Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (54 page)

As soon as “gkremen” logged on from Raleigh, Shimmy’s team asked an FBI agent to contact General Telephone, the telephone company that provisioned Netcom’s dial-up numbers in Research Triangle Park, and request that the call be traced in real time. After a couple of attempts, General Telephone’s technicians completed a successful trace. They passed on the number to the FBI and advised that it was originating from Sprint’s cellular network.

But this wasn’t information that would lead my pursuers anywhere. To provide an extra layer of protection, I had previously set up what I call a “cut-out number.” The first part of this involved hacking into a phone company switch, finding an unused phone number, and adding call forwarding
to the line. Then I set a different billing number in the switch so any calls placed from that number would appear to be originating from the billing number rather than the actual number. Why? I had discovered a flaw in the switch software: it would sometimes report not the actual phone number that a call was originating from, but the
billing
number. So if phone company techs tried to trace some of my calls, they might not immediately discover my cut-out number—the number I was routing my calls through—but instead would come up with a phone number assigned to some random customer I chose. I knew that some switch technicians were not even aware that a trace might report the billing number, which gave me an extraordinary extra level of protection. In any case, in my experience, the phone companies never caught on to my using a cut-out number to make it harder to trace where my calls were originating from, because it never occurred to them that someone might have hacked into their switch.

Several weeks earlier, JSZ had set up an account for me on “escape.com” (which was owned by his buddy Ramon Kazan) so the two of us could communicate directly through that system. This had become another of many entry points I used to connect to the Internet. Since I had root access, I also stashed numerous hacking tools, exploits, and source code from various companies I had recently been hacking into. (My account on escape.com was named “marty,” after the character in the movie
Sneakers
.)

Whenever I logged in to my account on escape.com, there was always a notification displaying the date and time of my previous log-in. The first thing I did each time I logged in was truncate the log entries to eliminate any trace of my comings and goings. But this time when I logged in, I immediately noticed that someone else had logged in to my account… from the Well. Someone else had been there. What the fuck?

I immediately went to the Well and started poking around, but didn’t find anything that led me to the mystery spy.

I disconnected immediately, feeling like I was being watched.

Meanwhile, a Sprint engineer was trying to make sense of the number that GTE had traced as originating from the Sprint network. When he searched through the company’s customer records, the number didn’t come up, which seemed strange. But then the engineer realized it wasn’t a Sprint number at all—in fact, it didn’t even have a cellular prefix. Shimmy
asked the FBI to set up a conference call so he could discuss this oddity with the engineer at Sprint. Then he decided to try calling the number himself, to see if anyone would answer. As soon as the call connected, he began to hear a
kerchunk-
ing noise that would get quieter and quieter until the call was dropped. This was intriguing to him and the engineers. It appeared that I had set up a fail-safe to prevent them from tracing me back, and they wondered if I could have tampered with the switch.

My using Sprint’s cellular network to dial in to Netcom through my cut-out number made it look as if the cut-out number was originating from Sprint’s network when it really wasn’t. This was because both the cut-out number and Netcom’s dial-up number were in the same switch. The Sprint engineer now decided to change tactics and perform what’s known as a “terminating number search.” Rather than looking for calls placed
from
the traced number, he looked for any subscriber calls
to
that number.

It didn’t take him long to hit pay dirt. His search through the call detail records indicated that the traced number had been called numerous times from a Sprint cell phone—or rather, from the cell number I was using to dial in to Netcom, a phone with a Raleigh area code.

The technician noticed that the calls were usually being routed through the same cellular phone tower. That meant that the phone on the other end was likely in a fixed location. So they now knew where I was: Raleigh.

As soon as the engineer told Shimmy what he had figured out, Shimmy hopped on a plane, destination Raleigh.

I tried calling and emailing JSZ in Israel several times to rule out the unlikely possibility that he had recently accessed my “escape.com” account from the Well. On Sunday afternoon, while Shimmy was winging his way to Raleigh, JSZ sent me a message that left me up in the air:

Growing more and more nervous, I immediately logged on to the phone company switch that serviced the dial-up numbers to Netcom through Research Triangle Park—one of the routes I had been using in Raleigh for Internet access. It was in fact my preferred route because cell phone calls direct to Netcom in Denver and elsewhere were not of good quality for long dial-up sessions.

When I examined the Netcom dial-up number in the switch, it indicated that the modem number had a trap-and-trace activated! I started getting an anxious feeling in the pit of my stomach. Now I was really worried.

My pursuers were getting too close. How much had they figured out?

I needed to know whether the trap had been in place long enough to capture any of my calls.

General Telephone has a Network Operations Center in Texas that handles switch surveillance outside of regular working hours. I call and pretend to be from GTE Security. I ask to be transferred to the person handling the Durham Parkwood switch in Raleigh. A lady comes on the line.

“Listen, I’m working on a suicide case,” I tell her. “The phone number is 558-8900. What time did the trap go up?”

She says she’ll find out. I wait. And wait. And wait some more, meanwhile getting more alarmed. Finally, after about five minutes, the call is picked up again—not by the same lady, but by a man.

I ask, “Did we get any information yet?”

He starts asking a series of questions: What’s my callback number? Who do I work for? I’ve done my homework and feed him appropriate answers.

“Have your manager call me,” he says.

“He won’t be in till morning,” I say. “I’ll leave a message for him to call you.”

