bmFtZXRoZWNvbXBhbnl3aGVyZWJvbm5pZXdhc2VtcGxveWVkd2hlbndlc3RhcnRlZGRhdGluZw==
In his time at Hughes Aircraft, Lenny DiCicco told me, he had become buddy-buddy with a lady security guard. I was to come see him on a night when this lady would be on duty, and say I was a DEC employee. When I showed up, she signed me in with a wink, not asking to see any ID.
Lenny arrived to escort me from the lobby, barely able to control his excitement, but still arrogant and full of himself. He led me to a Hughes VAX computer that had access to the Arpanet, linking a collection of universities, research labs, government contractors, and the like. Typing commands, he told me he was accessing a computer system called Dockmaster, which was owned by the National Computer Security Center (NCSC), a public arm of the supersecret National Security Agency. We were elated, knowing that this was the closest we’d ever come to establishing a real connection to the NSA.
Bragging about his social engineering, Lenny said he had pretended to be a member of the National Computer Security Center’s IT Team and conned a worker there named T. Arnold into revealing his credentials to the system. Lenny was practically dancing with pride. He was still such a geek, it seemed like he must be high on some great dope when he boasted, “I’m as good a social engineer as you are, Kevin!”
We fished around for maybe an hour but came up only with uninteresting information.
Much later, that hour would come back to haunt me.
I was sure there was some way I could fast-track my computer skills to something that could land me a job I coveted: working for General Telephone. I found out the company was actively recruiting graduates from a technical school called the Computer Learning Center. It was an easy drive from my place and I could earn a certificate by going to school there for only six months.
A Federal Pell Grant plus a student loan paid my way, and my mom came up with the bread for some of the extra expenses. The school required male students to wear a suit and tie to class every day. I hadn’t dressed like that since my bar mitzvah at age thirteen, and now, since I was twenty-three and fairly beefed out, that suit would have been a pretty miserable fit. Mom’s cash paid for two new suits.
I really enjoyed programming in “assembler language,” more challenging because the programmer has to master many technical details, but yielding much more efficient code that uses a much smaller memory footprint. Coding in this lower-level language was fun. It felt like I had more control over my applications: I was coding much closer to the machine level than using a higher-level programming language such as COBOL. The classwork was routine to somewhat challenging, but also fascinating. I was doing what I loved: learning more about computer systems and programming. When the subject of hacking came up every now and then, I played dumb, just listening.
But of course, I was continuing to hack. I had been playing cat-and-mouse games with Pacific Bell, as the former Pacific Telephone had restyled itself. Every time I figured out a new way of getting into the company’s switches, somebody there would eventually figure out a way of blocking my access. I’d use the dial-up numbers that RCMAC was using to connect to various switches to process service orders and they’d catch on, then change the dial-up numbers or restrict them so I couldn’t dial in. And then I would remove the restriction when they weren’t paying attention. It went back and forth for months. Their constant interference had gotten to the point where hacking into Pacific Bell switches was getting to be more like work.
Then I got the idea of trying out a higher-level approach: attacking their Switching Control Center System, or SCCS. If I could do that, I’d have just as much control as if I’d been sitting in front of the switches themselves, able to do whatever I wanted without having to social-engineer clueless technicians day after day. Ultimate access and power could be mine.
I started with an attack aimed at the SCCS at Oakland, in Northern California. On my first call, I planned to say I was from ESAC (the Electronic Systems Assistance Center), providing support for all the SCCS software deployed throughout the company. So I did my research, coming up with the name of a legit ESAC worker, then claiming, “I need to get into the Oakland SCCS but our Data kit equipment is down for maintenance, so I’ll have to get access through dial-up.”
“No sweat.”
The man I had reached gave me the dial-up number and a series of passwords, and stayed on the line with me, talking me through each step.
Oops, this was a system with “dial back” security: you had to enter a phone number and wait for the computer to ring you back. What now?
“Look, I’m off-site at a remote office,” I said off the top of my head. “So I won’t be able to take a callback.”
