TWELVE

You Can Never Hide

idniidhsubrseognteiuignuhrzdalrd ietfetinmeablnigorcsnuatoieclei

I had become so wrapped up in investigating Adam’s death that I needed a break—something else to focus my attention on that wasn’t so emotional. For me, the diversion I needed wasn’t hard to find: I would go back and tackle Neill Clift, the Brit who had been finding all the security holes in DEC’s VMS operating system. How could I trick him into giving me all the security bugs he had found?

From messages I had been reading, I knew that Clift had long craved a job at DEC; maybe that could be my opening. I duped British Telecom into giving me his unlisted home telephone number and called him, introducing myself as Derrell Piper, the name of an actual Digital software engineer in VMS Development. I told him, “We’ve got a hiring freeze right now, but despite that we may be hiring some security engineers. Your name came up because you’ve been so helpful in finding security vulnerabilities and sharing them with us.” And I went on to talk to him about some DEC manuals I knew he wanted.

At the end of the call, I said, “Well, nice talking to you, it’s been a long time.”

Oops—big mistake. The two men had never spoken before.

Later I would learn that Neill called well-known security consultant Ray Kaplan, who he knew had interviewed me on his “Meet the Enemy” conference series. Ray played a portion of the tape.

Neill had to listen for only a few moments before confirming, “Yes—the guy who called me was Kevin Mitnick.” The next time we spoke, Ray told me, “I guess you’re still doing some social engineering.”

Confused, I asked, “What do you mean?”

“Neill called me. I played a piece of the interview I did with you. He recognized your voice and said you’ve been calling him.”

Of course, all this time I was also still in contact with Eric Heinz, who kept bringing up Kevin Poulsen’s name. I had never met Poulsen but had read enough and heard enough to admire his hacking achievements. It was strange that we had never met, never hacked together, because we were close to the same age and had grown up just a few miles apart. He would later explain that he started learning about phone phreaking some time after I did—I was already famous in the hacker community when he was still a neophyte.

Lewis and I were both eager to find out more from Eric about what he and Poulsen had been doing together. In one phone conversation, Eric again rattled off the names of Pacific Bell systems he and Poulsen had gained control over. The list was familiar, all except one that I had never heard of: “SAS.”

“What’s SAS?” I asked.

“It’s an internal testing system that can be used to monitor a line.”

In phone company lingo, “monitor” is a tactful word for wiretap.

I told Eric, “With switch access, you can monitor a line anytime.” I figured he’d understand: the phone company’s 1A ESS switches had a “talk & monitor” feature that let you pop in on a line and listen to the conversation.

Eric said, “SAS is better.”

He claimed that he and Poulsen had made a nighttime visit to the Sunset central office in West Hollywood. But their visit had turned up some things they hadn’t seen before. They found the place strange: unlike other COs, it was equipped with unusual computer terminals and tape drives, “looking like something from an alien planet.” One refrigerator-sized box had various types of equipment humming inside it. They came across a manual identifying the device as a Switched Access Services unit—SAS for short. When Poulsen started leafing through the manual, he realized that SAS was meant for line testing, which sounded like it meant you could connect onto any phone line.

But was it just for checking that the line was working? Or could you pick up conversations?

Poulsen started fiddling with the SAS control terminal. Punching in the number of a pay phone he sometimes used, he confirmed that, yes, you could drop in on a line and hear the conversation.

He went back into the CO on another night with a tape recorder so he could capture the data being sent out from the SAS equipment. He wanted to try to reverse-engineer the protocol at home and give himself the same capabilities.

I had to have access to this system. But when I asked for details, Eric clammed up and quickly changed the subject.

I started researching it the very next day.

The mysterious SAS was just what I had been lacking in my life: a puzzle to be solved, an adventure with hazards. It was unbelievable that in my years of phone phreaking, I had never heard about it. Intriguing. I felt, Wow, I gotta figure this out.

From my earlier nocturnal visits to phone company offices, as well as reading every telephone company manual I could get my hands on and social-engineering phone company employees since I was in high school, I had a well-developed knowledge of the different departments, processes, procedures, and phone numbers within Pacific Bell. There probably weren’t a lot of people inside the company who knew the structure of the working organization better than I did.

I began calling various internal departments. My line was, “I’m with Engineering. Does your group use SAS?” After half a dozen calls, I found a guy in an office in Pasadena who knew what I was talking about.

For most people, I guess, the toughest part of a ruse like this would be figuring out a way to get hold of the desired knowledge. I wanted to know how to gain access to SAS, as well as the commands that would let me take control of it. But I wanted to go about it in a safer way than Eric and Kevin Poulsen had done; I wanted to do it without having to physically enter a Pacific Bell facility.

I asked the guy in Pasadena who knew about SAS to pull a copy of the manual off the shelf for me. When he came back on the line with it, I asked him to open it up and read me the copyright notice.

The copyright notice?

Sure—that gave me the name of the company that had developed the product. But from there, I hit a snag. The company had gone out of business.

The LexisNexis database maintains massive online files of old newspaper and magazine articles, legal records, and corporate material. As you might guess, the fact that a company has gone out of business doesn’t mean that LexisNexis has deleted the files about it. I found the names of some individuals who had worked for the company that had developed SAS, including one of its officers. The company had been based in Northern California. I did a telephone directory search in that area and came up with the officer’s phone number.

He was home when I called. I told him I was with Pacific Bell Engineering, that we wanted to make some customized improvements to our “SAS infrastructure,” and that I needed to talk to someone who knew the technology. He wasn’t the least bit suspicious. He said it would take him a couple of minutes, then came back on the phone and gave me the name and phone number of the guy who had been the lead engineer in charge of the product development team.

One more thing to do before placing the crucial phone call. At that time, Pacific Bell internal phone numbers began with the prefix 811; anybody who had done business with the company might know that. I hacked into a Pacific Bell switch and set up an unused 811 number, then added call forwarding and forwarded it to the cloned cell phone number I was using that day.

The name I gave when I called the developer was one I still remember: Marnix van Ammers, the name of a real Pacific Bell switching engineer. I gave him the same story about needing to do some integration with our SAS units. “I’ve got the user’s manual,” I told him, “but it doesn’t help for what we’re trying to do. We need the actual protocols that are used between the SAS equipment in our testing centers and the central offices.”

I had dropped the name of an executive at his old company and was using the name of a real Pacific Bell engineer. And I didn’t sound nervous; I wasn’t stumbling over my words. Nothing about my call set off alarm bells. He said, “I might still have the files on my computer. Hang on.”

After a couple of minutes, he came back on the line. “Okay, I found them. Where do you want me to send them?”

I was too impatient for that. “I’m under the gun here,” I said. “Can you fax them?” He said there was too much material for him to fax the whole thing, but he could send a fax with the pages he thought would be most useful, and then mail or FedEx me a floppy with the complete files. For the fax, I gave him a phone number I knew by heart. It wasn’t to a fax machine at Pacific Bell, of course, but it was in the same area code. It was the fax number for a convenient Kinko’s. This was always a little risky because many machines, when they’re sending a fax, display the name of the machine they’re connecting to. I always worried someone would notice the tag saying “Kinko’s store #267” or whatever: dead giveaway. But as far as I can recall, no one ever did.

The FedEx was almost as easy. I gave the engineer the address of one of those places where you could rent a mailbox and have packages held for you, and I spelled out the name of the Pacific Bell employee I was claiming to be, Marnix van Ammers. I thanked him, and we chatted for a bit. Chatting is the kind of extra little friendly touch that leaves people with a good feeling and makes after-the-fact suspicions that much less likely.

Even though I had been practicing the art of social engineering for years, I couldn’t help but be amazed and a little dazzled by how easy this had been. One of those moments when you feel that runner’s high, or as if you’d won a jackpot in Vegas—the endorphins are rushing through your body.

That same afternoon, I drove to the mailbox rental store to set up a box in Van Ammers’s name. They always require ID for this. No problem. I explained, “I’ve just moved here from Utah, and my wallet was stolen. I need an address where they can mail me a copy of my birth certificate so I can get a driver’s license. I’ll show you the ID as soon as I get it.” Yes, they were violating postal regulations by renting me a box without seeing my ID, but these places are always eager for new business; they don’t really want to turn anybody away. A decent explanation is often all it takes.

By that evening, I had the fax in my hands—the basic information that I hoped would allow me to wiretap any Pacific Bell phone in all of Southern California. But we still had to figure out how to use the SAS protocols.

Lewis and I attacked the puzzle of trying to figure out how SAS worked from a number of different angles. The system gave a technician the ability to connect to any phone line, so he could run tests to find out why a customer was hearing noise on his line or whatever the problem was. The tech would instruct SAS to dial in to the particular CO that handled the telephone line to be tested. It would initiate a call to a part of the SAS infrastructure at the CO known as a “remote access test point,” or RATP.

That was the first step. In order to hear audio on the line—voices, noise, static, or whatever—the tech would then have to establish an audio connection to the SAS unit in the CO. These units were designed with a clever security provision: they had a list of phone numbers preprogrammed into their memories. The technician would have to send a command to the SAS unit to dial back to one of the preprogrammed numbers—the phone number at the location where he was working.

How could we possibly bypass such a clever, apparently infallible security measure?

Well, it turned out not to be all that hard. You’d have to be a phone company technician or a phone phreaker to understand why this worked, but here’s what I did. I dialed from my telephone into the phone line I knew SAS would use to make its outgoing call, then immediately triggered SAS to call back an authorized number programmed into its memory.

When SAS picked up the line to make an outgoing call, it actually answered the incoming call from my phone. But it was waiting for a dial tone and couldn’t get one because I had the line tied up.

I went mmmmmmmmmmmmmm.

I couldn’t have hummed exactly the right sound, because a dial tone in the United States is actually made up of two frequencies. But it didn’t matter because the equipment wasn’t designed to measure the exact frequencies; it needed only to hear some kind of a hum. My Campbell’s Soup mmmmmmm was good enough.

At this point, SAS attempted to dial the outgoing call… which didn’t go through because I was already connected on the line it was trying to use.

Final step: from my computer, I typed in cryptic commands that instructed SAS to drop in on the phone number of the subscriber line I wanted to monitor.
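The bypass just described worked because the test unit treated any sustained hum as a dial tone instead of checking for the actual two-component signal. The following is an added illustration of the check it lacked; it is not code from the book or from Pacific Bell's equipment. The U.S. precise dial tone is the sum of a 350 Hz and a 440 Hz tone (the text above only says "two frequencies"); the validator requires both components to be present with comparable energy before it treats the line as offering a real dial tone, so a single-frequency hum is rejected. The 8 kHz sample rate, the thresholds and the synthesized signals are assumptions constructed for the example.

```python
import math

SAMPLE_RATE = 8000            # telephone-grade sampling rate (assumption for this example)
DIAL_TONE_HZ = (350.0, 440.0)  # U.S. precise dial tone: 350 Hz + 440 Hz, both present at once


def goertzel_power(samples, freq_hz, sample_rate=SAMPLE_RATE):
    """Power of one frequency bin of `samples`, computed with the Goertzel algorithm."""
    n = len(samples)
    k = int(0.5 + n * freq_hz / sample_rate)   # nearest DFT bin to the target frequency
    w = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def tone_energy_fraction(samples, freq_hz, sample_rate=SAMPLE_RATE):
    """Share of the signal's total energy sitting in the bin at `freq_hz` (0.0 .. 1.0)."""
    n = len(samples)
    total = sum(x * x for x in samples)
    if total == 0.0:
        return 0.0
    # For a tone aligned with its bin, Goertzel power = (amplitude * n / 2) ** 2,
    # while the time-domain energy is amplitude ** 2 * n / 2; this scaling makes
    # a pure tone report a fraction of exactly 1.0.
    return goertzel_power(samples, freq_hz, sample_rate) * 2.0 / n / total


def is_dial_tone(samples, sample_rate=SAMPLE_RATE, min_fraction=0.2, max_imbalance=4.0):
    """Accept only a signal that carries BOTH dial-tone components at comparable levels.

    A hum at a single frequency leaves one of the two bins essentially empty and is
    rejected; a clean dial tone puts roughly half its energy in each bin.
    """
    fractions = [tone_energy_fraction(samples, f, sample_rate) for f in DIAL_TONE_HZ]
    if min(fractions) < min_fraction:
        return False
    return max(fractions) / min(fractions) <= max_imbalance


def synth(freqs, seconds=0.1, sample_rate=SAMPLE_RATE):
    """Constructed test signal: unit-amplitude sine waves at `freqs`, summed."""
    n = int(seconds * sample_rate)
    return [sum(math.sin(2.0 * math.pi * f * i / sample_rate) for f in freqs)
            for i in range(n)]


if __name__ == "__main__":
    real_dial_tone = synth(DIAL_TONE_HZ)
    single_hum = synth((137.0,))          # constructed stand-in for a hummed "mmmmm"
    one_component = synth((440.0,))       # only half of the real signal
    print("dial tone accepted:", is_dial_tone(real_dial_tone))     # True
    print("hum accepted:", is_dial_tone(single_hum))               # False
    print("440 Hz alone accepted:", is_dial_tone(one_component))   # False
```

The tone check only closes the specific weakness the passage turns on. The larger design flaw is that the unit originated its callback over a line on which it could also be called, so that anyone holding that line could substitute themselves for the network; a unit that places its callback over a dedicated outbound-only trunk, and drops the connection on any incoming ring, does not depend on the tone test at all.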

On our first attempt, I was so excited I could barely breathe.

It worked!

Lewis said afterward, “Kevin, you were beside yourself, dancing around in circles. It was like we had found the Holy Grail.”

We could remotely wiretap any phone number within all of Pacific Bell!

Meanwhile, though, I was really growing antsy to find out the truth about Eric. Too many things about him seemed suspicious.

He didn’t appear to have a job. So how could he afford to hang out at the clubs he talked about? Hot places like Whiskey à Go-Go, where acts like Alice Cooper and the Doors, as well as rock gods from back in the day like Jimi Hendrix, had sometimes dropped in to jam.

And that business about not giving me a phone number? Eric wouldn’t even give me his pager number. Very suspicious.

Lewis and I talked about the situation and decided we needed to find out what was going on. First step: penetrate the screen of “I won’t give you my phone number.” Then, once we had his phone number, use it to find his address.

Caller ID wasn’t being offered then to customers in California because the state’s Public Utilities Commission was fretting over privacy issues and hadn’t yet authorized its use. But like most phone companies, Pacific Bell used central office switches developed by Bell Labs and manufactured by AT&T, and it was common knowledge in the phreaker community that these switches already had the caller ID feature built into their software.

In the building where my friend Dave Harrison had his offices, a terminal on the first floor had hundreds of phone lines running to it. I went down to the terminal in stealth mode because there was a security guard stationed very nearby, though thankfully not in direct sight. Using a lineman’s handset that Dave had sitting around in his office, I connected to several cable pairs, looking for one that had a dial tone. When I found one, I dialed the special code to obtain the phone number. That was the bait number I would set Eric up to call.

Next Dave “punched the pair down” in the terminal, connecting that line to an unused phone line running up to his office. Back upstairs, we hooked a phone to the hijacked line and connected a caller ID display box.

From my old VT100 terminal, I dialed in to the Webster Street central office switch and added the caller ID feature to the bait phone line.

Later that night I returned to my dad’s apartment in Calabasas, set my alarm clock to go off at 3:30 a.m., and turned in. When the alarm went off, with my cell phone as usual cloned to someone else’s number, I paged Eric, who by then had loosened up enough to give me his pager number. I left the bait phone number for him to return the call. When Eric dialed the number, the caller ID data would be sent between the first and second rings, capturing the number of his phone. Gotcha!

Hermit-like, Dave secretly lived and slept in his office. As soon as I thought Eric would have returned the page, I phoned Dave. It was 3:40 in the morning. I had to keep calling until he finally answered, really angry. “What is it?!” he shouted into the receiver.

“Did you get the caller ID?”

“Yes!”

“Dave, it’s really important. What is it?”

“Call me in the morning!” he yelled before slamming the phone down.

I went back to sleep and didn’t reach him again until the next afternoon, when he obligingly read me the phone number off the caller ID: 310 837-5412.

Okay, so I had Eric’s phone number. Next to get his address.

Posing as a technician in the field, I called Pacific Bell’s Mechanized Loop Assignment Center, or MLAC, also known simply as the Line Assignment Office. A lady answered and I said, “Hi. This is Terry out in the field. I need the F1 and the F2 on 310 837-5412.” The F1 was the underground cable from the central office, and the F2 was the secondary feeder cable that connects a home or an office building to the serving area interface, which eventually connects to the F1, all the way back to the central office.

“Terry, what’s your tech code?” she asked.

I knew she wasn’t going to look it up—they never did. Any three-digit number would satisfy, so long as I sounded confident and didn’t hesitate.

“Six three seven,” I said, picking a number at random.

“F1 is cable 23 by 416, binding post 416,” she told me. “F2 is cable 10204 by 36, binding post 36.”

“Where’s the terminal?”

“The oh-dot-one is at 3636 South Sepulveda.” That was the location of the terminal box, where the field technician bridged the connection to the customer’s home or office.

I didn’t care about anything I had asked so far. It was just to make me sound legitimate. It was the next piece of information that I really wanted.

“What’s the sub’s address?” I asked. (“Sub” being phone company lingo for the subscriber, or customer.)

“Also 3636 South Sepulveda,” she told me. “Unit 107B.”

I asked, “Do you have any other workers at 107B?”—“workers” being lingo for “working telephone numbers.”

She said, “Yes, we have one other,” and gave me the second number, along with its F1 and F2. As easy as that. It had taken me not much more than a few minutes to discover Eric’s address and both of his phone numbers.

When you use social engineering, or “pretexting,” you become an actor playing a role. I had heard other people try to pretext and knew it could be painfully funny. Not everybody could go on stage and convince an audience; not everybody could pretext and get away with it.

For anyone who had mastered pretexting the way I had, though, it became as smooth as a champion bowler’s sending a ball down the lane. Like the bowler, I didn’t expect to score a strike every time. Unlike the bowler, if I missed, I usually got another try at it with no loss of score.

When you know the lingo and terminology, it establishes credibility—you’re legit, a coworker slogging in the trenches just like your targets, and they almost never question your authority. At least, they didn’t back then.

Why was the lady in Line Assignment so willing to answer all my questions? Simply because I gave her one right answer and asked the right questions, using the right lingo. So don’t go thinking that the Pacific Bell clerk who gave me Eric’s address was foolish or slow-witted. People in offices ordinarily give others the benefit of the doubt when the request appears to be authentic.

People, as I had learned at a very young age, are just too trusting.

Maybe my venture back into hacking was excusable, or at least understandable, justified by my need to solve the riddle of my half-brother’s death. Yet I suddenly realized I had been beyond stupid: I had been using one of the three phone lines in my dad’s apartment to make all kinds of social-engineering calls to Pacific Bell, to follow leads in my Adam investigation, and to talk with Lewis.

These were all clear violations of the conditions of my supervised release. What if the Feds were monitoring my dad’s phone lines and had heard those conversations?

I needed to find out what they knew.