pbzfsobp dkfobtpkx lq pbkfi ppbkfpry aoxtolc iixz lq abpr bobt pbzfsba cl bmvq obail bpbeQ
After I figured out how to obtain unpublished numbers, finding out information about people—friends, friends of friends, teachers, even strangers—held a fascination for me. The Department of Motor Vehicles is a great storehouse of information. Was there any way I could tap it?
For openers, I simply called a DMV office from the pay phone in a restaurant and said something like, “This is Officer Campbell, LAPD, Van Nuys station. Our computers are down, and some officers in the field need a couple of pieces of information. Can you help me?”
The lady at the DMV said, “Why aren’t you calling on the law enforcement line?”
Oh, okay—there was a separate phone number for cops to call. How could I find out the number? Well, obviously the cops at the police station would have it, but… was I really going to call the police station to get information that would help me break the law? Oh, yeah.
Placing a call to the nearest station house, I said I was from the Los Angeles County Sheriff’s Department, we needed to call the DMV, and the officer who had the number for the law enforcement desk was out. I needed the operator to give me the number. Which she did. Just like that.
(As I was recounting this story recently, I thought I still remembered that DMV law enforcement phone number or could still get it. I picked up the phone and dialed. The DMV has a Centrex phone system, so all the numbers have the same area code and prefix: 916-657. Only the extension number—the last four digits—varies by department. I just chose those last digits at random, knowing I’d get somebody at the DMV, and I’d have credibility because I was calling an internal number.
The lady who answered said something I didn’t get.
I said, “Is this the number for law enforcement?”
She said, “No.”
“I must have dialed wrong,” I said. “What’s the number for law enforcement?”
She gave it to me! After all these years, they still haven’t learned.)
After phoning the DMV’s law enforcement line, I found there was a second level of protection. I needed a “Requester Code.” As in the past, I needed to come up with a cover story on the spur of the moment. Making my voice sound anxious, I told the clerk, “We’ve just had an urgent situation come up here, I’ll have to call you back.”
Calling the Van Nuys LAPD station, I claimed to be from the DMV and said I was compiling a new database. “Is your Requester Code 36472?”
“No, it’s 62883.”
(That’s a trick I’ve discovered very often works. If you ask for a piece of sensitive information, people naturally grow immediately suspicious. If you pretend you already have the information and give them something that’s wrong, they’ll frequently correct you—rewarding you with the piece of information you were looking for.)
With a few minutes’ worth of phone calls, I had set myself up for getting the driver’s license number and home address of anyone in the state of California, or running a license plate and getting the details such as the owner’s name and address, or running a person’s name and getting details about his or her car registration. At the time it was just a test of my skills; in the years ahead the DMV would be a rich lode that I would use in myriad ways.
All these extra tools I was accumulating were like the sweet at the end of a meal. The main course was still my phone phreaking. I was calling a lot of different Pacific Telephone and General Telephone departments, collecting information to satisfy that “What information can I get?” urge, making calls to build my knowledge bank of the companies’ departments, procedures, and lingo and routing my calls through some long-distance carriers to make them harder to trace. Most of this from my mom’s phone in our condominium.
Of course phreakers like to score points by showing other phreakers what new things they’ve learned how to do. I loved pulling pranks on friends, phreakers or not. One day I hacked into the phone company switch serving the area where my buddy Steve Rhoades lived with his grandmother, changing the “line class code” from residential to pay phone. When he or his grandmother tried to place a call, they would hear, “Please deposit ten cents.” Of course he knew who had done it, and called to complain. I promised to undo it, and I did, but changed the service to a prison pay phone. Now when they tried to make a call, an operator would come on the line and say, “This will be a collect call. What is your name, please.” Steve called to say, “Very funny—change it back.” I had my laughs; I changed it back.
Phone phreakers had discovered a way to make free phone calls, taking advantage of a flaw in some types of “diverters”—devices that were used to provide call forwarding (for example, to an answering service) in the days before call forwarding was offered by the phone companies. A phreaker would call at an hour when he knew the business would be closed. When the answering service picked up, he would ask something like, “What hours are you open?” When the person who had answered disconnected the line, the phreaker would stay on; after a few moments, the dial tone would be heard. The phreaker could then dial a call to anywhere in the world, free—with the charges going to the business.