I had magically hit on a reasonable-sounding excuse. “Sure, I can program it to bypass the dial back when you log in with your username,” he assured me—defeating the company’s elaborate security that would otherwise have required that I be at an authorized callback number.
Lenny joined me in the SCCS break-in effort. Each one we got into gave us access to five or six central-office switches, with full control over them, so we were able to do anything a tech who was in the CO could do, sitting at the switch. We could trace lines, create new phone numbers, disconnect any phone number, add/remove custom calling features, set up traps-and-traces, and access logs from traps-and-traces. (A trap-and-trace is a feature placed on a line that captures incoming numbers, usually placed on customers’ lines if they are the victim of harassing phone calls.)
Lenny and I put a huge amount of time into this, from late 1985 through much of 1986. We eventually got into the switches for all of Pacific Bell, then Manhattan, then Utah and Nevada, and in time many others throughout the country. Among these was the Chesapeake and Potomac Telephone Company, or C&P, which served the Washington, DC, area, including all of the DC-based departments of the Federal government as well as the Pentagon.
The National Security Agency temptation was an itch I couldn’t resist. NSA’s telephone service was provided through a phone company switch in Laurel, Maryland, which we had already gained access to. Directory assistance listed the agency’s public phone number as 301 688-6311. After randomly checking out several numbers with the same prefix, I proceeded on the reasonable hunch that NSA was assigned the entire prefix. Using a test function for switch technicians called “Talk & Monitor,” I was able to set up a circuit to listen to random calls in progress. I popped in on one line and heard a man and a woman talking. Hardly able to believe I was actually listening in on the NSA, I was thrilled and nervous at the same time. The irony was great—I was wiretapping the world’s biggest wiretappers.
Okay, I’d proved I could do it… time to get out, in a hurry. I didn’t stay on long enough to hear what they were talking about, and I didn’t want to know. If the call had been really sensitive, I’m sure it would have been on a secure line, but even so, it was way too risky. The likelihood of my getting caught was slim if I just did it once and didn’t ever go back.
The government never found out I had gained this access. And I wouldn’t be including it here, except the statute of limitations has long run its course.
For Lenny and me, it was thrilling every time we compromised another SCCS—like getting into higher and higher levels of a video game.
This was the most significant hacking of my career because of the immense control and power it gave us over the phone systems of much of the United States. And yet we never made any use of it. For us, the thrill lay simply in knowing we had gained the power.
Pacific Bell eventually found out about the access we had gained. Yet we were never arrested and charged because, I later learned, company management was afraid of what would happen if others found out what I had been able to do and started trying to duplicate my efforts.
Meanwhile Lenny’s accessing of Dockmaster had not gone unnoticed. NSA traced the break-in back to Hughes, which in turn traced it back to the computer room where Lenny was working on the night I visited. Security at Hughes questioned him first, then the FBI summoned him for an official interview. Lenny hired an attorney who accompanied him to the meeting.
Lenny told the agents he and I had never done anything with Dockmaster. He was grilled several times by Hughes management. He stood his ground and wouldn’t point a finger at me. Much later, though, to save his own neck, he claimed that I had hacked into Dockmaster while I visited Hughes that evening. When they asked why he’d lied about my not being involved in the first place, he said he’d been afraid because I’d threatened to kill him if he gave me up. Clearly, he was desperately trying to come up with an excuse why he lied to Federal agents.
The visitors’ log showed that a Kevin Mitnick had indeed signed in as a guest of Lenny’s. Of course he was summarily canned from Hughes.
Two years later I would be accused of possessing secret access codes for the NSA, when I actually only had the output of a “whois” command—which showed the names and telephone numbers of registered users with accounts on Dockmaster—something readily available to anyone with access to the Arpanet.
Meanwhile, back at the computer school, the students weren’t all guys. One of the girls was a cute, petite coed named Bonnie. I wasn’t exactly the most attractive guy around, carrying all the extra weight I had put on ever since that friend from my preteen bus-riding days had introduced me to junk food as a basic food group. I was weighing in at around fifty-five pounds overweight. “Obese” would have been a more-than-polite term.
