In "The Fugitive Game: Online with Kevin Mitnick," Jonathan Littman tells the story of the most wanted criminal in the history of cyberspace.  The story is deeply ambivalent.  It seems that crime in cyberspace isn't always what it might seem.  Mr. Mitnick, while clearly breaking the law and putting security concern in the headlines, may have been more of a nuisance than a deep threat to society that he and other hackers are often made out to be.

Mr. Littman lays out the standard version of Mr. Mitnick's exploits by quoting from a January 1989 piece in the Los Angeles Times following Mr. Mitnick's arrest for, among other things, allegedly doing $4 million of damage to Digital Equipment Corp.'s computer systems:

    "Mitnick was a colorful figure, using the name 'Condor,' for a Robert Redford movie character who outwits the government.  The final digits of his unlisted home phone were '007,' reportedly billed to the name 'James Bond,' (A friend says) Mitnick broke into the North American Air Defense Command in Colorado Springs, Colorado, in 1979.  The 1983 movie 'War Games' is based upon a similar incident, in which a young hacker nearly starts World War III."

Mr Littman adds, "Over time, newspapers codified the legend.  Soon, the unchecked allegations of Mitnick's incredible feats were treated as fact.  Kevin Mitnick was the 'Condor,' the dark-side hacker, enemy of the government and the public, a hacker to dangerous to be allowed near a computer or phone."

But Mr. Littman notes that most of the government allegations faded away.  The claim of $4 million in damage was reduced to $160,000, and the government acknowledged that even the smaller figure represented the effort it took to find and strengthen the weak spots through which Mr. Mitnick had entered DEC's computers.  There was, in fact, no damage to the computers.  No proof was ever found of the stories that he broke into the North American Air Defense computers, that he compromised the security of the National Security Agency, and that he changed the credit report of a judge.  Assistant U.S. Attorney James R. Asperger is quoted as saying, "A lot of the stories we originally heard just didn't pan out." 

Still, Mr. Mitnick-25 years old at the time of his arrest-had broken any number of laws and spent a year in prison, much of it in solitary confinement.  After getting out, he began hacking again.  The FBI began watching him, then looking for him.  He went on the run.  Mr. Mitnick vaulted into the headlines again in late 1994, in stories saying that he had broken into the computer of a government security expert and gained access to billions of dollars of commercial trade secrets.  The security expert raised the stakes by saying that, as a matter of honor, he would capture Mr. Mitnick.  In February 1995, after what was portrayed as a massive manhunt, the FBI, assisted by the security expert, captured Mr. Mitnick.

As it happens, Mr. Littman had made contact with the fugitive Mr. Mitnick as part of research for a book on a different hacker, and Mr. Mitnick had called Mr. Littman frequently during 1994.  Mr. Mitnick often talked for hours at a time, unburdening himself.

Mr. Littman uses those conversations to provide an extraordinary look into the mind of a hacker.  As you might imagine, this is not the story you read in the newspapers.

STEALING BUS TRANSFERS

Mitnick's parents divorced when he was three, and he lived in a series of unmemorable apartments in the San Fernando Valley.  Although Kevin saw his father rarely, he liked him and looked up to him.  The Mitnick men were salesmen, smooth-tongued, sharp and successful.  Mitnick said his dad worked for Capitol Records, and then sold home improvement contracts.  Los Angeles Magazine would list him as one of the most successful businessman in the San Fernando Valley, but court records told another story.  Alan Mitnick filed for bankruptcy in the mid-1980s, and Los Angeles criminal filings included charges for forgery, grand theft, and battery.

Kevin was a loner, uninterested in sports and too shy for girls.  At 13, he learned how to punch out his own bus transfers, and after school he'd ride out toward San Bernardino and the desert, or down the coast to Long Beach.  No one in the family would think to scold him for tricking the transit district out of bus fare.

Bob Arkow, a bus driver, struck up a conversation with the kid on his empty bus one day.  Mitnick told him he was into citizen's band radio, and the driver asked him if he'd heard about ham radio outlet, picked up some books, and in no time earned his spam radio license.

The parallels to hacking were great.  Mitnick didn't have to pay for his radio messages.  His call sign was his identity, or "handle," and he was part of a worldwide community of radio enthusiasts.  Though cellular phones were years off into the future, he was already mastering the basic principle-radio.

To Arkow, Mitnick was just another 13-year-old boy with a new toy, making on-air personal attacks on other ham radio operators.  Soon, he was able to manipulate the phone system to harass people, too.  He began rummaging through phone company dumpsters for discarded manuals and reading Bell technological journals at the library.  Just as Mitnick rode L.A. buses for free, he could travel the long distance lines whenever and however he pleased.

FOOLING THE FBI

It's January of 1992, Mitnick is talking on the phone from his dad's apartment in Calabasas, and he's got an awful pang in his gut.  Kevin Mitnick trusts instincts.  He decides he'd better check to see if the line is being tapped. 

Mitnick phones the remote Pac Bell central office in Calabasas.  "You have one of our boxes there," he informs the technician.

Mitnick's launching another social engineering attack [meaning that he is manipulating someone into giving him information he wants.  "Social engineering," not computer trickery, is how to break into computer systems].

