100 0000 10 1 01 001 00 1000 1 010 11 000 0 0000 11 000 000111 00011 10000 11111 11110 11000 00111 10000 11111 10000 11111
Now that we had access to SAS, Lewis and I wanted to get the dial-up numbers for all the central offices, so we would have the ability to monitor any phone in Pacific Bell’s coverage area. Rather than having to social-engineer a Pacific Bell employee to give us the dial-up number every time we wanted access, we would have them all.
I had learned from the employee in Pasadena, the guy who read the copyright line for me, how they used SAS. The tester had to manually enter the dial-up number for the RATP for the central office of the line to be tested. The testers had a list of dial-up numbers for the RATPs in all the central offices they managed.
Small problem: How could I get a copy of the SAS dial-up numbers for all the central offices when I didn’t know what the damned list was called? Then I realized there might be a way. Maybe the information was already available in a database. I called the group in Pasadena that used SAS to run tests on a line when a subscriber was having phone problems. I called that group, identified myself as being “from Engineering,” and asked if I could look up the SAS dial-up numbers in a database. “No,” was the answer, “there’s no database. It’s only in hard copy.”
Bummer. I asked, “Who do you call when you’re having a technical problem with an SAS unit?”
Another example of how willing people are to help out somebody they have reason to believe is a fellow employee: the guy gave me the phone number of a Pacific Bell office in the San Fernando Valley. Most people are sooo willing to be helpful.
I called there, got a manager on the line, and told him, “I’m from Engineering in San Ramon,” the location of the major Pacific Bell engineering facility in Northern California. “We’re putting the SAS dial-up numbers into a database, so we need to borrow a complete listing of all the numbers. Who has a copy of that?”
“I do,” he said, swallowing my story without hesitation, because he was a guy buried deep within the Pacific Bell internal organization who wouldn’t think an outsider would have any way of finding him.
“Is it too long to fax?”
“About a hundred pages.”
“Well, I’d like to pick up a copy for a few days. I’ll either come by for it myself or have somebody pick it up for me. That okay?”
He told me where to find his office.
Again Alex was excited about being a front for me. Dressed in a business suit, he drove over to the Pacific Bell facility in the San Fernando Valley. But the man didn’t just hand him the package, as we expected. Instead he pressed Alex about why he needed the information.
It was an awkward moment. This was in the spring, in Southern California. It was warm outside. And Alex was wearing gloves.
When the guy saw Alex’s gloved hands, he looked at him and said, “Can I see your ID?”
Another uncomfortable moment.
Few things in life are more valuable than being able to think on your feet in a situation that would be flop-sweat time for most people.
Alex nonchalantly said, “I’m not with Pacific Bell. I’m a sales associate on the way to a Pacific Bell meeting downtown. They asked me, as a favor, if I would swing by and pick this up.”
The man looked at him for a moment.
Alex said, “It’s okay—if it’s a problem, it’s no big deal,” and he turned as if he were going to start walking away.
The guy said, “Oh, no, no—here,” and held the package out to Alex.
Alex was wearing an “I did it!” grin when he presented me with the binder containing all the dial-up numbers for the SAS units at every central office in Southern California.
After we had copied the pages, Alex went to a public Pacific Bell customer billing office and convinced a secretary to put the package into intracompany mail to be returned to the man who’d let him borrow it—covering our tracks by avoiding having any questions raised about a missing binder that could lead to a discovery SAS had been compromised, while at the same time leaving Alex untraceable.
One day, I had a gut feeling that Lewis could also be the target of an investigation. Checking just as a precaution, I discovered intercepts on all the phone lines at the company where Lewis worked, Impac Corporation. Why? Could Eric have anything to do with this? Lewis and I decided to phone Eric and see if we could trap him into revealing anything about it.
Lewis handled the call, with me listening and prompting.
Eric mostly responded with a noncommittal Hmm sound. Finally he said, “Sounds like you guys got some problems.” Well, thanks. That wasn’t any help.
Eric asked, “What’s one of the monitor numbers? I’d like to call in and see what I get.” Lewis gave him the monitor number that was in use for intercepting one of the Impac lines: 310 608-1064.
Lewis told him, “Another strange thing—I now have an intercept on the phone in my apartment as well.”
“Pretty weird,” Eric replied.
Lewis said, “What do you think is going on, Eric? Kevin keeps asking me these questions. He would like you to speculate. Could there be law enforcement involvement?”
“I don’t know.”
