Read The Fugitive Game: Online With Kevin Mitnick Online

Authors: Jonathan Littman

Tags: #Non-Fiction, #Biography, #History

The Fugitive Game: Online With Kevin Mitnick (38 page)


Sometime after noon, the long rambling series of cellular phone calls
from Mitnick winds to a close. I grab a quick bite to eat, and then call
back Markoff. He hasn't phoned me half a dozen times in my whole
life. Why would he suddenly phone me twice in the space of an hour?

The secretary says he's on another call, but Markoff quickly jumps
on the line. He thanks me for calling back, and then asks me if some
guy named Angel Santana has phoned me.

I don't know who or what he's talking about.

"He's with Star Productions in Vegas," Markoff continues. "He's
almost been driven out of business. His calls were routed to his
competitors. He's sending his girls to rooms and finding other girls
are there first."

Markoff believes Mitnick did this humorous hack years ago for a
prostitute that Markoff profiled in Cyberpunk. But something tells
me the New York Times isn't calling just to tell me about Angel. Why
not ask John Markoff about the real reason he called me twice this
morning?

So I ask him about the Shimomura Newsweek story, and the odd
reference to cellular phones. He comes back with a stunning revelation.

"Somebody hit a different Tsutomu machine last summer and the
NSA was pissed," Markoff tells me. "They freaked out. There's no
question about it."

Why didn't he mention this in his New York Times stories? Why
create the false appearance Shimomura was first hacked Christmas
Day?

"But it was a different machine?" I ask.

"Am I being interviewed here?"

It strikes me as an odd question. Markoff was the one who called
me twice in the space of an hour. Who's interviewing whom?

"Let's get on the same wavelength," Markoff suggests. "I'm glad to
share this stuff with you, but I want to know where it's going to show
up. 'Cuz I'm pretty close to Shimo and it's an issue for me."

Before I can respond, he starts talking about Shimomura again.

"I wrote that profile of Tsutomu because after I mentioned him in
the bottom of my story ["Data Threat"] I basically outed him and a
million reporters were all over him."

"He wasn't happy about that?"

"No, Tsutomu loves it," Markoff says. "He's playing his own
games.

"I'll tell you it's unclear what was taken [referring to the Christmas
hack], and point two, I can send you a public posting by an Air Force
information warfare guy who described what was taken and their
assessment of the damage.

"And there are lots of little snips of code that a brilliant hacker
could probably use. But Tsutomu's mind works in very cryptic ways.
It's not clear that without Tsutomu you're going to be able to do
anything with it.

"Now in this breakin I don't actually think a lot of stuff was
taken."

This breakin? Just how many times was Shimomura hacked before
Christmas?

But I ask a different question. "Why would an Air Force guy post
something?"

"Oh, Tsutomu," Markoff casually replies. "He produced a lot of
software for the Air Force."

"Where would he post this?"

"Oh, to a mailing list. A lot of people were concerned about what
was taken from his [Shimomura's] machine. What they [the hacker]
got was a lot of his electronic mail. Some of it's kind of embarrassing.
[But] I don't think people are going to find new ways to attack the
network based on this particular attack.

"There is another issue," Markoff cautions in a serious tone.
"Tsutomu is a very sharp guy, and it is not impossible that that was
a bait machine, which is why I stayed away from the issue."

Is Markoff implying Shimomura, a rumored NSA spy, laid a trap?
And what about Markoff's New York Times articles? Were they part
of the trap, too?

"Think about it for a second," Markoff pauses dramatically. "And
you get into this wilderness-of-mirrors kind of world. And a lot of people
that are writing don't know everything, and I don't know everything.

"I've been protecting him [Shimomura] for five years. I get the
profile and the [Wall Street] Journal is on him. They don't know how
close he is to the military. It would make perfect sense. Who knows
what's in the code? The guy is in the counterintelligence business."

■ ■ ■

I feel uncomfortable. Markoff has revealed incredible information to
me about Shimomura, just hours after the Los Angeles Times Magazine
has asked me to do a cover story on the cybersleuth himself. I'm
tempted to write the story, but I'm overcommitted.

The next day I phone Markoff to tell him about the L.A. Times offer.
Obviously that paper competes with the New York Times. It's hard for
me to reach him, and when I finally do, in contrast to yesterday's
generosity, he seems gruff and angry.

When I tell him about the L.A. Times story proposal and say I'm
probably not going to do it, he responds with sarcasm. "Don't worry
about it," he says. "I already knew about it."

I puzzle over these two conversations and wonder why, if Markoff
thought I was about to write a newspaper story on Shimomura,
he would share his astonishing inside information.

The only source I have that Markoff wants is Mitnick. Was he
trading Shimomura for Mitnick?

"Hey, I got that magazine!"

It's Mitnick talking about Newsweek, just a couple of hours after
my conversation with Markoff.

"I'm going to get a blowup of that picture and make it a Tsutomu
dartboard. Yeah, hitting the sword will be the bull's-eye," Mitnick
chuckles.

■ ■ ■

So far, John Markoff is my only source that Shimomura has recently
been compromised at least twice to the dismay of his NSA handlers.

But without any prompting, Mitnick confirms the story. He knows a
hacker who "did" Tsutomu. The way Mitnick tells it, hackers have
been "doing" Shimomura for some time.

"A guy named Chris" — Nug is his handle — "did Tsutomu last
year," Mitnick reveals in a chatty tone. "He used a different
technique. He did it about a year ago."

"Where did you hear this?"

