Book Excerpt: Most Wanted Hacker

In "The Fugitive Game: Online with Kevin Mitnick," Jonathan Littman tells the story of the most wanted criminal in the history of cyberspace.  The story is deeply ambivalent.  It seems that crime in cyberspace isn't always what it might seem.  Mr. Mitnick, while clearly breaking the law and putting security concerns in the headlines, may have been more of a nuisance than the deep threat to society that he and other hackers are made out to be.

Mr. Littman lays out the standard version of Mr. Mitnick's exploits by quoting from a January 1989 piece in the Los Angeles Times following Mr. Mitnick's arrest for, among other things, allegedly doing $4 million of damage to Digital Equipment Corp.'s computer systems:

"Mitnick was a colorful figure, using the name 'Condor,' for a Robert Redford movie character who outwits the government.  The final digits of his unlisted home phone were '007,' reportedly billed to the name 'James Bond.'  (A friend says) Mitnick broke into the North American Air Defense Command in Colorado Springs, Colorado, in 1979.  The 1983 movie, 'War Games' is based upon a similar incident, in which a young hacker nearly starts World War III."

Mr. Littman adds, "Over time, newspapers codified the legend.  Soon, the unchecked allegations of Mitnick's incredible feats were treated as fact.  Kevin Mitnick was the 'Condor,' the dark-side hacker, enemy of the government and public, a hacker too dangerous to be allowed near a computer or phone."

But Mr. Littman notes that most of the government allegations faded away. The claim of $4 million in damage was reduced to $160,000, and the government acknowledged that even the smaller figure represented the effort it took to find and strengthen the weak spots through which Mr. Mitnick had entered DEC's computers. There was, in fact, no damage to the computers. No proof was ever found of the stories that he broke into the North American Air Defense computers, that he compromised the security of the National Security Agency, and that he changed the credit report of a judge. Assistant U.S. Attorney James R. Asperger is quoted as saying, "A lot of the stories we originally heard just didn't pan out."

Still, Mr. Mitnick, 25 years old at the time of his arrest, had broken any number of laws and spent a year in prison, much of it in solitary confinement. After getting out, he began hacking again. The FBI began watching him, then looking for him. He went on the run. Mr. Mitnick vaulted into the headlines again in late 1994, in stories saying that he had broken into the computer of a government security expert and gained access to billions of dollars of commercial trade secrets. The security expert raised the stakes by saying that, "as a matter of honor," he would capture Mr. Mitnick. In February 1995, after what was portrayed as a massive manhunt, the FBI, assisted by the security expert, captured Mr. Mitnick.

As it happens, Mr. Littman had made contact with the fugitive Mr. Mitnick as part of research for a book on a different hacker, and Mr. Mitnick had called Mr. Littman frequently during 1994. Mr. Mitnick often talked for hours at a time, unburdening himself.

Mr. Littman uses those conversations to provide an extraordinary look into the mind of a hacker. As you might imagine, this is not the story you read in the newspapers.


STEALING BUS TRANSFERS

Mitnick's parents divorced when he was three, and he lived in a series of unmemorable apartments in the San Fernando Valley. Although Kevin saw his father rarely, he liked him and looked up to him. The Mitnick men were salesmen, smooth-tongued, sharp and successful. Mitnick said his dad worked for Capitol Records, and then sold home improvement contracts. Los Angeles Magazine would list him as one of the most successful businessmen in the San Fernando Valley, but court records told another story. Alan Mitnick filed for bankruptcy in the mid-1980's, and Los Angeles criminal filings included charges for forgery, grand theft, and battery.

Kevin was a loner, uninterested in sports and too shy for girls. At age 13, he learned how to punch out his own bus transfers and after school he'd ride out toward San Bernardino and the desert, or down the coast to Long Beach. No one in the family would think to scold him for tricking the transit district out of bus fare.

Bob Arkow, a bus driver, struck up conversation with the kid on his empty bus one day. Mitnick told him he was into citizen's band radio, and the driver asked him if he'd heard about ham radio. That's all it took. Mitnick went to the ham radio outlet, picked up some books, and in no time earned his own ham radio license.

The parallels to hacking were great. Mitnick didn't have to pay for his radio messages. His call sign was his identity, or "handle identity," and he was part of a worldwide community of radio enthusiasts. Though cellular phones were years off into the future, he was already mastering the basic principle—radio.

To Arkow, Mitnick was just another 13-year-old boy with a new toy, making on-air personal attacks on other ham radio operators. Soon, he was able to manipulate the phone system to harass people, too. He began rummaging through phone company dumpsters for discarded manuals and reading Bell technological journals at the library. Just as Mitnick rode L.A. buses free, he could travel the long distance lines whenever he pleased.