Still, I thought she was really cute. When we were both in the computer room working on school projects, I started sending messages to her across the room, asking her not to stop any of my programs that were running at a higher priority, and her replies were friendly enough. I asked her out to dinner. She said, “I can’t. I’m engaged.” But I had learned from my hacking not to give up easily; there’s usually a way. A couple of days later I asked again about dinner, and told her she had a beautiful smile. And whaddaya know? This time she accepted.
Later, she told me she thought her fiancé might be lying to her about his finances—what cars he owned and how much he owed on them. I told her, “I can find out if you want.” She said, “Yes, please.”
I had lucked my way into accessing TRW, the credit-reporting company, while still in high school. Nothing clever about this. One night I went out to the back of Galpin Ford in the San Fernando Valley and dug through the trash. It took about fifteen minutes, but my little Dumpster-diving expedition paid off. I found a bunch of credit reports on people buying cars from the dealership. Incredibly, printed out on each report was Galpin’s access code for TRW. (Even more incredible: they were still printing out the access code on each credit report years later.)
In those days, TRW was very helpful to its clients. If you called in and gave a merchant’s name and the correct access code, and explained that you didn’t know the procedure, the nice lady would talk you through every step of getting a person’s credit report. Very helpful to real clients, very helpful as well to hackers like me.
So when Bonnie said she’d like me to look into what her boyfriend was really up to, I had all the tricks I needed. A call to TRW and a few hours on the computer gave me his credit report, his bank balance, his property records. Suspicions confirmed: he was nowhere near as well-off as he had been claiming, and some of his assets were frozen. DMV records showed he still had a car he told Bonnie he had sold. I felt bad about all this—I wasn’t trying to undermine her relationship. But she broke off their engagement.
Within two or three weeks, when she had gotten over her initial emotions about the breakup, we started dating. Though six years older than I was and considerably more experienced at this game, she thought I was smart and good-looking, despite my weight. This was my first serious relationship; I was soaring.
Bonnie and I both liked Thai food and going to the movies, and she turned me on to hiking, something far out of my normal comfort zone, showing me the beautiful trails in the nearby San Gabriel Mountains. She was fascinated by my ability to gather information on people. And one thing more, a coincidence I still laugh at: my new girlfriend was having her salary paid and her tuition covered by one of my principal lifelong hacking targets, the phone company GTE.
After finishing the prescribed half year for my certificate at the computer school, I ended up staying on a bit longer. The system admin, Ariel, had been trying to catch me getting administrator privileges on the school’s VM/CMS system for months. He finally nailed me by hiding behind a curtain in the terminal room while I was snooping inside his directory, catching me red-handed. But instead of booting me out of the program, he offered me a deal: he was impressed with the skills that had allowed me to hack into the school’s computers, and if I would agree to write programs that would make their IBM minicomputer more secure, he would label it an “honors project.” How about that: the school was training students in the esoteric knowledge of computers, but recruiting a student to improve its own security. That was a big first for me. I took it as a compliment and accepted the assignment. When I finished the project, I graduated with honors.
Ariel and I eventually became friends.
The Computer Learning Center had an inducement it used for signing up students: a number of high-profile companies made a practice of hiring its graduates. And one of them was Bonnie’s employer, GTE, my hacking target for so many years. How fantastic was that!?
After interviewing with GTE’s IT Department, I was brought back for an interview with three people from Human Resources, then offered a job as a programmer. Dreams really did come true! No more hacking for me—I wouldn’t need it. I’d be getting paid for doing what I loved, at the place I loved doing it.
The job began with employee orientation to teach new hires about the names and functions of all the different GTE computer systems. Hello! It was a telephone company: I could have been teaching the classes. But of course I sat there taking notes like everyone else.
Cool new job, a daily quick stroll to the cafeteria for lunch with my girlfriend, a legitimate paycheck—I had it made. Walking through the offices, I’d smile at the hundreds of usernames and passwords that were right in front of my nose, written out on Post-it notes. I was like a reformed drunk on a Jack Daniel’s distillery tour, confident but nearly dizzy from imagining “What if?”
