‘siass nuhmil sowsra amnapi waagoc ifinti dscisf iiiesf ahgbao staetn itmlro
Lenny and I wanted to get the source code for Digital Equipment Corporation’s VMS operating system so we could study it to find security flaws. We would also be able to look for developers’ comments about fixing security problems, which would let us work backward and figure out what those problems were and how we could exploit them. We also wanted to be able to compile parts of the operating system ourselves, so it would be easier for us to install some backdoor patches in the systems we compromised. Our plan was to launch a social-engineering attack on DEC to get into the VMS development cluster. I got the dial-up number for the VMS development modem pool.
When Lenny was at work, he went to the terminal box for the building to find a fax line belonging to another tenant. Because a lot of companies had office suites in the same building, he could punch down someone else’s line on an unused cable pair that went into VPA’s computer room, and no one would be able to trace our outgoing calls.
Meanwhile, I went to the Country Inn hotel near his office and used a pay phone to call Lenny. Once I had him on the line on one phone, I used another pay phone to call DEC’s main number in Nashua, New Hampshire, where its labs and developers were.
Then I stood there between the two phones with a receiver held up to each ear.
I told the woman who answered in Nashua that I worked at DEC too, then asked where the computer room was and got the phone number for operations.
When I called that department, I used the name of someone in development and asked if operations supported the “Star cluster” group of VMS systems that were used by VMS development. The DEC employee said yes. I then covered that mouthpiece with my hand and spoke to Lenny through the other one, telling him to dial the modem number.
Next I told the operator to type in a “show users” command to show who was logged in. (If you were in the process of logging in, as Lenny was, it would show this by displaying “<LOGIN>” along with the device name of the terminal that was being used for logging in.) This is what she saw on her display:
VMS User Processes at 9-JUN-1988 02:23 PM
Total number of users = 3, number of processes = 3
| Username | Node | Process | NamePID | Terminal |
| GOLDSTEIN | STAR | Aaaaaa_fta2: | 2180012D | FTA2: |
| PIPER | STAR | DYSLI | 2180011A | FTA1: |
| <LOGIN> | 2180011E | TTG4: |
The “<LOGIN>” indicated the type of device Lenny was on, TTG4.
I then asked the operator to type in a “spawn” command:
spawn /nowait/nolog/nonotify/input=ttg4:/output=ttg4:
Because she wasn’t keying in usernames or passwords, she didn’t think anything about what I was asking her to do. She should’ve known what a spawn command did, but apparently operators rarely used it, so evidently she didn’t recognize it.
That command created a logged-in process on the modem device that Lenny was connected to in the context of the operator’s account. As soon as the operator typed in the command, a “$” prompt appeared on Lenny’s terminal. That meant he was logged in with the full privileges of the operator. When the “$” showed up, Lenny was so excited that he started shouting into the phone, “I’ve got a prompt! I’ve got a prompt!”
I held Lenny’s phone away from my head and said calmly to the operator, “Would you excuse me? I’ll be right back.”
I pressed that phone against my leg to mute the mouthpiece, picked up the other phone, and told Lenny, “Shut up!” Then I went back to my call with the operator.
Lenny immediately checked to see if security audits were enabled. They were. So rather than setting up a new account for us, which would have raised suspicions by triggering an audit alarm, he just changed the password on a dormant account that had all system privileges.
Meanwhile, I thanked the operator and told her that she could log out now.
Afterward, Lenny dialed back up and logged in to the dormant account with his new password.
Once we had compromised VMS development, our objective was to get access to the latest version of the VMS source code. It wasn’t too difficult. When we listed the disks that were mounted, one of them was labeled “VMS_SOURCE.” Nothing like making it easy for us.
At that point, we uploaded a small tool designed to disable any security audits in a way that wouldn’t trigger an alarm. Once the alarms had been disabled, we set up a couple of user accounts with full privileges and changed a few more passwords on other privileged accounts that hadn’t been used in at least six months. Our plan was to move a copy of the latest version of the VMS source code to USC so we could maintain full access to the code even if we got booted off the Star cluster.
After setting up our new accounts, we also went into the email of Andy Goldstein. He had been a member of the original VMS design team at Digital and was well known throughout the VMS community as an operating-system guru. We knew he also worked with VMS security issues, so we figured his email would be a good place to look for information about the latest security issues DEC was trying to fix.
We discovered that Goldstein had received security bug reports from a guy named Neill Clift. I quickly learned that Clift was a grad student at Leeds University in England, studying organic chemistry. But he was obviously also a computer enthusiast with a unique talent: he was very skilled at finding vulnerabilities in the VMS operating system, which he faithfully alerted DEC to. What he didn’t realize was that now he was alerting me as well.
This laid the groundwork for what would prove to be a goldmine for me.
While searching through Goldstein’s emails, I found one that contained a full analysis of a clever patch for “Loginout,” the VMS log-in program. The patch was developed by a group of German hackers who belonged to something they called the “Chaos Computer Club” (CCC). A few members of the group focused on developing patches for particular VMS programs that enabled you to take full control of the system.