FOOLING THE FBI

It's January of 1992. Mitnick is talking on the phone from his dad's apartment in Calabasas, and he's got an awful pang in his gut. Kevin Mitnick trusts his instincts. He decides he'd better check to see if the line is being tapped. Mitnick phones the remote Pac Bell central office in Calabasas.

"You have one of our boxes there," he informs the technician. Mitnick's launching another social engineering attack [meaning that he is manipulating someone into giving him the information he wants. "Social engineering," not computer trickery, is how most hackers learn how to break into computer systems].

Mitnick listens to the tech walk down the frame and then return. "Yeah, here it is." "And the monitor number on the box was?"

Kevin Mitnick knows exactly what questions to ask. He knows that when Pac Bell wants to wiretap somebody they first create a new phone line, what they call a "monitor number" in the local central office. On the steel and wire frame where the phone lines run, Pac Bell connects the monitor line to the target line through a special interface box. Next, Pac Bell security personnel in Oakland phone the monitor line and enter the touchtone security code 1-2-3-4 to activate the wiretap.

Mitnick's got the monitor number. One more phone call and he figures he'll get the number of the actual wiretap.

His car radio's playing a familiar ad as he cruises with his cell phone. "This is Tom Bodette for Motel Six, and we'll leave the light on for you."

Mitnick dials Pac Bell security in San Francisco.

"Hi, this is Tom Bodette," Mitnick drawls.

I can't believe I used that name!

"We've got a box here with your name and number. I'm going to have to disconnect it," Bodette continues.

The security is being very helpful. And why not? She's one of the half dozen phone company professionals in California that makes sure citizens are being properly wiretapped. Intercepts. That's what Pac Bell calls them. It sounds less threatening than a wiretap.

"Do you need to do it now?" the security woman asks.

"Yeah. You ready?" primes Bodette.

"Go ahead."

"OK. Hold on a minute. I'll be right back."

This is the fun part. Mitnick cups his hand over the phone a couple of minutes and works himself into character.

"I HUFF, HUFF, disconnected it. HUFF, HUFF. Can you give me some help connecting it back to the frame?"

The Pac Bell security woman rattles off the LEN, the line equipment number, of the wires the box has to be tied back into.

"I don't have Cosmos handy," Bodette casually offers, mentioning the Pac Bell computer database. "What's the phone number?"

Kevin Mitnick is so smooth that the security professional doesn't even pause.

"It's 55-"

Hook, line, and sinker. [He's not being tapped, but getting the phone number lets him play games with the FBI later on.]

Mitnick boots up the laptop he's linked to the scanner. [Using information he's gathered largely through social engineering], he's entered his "hot list" of 15 cellular numbers into the program: FBI agents, Pac Bell security agents, [FBI informant] Eric Heinz; in short, the people trying to stick him back in jail. Mitnick's scanning gear isn't unique. Some of the best law enforcement agencies in the country use it to pursue drug dealers, mobsters, and other big-time criminals. Kevin Mitnick uses it to track the FBI.

Mitnick's program constantly scans for his "hot list." If the FBI makes a cellular call in an area he's monitoring, it pops up automatically onto his screen. He watches the FBI movements and monitors who they call. The agents might as well be wearing electronic dog collars.

Fully aware that the Feds are tapping Mitnick's phone, his boss at Teltec [a detective agency] sees an opportunity to throw the Feds a curveball. He prepares an impromptu script [for Mitnick to read on the phone], including the names and numbers of competing detective firms. What better way to level the playing field than to trick the FBI into investigating his competitors?

[The FBI raids the home of Mitnick friend Lewis DePayne and seizes some electronic equipment and a microcassette that had been carefully hidden. But Mitnick was well ahead of authorities.]

The best part of the prank will be revealed in the days and weeks ahead. Soon the FBI will play DePayne's tape and hear its own informant, Eric Heinz, talking about how he's tapping people's phones and breaking into phone company central offices. Then, the FBI will get to the matter of DePayne's encrypted hard disk. Without the codes, the FBI may need to send the encrypted files to Washington, D.C. There the Bureau could arrange for some supercomputing time to begin the tedious process of decrypting the codes. And if the Bureau spends enough time and enough money, it will peel away the first encrypted mask to reveal another encrypted layer. And another and another and another.

For when you encrypt garbage upon garbage, in the end, even the FBI can only find garbage.


CALLING THE AUTHOR

[After Mitnick barely escapes an attempt by FBI agents to catch him, he starts calling the author to explain himself.] "I would never snag somebody's credit card and [buy things with it], unless it would be a phone card or something like that. I must admit I did that type of thing in the past; I did that five years ago and more."

