TWENTY-SEVEN

Here Comes the Sun

laeaslarhawpuiolshawzadxijxkjgvvbvaxavlowyuuhdsxausmrmbulbegukseq

My main duties in the Information Technology Department at the law firm fell into the “computer operations” category: solving problems with printers and computer files, converting files from WordPerfect to Word and several other formats, writing scripts to automate procedures, and doing system and network administration tasks. I was also given a couple of major projects: connecting the firm to the Internet (this was just when the Internet was beginning to be much more widely used) and installing and managing a product called SecurID, which provides “two-form-factor” authentication. Authorized users have to provide the six-digit code displayed on the SecurID device in conjunction with a secret PIN for remote access to the firm’s computer systems.

One of my collateral duties—and I couldn’t have designed this better if I had been handing out job assignments myself—was a shared responsibility for supporting the firm’s telephone billing management system. That meant studying the telephone accounting application, on company time, no less. This was how I learned exactly where to add some programming instructions that would turn the application into an early-warning system for me.

I wrote a script that would check every outgoing phone call from the law firm against a hit list of area codes and telephone prefixes. And my list of numbers included, guess what? Right: the FBI and U.S. Attorney’s offices in Los Angeles and Denver. If a call was made to any number within those agencies, the script I wrote would send a message to my pager with the code “6565”—easy for me to remember because it was the last four digits of the main number assigned to the Los Angeles FBI office.

While I was at the firm, I actually got that code twice, and it scared the crap out of me both times. On each occasion, I waited a few minutes with a knot in my stomach, then looked up the number that had been called and dialed it myself.

Both times the call had been placed to the U.S. Attorney’s Office in Los Angeles… but to the Civil Division, not the Criminal Division. Whew!

In my spare time, I was still working out at the YMCA every day, of course, and still keeping busy with my hacking projects, of course. But I was also finding time to enjoy the variety of activities that Denver had to offer. The planetarium, besides reawakening a childhood interest in astronomy, also offered laser light shows accompanied by rock music, often from favorite bands of mine like Pink Floyd, Journey, and the Doors—a really enjoyable experience.

I was starting to settle into my new cover identity, becoming more sociable. Sometimes I’d go to one of the local dance clubs, just to find people to talk to. I met a girl I dated a few times, but I didn’t think it would be fair to her for us to get more involved: if I got picked up by the Feds, anyone I was close to could be put in a very uncomfortable situation, either being leaned on to give evidence against me or maybe even becoming a suspect herself. And, too, there was always a chance that I’d say something to give myself away, or she might spot some documents identifying me by some other name, or overhear a phone call. Pillow talk can have its dangers. From comments by fellow prisoners while I was in custody, I had learned that most had been ratted out by their significant others. I wasn’t going to make the same mistake.

There was a bookstore in the Cherry Creek area of Denver called the Tattered Cover, where I’d drink my fill of coffee and read computer books one after another. I tried a few of the rock clubs, but they drew a heavy-metal crowd of brawny guys with tats, so I felt more than a little out of place.

Sometimes I’d just go bike riding and enjoy the scenery, the glorious Denver scenery with all those mountains, so beautifully snowcapped in winter. Or visit a casino on one of the nearby Indian reservations to play a little blackjack.

I always looked forward to my next conversation with my mom, using those prearranged signals where she’d call from one of the casinos. Sometimes Gram would be with her. Those calls were so important to me, making me feel happy inside and giving me strength, though they were a great inconvenience to my family and a huge risk for me, should the Feds decide to step up their surveillance. It was hard not being closer to my mom and grandmother, who had showered me with so much love, caring, and support.

Meanwhile, to change my appearance and maybe also as a natural part of approaching the age of thirty, I let my hair grow long, so it eventually reached shoulder length.

I liked a lot of things about my new life.

After several months in Denver, I was ready for a trip to see my family, traveling this time by Amtrak. Mom and Gram came to the train station to pick me up. Now that my hair was long and my mustache had sprouted, my own mother almost didn’t recognize me. It was a really cool reunion, and I entertained them with stories about my job and my coworkers at the law firm.

I was able to feel more relaxed in Vegas now, thanks to my credentials as Eric Weiss, but I was still cautious. My mom and I would meet in unlikely locations. I’d get into her car in a parking garage and lie down in the backseat until she had driven into her own garage at home and closed the door. She fussed over me and made foods I liked, pressing seconds on me even as she told me how pleased she was that I still looked trim and fit.