The diverter could also be used to receive incoming calls for call-backs during a social-engineering attack.
In another approach with the diverter, the phreaker dialed the “automatic number identification,” or ANI number, used by phone company technicians, and in this way learned the phone number for the outgoing diverter line. Once the number was known, the phreaker could give out the number as “his” callback. To answer the line, the phreaker just called the business’s main number that diverted the call. But this time, when the diverter picked up the second line to call the answering service, it effectively answered the incoming call.
I used this way of talking with my friend Steve late one night. He answered using the diverter line belonging to a company called Prestige Coffee Shop in the San Fernando Valley.
We were talking about phone phreaking stuff when suddenly a voice interrupted our conversation.
“We are monitoring,” the stranger said.
Steve and I both hung up immediately. We got back on a direct connection, laughing at the telephone company’s puny attempt to scare us, talking about what idiots the people who worked there were. The same voice interrupted again: “We are still monitoring!”
Who were the idiots now?
Sometime later, my mom received a letter from General Telephone, followed by an in-person visit from Don Moody, the head of Security for the company, who warned her that if I didn’t stop what I was doing, GTE would terminate our telephone service for fraud and abuse. Mom was shocked and upset by the idea of losing our phone service. And Moody wasn’t kidding. When I continued my phreaking, GTE did terminate our service. I told my mom not to worry, I had an idea.
The phone company associated each phone line with a specific address. Our terminated phone was assigned to Unit 13. My solution was pretty low-tech: I went down to the hardware store and sorted through the collection of letters and numbers that you tack up on your front door. When I got back to the condo, I took down the “13” and nailed up “12B” in its place.
Then I called GTE and asked for the department that handled provisioning. I explained that a new unit, 12B, was being added to the condominium complex and asked them to adjust their records accordingly. They said it would take twenty-four to forty-eight hours to update the system.
I waited.
When I called back, I said I was the new tenant in 12B and would like to order phone service. The woman at the phone company asked what name I’d like the number listed under.
“Jim Bond,” I said. “Uh, no… why not make that my legal name? James.”
“James Bond,” she repeated, making nothing of it—even when I paid an extra fee to choose my own number: 895-5… 007.
After the phone was installed, I took down the “12B” outside our door and replaced it with “13” again. It was several weeks before somebody at GTE caught on and shut the service down.
Years later I would learn that this was when GTE started a file on me. I was seventeen years old.
About the same time, I got to know a man named Dave Kompel, who was probably in his midtwenties but had not outgrown teenage acne that was so bad it disfigured his appearance. In charge of maintaining the Los Angeles Unified School District’s PDP-11/70 minicomputer running the RSTS/E operating system, he—along with a number of his friends—possessed computer knowledge I highly prized. Eager to be admitted into their circle so they would share information with me, I made my case to Dave and one of his friends, Neal Goldsmith. Neal was an extremely obese guy with short hair who appeared to be coddled by his wealthy parents. His life seemed to be focused only on food and computers.
Neal told me they’d agreed to allow me into their circle, but I had to prove myself first. They wanted access to a computer system called “the Ark,” which was the system at Digital Equipment used by the development group for RSTS/E. He told me, “If you can hack into the Ark, we’ll figure you’re good enough for us to share information with.” And to get me started, Neal already had a dial-up number that he had been given by a friend who worked on the RSTS/E Development Team.
He gave me that challenge because he knew there was no way in the world I’d be able to do it.
Maybe it really was impossible, but I sure was going to try.
The modem number brought up a logon banner on the Ark, but of course you had to enter a valid account number and password. How could I get those credentials?
I had a plan I thought might work, but to get started I would need to know the name of a system administrator—not someone in the development group itself but one of the people who managed the internal computer systems at Digital. I called the switchboard for the facility in Merrimack, New Hampshire, where the Ark was located, and asked to be connected to the computer room.
“Which one?” the switchboard lady asked.