Their VMS Loginout patch also modified the log-in program in several ways, instructing it to secretly store user passwords in a hidden area of the system authorization file; to cloak the user with invisibility; and to disable all security alarms when anyone logged in to the system with a special password.
Newspaper stories about the Chaos Computer Club mentioned the name of the group’s leader. I tracked down the guy’s number and called him up. By this time, my own reputation in the hacking community was starting to grow, so he recognized my name. He said I should talk to another member of the group, who, sadly, turned out to be in the end stages of cancer. When I called him at the hospital, I explained that I’d obtained an analysis of the club’s backdoor patches for the VMS Loginout and “Show” programs and thought they were wickedly clever. I asked if he had any other cool tools or patches he’d be willing to share.
The guy was both supercool and talkative, and he offered to send me some information. Unfortunately, he said, he’d have to send it by snail mail, since the hospital didn’t have a computer. Several weeks later, I received a packet of printouts detailing some of the hacks the group had created that weren’t already in the public domain.
Expanding on the Chaos Computer Club’s work, Lenny and I developed some improved patches that added even more functionality. Essentially, the CCC created a framework that we then built upon. As new versions of VMS came out, Lenny and I kept adapting our patches. Because Lenny always worked at companies that had VMS systems, we were able to test our patches on his work systems and deploy them into systems we wanted to maintain access to.
After some major DEC clients were compromised, the company’s programmers wrote a security tool that would detect the Chaos patch. Lenny and I located the detection software and analyzed it, then simply modified our version of the Chaos patch so DEC’s tool wouldn’t be able to find it anymore. It was quite simple, really. This made it easier for us to install our patch into numerous VMS systems on Digital’s worldwide network, known as Easynet.
If locating the code wasn’t hard, transferring it was. This was a lot of code. To reduce the volume of code, we compressed it. Each directory contained hundreds of files. We’d compress all of them in a single file and encrypt it, so that if anyone found it, it would look like garbage.
The only way to retain access to the files so we’d be able to study them at leisure was to find systems on DEC’s Easynet that connected to the Arpanet, giving us the ability to transfer them outside DEC’s network. We only found four systems on Easynet that had Arpanet access, but we could use all four to move the code out piece by piece.
Our original plan to store a copy of the code at USC proved a little shortsighted. First of all, we realized we should use more than one storage location for redundancy, so all that work wouldn’t go to waste if the code was discovered. But it turned out there was an even bigger issue: the code base was humongous. Trying to store it all in one location would run too big a risk of being detected. So we began spending a lot of time hacking into systems on the Arpanet, looking for other safe “storage lockers.” It began to feel like getting the code from DEC was the easy part, while the big challenge was figuring out where to stash copies of it. We gained access to computer systems at Patuxent River Naval Air Station, in Maryland, and other places. Unfortunately, the system at Patuxent River had minimal storage available.
We also tried to set ourselves up on the computer systems at the Jet Propulsion Laboratory, in Pasadena, California, using our customized version of the Chaos patch.
JPL eventually realized one of their systems had been compromised, possibly because they were watching for any unauthorized changes to the VMS Loginout and Show programs. They must have reverse engineered the binaries to identify how the programs were being modified and decided it was the Computer Chaos Club who had gained access. JPL management went to the media with that version of the story, which led to huge news coverage about the German hackers who had been caught breaking into the JPL computers. Lenny and I chuckled over the incident. But at the same time, we were a bit nervous because we were detected.
Once we started the transfers, we had to keep them going night and day, moving the code bit by bit. It was a very slow process. The dial-up speed of the connections at the time (if you could even use the word “speed”) was a maximum of T1 speeds, which was about 1.544 megabits per second. Today, even cell phones are much faster than that.
Soon DEC detected our activity. The guys responsible for keeping the systems up and operational could tell that something was going on because of the heavy network traffic in the middle of the night. To make matters worse, they discovered that their available disk space was disappearing. They didn’t usually have a lot of volume on the system: it would be counting in megabytes, whereas we were moving gigabytes.
The nighttime activity and the disappearing disk space pointed to a security issue. They quickly changed all the account passwords and deleted all the files we stored on the system. It was a challenge, but Lenny and I weren’t deterred. We just kept hacking back in, night after night, despite their best efforts. In fact, because the staff and users of the system didn’t realize that we had their personal workstations under our control and could intercept their keystrokes, it was easy for us to immediately obtain their new log-in credentials every time they changed them.
DEC’s network engineers could see all along that lots of large files were being transferred, but they couldn’t figure out how to stop it. Our unrelenting assault had them convinced that they were under some kind of corporate espionage attack by international mercenaries who’d been hired to steal their flagship technology. We read their theories about us in their emails. It was clearly driving them crazy. I could always log on to see how far they were getting and what they were going to try next. We did our best to keep them chasing red herrings along the way. Because we had full access to Easynet, we could dial in from the United Kingdom, and other countries throughout the world. They couldn’t identify our entry points because we were constantly changing them.
