The Fugitive Game: Online With Kevin Mitnick (35 page)

I don't have any doubt. It's the same hack. But who was the
hacker?

Why didn't Mitnick tell me earlier of the Christmas Day attack on
Shimomura? Perhaps because he didn't know about it earlier. Or
perhaps because he wanted a cover for his advance knowledge,
something like CERT's planned public announcement. If the latter
was true it provided a convenient pretext. How could I know for
certain whether or not Mitnick had merely intercepted news of the
federal Computer Emergency Response Team's plans?

But then I think back. If Mitnick hadn't played a role in the hack
why was he so pleased by Shimomura's predicament? Would he be

so gleeful if he had simply been a spectator to some rival hacker's
feat? Would his voice be tinged with pride?

And as I reread Markoff's article, it's easy to understand why
Mitnick may have been proud. The hack threatens the future of the
Internet, the privacy of millions of individuals, and the security of
millions of dollars of emerging cybercommerce, at least according to
the
New York Times.
By describing the hack as an obscure theoreti-
cal "flaw" never before demonstrated, Markoff's
Times
story treats
the feat almost as an original work of art.

The unknown mystery hacker is by implication a master burglar
who has single-handedly lifted a masterpiece from the Louvre. Shi-
momura, the master of security, was stripped of his premier Internet
security programs and tools. But Markoff implies that every business
and every individual may be at risk. The sky — cyberspace itself —is
falling. And if there are any nonbelievers, Markoff quotes James
Settle, the same retired FBI agent he quoted in his last front page
Times
hacker story, who has these four words of warning:

"Essentially everyone is vulnerable."

a • •

It's dark when Mitnick phones, and I tell him the Federal Bureau of
Prisons' official line: as far as the government is concerned, the
hacker's eight months of solitary never happened. Mitnick isn't sur-
prised. He's accustomed to nobody believing his story. And then he
makes an extraordinary offer. Mitnick suggests sending me a release
in his name with his fingerprint to help me learn the facts of his case.

"So, I was thinking of getting you a fingerprint card with an FOI
release," Mitnick says. "Lets you take care of requesting all the re-
leases you want. It's me doing the release and I think it has more
power than you doing it."

I tell him I appreciate the offer, but I don't see why it should be
hard to determine whether he really did eight months in solitary.

Mitnick disagrees. He thinks the government will misrepresent
the facts of his case. "What do they care? They have one mad moth-
erfucker out here and they don't care because I'm a bad guy in their
eyes anyway. They don't give a shit. I didn't like that treatment.
That's one of the reasons I'm out here like this, because I know they
would do it again."

I tell Mitnick I saw the movie
Murder in the First.

"Yeah," Mitnick sighs. "The hole in Alcatraz wasn't like the hole
at MDC. But it's still the same. You're still in a locked little room,
you get forty-five minutes of fresh air. They shackle you everywhere
you go.... It's where the snitches are. They go into administrative
detention because they'll get killed."

"So this was a portion of Eight North that was for administrative
detention?"

"No. They didn't have a section for it. The whole floor was lock-
down."

"OK, but how could the Federal Bureau of Prisons change this
fact?"

"I don't have to sit here and prove it!" Mitnick snaps, nearly
shouting. "Maybe they had a new law or something that says that
you can't hold anyone for a certain period of time and then they
fixed the computers so they can't get blamed."

Mitnick suddenly flips channels on me, momentarily shutting out his
solitary-confinement flashbacks, to tell me about a crime he could
have easily committed. Is this Mitnick's anger too? Hints about the
damage he could do if he really wanted to be a criminal?

"You know who I met there were the guys who did the big ATM
fraud, Scott Koenig and Mark Koenig. They're the guys that
masterminded — he [Scott] worked for GTE Federal systems and
they used the Star system — they mastered the network, so he actu-
ally told me exactly how he pulled it off."

By now, I know Mitnick well enough to anticipate what's coming.
Mitnick's going to give me a primer on how to make millions in
ATM fraud, and then tell me he, as a true hacker, would never
dream of committing such a crime. "Apparently, they had these Itala
encryption boxes. When an ATM is used, this Itala box contains a
master encryption key. It encrypts the session key, sends it down to
the ATM, then the ATM decrypts it with its session key. Then it
takes that key and it encrypts the user's account number and PIN
and all that shit, sends it back over the landline, and then the Itala
box has the session key, it decrypts it, uses the master key, and
comes back to the plain text pin, right?"

Sure, I got it.

"And what he realized was those
idiots
on the Plus system — the
crux of the security is this Itala box which holds the master key.
Well, apparently, it was set up to default zero through nine, a
through f. They took it out of the box, set it up, and never set the
key. So he was able to decrypt all the traffic going over the Net."

"It was on the
default?"
I say, incredulous GTE wouldn't have
bothered to set unique keys for its encryption.

"Yeah, they left it on the default. Like you take something out of
the box, your answering machines are usually zero, zero, zero. Well,
that's what those idiots did. You know, they had all these account
numbers and PINs. So then he borrowed one of those things that
burn the information on the mag [magnetic] strip. He took one
home and took his tape and cards and made thousands of clones of
people's accounts and the PINs. He wrote the PIN on each card.

"So like one three-day weekend his plot was to go around and
have his friends and him take all the money they can over the three-
day holiday, right? So one of his girlfriend's friends snitched, told the
Secret Service what's going on. They busted him before they did it
and [he was sentenced], like, four years for the attempt.

"That was totally criminal," declares the most wanted man in
cyberspace. "That's not hacking, you know."

