fraud and abuse. Mom was shocked and upset by the idea of losing our phone service. And Moody wasn’t kidding. When I continued my phreaking, GTE did terminate our service. I told my mom not to worry, I had an idea.

The phone company associated each phone line with a specific address. Our terminated phone was assigned to Unit 13. My solution was pretty low-tech: I went down to the hardware store and sorted through the collection of letters and numbers that you tack up on your front door. When I got back to the condo, I took down the “13” and nailed up “12B” in its place.

Then I called GTE and asked for the department that handled provisioning. I explained that a new unit, 12B, was being added to the condominium complex and asked them to adjust their records accordingly. They said it would take twenty-four to forty-eight hours to update the system.

I waited.

When I called back, I said I was the new tenant in 12B and would like to order phone service. The woman at the phone company asked what name I’d like the number listed under.

“Jim Bond,” I said. “Uh, no… why not make that my legal name? James.”

“James Bond,” she repeated, making nothing of it—even when I paid an extra fee to choose my own number: 895-5…
007
.

After the phone was installed, I took down the “12B” outside our door and replaced it with “13” again. It was several weeks before somebody at GTE caught on and shut the service down.

Years later I would learn that this was when GTE started a file on me. I was seventeen years old.

About the same time, I got to know a man named Dave Kompel, who was probably in his midtwenties but had not outgrown teenage acne that was so bad it disfigured his appearance. In charge of maintaining the Los Angeles Unified School District’s PDP-11/70 minicomputer running the RSTS/E operating system, he—along with a number of his friends—possessed computer knowledge I highly prized. Eager to be admitted into their circle so they would share information with me, I made my case to Dave and one of his friends, Neal Goldsmith. Neal was an extremely obese guy with short hair who appeared to be coddled by his wealthy parents. His life seemed to be focused only on food and computers.

Neal told me they’d agreed to allow me into their circle, but I had to prove myself first. They wanted access to a computer system called “the Ark,” which was the system at Digital Equipment used by the development group for RSTS/E. He told me, “If you can hack into the Ark, we’ll figure you’re good enough for us to share information with.” And to get me started, Neal already had a dial-up number that he had been given by a friend who worked on the RSTS/E Development Team.

He gave me that challenge because he knew there was no way in the world I’d be able to do it.

Maybe it really was impossible, but I sure was going to try.

The modem number brought up a logon banner on the Ark, but of course you had to enter a valid account number and password. How could I get those credentials?

I had a plan I thought might work, but to get started I would need to know the name of a system administrator—not someone in the development group itself but one of the people who managed the internal computer systems at Digital. I called the switchboard for the facility in Merrimack, New Hampshire, where the Ark was located, and asked to be connected to the computer room.

“Which one?” the switchboard lady asked.

Oops. I hadn’t ever thought to research which lab the Ark was in. I said, “For RSTS/E development.”

“Oh, you mean the raised-floor lab. I’ll connect you.” (Large computer systems were often mounted on raised floors so all the heavy-duty cabling could be run underneath.)

A lady came on the line. I was taking a gamble, but they wouldn’t be able to trace the call, so even if they got suspicious, I had little to lose.

“Is the PDP-11/70 for the Ark located in this lab?” I asked, giving the name of the most powerful DEC minicomputer of the time, which I figured the development group would have to be using.

She assured me it was.

“This is Anton Chernoff,” I brazenly claimed. Chernoff was one of the key developers on the RSTS/E Development Team, so I was taking a big risk that she wouldn’t be familiar with his voice. “I’m having trouble logging in to one of my accounts on the Ark.”

“You’ll have to contact Jerry Covert.”

I asked for his extension; she didn’t hesitate to give it to me, and when I reached him, I said, “Hey, Jerry, this is Anton,” figuring that even if he didn’t know Chernoff personally, he was almost certain to know the name.

“Hey, how’re you doing?” he answered jovially, obviously not familiar enough with Chernoff in person to know that I didn’t sound like him.

“Okay,” I said, “but did you guys delete one of my accounts? I created an account for testing some code last week, and now I can’t log in.” He asked what the account log-in was.

I knew from experience that under RSTS/E, account numbers were a combination of the project number and the programmer number, such as 1,119—each number running up to 254. Privileged accounts always had the project number of 1. And I had discovered that the RSTS/E Development Team used programmer numbers starting at 200.

I told Jerry that my test account was “1,119,” crossing my fingers that it wasn’t assigned to anyone.

It was a lucky guess. He checked and told me there wasn’t any 1,119 account. “Damn,” I answered. “Somebody must have removed it. Can you re-create it for me?”

What Chernoff wanted, Chernoff got. “No problem,” Jerry said. “What password do you want?”

I spotted a jar of strawberry jelly in the kitchen cabinet across from me. I told him, “Make it ‘jelly.’ ”

In hardly more than a blink, he said, “Okay, all done.”

I was
stoked
, the adrenaline running high. I could hardly believe it could’ve been so easy. But would it really work?

From my computer, I called the dial-in number my would-be mentor Neal had given me. The call connected and this text appeared:

RSTS V7.0-07 * The Ark * Job 25 KB42 05-Jul-80 11:17 AM

# 1,119

Password:

Dialup password:

Damn, damn, damn. I dialed Jerry Covert back, again as Chernoff. “Hey, I’m dialing in from home, and it’s asking for a dial-up password.”

“You didn’t get it in your email? It’s ‘buffoon.’ ”

I tried again and
I was in!