We were facing a similar challenge at USC. Administrators there had likewise noticed that disk space on a few MicroVAXes was disappearing. We’d start transferring data at night, and they’d come on and kill the network connection. We’d start it up again, and they’d bring the system down for the night. We’d just wait them out, then start up our transfer again. This game continued for months.
Sometimes, between fending off the system admins, grappling with the gigabytes of code, and putting up with the painfully slow bandwidth, we felt like we were trying to suck an ocean through a straw. But we endured.
Once all the VMS source code had been moved to several systems at USC, we needed to put it on magnetic tape so we could sift through the code without worrying about being tracked back while dialed into Easynet. Moving the source code onto tape was a three-man operation.
Lewis De Payne was stationed on campus, posing as a student. He would ask one of the computer operators to mount a tape he provided onto the system’s tape drive.
Across town, at the office of my friend Dave Harrison, I would connect to a VMS system called “ramoth” over a dial-up modem that had Lewis’s tape mounted on the drive. I would fill up the tape with as much VMS source code as would fit. Lewis would then hand the operator another blank one and pass the written tape to Lenny DiCicco. At the end of each session, Lenny would take all the new tapes to hide in a rented storage locker. We repeated this cycle until, eventually, we had thirty to forty tapes containing the full VMS Version 5 source code.
While I was spending so much time at Harrison’s, it occurred to me that a company called GTE Telenet, which had offices in the same building, operated one of the largest “X25” networks, serving some of the biggest customers in the world. Maybe I could gain administrative access to their network and monitor customer traffic. Dave had previously picked the lock to the firemen’s box and lifted the master key to the building. Late one night, Dave and I used the key to walk into the GTE Telenet offices, just to look around. When I saw they used VMS, I was elated; I felt right at home.
I discovered a VMS system with a node-name of “Snoopy.” After poking around for a bit, I discovered that Snoopy was already logged in to a privileged account, giving me full access to the system. The temptation was too great. Even though Telenet people were in and out of the offices twenty-four hours a day, I sat down at the terminal and started to explore, looking at scripts and third-party applications to figure out what tools they had and how those tools could be used to monitor the network. Within a very short time, I figured out how to eavesdrop on customer network traffic. Then it hit me. The node had been named Snoopy because it allowed the technicians to monitor traffic on customer networks: it allowed them to snoop.
I already had the X25 address to connect to the VMS system at the organic chemistry department at Leeds University, where Neill Clift studied, so I connected. I didn’t have any log-in credentials; none of my guesses were correct. He was already logged in to the system because of the time difference, saw my log-in attempts, and emailed the administrator of Snoopy to say that someone was trying to get into his university’s system; of course I deleted the email.
Though I didn’t get into Leeds University that night, my efforts had laid the groundwork for targeting Clift later on that would prove to be a goldmine.
Lenny and I fell into a battle of wits against each other. He was a computer operator at a company called VPA, and I had joined a company called CK Technologies, in Newbury Park. We kept making bets on whether we could break into each other’s computer systems that we managed for our employers. Whoever could hack into the VMS system at the other’s company would get the prize. It was like a game of “capture the flag,” designed to test our skill at defending our systems against each other.
Lenny wasn’t astute enough to keep me out. I kept getting into his systems. The bet was always $150, the cost of dinner for two at Spago, the Beverly Hills restaurant of celebrity chef Wolfgang Puck. I had won this ongoing bet enough times that Lenny was starting to feel annoyed.
During one of our all-night hacking sessions, Lenny started complaining that he never won the bet. I told him he could quit anytime he wanted. But he wanted to win.
His company had just installed a digital lock on the door to its computer room; Lenny challenged me to bypass the lock by guessing the code, knowing it would be almost impossible to do. “If you can’t get in,” he said, “you have to pay me a hundred and fifty bucks right now, tonight.”
I told him I didn’t want to take his money because it would be too easy. And then I added that he’d be upset with himself afterward since I was always going to win, no matter what. These taunts made him even more anxious for me to accept the bet.
Actually, it would have been difficult for me to win it straight up. But dumb luck came to my rescue. As I was working on Lenny’s terminal, hacking into Digital’s network, I spotted a wallet on the floor under his desk. I “accidentally” dropped my pen, then bent over to get it and stuffed the wallet into my sock. I told Lenny I had to take a leak.
Inside the wallet, I found a slip of paper with the code for the digital door lock written on it. I couldn’t believe it: Lenny was such a clever hacker, but he couldn’t remember a simple number? And he’d been foolish enough to write down the code and leave it in his wallet? It seemed so preposterous that I wondered if he was setting me up. Had he planted the wallet just to jerk my chain?
I went back to his desk, replaced the wallet, and told him he’d have to give me an hour to guess the door code. We agreed that the only rule was that I couldn’t break the lock. Anything else was fair game.