Bonnie and I would regularly have lunch with a friend of hers, a guy from their Security Department. I was always careful to turn my ID badge around; he obviously hadn’t caught my full name when we were introduced, so why let him read it on my badge like a billboard flashing “Phone Company Public Enemy #1”?
Altogether, this was one of the coolest times of my whole life—who needed hacking?
But only a week after I started, my new boss dropped a bomb on me. He handed me a security form for an all-access badge that would grant me entry to the data center twenty-four/seven, since I would be on call for emergencies. Immediately, I knew I was going to get canned; as soon as staff from GTE Security looked at my form, they’d recognize my name and wonder how I had bypassed all of their security checks and actually been hired—as a programmer, no less.
A couple of days later, I went to work with a bad gut feeling. Later that morning, my supervisor sent for me, and his boss, Russ Trombley, handed me my paycheck plus severance pay, saying he had to let me go because my references had not checked out. An obvious ruse. I had provided the names only of people who would say good things about me.
I was escorted back to my desk to gather my personal effects. Within minutes, a posse from Security showed up, including the guy who had been having lunch with Bonnie and me. A couple of them started searching my box of floppies for any company property. Whatever. There was none, just legitimate software. The whole posse walked me to the door and all the way to my car. As I drove off into the distance, I glanced in my rearview mirror. They were all waving good-bye.
My career at GTE had lasted a total of nine days.
I heard later that the guys from Pacific Bell Security razzed the hell out of their buddies at GTE, thinking it was hilarious that any company could be stupid enough to hire the notorious phone phreaker Kevin Mitnick—whom Pacific Bell had been keeping a file on for years.
One step back and one step forward. A Computer Learning Center instructor who also worked at Security Pacific National Bank as an Information Security Specialist suggested I apply for a job there. Over a period of weeks, I had three sets of interviews, the last one with a vice president of the bank. Then a fairly lengthy wait. Finally the phone call came: “One of the other candidates has a college degree, but we’ve decided you’re the person we want.” The salary was $34,000, which for me was great!
They sent an in-house memo around that announced, “Please welcome new employee Kevin Mitnick, who starts next week.”
Remember that article in the Los Angeles Times, which covered my juvenile arrest and printed my name, a violation of law as well as a violation of my privacy because I was a minor? Well, one of the people at Security Pacific National Bank remembered that article, too.
The day before I was to start, I got a strange call from Sandra Lambert, the lady who’d hired me and who founded the security organization Information Systems Security Association (ISSA). The conversation was actually more like an interrogation:
SL: “Do you play Hearts?”
Me: “The card game?”
SL: “Yes.”
I had a sinking feeling that the party was over.
SL: “Are you a ham radio operator with the call sign WA6VPS?”
Me: “Yes.”
SL: “Do you dig around in the Dumpsters behind office buildings?”
Me: Uh-oh. “Only when I’m hungry.”
My attempt at humor fell. She said good-bye and hung up. I received a phone call from Human Resources the next day withdrawing the employment offer. Once again, my past had come back to bite me in the ass.
Sometime later, media outlets received a press release from Security Pacific National Bank announcing a $400 million loss for the quarter. The release was a phony—it wasn’t really from the bank, which had not in fact lost money in that quarter. Of course the higher-ups at the bank were sure I was behind it. I didn’t learn about any of this until months later, at a court hearing, when prosecutors told the judge that I had committed this malicious act. Thinking back, I remembered telling De Payne that my job offer had been pulled. Years afterward, I asked him if he had been behind that press release. He vehemently denied it. The fact is, I didn’t do it. That wasn’t my style: I’ve never practiced any kind of vicious retribution.
But the phony press release became another part of the Myth of Kevin Mitnick.
Still, I had Bonnie in my life, one of the best things that had ever happened to me. But have you ever felt that something was so good it couldn’t possibly last?