Oops. I hadn’t ever thought to research which lab the Ark was in. I said, “For RSTS/E development.”
“Oh, you mean the raised-floor lab. I’ll connect you.” (Large computer systems were often mounted on raised floors so all the heavy-duty cabling could be run underneath.)
A lady came on the line. I was taking a gamble, but they wouldn’t be able to trace the call, so even if they got suspicious, I had little to lose.
“Is the PDP-11/70 for the Ark located in this lab?” I asked, giving the name of the most powerful DEC minicomputer of the time, which I figured the development group would have to be using.
She assured me it was.
“This is Anton Chernoff,” I brazenly claimed. Chernoff was one of the key developers on the RSTS/E Development Team, so I was taking a big risk that she wouldn’t be familiar with his voice. “I’m having trouble logging in to one of my accounts on the Ark.”
“You’ll have to contact Jerry Covert.”
I asked for his extension; she didn’t hesitate to give it to me, and when I reached him, I said, “Hey, Jerry, this is Anton,” figuring that even if he didn’t know Chernoff personally, he was almost certain to know the name.
“Hey, how’re you doing?” he answered jovially, obviously not familiar enough with Chernoff in person to know that I didn’t sound like him.
“Okay,” I said, “but did you guys delete one of my accounts? I created an account for testing some code last week, and now I can’t log in.” He asked what the account log-in was.
I knew from experience that under RSTS/E, account numbers were a combination of the project number and the programmer number, such as 1,119—each number running up to 254. Privileged accounts always had the project number of 1. And I had discovered that the RSTS/E Development Team used programmer numbers starting at 200.
I told Jerry that my test account was “1,119,” crossing my fingers that it wasn’t assigned to anyone.
It was a lucky guess. He checked and told me there wasn’t any 1,119 account. “Damn,” I answered. “Somebody must have removed it. Can you re-create it for me?”
What Chernoff wanted, Chernoff got. “No problem,” Jerry said. “What password do you want?”
I spotted a jar of strawberry jelly in the kitchen cabinet across from me. I told him, “Make it ‘jelly.’ ”
In hardly more than a blink, he said, “Okay, all done.”
I was stoked, the adrenaline running high. I could hardly believe it could’ve been so easy. But would it really work?
From my computer, I called the dial-in number my would-be mentor Neal had given me. The call connected and this text appeared:
RSTS V7.0-07 * The Ark * Job 25 KB42 05-Jul-80 11:17 AM
# 1,119
Password:
Dialup password:
Damn, damn, damn. I dialed Jerry Covert back, again as Chernoff. “Hey, I’m dialing in from home, and it’s asking for a dial-up password.”
“You didn’t get it in your email? It’s ‘buffoon.’ ”
I tried again and I was in!
Before anything else, I started grabbing all the passwords for the guys in the development team.
When I got together with Neal, I told him, “Getting into the Ark was a snap. I have every RSTS/E developer’s password.” He rolled his eyes with an expression that said, What’s this guy been smoking?
He dialed the modem number and got to the Ark’s log-in banner. Telling him to “move over,” I typed the log-on credentials and got the “Ready” prompt.
“Satisfied, Neal?” I asked.
He couldn’t believe what he was seeing. It was like I had shown him a winning lottery ticket. After they had picked my brain for details of how I had gained access, Neal, Dave, and a few other friends went to a company called PSI near Culver City, where they had the newest, fastest modems, running at 1,200 baud—four times as fast as the 300-baud modems the rest of us had. The guys started downloading the RSTS/E source code.
The old adage says there’s no honor among thieves. Instead of taking me into their confidence and sharing information, they downloaded the source code for RSTS/E and kept it to themselves.
I learned later that these bastards actually called DEC and told them the Ark had been hacked, and gave my name as the hacker. Total betrayal. I had no suspicion these guys would dream of snitching on me, especially when they had reaped such rich rewards. It was the first time of many instances to come when the people I trusted would betray me.
At seventeen, I was still in high school but dedicated to working on what might be called a PhD in RSTS/E hacking. I would find targets by checking want ads for companies looking to hire a computer person experienced with RSTS/E. I’d call, claiming to be from DEC Field Support, and was usually able to talk a system administrator into revealing dial-up numbers and privileged account passwords.