A few minutes later, he went downstairs to get something. When he came back, he couldn’t find me. He searched everywhere, then finally unlocked the door to the computer room. I was sitting inside, typing on the VMS console, logged in with full privileges. I smiled at him.
Lenny was furious. “You cheated!” he shouted.
I stuck out my hand. “You owe me a hundred and fifty bucks.” When he resisted, I said, “I’ll give you a week.” It felt great to knock the ego of the self-important Lenny down a few notches.
He didn’t pay and didn’t pay. I kept giving him extensions, then told him I was going to charge him interest. Nothing. Finally, more as a joke than anything else, I called accounts payable at his company and pretended to be from the IRS’s Wage Garnishment Division. “Do you still have a Leonard DiCicco working there?” I asked.
“Yes, we do,” said the lady on the other end.
“We have a garnishment order,” I said. “We need you to withhold his pay.” The lady said she’d have to have authorization in writing. I told her, “You’ll have a fax on Monday, but I’m giving you official notice to withhold all paychecks until you receive further documentation from us.”
I thought Lenny might be a little inconvenienced, but no worse than that. When no fax arrived on Monday, payroll would just give him his money.
When the people from accounting told Lenny about the IRS call, he knew instantly who’d been behind it.
But he was so over-the-top, out-of-control furious that he lost all sense of reason and did a really stupid thing: he went to his boss and told him that the two of us had been hacking into DEC from VPA’s offices.
His boss didn’t call the cops; instead, he and Lenny together called security staff at DEC and told them who’d been plaguing them over the past several months. Eventually the FBI was called in, and its agents set up a sting.
Personnel from the FBI and Digital Equipment Corporation set up camp at VPA prior to one of our late-night hacking sessions. They placed monitoring software on VPA’s computers that would record everything we did. Lenny was wearing a wire to capture our conversations. That night my target was Leeds University in England. After earlier identifying Neill Clift as one of Digital’s main sources of information about VMS security bugs, I wanted to get into the VMS system in Leeds’s Organic Chemistry Department, where Clift had an account.
At one point I sensed that something a bit weird was going on with Lenny and asked him, “Is everything all right? You’re acting strange.” He said he was just tired, and I shrugged off his odd behavior. He was probably petrified I’d figure out what was really happening. After several hours of hacking, we called it quits. I wanted to keep going, but Lenny said he had to get up early.
Several days later, I got a call from Lenny, who said, “Hey, Kevin, I finally got my vacation pay. I have your money. C’mon over.”
Two hours later I rolled into the small ground-floor parking garage of the building where VPA had its offices. Lenny was standing there, not moving. He said, “I need to get the VT100 terminal emulator software to make a copy for a friend,” referring to software on disks he knew I had in the car. It was already 5:00 p.m. and I told him I hadn’t eaten all day and was starving, and even offered to buy him dinner. He kept insisting. I wanted to get the hell out of there: something felt wrong. But finally I gave in and, leaving the motor running, stepped out of the car to get the disks.
“You know that feeling in your stomach when you’re about to get arrested?” Lenny taunted. “Well, get ready!”
The whole garage was suddenly filled with the sounds of car engines. Cars shot out at us from what seemed like every direction, stopping in a circle around us. Guys in suits jumped out and started screaming at me, “FBI!”
“You’re under arrest!”
“Hands on the car!”
If Lenny had staged all this just to scare me, I thought, it was an impressive display.
“You guys aren’t FBI. Show me your ID.”
They pulled out their wallets and flipped them open. FBI badges all around me. The real thing.
I looked at Lenny. He was dancing in a little circle of joy, as if he were celebrating some kind of victory over me.
“Lenny, why would you do this to me?”
As an agent handcuffed me, I asked Lenny to call my mom and tell her I’d been arrested. The bastard didn’t even do that one last small bit of kindness for me.
I was driven by two agents to the Terminal Island Federal Prison. I had never seen anything like this outside of a movie or a television show: long rows of open cells, with guys hanging their arms out of the bars. Just the sight of it made me feel like I was dreaming, having a nightmare. But the other prisoners surprised me by being cool and friendly, offering to lend me some stuff that was sold in the commissary and the like. A lot of them were white-collar guys.
But I couldn’t shower. I felt disgusting by the time some FBI agents finally picked me up and took me to FBI headquarters in West Los Angeles, where they took a mug shot of me. I knew I looked a mess—unshowered, uncombed, wearing the same clothes I’d been in for three days, and having slept badly each night on a small cot. At least that picture was to give me some small comfort at a crucial time later on.
After being held over the weekend, I was taken before Magistrate Venetta Tassopulos for my initial detention hearing on Monday morning, expecting to be released on bail. I was assigned a court-appointed lawyer, who asked if I’d been a fugitive. It turned out he’d already talked to the prosecutor, who told him I’d fled to Israel back in 1984, which wasn’t true.