Lewis pushed: “Just say yes, so he’ll quit asking.”
Eric said, “I would think no. I think it’s just the phone company.”
“Well, if they’re going to monitor all the lines at the place I work, they’re going to have to listen to thousands of calls a month,” Lewis answered.
The next day, with me listening over speakerphone, Eric called Lewis, who started by asking, “Are you calling from a secure line?”
Eric answered, “Yes, I’m calling from a pay phone,” and then launched into another of his “You’ve got to respect my privacy” complaints.
Then, seemingly out of the blue, he asked Lewis, “Have you installed any of the CLASS features at work?”
He was referring to “custom local area signaling services” such as caller ID, selective call forwarding, return call, and other features that weren’t available to the general public. If Lewis said yes, he would be confessing to an illegal act.
Before Lewis had a chance to deny it, we heard a call waiting signal on Eric’s end.
I said to Lewis, “Since when do pay phones have call waiting!?”
Eric muttered that he had to get off the line for a minute. When he came back on, I challenged him about whether he was calling from a pay phone. Eric changed his story, now saying he was calling from a girlfriend’s.
While Lewis continued the conversation, I called Eric’s apartment. A man answered. I tried again, in case I had misdialed. Same man. I told Lewis to press him about it.
Lewis said, “Some guy is answering your home phone. What the hell is this all about, Eric?”
He said, “I don’t know.”
But Lewis kept pressing. “Who’s in your apartment, Eric?”
“Well, I don’t know what’s going on. No one’s supposed to be in my apartment. I’m going to go check it out,” he answered. “With all the stuff that’s happening, I’m going into secure mode. Keep me posted.” And he hung up.
So many lies about little things that didn’t matter.
Eric was becoming a mystery to solve, equal to the mystery of the intercept boxes. So far, all I had on that was three numbers originating from somewhere in Oakland that were connected to the boxes.
Where, physically, were the monitor calls originating from? Not very difficult to find out. I simply called MLAC, the Mechanized Loop Assignment Center, provided one of the phone numbers, and was given the physical address where the telephone line was located: 2150 Webster Street, Oakland, the offices of Pacific Bell’s Security Department. They had previously been located in San Francisco but had since moved across the bay.
Great. But that was just one of the numbers. I wanted to know all of the numbers Pacific Bell Security was using to connect to its secret monitoring boxes. I asked the MLAC lady to look up the original service order that had established the one phone number I had already discovered. As I expected, the order showed that multiple other phone numbers—about thirty of them—had been set up at the same time. And they were originating from what I thought of as the “wiretapping room,” where they were recording the intercepts. (Actually, I would find out much later that there was no dedicated wiretapping room; when a call started on any of the lines being monitored, it would be captured on a voice-activated recorder on the desk of whichever security investigator was handling that case, to be listened to whenever he or she had the opportunity.)
Now that I had the monitor numbers, I needed to figure out where each one was calling out to. First I called each of the numbers, knowing that any of them that didn’t give me a busy signal must not be actively in use for wiretapping; those, I ignored.
For all the others, the ones that were currently in use for intercepts, I called the Oakland SCC and social-engineered a switch tech into performing a query call memory (QCM) command on the DMS-100 switch serving that number (a QCM gives the last phone number called from that phone). With this new information, I now had a list of dial-up monitor numbers for each active Pacific Bell wiretap in the state of California.
The area code and prefix of the monitor number identified which central office the wiretap was in. If Lewis or I knew anyone who had a phone number served out of a CO where a wiretap was active, I would call the central office, say I was from PacBell Security, and explain, “We have one of our boxes there. I need you to trace out the connection.” After a couple of steps I would have the target phone number that the intercept was placed on. If it didn’t belong to anybody I knew, I’d go on to explore the next one.
I kept checking on intercepts as a precaution, watching my back while focused on the crucial task of trying to figure out what Eric was really up to. One approach came to mind that hadn’t occurred to me before. I called the Switching Control Center that managed the switch providing Eric’s telephone service and convinced the tech to perform a line-history block, or LHB, a way of getting a report on the last phone number dialed from a phone line served by a 1A ESS switch.
After that I started calling for LHBs on him up to several times a day, to find out what numbers he was calling.
One of the numbers made me break out in a cold sweat. Eric had called 310 477-6565. I didn’t need to do any research. It was seared into my memory:
The Los Angeles headquarters of the FBI!
Fuuuck.