In December 1980, I ran into a kid named Micah Hirschman, whose father happened to have an account with a company called Bloodstock Research, which used a RSTS/E system; I assume the company kept historical records on the bloodlines of racehorses for breeders and bettors. I used the Hirschman account to connect to Bloodstock Research so I could exploit a security flaw and gain access to a privileged account, then Micah and I played with the operating system to teach ourselves about it, basically for kicks.
The episode blew up in our faces. Micah logged in late one night without me, and Bloodstock spotted the break-in and alerted the FBI, telling them that the attack had been through the Hirschman account. The Feds paid Mr. Hirschman a visit. He denied knowing anything about the attack. When they pressured him, he fingered his son. Micah fingered me.
I was in my bedroom on the second floor of our condo, online, hacking into the Pacific Telephone switches over a dial-up modem. Hearing a knock at the front door, I opened my window and called down, “Who is it?” The answer was one that I would come to have nightmares about: “Robin Brown, FBI.”
My heart began pounding.
Mom called to me, “Who is it?”
“A man who says he’s from the FBI,” I called back.
Mom just laughed. She didn’t know who it was but she didn’t think it could possibly be the FBI.
I was in a panic, already hanging up the phone from the computer modem cradle and stashing under the bed the TI-700 computer terminal Lewis De Payne had lent me for a few weeks. Back then, before the days of the personal computer, all I had was a terminal and a modem that I was using to connect to a system at a company or university. No computer monitor: the responses to my commands would print out on a long roll of thermal paper.
I was flashing on the fact that I had a ton of that thermal paper under my bed, filled with data that would show I had been hacking for many hours a week into telephone company computers and switches, as well as a load of computers at private firms.
When I went downstairs, the agent offered me his hand, and I shook it. “I busted Stanley Rifkin,” he told me, understanding that I’d know whom he was talking about: the guy who had pulled off the biggest theft of its kind in history, stealing $10 million from Security Pacific National Bank by a wire-transfer ruse. The agent thought that would scare me, except I knew that Rifkin had been caught only because he had returned to the States and then blabbed about what he had done. Otherwise he’d still be living abroad in luxury.
But this guy was a Fed, and there still weren’t any federal laws covering the kind of computer break-ins I was doing. He said, “You can get twenty-five years if you continue messing with the phone company.” I knew he was powerless, just trying to scare me.
It didn’t work. As soon as he left, I went right back online. I didn’t even burn the printouts. Yes, it was stupid. I was already incorrigible.
If the agent’s visit didn’t give me any chills, my mother’s reaction was not what you might expect. To her, the whole thing was like a dumb joke: What harm could a boy come to just from playing with a computer at home? She had no concept of what I was up to.
The thrill and satisfaction of doing things I wasn’t supposed to do were just too great. I was consumed by a fascination with the technology of phones and computers. I felt like an explorer, traveling cyberspace without limitations, sneaking into systems for the pure thrill and satisfaction, outsmarting engineers with years of experience, figuring out how to bypass security obstacles, learning how things worked.
It wasn’t long before I began experiencing some turbulence from the authorities. Micah had left shortly after for a trip to Paris. The Air France flight had been in the air for a couple of hours when an announcement came over the PA system: “Mr. Micah Hirschman, please turn on your stewardess call button.” When he did, a stewardess came to him and said, “The pilot wants to speak with you in the cockpit.” You can just imagine his surprise.
He was led to the cockpit. The copilot spoke into the radio to say Micah was present, then handed him a microphone. A voice over the radio said, “This is FBI Special Agent Robin Brown. The Bureau has learned that you have left the country, headed for France. Why are you going to France?”
The whole situation made no sense. Micah gave his answer, and the agent grilled him for a few minutes. It turned out the Feds thought that Micah and I were pulling off some Stanley Rifkin–style big computer hack, maybe setting up a phony transfer of millions from a U.S. bank to some other bank in Europe.
It was like a scene from a caper movie, and I loved the thrill of it.