Once the hearing began, I sat there in disbelief as the Court got an earful from the prosecutor, Assistant U.S. Attorney Leon Weidman. Weidman told the judge, “This thing is so massive, we’re just running around trying to figure out what he did.” Among other things, he said that I had:
hacked into the NSA and obtained classified access codes
disconnected my former Probation Officer’s phone
tampered with a judge’s TRW report after receiving unfavorable treatment
planted a false news story about Security Pacific National Bank’s having lost millions of dollars, after I had an employment offer withdrawn
repeatedly harassed and turned off the phone service of actress Kristy McNichol
hacked into Police Department computers and erased my prior arrest records.
Every one of these claims was blatantly false.
The allegation that I had hacked into the NSA was totally ridiculous. On one of the floppy disks seized by the Santa Cruz police was a file labeled “NSA.TXT.” It was the “whois” output listing all the registered users of Dockmaster, the unclassified National Security Agency computer system that Lenny had social-engineered himself into when he worked at Hughes Aircraft. Everything in the file was public information, including the lists of telephone extensions at the National Computer Security Center. The prosecutor, who obviously didn’t understand what he was looking at, was characterizing public telephone extensions as “classified access codes.” Unbelievable.
Another allegation, the claim that I’d hacked into police computers and deleted my arrest record, was related to my Santa Cruz Operations hacking case, but the missing record was really law enforcement’s own fault. Remember, when Bonnie and I surrendered ourselves to the West Hollywood Sheriff’s Department, because they neglected to fingerprint or photograph us, no record was created of our arrest. In short, it was their own screwup: they didn’t do their job.
All the other allegations were also false, rehashes of rumors that apparently convinced the magistrate I was a serious threat to national security.
The one that mystified me most was that I had repeatedly had the phone service of the actress Kristy McNichol turned off because I had a crush on her. First of all, I couldn’t imagine why anyone would think that turning off someone’s phone would be a good way to demonstrate affection. I never understood how the story got started but the experience had been seared into my memory. I’d had to endure the humiliation of standing in line at the grocery store and seeing my photo plastered on the cover of the National Examiner alongside florid headlines saying I was a crazed stalker obsessed with Kristy McNichol! The feeling in the pit of my stomach as I glanced around me, hoping that none of the other shoppers had recognized me on that cover, is one I wouldn’t wish on my worst enemy.
Weeks later, my mom, who then worked at Jerry’s Famous Deli in Studio City, saw McNichol having lunch at one of the tables. Mom introduced herself and said, “Kevin Mitnick is my son.”
McNichol immediately said, “Yeah, what’s all this about his turning off my phones?” She said that nothing like that had ever happened to her, and she herself wondered, just as I had, how the rumor had gotten started. Later a private investigator would confirm that none of it had taken place.
When people ask me why I ran, years later, instead of facing the Federal charges against me, I think back on moments like this. What good would it do for me to come clean if my accusers were going to play dirty? When there’s no presumption of fair treatment, and the government is willing to base its charges on superstition and unverified rumors, the only smart response is to run!
When it was his turn to present my case, my court-appointed attorney told the magistrate that I had indeed gone to Israel in late 1984, but that I hadn’t been absconding, just visiting. I was stunned. We had discussed this point ten minutes before my hearing, and I’d explained that I hadn’t been outside the country in years and had in fact never been overseas. Mom, Gram, and Bonnie all looked shocked because they knew that what he was saying just wasn’t true. How could an attorney be so incompetent?
In a last-ditch effort to frighten the magistrate, Leon Weidman made one of the most outrageous statements that have probably ever been uttered by a Federal prosecutor in court: he told Magistrate Tassopulos that I could start a nuclear holocaust. “He can whistle into a telephone and launch a nuclear missile from NORAD,” he said. Where could he have possibly come up with that ridiculous notion? NORAD computers aren’t even connected to the outside world. And they obviously don’t use the public telephone lines for issuing launch commands.
His other claims, every single one of which was false, were tall tales, likely picked up from bogus media reports and who knows what other sources. But I had never heard this NORAD one before, not even in a science-fiction story. I can only think he picked up the notion from the Hollywood hit movie WarGames. (Later it would become widely accepted that WarGames was partly based on my exploits; it wasn’t.)
Prosecutor Weidman was painting a portrait of me as the Lex Luthor of the computer world (which I guess made him Superman!). The whistling-into-the-phone thing was so farfetched that I actually laughed out loud when he said it, certain that Her Honor would tell the man he was being absurd.
Instead, she ordered me held without bail because when “armed with a keyboard” (“armed”!), I posed a danger to the community.
And she added that I was to be held where I would not have any access to a telephone. The living areas assigned to a prison’s “general population” have phones that inmates can use to make collect calls. There is only one area with no phone access at all: solitary confinement, known as “the hole.”