I called Lewis at work from my cloned cell phone and said, “Turn on your ham radio.” He knew that meant something entirely different: it meant, “Turn on your cloned cell phone.” (He was the kind of person who liked to focus on one thing at a time; when he was addressing the task at hand, he’d turn off his cell phone and pager so they wouldn’t interrupt his train of thought.)
When I got him on the safe cell phone, I told him, “Dude, we’re in trouble. I did an LHB on Eric’s line. He’s fucking calling the FBI.”
He didn’t seem concerned. Entirely without emotion. Whaaaat?!
Well, maybe there was someone else in the office, and he couldn’t react. Or maybe it was that arrogance of his, that attitude of superiority, the notion that he was invulnerable.
I said, “You need to get your floppy disks and notes out of your apartment and office. Anything to do with SAS, you need to stash somewhere safe. I’m gonna be doing the same.”
He didn’t seem to think one phone call to the FBI was such a big deal.
“Just do it!” I told him, trying not to shout.
Common sense dictated my next call, to Pacific Bell’s Customer Name and Location Bureau. The effort was routine but produced an unexpected result. A cheerful young lady took my call and asked for my PIN; I used one that I had nabbed a few months earlier by hacking into the CNL database, then gave her the two phone numbers in Eric’s apartment.
“The first one, 310 837-5412, is listed to a Joseph Wernle, in Los Angeles,” she told me. “And it’s non-pub”—short for “non-published,” meaning a number that the information operator won’t give out. “The second, 310 837-6420, is also listed to Joseph Wernle, and it’s also non-pub.” I had her spell the name for me.
So the “Eric Heinz” name was a phony, and his real name was Joseph Wernle. Or Eric had a roommate… which didn’t actually seem too likely for a guy who claimed to have a different sleepover every night. Or maybe he had just registered the phone under a fake name.
Most likely Eric Heinz was a phony name and Joseph Wernle his real name. I needed to find out who this guy really was, and I needed to do it fast.
Where to start?
The rental application he’d filled out at his apartment complex might have some background information—references or whatever.
The Oakwood Apartments, where Lewis and I had paid him that surprise visit, turned out to be just one in a national string of rental properties owned by a real estate conglomerate. The places were rented to companies putting employees up on a temporary assignment, or people recently transferred to a new city and needing a place to live while looking for new digs. Today the company describes itself as “the world’s largest rental housing solution company.”
To set things up, I found the fax number for Oakwood’s worldwide headquarters, then hacked into a phone company switch and temporarily forwarded the phone line so any incoming fax calls would be transferred to the fax machine at a Kinko’s in Santa Monica.
On a call to Oakwood’s corporate headquarters, I asked for the name of a manager, then dialed the rental office at Eric’s building. The call was answered by a young lady with a pleasant voice and a helpful manner. Identifying myself as the manager whose name I had gotten, I said, “We’ve had a legal issue come up about one of the tenants there. I need you to fax me the rental application for Joseph Wernle.” She said she’d take care of it right away. I made sure the fax number she had for corporate was the same one I had just diverted to Kinko’s.
I waited until I thought the fax had been sent, then called the Kinko’s it was being forwarded to. I told the manager there that I was a supervisor at another Kinko’s location and explained, “I have a customer here who’s waiting for a fax. He just realized it was sent to the wrong Kinko’s.” I asked him to locate the fax and resend it to “my” Kinko’s. This second step would make it harder for any Feds to unravel my work. I call it “laundering a fax.”
Half an hour later, I stopped by the local Kinko’s and picked up the fax, paying cash.
But after all that effort, the application didn’t clear up anything. It only added to the mystery. The owners of corporate rental buildings usually require background information to make sure their new tenants don’t pose any financial risk. But in this case Oakwood had rented to a guy who had provided hardly any information at all. No references. No bank accounts. No previous addresses.
And most significantly, no mention of Eric’s name. The apartment had been rented in the same name the telephone service was under, Joseph Wernle. The only other piece of information on the entire application was a work phone number, 213 507-7782. And even that was curious: it was not an office number but, as I easily determined, a cell phone with service provided by PacTel Cellular.
Yet at least it gave me a lead to follow.
A call to PacTel Cellular gave me the name of the store that had sold the cell phone listed on Eric’s rental application: One City Cellular, in the Westwood neighborhood of Los Angeles, the area that includes the campus of UCLA. I made a pretext call to the store and said I wanted some information about “my” account.
“What’s your name, sir?” the lady on the other end asked.