I could see how much strain this whole thing had put on Gram, but even more so on my mom. Though she was happy and comforted to see me, having me there in person seemed to make her that much more aware of how much she missed me and how worried she was about my safety in Denver. And I constantly felt her conflict between cherishing my visit and fearing that my being in her company put me in much graver danger.

In the week I was there, we probably got together a dozen times.

Back in Denver, the atmosphere at work soon slid downhill after my boss, the easygoing Lori, left the firm to join her husband in running their own business, Rocky Mountain Snowboards. Her replacement, a thin brunette named Elaine Hill, was not as friendly. Though quite smart, she struck me as calculating and was a schoolteacher type, not a “people person” like Lori.

My coworkers in IT were so different from one another that they seemed almost like the characters in a play. Ginger, who had big teeth and was a bit on the pudgy side, was thirty-one and married. She took something of a liking to me, and we enjoyed a little playful banter at times. Still, I don’t think I did anything to suggest I had any sort of sexual interest in her—and certainly nothing to justify a couple of remarks she made to me around the office. She commented late one evening when we were both in the computer room: “I wonder what would happen if you had me laid out on this table and somebody walked in?” Huh?

Or maybe those come-ons of hers were actually intended to disarm me, so I wouldn’t become suspicious of her.

Back in LA before I went on the run, one of the people in my social circle with Lewis had been a guy named Joe McGuckin, a doughy guy with a round face and a sizable belly, bespectacled, close-shaven but still looking like he had a day’s growth, his brown hair hanging partway down his forehead in girly bangs. The three of us used to hang out together, so often eating at Sizzler and then going to a movie afterward that Lewis and I nicknamed him “Sizzler and a Movie.”

In a conversation we had while I was living in Denver, Lewis told me that Joe had given him an account on a Sun workstation he had at home. Lewis passed the credentials along to me, with a request. He was hoping I could get root on Joe’s workstation and then tell him how I got in, so he could needle Joe about it. That sounded to me like an interesting opportunity: since Joe was a contractor for Sun Microsystems, he very likely had the ability to remotely access the company’s network, which might be a way for me to hack into Sun.

Whenever we had discussed hacking back in those days in LA, Joe had always insisted that his workstation was as secure as Fort Knox. I thought, Oh, I’m going to have fun messing with him. Our love of pulling pranks was a common trait that had drawn Lewis and me together ever since our pranks with the drive-up windows at McDonald’s. I called Joe’s home phone number first to make sure he wasn’t there, then dialed the modem line at his house. Once I had logged in using Lewis’s account, it took me only a few minutes to discover that Joe hadn’t kept his security patches up to date. So much for Fort Knox. By exploiting a flaw in a program called “rdist,” I popped root on his system. Let the games begin. When I listed the processes he was running, I was surprised to see “crack,” the popular program for cracking passwords, written by a guy named Alec Muffett. Why would Joe be running that?

It didn’t take long to find the password file that crack was working on. I stared at the screen, stunned by what I was seeing.

Joe McGuckin, Sun Microsystems contractor, was cracking the passwords of the company’s Engineering Group.

I couldn’t fucking believe this. It was as if I had just taken a walk in the park and found a bag of hundred-dollar bills.

After I copied off the cracked passwords, my next hunt was through Joe’s emails, searching on the keywords modem and dial-up. Bingo! I found an internal Sun email containing the information I was hoping for. It read, in part:

From: kessler@sparky (Tom Kessler)
To: ppp-announce@comm
Subject: New PPP server

Our new ppp server (mercury) is now up and running, available for you to test your connection. The phone number for mercury is 415 691-9311.

I also copied the original Sun password files (which contained the encrypted password hashes) that Joe was in the process of cracking, in case I lost access to his machine. Included in the cracked-password list was Joe’s own Sun password, which as I recall was something like “party5.” (Crack had broken that one, too.) A walk in the park.

That night, I periodically logged in to see if Joe was online and active. Even if he noticed that there had been an incoming call on his modem, it might not arouse his suspicion (I hoped) because he would remember giving Lewis access. Sometime after midnight, Joe’s computer went quiet; I figured he had nodded off for the night. Using the “Point-to-Point” protocol, I logged into Sun’s “mercury” host posing as Joe’s workstation, named “oilean.” Voilà! My computer was now an official host on Sun’s worldwide network!