In Time magazine’s issue of January 9, 1989, an item under the heading of “Technology” noted: “Even the most dangerous criminal suspects are usually allowed access to a telephone, but not Kevin Mitnick—or at least not without being under a guard’s eye. And then he is permitted to call only his wife, mother and lawyer. The reason is that putting a phone in Mitnick’s hands is like giving a gun to a hit man. The twenty-five-year-old sometime college student is accused by Federal officials of using the phone system to become one of the most formidable computer break-in artists of all time.”
“Like giving a gun to a hit man”—said of a guy whose only weapons were computer code and social engineering!
I would have another chance to plead my case. The hearing before a magistrate concerns only the initial decision about detention. In the Federal system, you then “go to the wheel,” and a Federal judge is assigned to your case at random (thus “the wheel”). I was told I was lucky to get Judge Mariana Pfaelzer. Not quite.
The new attorney who had been assigned to me, Alan Rubin, tried to argue that I shouldn’t be housed in solitary confinement, which was intended for inmates who committed violent acts in prison or were a threat to the prison itself. Judge Pfaelzer said, “That’s exactly where he belongs.”
Now I was taken to the brand-new, just-opened Federal Metropolitan Detention Center in downtown Los Angeles, where I was escorted up to the eighth floor, Unit 8 North, and introduced to my new home, a space about eight feet by ten, dimly lit, with one narrow vertical slit of a window through which I could see cars, the train station, people walking around free, and the Metro Plaza hotel, in which, seedy though it probably was, I longed to be. I couldn’t even see the guards or other prisoners, since I was closed in not by bars but by a steel door with a slot that my food trays were slid through.
The loneliness was mind-numbing. Prisoners who have to stay in the hole for extended periods often lose contact with reality. Some never recover, living the rest of their lives in a dim never-never-land, unable to function in society, unable to hold a job. To get an idea of what it’s like, picture being trapped for twenty-three hours a day in a closet lit by only a single forty-watt bulb.
Whenever I left my cell, even to walk just ten feet to the shower, I had to be shackled in leg irons and handcuffs, treated the same way as a prisoner who had violently assaulted a guard. For “exercise,” I would be shuffled once a day to a kind of outdoor cage, not much more than twice the size of my cell, where for an hour I could breathe fresh air and do a few push-ups.
How did I survive? Visits from my mom, dad, grandmother, and wife were all I had to look forward to. Keeping my mind active was my salvation. Since I wasn’t in the hole for violating prison rules, the strict guidelines for prisoners in solitary were relaxed a little for me. I could read books and magazines, write letters, listen to my Walkman radio (favorites: KNX 1070 News radio and classic rock). But writing was difficult because I was allowed only a short pencil, too stubby to use for more than a few minutes at a time.
But even in solitary, in spite of the court’s best efforts, I managed to do a bit of phone phreaking. I was allowed phone calls to my attorney, my mom, my dad, and Aunt Chickie, as well as to Bonnie, but only when she was at home at her apartment, not at work. Sometimes I’d long to talk to her during the day. In order to make a call, I had to be shackled and walked to a hallway that had a bank of three pay phones. The guard would take the restraints off once we reached the phone area, and would sit in a chair five feet away, facing the wall of phones.
Calling anyone not listed in the court order would seem impossible, short of trying to bribe the guard—and I knew that would be a shortcut to getting the few privileges I did have revoked.
But wasn’t there some way I could call Bonnie at work? I concocted a plan. It would take balls, but what did I have to lose? I was already in solitary confinement, a supposed threat to national security. I was already at the bottom of the barrel.
I told the guard, “I want to call my mother,” and he looked up the number in the logbook. He walked the few steps, dialed the phone, and handed it to me. The operator came on and asked my name, then went off the line until my mom answered and agreed to accept a collect call from Kevin, and we were finally connected.
As I was talking with Mom, I would frequently rub my back against the pay phone as if I had an itch. At the end of our conversation, I would then put one hand behind my back, acting like I was scratching my back. With my hand still behind me, while continuing to talk as if carrying on a conversation, I would hold down the switch hook for a few seconds to disconnect the call. Then I would bring my hand back around in front of my body.
I knew I had only eighteen seconds to dial a new number before the phone would start emitting a loud, fast busy signal that the guard would surely be able to hear.
So I’d reach behind my back again and pretend to scratch, while I very quickly dialed whatever number I wanted to call—beginning with 0 to make it a collect call. I would pace back and forth while scratching my back, so the guard would get used to this action and not think it was suspicious.
Of course, I couldn’t see the dial pad, so I had to be sure to get the numbers right without having to look. And I had to hold the phone tightly against my ear to mask the sound of the touch tones as I redialed.
All the while, I had to act as if I were still talking to my mother. So I would nod and appear to be holding a conversation with her, as the guard watched.
After I punched in the new number, I had to time my fake conversation just right, so that when the operator came on and said, “Collect call. Who shall I say is the caller?” the next word I said would be “Kevin”—in a sentence that would sound normal to the guard. (As the operator asked my name, I’d be saying something like, “Well, tell Uncle John that…” The operator would stop talking and wait for me to give my name, just as I was saying “… KEVIN… sends my best.”)