Mitnick listens to the tech walk down the frame and then return.  "Yeah, here it is."  "And the monitor number on that box was?"

Kevin Mitnick knows exactly what questions to ask.  He knows that when Pac Bell wants to wiretap somebody they first create a new phone line, what they call a "monitor number" in the local central office.  On the steel and wire frame where the phone lines run, Pac Bell connects the monitor line to the target line through a special interface box.  Next, Pac Bell security personnel in Oakland phone the monitor line and enter the touchtone security code 1-2-3-4 to activate the wiretap.

Mitnick's got the monitor number.  One more phone call and he figure's he'll get the number of the actual wiretap.

His car radio's playing a familiar as he cruises with his cell phone.  "This Tom Bodette for Motel Six, and we'll even leave the light on for you."

Mitnick dials Pac Bell security in San Francisco.  "Hi, this is Tom Bodette," Mitnick drawls. I can't believe I used that name! We've got a box here with your name and number.  I'm going to have to disconnect it," Bodette continues The security investigator is being very helpful.  And why not?  She's one of the half dozen phone company professionals in California that makes sure citizens are being properly wiretapped.  Intercepts.  That's what Pac Bell calls them.  It sounds less threatening than a wiretap.

"Do you need to do it now?" the security woman asks.  "Yeah.  You ready?" primes Bodette.  "Go ahead."  "OK. Hold on a minute.  I'll be right back."

This is the fun part.  Mitnick cups his hands over the phone for a couple of minutes and works himself into character.

"I, HUFF, HUFF, disconnected it.  HUFF, HUFF.  Can you give me some help connecting it back to the frame?"

The Pac Bell security woman rattles of the LEN, the line equipment number, of the wires the box has to be tied back into.  "I don't have Cosmos handy," Bodette casually offers, mentioning the Pac Bell computer database.  "What's the phone number?"

Kevin Mitnick is so smooth that even security professional doesn't even pause.  "It's 55-"  Hook, line, and sinker.  [He's not being tapped, but getting the phone number lets him play games with the FBI later on.]

Mitnick boots up the laptop he's linked to the scanner.  [Using information he's gathered largely through social engineering], he's entered his "hot list" of 15 cellular numbers into the program: FBI agents, Pac Bell security agents, [FBI informant] Eric Heinz; in short, the people trying to stick him back in jail.  Mitnick's program constantly scans for his "hot list."  If the FBI makes a cellular call in an area he's monitoring, it pops automatically onto his screen.  He watched the FBI movements and monitors who they call.  The agents might as well be wearing dog collars.

Fully aware that the Feds are tapping Mitnick's phone, his boss at Teltec [a detective agency] sees an opportunity to throw the Feds a curveball.  He prepares an impromptu script [for Mitnick to read on the phone], including the names and numbers of competing detective firms.  What better way to level the playing field than to trick the FBI into investigating his competitors?

[The FBI raids the home of Mitnick friend Lewis DePayne and seizes some electronic equipment and a microcassette that had been carefully hidden.  But Mitnick was well ahead of the authorities.]

The best part of the prank will be revealed in the days and weeks ahead.  Soon the FBI will play DePayne's secret tape and hear its own informant, Eric Heinz, talking about how's he's tapping people's phones and breaking into phone company central offices.  Then, the FBI will get to the matter of DePayne's encrypted hard disk.  Without the codes, the FBI may need to send the encrypted files to Wahington, D.C.  There the Bureau could arrange for some supercomputer time to begin the tedious processs of decrypting the codes.  And if the Bureau spends enough time and money, it will peel away the first encryption mask to reveal another encrypted layer.  And another and another and another.

For when you encrypt garbage upon garbage, in the end, even the FBI can only find garbage.

Calling the Author

[After Mitnick barely escapes an attempt by FBI agents to catch him, he starts calling the author to explain himself.]  "I would never snag somebody'd credit card and [buy things with it], unless it would be a phone card or something like that.  I must admit I did that type of thing in the past; I did that five years ago and more."

Five years just happens to be the statute of limitations on most federal crimes.  Is this the cyberfugitive's standard disclaimer, the small print at the bottom of the computer screen?  Does Kevin Mitnick really think I believe that everything he did happened at least five years ago?

"I kind of used it as a way to mask my location."  Mitnick continues.  "But as far as actually ordering equipment or getting cash from people's cards, that was a line I did not cross."

"With DEC, all I did was take it [the company's latest source code to it VMS operating system] to learn and figure out the holes in it.  There was no ulterior motive to wreak havoc or anything.  I kind of justified to myself that's OK."

Mitnick offers me an analogy to put wht he's done in perspective, to explain how he believes the government has overblown his crimes. 

"If I went to Ralph's supermarket and took a 49-cent Bic pen, would they say I stole something they spent four million to develop and three million to market, and therefore the penalty will be seven million and they will have to hire three new security guards to watch the pens?"

"It's crazy," he fumes.  "They charge the hacker with the time it takes to make security better." 

"Why you, I ask. 

"They prefer to go after somebody already painted with a bad history.  They'd prefer to use a  scapegoat rather than somenody new." 

Mitnick's getting emotional.  Suddenly, he starts telling me he wishes it never happened, that he'd never set eyes on a computer or a cellular phone.  It's the closet he's got to telling me about his past, his childhood.