Within a couple of minutes, with the help of rdist, I had managed to get root, since Sun, like Joe, had been lax about updating the security patches. I set up a “shell” account and installed a simple backdoor giving me future root access.

From there, I targeted the Engineering Group. This was totally familiar stuff, but at the same time totally exhilarating. I was able to log in to most of the Sun machines in Engineering, thanks to Joe’s efforts in cracking that group’s passwords.

So Joe had, without even knowing it, set me up to grab yet another treasure: the latest and greatest version of the SunOS, a flavor of the Unix operating system developed by Sun Microsystems for its server and workstation systems. It wasn’t hard to find the master machine storing the SunOS source code. Even when compressed, though, this was one humongous package of data—not as massive as DEC’s VMS operating system, but still massive enough to be daunting.

And then I had an idea that might make the transfer easier. Targeting the Sun office in El Segundo, just south of the Los Angeles International Airport, I began by doing queries on several workstations to learn what devices were attached to them. I was looking for a user who had a tape drive connected to his computer. When I found one, I called him on the phone and said I was with the Sun Engineering Group in Mountain View. “I understand you have a tape drive connected to your workstation,” I said. “One of my engineers is at a client site in LA, and I need to transfer some files to him, but they’re pretty large to transfer over a modem. Do you have a blank tape you could stick in your drive, so I could write the data to that instead?”

He left me hanging on the phone while he hunted down a blank tape. After a few minutes, he came back on the line and told me he was shoving it in the drive. I had encrypted the compressed source code into an unintelligible blob of data, just in case he got curious and took a look. I transferred a copy to his workstation, then gave a second command to write it to the tape.

When the transfer to tape was finally complete, I called him back. I asked him if he wanted me to send him a replacement tape, but as I expected, he said it was okay, I didn’t need to do that. I said, “Can you put it in an envelope for me, and mark it with the name ‘Tom Warren’? Are you going to be in the office for the next couple of days?”

He started telling me about when he would and wouldn’t be available. I interrupted him: “Hey, there’s an easier way. Can you just leave it with the receptionist, and I’ll tell Tom to ask her for it?” Sure, he’d be glad to do that.

I called my buddy Alex and asked him if he’d swing by the Sun office and pick up an envelope the receptionist was holding for “Tom Warren.” He was a little reluctant, knowing there was always a risk. But he overcame that a moment later and agreed with what sounded like a smile on his face—I suppose as he remembered the kick he always got from participating in my hacking adventures.

I felt triumphant. But here’s the odd part: when I got the tape, I didn’t even spend much time looking at the code. I had succeeded in my challenge, but the code itself was of less interest to me than the achievement.

I continued acquiring passwords and software treasures from Sun, but constantly having to dial up to the modems in Mountain View was chancy. I wanted another access point into Sun’s network.

Time for a social-engineering attack. Using my cloned cell phone, I programmed in a number with the 408 area code for Mountain View, which I would need if the system administrator in Sun’s Denver sales office wanted to call me back to verify that I was who I claimed to be. Using a tool available to all Sun staffers, I pulled up a list of employees, chose Neil Hansen at random, and wrote down his name, phone number, building number, and employee number. Then I called the main number at Sun’s Denver sales office and asked for the computer support person.

“Hi, this is Neil Hansen with Sun in Mountain View. Who’s this?” I asked.

“Scott Lyons. I’m the support person in the Denver office.”

“Cool. Later today I’m flying to Denver for some meetings. I was wondering if you guys had a local dial-up number so I can access my email without having to make long-distance calls back to Mountain View.”

“Sure, we have a dial-up, but I have to program it to dial you back. The system does that for security reasons,” he told me.

“No problem,” I said. “The Brown Palace Hotel has direct-dial numbers for the guest rooms. When I get into Denver later this evening, I can give you the number.”

“What’s your name again?” he asked, sounding a little suspicious.

“Neil Hansen.”

“What’s your employee number?” he demanded.

“10322.”

He put me on hold for a moment, presumably to check me out. I knew he was using the same tool I’d used to look up Hansen’s information.

“Sorry, Neil, I just had to verify you in the employee database. Give me a call when you get in, and I’ll set that up for you.”

I waited until just before quitting time, called Scott back, and gave him a local 303 (Denver) number that I had cloned to my cell phone. When I started a connection, a callback would come to the cell phone, I’d manually answer it, and then my modem would make a connection. For several days, I used this access point to get into Sun’s internal network.

But then, abruptly, the callbacks stopped working. Damn! What had happened?