When I heard Bonnie’s voice, my heart soared. It took willpower to control myself, forcing myself to talk with no more animation than when I really was talking to my mother.
It had worked. I was as excited as if I’d just succeeded with some epic hack.
The first time is the hardest. I kept up that routine day after day. It’s a wonder the guard didn’t buy me some lotion for itchy skin.
One night a couple of weeks after I began doing this trick, when I was sleeping, my cell door slid open. Standing there were a bunch of suits: a couple of associate wardens and the captain of the detention center. I was handcuffed, shackled, and hustled off to a conference room thirty feet away. I sat down, and one of the associate wardens asked, “Mitnick, how are you doing it? How are you redialing the phone?” I played dumb, thinking it would be stupid to admit anything. Let them prove it.
The captain chimed in, “We’ve been monitoring your calls. How are you dialing the phone? The CO [Correctional Officer] is watching you at all times.” I smiled and said, “I’m not David Copperfield—how could I possibly redial the phone? The officer never takes his eyes off me.”
Two days later, I heard noises outside my room. It was a Pacific Bell technician. What the hell? He was installing a phone jack in the hallway across from my cell and the next time I asked to make a phone call, I found out why: the guard brought a phone with a twenty-foot handset cord and plugged it into the jack, dialed the authorized number I requested, and then passed the handset through the slot in the heavy metal door to my cell. The phone itself was far beyond my reach. Bastards!
Besides taking my phone calls, Bonnie was also very supportive in person. Three times a week after work, she’d make the long drive to the prison and wait in line for a very long time for her turn to see me in the visiting room, with guards watching us the whole time. We were allowed a brief hug and quick kiss. Over and over, I would earnestly reassure her that this was the last time I would ever do anything like this. As in the past, I really believed it.
I continued to sit in solitary while attorney Alan Rubin negotiated with the prosecutor about the terms of a plea bargain that would let me get out of prison without a trial. I was being charged with breaking into DEC and possessing MCI access codes, causing DEC a loss of $4 million—an absurd claim. Digital’s actual losses were related to the investigation of the incident; the $4 million figure was an arbitrary number chosen for the purpose of sentencing me to a lengthy prison term under the Federal Sentencing Guidelines. My punishment should really have been based on the cost of the licensing fees I hadn’t paid for the source code I’d copied, which would have been much, much less.
Still, I wanted to settle the case and get out of my coffinlike cell as quickly as possible. I didn’t want to stand trial because I knew the Feds had easily enough evidence to convict me: they had my notes and disks, they had Lenny’s eagerness to testify against me, they had the tape from a body wire Lenny had worn during our last hacking session.
At last my attorney worked out a deal with the Federal prosecutors that would result in my serving a one-year prison term. They also wanted me to testify against Lenny. That came as a shock, since I’d always heard that the guy who squealed first would get off easy, maybe without even doing any time at all. But the Feds now wanted to nail their own snitch, and my former friend. Sure, I said. Lenny had given evidence against me, so why shouldn’t I pay him back in kind?
But when we got into court, Judge Pfaelzer apparently was influenced by the many rumors and false allegations that had piled up against me over time. She rejected the plea agreement, deeming it too lenient. Still, she allowed a revised version that gave me one year in jail, followed by six months in a halfway house. I was also required to sit down with DEC’s Andy Goldstein to tell him how we’d hacked into DEC and copied its most coveted source code.
As soon as I said I would accept a plea agreement, I magically lost my “national security threat” status. I was transferred from solitary into the general population. At first it felt almost as good as being released, but then reality quickly reminded me that I was still in jail.
While I was in the general population at the Metropolitan Detention Center, a fellow prisoner, a Colombian drug lord, offered to pay me $5 million cash if I could hack into Sentry, the Federal Bureau of Prisons’ computer system, and get him released. I played along to keep on friendly terms with him, but I had absolutely no intention of going down that road.
Soon I was transferred to the Federal prison camp at Lompoc. What a difference: there was dormitory housing instead of cells, and not even a fence around the place. I was sharing my new digs with the who’s who of white-collar crime. My fellow inmates even included a former Federal judge who had been convicted of tax evasion.
My weight had spiked back up to 240 while I was in solitary, since I had been living mostly on comfort food from the commissary—goodies like Hershey bars dipped in peanut butter. Hey, when you’re in solitary, anything that makes you feel a little better is a good thing, right?
But now, at Lompoc, another inmate, a cool guy named Roger Wilson, talked me into doing lots of walking and exercising as well as eating healthier foods such as rice and veggies and the like. It was hard for me to get started, but with his encouragement, I succeeded. It was the beginning of a change in my lifestyle that would remake me, at least in terms of my body image.
Once when I was sitting on a wooden bench, waiting in line to use the phone, Ivan Boesky sat down next to me with a coffee in hand. Everybody knew who he was: a onetime billionaire financial genius who had been convicted of insider trading. And it turned out he knew who I was, too: “Hey, Mitnick,” he said, “how much money did you make hacking those computers?”