Now I’m extremely suspicious: they’ve been warned that somebody might call. This has all the earmarks of a national security investigation. Is someone getting close to pinpointing my location?

As a precaution, I immediately clone my cell phone to a
different
cellular phone provider—Cellular One—just in case someone really has been tracking me.

As soon as Shimmy arrived in Raleigh, he was picked up by a Sprint technician, who drove him to the cell site. At the cell site, the techs had a Cellscope 2000 for radio direction finding, the same type of unit that the investigators in Seattle had used to track my location. Technicians at Cellular One had been alerted to watch for any strange activity coming from their network. When I placed a cellular call to Netcom, Cellular One identified a data call in progress and informed the posse. They jumped into a vehicle and started driving around, following clues from the Cellscope 2000 to hunt down the origin of my cellular radio signal. Within minutes, Shimmy and other team members were driving around the Players Club looking for any apartments with their lights still on at this early-morning hour.

A while later they got a lucky break. The Sprint technician running the surveillance equipment picked up a conversation. John Markoff, who had just arrived in Raleigh to join the chase, recognized one of the voices. It was the well-known founder of the magazine
2600: The Hacker Quarterly
, Eric Corley (though he preferred going by his chosen handle, Emmanuel Goldstein, after a character in the novel
1984
). Moments later, above the hiss and static and intermittent reception, they heard the voice on the other end of the conversation. Markoff recognized that one, too.

“It’s him,”
Markoff shouted.
“It’s Mitnick!”

F
ebruary 14, Valentine’s Day. I wrote up some more résumés and cover letters, then, later in the evening, started poking around again in the accounts of all the system administrators at the Well. I was looking for any evidence that I was being watched or that my stash of software had been discovered. I didn’t find anything that set off alarm bells.

Feeling like taking a break, at about 9 p.m., I headed for the gym and spent an hour on the StairMaster and then another hour lifting weights. After a long, relaxing shower, I went to grab some dinner at a twenty-four-hour restaurant. I was a vegetarian at the time, so the menu wasn’t all that appealing to me, but it was the only place open so late.

A little after midnight, I rolled into the parking lot at the Players Club. The lights were off in most of the apartments. I was oblivious to the surveillance net the Feds had set up while I was out.

I logged on to the Well to take a look around. As I changed the passwords on several new dormant accounts just for insurance, again I had a creepy feeling that someone had been watching me. I decided to go into partial cleanup mode, but first I wanted to make sure I had created copies of all the files I’d moved to the Well. Because I didn’t have a safe storage locker other than the systems I had been using over the past several
weeks, I decided to copy the files to different dormant accounts on the Well. Once those were secured, I would find some other site to move them to.

Then I noticed that several of the backdoors I’d been using to access various systems had mysteriously disappeared.

The Feds worked very slowly. Even if a call of mine had been traced, it would usually take them days or weeks to investigate. Someone appeared to be hot on my trail, but I still had plenty of time. Or so I thought.

As I was working on moving files around, I had a very, very uncomfortable sensation, a sinking feeling in my stomach that something bad was about to happen. Maybe I was just being paranoid. Who had logged in to my escape.com account? Why had traps been placed on Netcom’s dial-ups? Had Netcom filed a hacking complaint with the Feds? Several different scenarios were running through my mind.

An hour later, I was still in a stew. I thought it was a little crazy, but my gut kept telling me something wasn’t right. No one knew where I was, but I couldn’t overcome the feeling that danger lurked nearby.

I had to convince myself that there was nothing to it, that I was just letting myself get spooked. My apartment door opened onto an outside corridor that gave a good view of the parking lot. I walked to the door, opened it, and scanned the lot. Nothing. Just my imagination. I closed the door and went back to my computer.

That peek out the door would prove to be my undoing. The Feds had tracked my cell phone signals to the Players Club apartments earlier in the evening but had apparently concluded, incorrectly, that the signals were coming from an apartment on the other side of the building. When I returned to the complex after dinner, I drove into the Players Club parking lot and walked from my car right through the FBI’s surveillance net. But when I poked my head out the door, a deputy U.S. Marshal caught a glimpse of me and thought it was suspicious that so late at night someone would look out of an apartment, peer around, and then vanish inside again.

Thirty minutes later, at around 1:30, I hear a knock on my door. Without realizing how late it is, I automatically yell, “Who is it?”

“FBI.”

I freeze. Another knock. I call out, “Who are you looking for?”

“Kevin Mitnick. Are you Kevin Mitnick?”

“No,” I call back, trying to sound annoyed. “Go check the mailboxes.”

It gets quiet. I begin to wonder if they really have sent someone to check the mailboxes. Do they think I’d have a “MITNICK” label on the little door of my box?

Not good! Obviously I’ve underestimated how long it would take the Feds to pinpoint my location. I look for an escape route. I go out on my balcony and don’t see anyone outside covering the back of the building. I look around inside for something that can serve as a makeshift rope. Bed sheets? No, it’d take too long to tie them into a rope. And besides, what if one of the agents actually tried to shoot me as I was climbing down?

More knocking.

I phone my mom at home. No time for our “go to a casino” arrangement. “I’m in Raleigh, North Carolina,” I tell her. “The FBI is outside the door. I don’t know where they’ll take me.” We talk for a few minutes, each of us trying to reassure the other. She’s beside herself, really upset, distraught, knowing I’m headed back to jail. I tell her I love her and Gram, and to be strong, that eventually one day this whole thing will be behind us.