"On IRC." IRC is the Internet Relay Channel, a kind of chat line
for hackers and Netaphiles.

"[Chris] likes to brag about his feats," Mitnick continues. "He's
a teenager. He started dumping Tsutomu's files on IRC. A lot of
people log [capture and record] IRC. I hear he did it last year. He got
into another [Tsutomu] box."

Interesting. Not one but two Shimomura computers have been
compromised, and his files dumped on the Internet for all to see. So
much for Shimomura's great security.

"Some guys from the [military] brass went to San Diego. There
was a big security hole. Someone who took his shit might be able to
reconstruct some of the stuff he's working on."

Mitnick seems to be recounting Markoff's tale about Shimomura
being hacked last year and chastised by the NSA. Could this be the
motivation behind Shimomura's public pledge to solve the crime "as
a matter of honor"? Is he trying to save face with U.S. military
intelligence?

"Where'd you hear this?"

"It was a post [an Internet message posted publicly to a newsgroup
that follows a particular interest, in this case probably security]. I
could dig up the post."

Could this be the post Markoff mentioned?

Suddenly I hear voices in the background.

"Where are you?"

"I'm in a magazine shop."

Mitnick's searching for articles about himself.

"I think the NSA is a crock. Everybody knows about them,"
Mitnick banters, as he peruses the titles. "They are not as covert as
they think," he says, pausing. "What I'm saying is I'm sure there are
other agencies we don't know about."

"Did you ever read The Puzzle Palace?" I ask, mentioning the
bestseller on the intelligence agency.

"Yeah. I'm very interested in cryptography. I always wanted to get
a job with the NSA," Mitnick says. "I even called the NSA once. Hey,
I wonder if they [the NSA] fingerprint? You know there are ways to
change your fingerprint. They look at each print and come up with a
hash. You can take a soldering iron. Look at your thumb. See the
wedges and the loops? You can take a soldering iron and kind of burn
yourself."

■ ■ ■

The last two days have been confusing.

The Shimomura attack has become national news, springing from
the front pages of the New York Times to the pages of Newsweek.
Meanwhile, no one has connected Kevin Mitnick to the breakins.
Indeed, the only article even to mention Mitnick was the U.S.
Marshals' plea for help the day after Markoff's page-one story, and
that never hinted at any connection between the hacker and the
security man.

I have no direct evidence Mitnick executed the attack, but I do
know that Mitnick knows a tremendous amount about Shimomura.
He says Shimomura had hacker's software with which he could avoid
cellular charges. He says Shimomura was hacked last year and the
military was angry. And that last claim John Markoff has confirmed.

But the most fascinating thing was Mitnick's declaration that
Shimomura was "working for the Air Force, working on a design to
do strategic attacks on enemy foreign computer systems." An
outlandish claim coming from a hacker, but John Markoff had said that
Shimomura produced software for the Air Force.

Perhaps the untold story is as Kevin Mitnick hypothesized, that the
"government uses this code to look at other people's stuff in the
intelligence community and they don't want things fixed." No one
may ever know, but I'm wondering what software drew the intruder
to Tsutomu Shimomura's machine, and what might have been its
ultimate purpose.

February 5-9, 1995

Sunday evening I e-mail myself at the Well. The only problem
is I don't remember sending the message, let alone writing it.

Date: Sun, Feb 5 1995 20:25:24
From: Jon Liftman
To: jlittman

Tsutomu and I discussed this attack in depth, over dinner . . .
Tsutomu Shimomura and I were on the system vulnerabilities
session of the conference referenced in the article — and it was his
system that was attacked. We discussed, privately, the attack at
length. The 'tools' that were stolen are far less significant than
might be expected for three reasons:

(1) this attack, in an even more elementary form, was launched,
successfully, on his system last summer and most of the tools were
originally pilfered then — not now.

(2) the tools were mere snippets of code that require the original
code architect to string them together and compile and execute.

(3) the crackers don't necessarily need sophisticated tools, and will
be loath to use pilfered, and very complicated (i.e. easily attributed)
ones if they're intelligent, because if caught intruding it will also be
evidence they broke into a research system in San Diego . . . .

AF testing has verified that 50% of the systems on the net, within
the .af.mil domain, are vulnerable to penetration with the simplest
techniques. On 80% of those 50% my team can get root . . . [with]
simple techniques. Although the IP spoofing is interesting let's
work the math . . . data indicates that sendmail is still wide open on
most systems, even if you prevent IP spoofing sendmail is still
vulnerable. This is important because you'll have stopped one IP
spoofer, but 95 other crackers will have snatched the code
you built using sendmail . . . We need to identify the top ten
problems, and proactively prevent them. I know, metrically, what
the Air Force's top ten are and we are working on the short term
solution.

... IP spoofing is bad, but . . . our systems (yours and mine) are
vulnerable to the most elementary attacks and as long as that
stands, the exotic ones should be counted but not obsessed over.

. . . Often times I'm reluctant to post anything ... It just seemed like
everyone was thinking the same thing I was so I decided to
'share'. . .

Kevin

* * * *
Hey John, Kevin is a good name :-)

Capt Kevin J. Ziese                  [email protected]
Chief, Countermeasures Development   1-210-377-0477 Voice
AF Information Warfare Center        1-210-377-1326 Fax
1100 NW Loop 410, Suite 607          1-800-217-0570 Pager
San Antonio, Texas 78213

On Monday morning, I don't even read this bizarre piece of e-mail.
In fact, it's not until Tuesday, when I'm browsing through a host of
new messages in my Well account, that it finally hits me.