“I didn’t do it for the money; I did it for the entertainment,” I replied.
He said something like, “You’re in prison, and you didn’t make any money. Isn’t that stupid?” Like he was looking down his nose at me. At that exact moment, I happened to spot a roach floating in his coffee. Smiling, I pointed at it and said, “This place isn’t like the Helmsley, is it?”
Boesky never answered. He just got up and walked away.
After almost four months at Lompoc, I was coming up for release to the halfway house, a place called “Beit T’Shuvah.” I was told the name was Hebrew for “House of Return.” Beit T’Shuvah used the 12-step program, designed for people with drug, alcohol, and other addictions.
My imminent move to a halfway house was the good news. The bad news was that a Probation Officer had called Bonnie to make an appointment to “inspect” the apartment she was then living in, explaining that he had to approve my future living arrangements before I was released. For Bonnie, that was the last straw. She felt she had been through enough and couldn’t dance this dance anymore. “You don’t need to inspect my apartment,” she told the guy. “My husband won’t be living here.” On her next visit, she gave me the bad news: she was filing for divorce.
She now says, “It was a very painful time for me. I thought I had failed. It was scary. I was too afraid to leave Kevin, but too afraid to stay. The fear of staying just became too big.”
I was stunned. We had been planning to spend the rest of our lives together, and now she had changed her mind just as I was nearing release. I felt as if a ton of bricks had been dropped on me. I was really hurt, and totally shocked.
Bonnie agreed to come to the halfway house for a couple of marriage-counseling sessions with me. They didn’t help.
I was deeply disappointed about her decision to end our marriage. What could account for her sudden change of heart? There must be another guy, I thought—somebody else was in the picture. I figured that by checking out the messages on her answering machine, I could find out who it was. I felt bad about doing it, but I needed to know the truth.
I knew Bonnie’s answering machine was a RadioShack product because I recognized the jingle it played to prompt the caller to leave a message. I also knew that with this particular machine, you could retrieve messages remotely, but only if you had the handheld device that came with it, which emitted a special set of tones to turn on the playback. How could I get around that and listen to her messages without the remote beeper?
I called a RadioShack store and described the type of answering machine she had, then added that I had lost my beeper and needed to buy another. The salesman said there were four possible beepers for the various models of that particular answering machine—A, B, C, and D—each of which played a different sequence of tones. I said, “I’m a musician, so I’ve got a good ear.” He wanted me to come down to the store, but I couldn’t leave the halfway house because new arrivals weren’t permitted to leave the premises for the first thirty days they were there. I pleaded with him to open one of each type, put batteries in the remotes, and then play each remote so I could hear it.
My persistence paid off: the guy went to the trouble of setting up the four remotes and playing each of their tones for me. I had a microcassette-tape recorder running the whole time, pressed to the telephone receiver.
Afterward, I called Bonnie’s phone and played back the tones through the receiver. The third one did the trick. I heard Bonnie leave a message on her own phone, presumably from work. After the call had gone to the machine, some guy in her apartment picked up, and the tape recorded both sides of their conversation as she told him about “how great it was to spend time with you.”
Eavesdropping on her messages was a stupid thing for me to do because it just made the pain I was already feeling that much worse. But it confirmed my suspicions. I was pretty upset that she had been lying to me. I was desperate enough to actually consider sneaking out of the halfway house to see her. Luckily I stopped myself, knowing what a huge mistake that would be.
After that first month, I was allowed to leave the halfway house for some selected appointments and visits. I often went to see Bonnie, trying to win her back. On one of those visits, I noticed that she’d carelessly left her latest phone bill sitting on the table. It showed that she’d been spending hours on the phone with Lewis De Payne, who until that moment I’d still believed was my closest friend.
Well, of course, I had to find out for sure. I casually asked if she ever heard from any of my buddies, like Lewis.
She lied, flatly denying having ever been in touch with him at all—and confirming my worst fear. In my mind, she had completely blindsided me. Where were the faith and trust that I thought I had finally found in her? I confronted her but got nowhere. I was devastated. Licking my wounds, I walked out and cut off all contact with her for a long time.
Soon after, she moved in with Lewis. To me it made no sense at all: she was leaving a guy with a hacking addiction for another guy with the same propensities. But more important was that Bonnie hadn’t been just my girlfriend: she had been my wife. And now she’d taken up with my best friend.
After my release, I traded my hacking addiction for an addiction of a different kind: I became an obsessive gym rat, working out for hours every day.
I was also able to find a short-term job as a tech-support person for a firm called Case Care, but that lasted only three months. When it ended, I obtained permission from the Probation Office to relocate to Las Vegas, where my mom had moved and would welcome me living with her until I could get my own place.
Over a period of months, I dropped a hundred pounds. That put me in the best shape of my life. And I wasn’t hacking. I was feeling great, and if you had asked me then, I would have said the hacking days were all behind me.
That was what I thought.