After getting a taste of that kind of excitement, I was hooked—and I hungered for more. In high school my brain was so occupied with hacking and phreaking that I had little attention or motivation left for the classroom. Happily, I discovered a solution that was one big step better than becoming a dropout or waiting for the Los Angeles School District to show its displeasure by kicking me out.
Passing the GED exam would give me the equivalent of a high school diploma without wasting any more of my time or my teachers’ time. I signed up for the exam, which turned out to be way easier than I had expected—about an eighth-grade level, I thought.
What could be better than becoming a college student studying computers, working toward a degree while feeding my insatiable thirst for computer knowledge? In the summer of 1981, at the age of seventeen, I enrolled at Pierce College, a two-year school in nearby Woodland Hills.
The school’s computer-room manager, Gary Levi, recognized my passion. He took me under his wing, giving me special status by allowing me to have a “privileged account”—on the RSTS/E system.
His gift had an expiration date. He left the school; not long after, the Computer Science chair, one Chuck Alvarez, noticed I was logged in to a privileged account and told me to sign off immediately. I explained that Levi had given me permission, but it didn’t wash; he booted me from the computer lab. My dad went in with me for a meeting with Alvarez, who offered as an excuse, “Your son already knows so much about computers that there is nothing Pierce College can teach him.”
I dropped out.
I had lost my access to a great system, but in the late 1970s and the beginning of the 1980s, the world of personal computing went through a dramatic transition period, bringing the first desktop machines that included a monitor or even had one built in. The Commodore PET, the Apple II, and the first IBM PC began to make computers a tool for everyone, and to make computers much more convenient for heavy users… including computer hackers. I couldn’t have been happier.
Lewis De Payne had been my closest hacking and phreaking partner just about from that first time he called and said he wanted to get together and learn from me. Even though he was five years older—which at that stage of life makes quite a difference—we shared the same boyish exhilaration from phone phreaking and hacking. And we shared the same goals: access to companies’ computers, access to passwords, access to information that we weren’t supposed to have. I never damaged anyone’s computer files or made any money from the access I gained; as far as I know, Lewis didn’t either.
And we trusted each other—even though his values were, well, different from mine. A prime example was the U.S. Leasing hack.
I got into U.S. Leasing’s system using a tactic that was so ridiculously easy I should have been embarrassed to try it. It went like this.
I would call the company I’d targeted, ask for their computer room, make sure I was talking to a system administrator, and tell him, “This is [whatever fictitious name popped into my head at that moment], from DEC support. We’ve discovered a catastrophic bug in your version of RSTS/E. You could lose data.” This is a very powerful social-engineering technique, because the fear of losing data is so great that most people won’t hesitate to cooperate.
With the person sufficiently scared, I’d say, “We can patch your system without interfering with your operations.” By that point the guy (or, sometimes, lady) could hardly wait to give me the dial-up phone number and access to the system-manager account. If I got any pushback, I’d just say something like, “Okay, we’ll send it to you in the mail” and move on to try another target.
The system administrator at U.S. Leasing gave me the password to the system manager account without a blink. I went in, created a new account, and patched the operating system with a “backdoor”—software code that sets me up so I’d be able to gain covert access whenever I want to get back in.
I shared details of the backdoor with Lewis when we next spoke. At the time Lewis was dating a wannabe hacker who sometimes went by the name of Susan Thunder and who later told one interviewer that in those days she had sometimes worked as a prostitute, but only to raise money for buying computer equipment. I still roll my eyes when I think about that line. Anyway, Lewis told Susan that I had broken into U.S. Leasing and gave her the credentials. Or maybe, as he later claimed, he didn’t give them to her but she saw them written on a notepad he had left alongside his computer.
Shortly after, the two of them had a falling-out and parted company, I guess with some bad feelings. She then took revenge on me. To this day, I don’t know why I was the target, unless perhaps she thought Lewis had broken up with her so he could spend more time with me, hacking, and so blamed me for the breakup.