Five years just happens to be the statute of limitations on most federal crimes. Is this the cyberfugitive's standard disclaimer, the small print at the bottom of the computer screen? Does Kevin Mitnick really think I believe that everything he did happened at least five years ago?

"I kind of used it as a way to mask my location," Mitnick continues. "But as far as actually ordering equipment or getting cash from people's cards, that was a line I didn't cross."

"With DEC, all I did was take it [the company's latest source code to its VMS operating system] to learn and figure out the holes in it. There was no ulterior motive to wreak havoc or anything. I kind of justified to myself that's OK."

Mitnick offers me an analogy to put what he's done in perspective, to explain how he believes the government has overblown his crimes.

"If I went into Ralph's supermarket and took a 49-cent Bic pen, would they say I stole something they spent four million to develop and three million to market, and therefore will have to hire three new security guards to watch the pens?"

"It's crazy," he fumes. "They charge the hacker with the time it takes to make security better."

"Why you?" I ask.

"They prefer to go after somebody already painted with a bad history. They'd prefer to use a scapegoat rather than somebody new."

Mitnick's getting emotional. Suddenly, he starts telling me he wishes it had never happened, that he'd never set eyes on a computer or a cellular phone. It's the closest he's gotten to telling me about his past, his childhood.

Now he's telling me why he can't resist the temptation. "People who use computers are very trusting, very easy to manipulate. I know the computer systems of the world are not as safe as they think," Mitnick proclaims with obvious pride. "Information is not safe. Only military computers are secure."

Kevin Mitnick worships technology. "I believe it's fascinating, the marvel of communications and technology. A little palmtop that can store masses of data or do intense calculations. The ability to walk down the street and talk to someone at the other end of the world.

"I have the ability to find anybody I want to find. I'm very good at what I do. I was teaching private investigators. They were amazed. High-tech private investigator firms aren't what they are cracked up to be. They go and pay somebody off at the DMV, or at the IRS. They grease the palm, I do it with a laptop and a cell phone."

Mitnick's all revved up, jumping rapidly from thought to thought.

"It's been a unique learning experience. My philosophy, it's hard to explain. It's like a high-tech game, figuring out how to crack a computer. How to actually outwit opponents."

Suddenly Mitnick's depressed. Maybe the thought of his opponent just reminded him he's a wanted man.

"Why do you think the government is taking you so seriously?" I asked.

"They're afraid because the technology is new. They [the FBI agents] are not up on it. They are used to old-fashioned, stick'em up crime. This is something new, something they can be violated with. They've convinced the public they are in great danger."

"So do you think you're a criminal?"

"No, I don't think of myself as a criminal. But if the technology laws are like Singapore, where it's illegal to chew gum…." Mitnick sighs. "I guess I'm a criminal."

"I'm the type who's a master safecracker. I would read your will, your diary, put it back, not take the money, shut the safe, and do it so you never knew I was there. I'd do it because it's neat, because it's a challenge. I love the game."


In the end Mr. Mitnick lost the game. The author says the security expert whose computer was violated tracked Mr. Mitnick even though he quickly realized that Mr. Mitnick probably wasn't capable of the break-in and certainly wasn't the one leaving taunting messages on his answering machine. Once the search began in earnest, it took only a few days of hard work to decide Mr. Mitnick's phone calls were originating from Raleigh-Durham, N.C. It took only half an hour of searching with special equipment to locate the apartment complex where he was staying. Two days later Mr. Mitnick was in jail.

The author says: "The simple, unglamorous truth was that Kevin Mitnick, whatever his threat to cyberspace and society, was not that hard to find."

Once again, many of the concerns raised by cybercrime were overblown. An Assistant U.S. Attorney's assertion that billions of dollars of trade secrets were at stake was cut to millions, and Mr. Littman says that even those claims were suspect. He quotes one story saying that Mr. Mitnick stole a piece of software valued at $500,000 to $1 million—but that software was on the Internet for free. While Mr. Mitnick allegedly stole valuable software from cellular phone companies, he was apparently trying to decipher it for personal use and wasn't trying to sell it. Motorola, one of the victims, characterized Mr. Mitnick's theft as a nuisance, not a major loss.

One story said Mr. Mitnick had nearly wiped out a venerable on-line community, the Well, by erasing all of its accounting records. The Well said, however, that he had accidentally erased one file. The Well had backups for all files.

Still, by being the poster child for hacking, Mr. Mitnick had raised enough concerns about security that he surely helped slow any move toward electronic commerce. And he had certainly broken the law. He is still in jail, preparing for trial.


From the book The Fugitive Game: Online with Kevin Mitnick by Jonathan Littman. Little Brown. 288 pages.




Copyright © 1997 - 2008 Diamond Management & Technology Consultants, Inc.