■ * ■

I think back to the copy of the
New York Times
I picked up on my
front step a few hours ago, and wonder, how did Markoff get this
dry security story on the front page of the
Times}

News. That's what makes something a front-page story, and the
news that made the IP Spoof hack a page-one story is danger. Dan-
ger to the Internet's zo million users, and danger to its future as a
vehicle of commerce. But of course, it's only a new danger if those
users were previously safe. That's not what Kevin Mitnick and all
the other hackers I talk to say. It's not what countless articles in
newspapers and magazines say. It's not even what John Markoff
used to say. Every cyberspace journalist worth his memory chips
knows security on the Internet is an illusion, and always has been.

The Internet is about as safe as a convenience store in East L.A. on
Saturday night.

January 29,1995

It's Super Bowl Sunday, a
couple of hours before kickoff,
and though I'm not a big football fan, I plan on watching the San
Francisco 49ers demolish the San Diego Chargers.

I pick up the phone, thinking it's my friend, the one who's sup-
posed to bring the guacamole, but instead it's Kevin Mitnick. It's
been six days since his last call.

"I'm walking along the beach here relaxing," Mitnick bubbles,
sounding euphoric.

"On the
beach?
You're kidding. Are you really on the beach?"
"Yeah. So, I'll let you go because you're watching the —" Mitnick
begins.

"No. I'm not watching the game. It hasn't started yet."
"I know. That reminds me. I've gotta get to where my friends are
because they're gonna want to watch it."

Amazing. Mitnick's just told me he's on a beach, and he's got
friends too. I thought Mitnick couldn't trust anybody.

"The game isn't for two hours. What do the waves look like?"
"I can't tell you, but you could listen to them," Mitnick quips.
"Hey! Did you hear about that little UPI release? Now the U.S. Mar-
shals have released a [plea for] public help thing. This was Tuesday.
They just said all this shit. That I got into NOR AD, that I have done

all these terrible things, and that I'm always one step ahead of them
and now they need the public's help."

"Did they name the marshal?"

"Yeah, it was the bull dike that keeps harassing my family and
keeps getting referred to attorneys. Kathleen Cunningham. I dunno.
I don't have much luck with Kathleens these days," Mitnick mopes.

Mitnick is being hunted by not only Kathleen Cunningham of the
U.S. Marshals office in Los Angeles, but Kathleen Carson of the FBI.

"Did you see the thing in the
New York Times
yesterday?"

"No."

I can't believe Mitnick missed it. Yesterday the
Times
led its busi-
ness section with a long feature.

"Let me read you a few things," I tell Mitnick. "The title is, 'Tak-
ing a Computer Crime to Heart.' It's by Markoff, and it's got a big
picture of Shimomura. And it says, 'Added motivation for a detec-
tive. He was the victim.'

"I'll read you the lead, 'It was as if the thieves, to prove their
prowess, had burglarized a locksmith. Which is why Tsutomu Shi-
momura, the keeper of the keys in this case, is taking the breakin as
a personal affront —' "

Mitnick bursts out laughing.

—" 'and why he considers solving the crime a matter of
honor,' " I finish.

"This guy's an idiot because he actually believes —" Mitnick
stammers, catching himself. "I mean you've got to take into account
he's dealing with hackers. The grapevine believes this person who
left the message on his voice mail is the one that did the hacking. I
don't have any idea, of course."

Is Mitnick implying that the person who left the voice mail mes-
sage was not the person who hacked Shimomura?

"There was an amusing message left on his voice mail?"

"They [the grapevine] said it's on the Internet, they actually have
an audio file on the Internet, which anybody can get —"

"OK, let me read you more of the
Times
story, '... more than
anything, Shimomura wants to help the government catch the
crooks. And while he acknowledges that the thieves were clever, Mr.
Shimomura has also uncovered signs of ineptitude that he says will

be the intruder's eventual undoing. "Looks like the ankle biters have
learned to read technical manuals," he said derisively. "Somebody
should teach them some manners." ' "

Mitnick chuckles.

" 'Mr. Shimomura .. . was not home on Christmas Day because
he was on his way to the Sierra Nevada where he spends most of the
winter as a self-described ski bum. He says ail the more reason he
derides the geeks who have nothing better to do on Christmas than
to sit at a computer and pry into his electronic life.' "

"He doesn't sound too happy."

I keep reading. " ' "Gentlemen are not supposed to read each
other's mail," he said.' "

"Oh well," Mitnick chuckles, struggling to contain his laughter.
"He was an idiot to keep stuff online."

"Uh-huh, and I heard a rumor he had GIF [graphic] files and stuff.
Have you heard this rumor?"

Mitnick laughs. "I have no comment."

Maybe Mitnick really did do it.

"The story ends with him saying he's working on a software filter to
make it impossible for an outsider to gain entry to his system....
' "The ankle biters," he warned, "will test it at their peril." ' "

Mitnick's amused. "He sounds like he's taking it personally. I'm
surprised Markoff wrote it," Mitnick chuckles. "It sounds like the
guy is out to protect his Japanese honor. He's been had, like you see
in the old karate movies."

Mitnick does his best kung fu master imitation. "You dishonored
my family. You will die! I'll meet you . .. and we fight to the death."

Mitnick sounds like he's doubling over with laughter.

"But he's good," Mitnick cautions, no longer laughing, his voice
suddenly contemplative. "I'm surprised, especially him being a
spook and everything, that he would take it public."

"The U.S. Marshals are seeking public assistance. I wonder what
egged them on at this time? It's the same time this shit went out — it
sounds like a weird coincidence. When did the
New York Times [January 23 data threat] story on Shimomura come out?"
"Monday," I say.

"And this comes out on Tuesday? That's kinda weird, wouldn't
you say?" Mitnick asks.