Whatever the reason, she reportedly used the stolen credentials to get into the U.S. Leasing computer systems. The later stories about the incident said she had destroyed many of their files. And that she had sent messages to all their printers to print out, over and over until they ran out of paper:
MITNICK WAS HERE
MITNICK WAS HERE
FUCK YOU
FUCK YOU
What really burned me about this whole affair was that in a later plea agreement, the government insisted on including this act that I didn’t commit. I was faced with a choice between confessing to this abusive, ridiculous act and going to juvenile prison.
Susan waged a vendetta against me for some time, disrupting my phone service, and giving the phone company orders to disconnect my telephone number. My one small act of revenge came about by chance. Once, in the middle of a phone company hack, I needed one telephone line that would ring and ring, unanswered. I dialed the number of a pay phone I happened to know by heart. In one of those small-world coincidences that happen to most of us now and then, Susan Thunder, who lived nearby, was walking past that particular phone booth just at that moment. She picked up the telephone and said hello. I recognized her voice.
I said, “Susan, it’s Kevin. I just want you to know I’m watching every move you make. Don’t fuck with me!”
I hope it scared the hell out of her for weeks.
I’d been having fun, but my evading the law wasn’t going to last forever.
By May 1981, still age seventeen, I had transferred my extracurricular studies to UCLA. In the computer lab, the students were there to do homework assignments or to learn about computers and programming. I was there to hack into remote computers because we couldn’t afford a computer at home, so I had to find computer access at places like universities.
Of course, the machines in the student computer lab had no external access—you could dial out from the modem at each station, but only to another campus phone number, not to an outside number—which meant they were essentially worthless for what I wanted to do.
No sweat. On the wall of the computer room was a single telephone with no dial: it was for incoming calls only. Just as I had in Mr. Christ’s computer lab in high school, I would pick up the handset and flick the switch hook, which had the same effect as dialing. Flashing nine times in quick succession, equivalent to dialing the number “9,” would get me a dial tone for an outside line. Then I would flash ten times, equivalent to dialing “0,” for an operator.
When the operator came on the line, I’d ask her to call me back at the phone number for the modem at the computer terminal I was using. The computer terminals in the lab at that time did not have internal modems. Instead, to make a modem connection, you had to place the telephone handset into an adjacent acoustic coupler, which sent signals from the modem into the telephone handset and out over the phone lines. When the operator called back on the modem telephone, I’d answer the call and ask her to dial a phone number for me.
I used this method to dial in to numerous businesses that used DEC PDP-11’s running RSTS/E. I was able to social-engineer their dial-ups and system credentials using the DEC Field Support ruse. Since I didn’t have a computer of my own, I was like a drifter moving from one college campus to another to get the dose of computer access that I so desperately wanted. I felt such an adrenaline rush driving to a college campus to get online. I would drive, over the speed limit, for forty-five minutes even if it meant only fifteen minutes of computer time.
I guess it just never occurred to me that a student at one of these computer labs might overhear what I was doing and blow the whistle on me.
Not until the evening when I was sitting at a terminal in a lab at UCLA. I heard a clamor, looked up, and saw a swarm of campus cops rushing in and heading straight for me. I was trying hard to appear concerned but confident, a kid who didn’t know what the fuss was all about.
They pulled me up out of the chair and clamped on a pair of handcuffs, closing them much too tightly.
Yes, California now had a law that criminalized hacking. But I was still a juvenile, so I wasn’t facing prison time.
Yet I was panicked, scared to death. The duffel bag in my car was crammed with printouts revealing all the companies I had been breaking into. If they searched my car and found the treasure trove of printouts and understood what it was, I’d be facing a lot worse than any punishment they might hand out for using the school’s computers when I wasn’t a student.
One of the campus cops located my car after seizing my car keys and found the bag of hacking contraband.
From there, they hustled me to a police station on campus, which was like being under arrest, and told me I was being detained for “trespassing.” They called my mom to come get me.
In the end, UCLA didn’t find anybody who could make sense of my printouts. The university never filed any charges. No action at all beyond referring my case to the county Probation Department, which could have petitioned Juvenile Court to hear the case… but didn’t.
Perhaps I was untouchable. Perhaps I could keep on with what I was doing, facing a shake-up now and then but never really having to worry. Though it had scared the hell out of me, once again I had dodged a bullet.