I told her, “It should be under ‘U.S. Government’ ”—hoping she would correct my error… hoping it was an error. And at the same time hoping she would be helpful enough to give the name on the account.
She did. “Are you Mike Martinez?” she asked.
What the hell?!
“Yes, I’m Mike. By the way, what’s my account number again?”
That was taking a chance, but she was a retail clerk at a cell phone store, not a knowledgeable customer service rep at the cell phone company. She wasn’t the least bit suspicious and just read off the account number for me.
Heinz… Wernle… Martinez. What the fuck was going on?
I called the cell phone store back. The same young lady answered. I hung up, waited a bit, and tried again. This time I got a guy. I gave him “my” name, phone number, and account number. “I lost my last three invoices,” I said, and asked him to fax them to me right away. “I accidentally erased my address book off my cell phone and I need my bills to reconstruct it,” I said.
Within minutes, he was faxing the invoices. Driving a little too fast but not, I hoped, fast enough to get myself pulled over, I sped to Kinko’s. I wanted to know as soon as possible what was in those bills.
The fax turned out to be far more expensive than I expected. When I looked at Martinez’s bills, my jaw dropped. Each of the three monthly bills was nearly twenty pages long, listing well over a hundred calls. Many of them were to area code 202—Washington, DC—and there also were lots of calls to 310 477-6565, the Los Angeles headquarters of the FBI.
Oh, shit! One more confirmation Eric must be an FBI agent. The situation was getting more and more worrisome every time I turned over a new rock. Every lead I followed took me toward the people I most wanted to stay away from.
Hold on now. That wasn’t the only possibility. My new “friend” Eric Heinz might indeed be an agent himself, but on second thought, that was hard to believe—I’d found out by then that he wasn’t just hanging out at rock-and-roll clubs. The crowd he kept company with included our initial intermediary, Henry Spiegel, who had told me he once employed Susan Headley, aka Susan Thunder, that hacking hooker who had pointed a finger at me for breaking into the COSMOS center and once physically cut all the phone lines going to my mom’s condominium complex as an act of vengeance. And there were Eric’s own stories of having sex with a different stripper every night.
No, he sure didn’t sound like a kind of guy who would pass the FBI’s vetting process for would-be agents. So I figured that he probably wasn’t an agent at all. Maybe he was just a guy the Feds had something on, whom they had put to work as a confidential informant—a snitch. But why?
Only one explanation made sense: the FBI was trying to round up some hackers.
The Feds had targeted me before, and made sure the arrest got big media coverage. And now, if my suspicions were correct, the Bureau was dangling a carrot in front of me. By introducing Eric into my life, the agents were doing the equivalent of sticking a bottle of Scotch under the nose of a “reformed” alcoholic to see if they could bump him off the wagon.
Four years earlier, in 1988, USA Today had even superimposed my face over a huge picture of Darth Vader on the front page of its Money section, tarring me as “the Darth Vader of the hacking world” and digging up the old label of “the Darkside Hacker.”
So maybe it shouldn’t seem surprising that the FBI might have decided to make me into a priority.
And it wouldn’t be hard. After all, when I was still just a young man, prosecutors had felt justified in manipulating a judge with that absurd story about my being able to launch a nuclear missile by calling NORAD and whistling into the phone. I felt damned certain they wouldn’t hesitate to do it again now if they had the chance.
The address on Mike Martinez’s cell phone bill turned out to be some attorney’s office in Beverly Hills.
I called the office claiming to be from One City Cellular, Martinez’s cell provider. “Your bill is past due,” I told the girl who answered. “Oh, we don’t pay those bills,” she said. “We just forward them to a post office box in Los Angeles,” and she gave me the box number and the address—the Federal Building at 11000 Wilshire Boulevard. Not good.
My next call was to the U.S. Postal Inspection Service, in Pasadena. “I need to send a complaint,” I said. “Who is the inspector for the Westwood area of Los Angeles?”
Using the inspector’s name, I called the post office in the Federal Building, asked for the postmaster, and said, “I need you to look up the application for this P.O. box and give me the name and address of the applicant.”
“That post office box is registered to the FBI here at 11000 Wilshire.”
The news didn’t come as a surprise.
So who was the person who was passing himself off as Mike Martinez? What was his relationship with the FBI?
Even though I was desperate to know how much the government had on me, probing further just didn’t make any sense. It would mean getting deeper and deeper into the situation, making it all the more likely that I would eventually be rounded up and sent back to prison. I couldn’t face that. But could I really resist the urge?