I dialed back into Mountain View and accessed the system in Denver. Oh, shit! Scott had fired off an urgent email to Brad Powell with Sun’s Security Department. He had turned on the logging feature on the dial-up I was using and captured all my session traffic. He quickly realized that I was not checking my mail at all but poking around in places I shouldn’t be. I deleted the log files so there wouldn’t be any evidence of my visits and immediately stopped using the cell phone number I had given him.

Did this discourage me from hacking into Sun? Of course not. I just went back to using Sun’s Mountain View dial-up to find more connections into SWAN (Sun’s Wide-Area Network) in case I got locked out of the system. I wanted to establish multiple access points so I’d always have a variety of ways of getting in. I targeted all of Sun’s sales offices in the United States and Canada, each of which had its own local dial-up so its staff could access SWAN without needing to make long-distance calls to the company’s Mountain View headquarters. Compromising these offices was a piece of cake.

While exploring Sun’s network, I stumbled across a server with the hostname “elmer,” which stored the entire database of bugs for all of Sun’s operating systems. Each entry included everything from the initial report or detection of a bug, to the name of the engineer assigned to tackle the issue, to the specific new code implemented to fix the problem.

A typical bug report read:

Synopsis: syslog can be used to overwrite any system file
Keywords: security, password, syslog, overwrite, system
Severity: 1
Priority: 1
Responsible Manager: kwd

Description:

syslog and syslogd feature of LOG_USER can be used to overwrite *any* system file. The obvious security violation is using syslog to overwrite /etc/passwd. This can be done to remote systems if LOGHOST is not set to localhost.

bpowell: breakin code removed for security reason

If you need a copy of the breakin code see Staci Way (contractor)(staciw@castello.corp).

Work around: NONE except turning off syslog which is unacceptable

Interest list: brad.powell@corp, dan.farmer@corp, mark.graff@Corp

Comments: this one is pretty serious. It has already been used on sun-barr to break root, and is one of the few security bugs that work for 4.1.X as well as 2.X e.g. ANY Sun released OS.

To use one of my favorite expressions, this again was like finding the Holy Grail. I now had access to every bug discovered internally at Sun as well as every one reported by any other source. It was like putting a quarter into a slot machine and winning the progressive jackpot with the first pull of the handle. The information from this database was going into my bag of tricks. I started thinking of the tune to the old Felix the Cat theme song, “Whenever he gets in a fix, he reaches into his bag of tricks.”

After the Sun system administrator in Denver reported the security incident, the company got wise that it had a gremlin deeply burrowed into its systems. Dan Farmer and Brad Powell, Sun’s top two security people, sent emails around the entire company warning staff to watch out for hacker attacks that also used social engineering. Then they began removing the bug reports from the database in hopes of hiding them from me. But I was still reading their internal emails. Many of the bug reports contained statements like the one in the message above—did you notice it?

If you need a copy of the breakin code see Staci Way (contractor) (staciw@castello.corp).

You probably already know what I’d do when I saw a message like this.

Right: I’d email Staci from an internal Sun account and social-engineer her into sending me the bug. It never failed, not once.

Despite my success in hacking into the company, the following year Powell would receive a “merit award” from Sun’s chief information officer “for his role in securing Sun and thwarting the attacks on SWAN by Kevin Mitnick.” Powell was so proud of the award that he listed it on his résumé, which I discovered on the Internet.

After about six months of morning and evening bus commutes, it seemed like a good idea to move nearer to work. The ideal location would be some place I could walk to work from every morning—plus the right place would put me within walking distance of the 16th Street Mall in downtown Denver, my favorite area to hang out on weekends. An old-style apartment building, the Grosvenor Arms, on East 16th Street, had a unit available on the fifth floor that I was excited to find—a very cool place, spacious, with windows all around, and even old-style boxes where the milkman used to leave bottles of milk every morning. This time I would have to undergo a credit check, but no sweat: by hacking into the credit reporting agency TRW, I was able to identify several Eric Weisses with reasonably good credit. I used the Social Security number of one of them on my rental application (different from the one I was using for employment). My paperwork sailed through without a problem.

Only about five blocks from my new apartment, Denver’s tourist district offered tons of terrific bars and restaurants. One in particular was a favorite, a Mexican restaurant at 16th and Larimer Streets that was a hangout for lots of great-looking girls. I was still avoiding serious relationships, but chatting up attractive young ladies at the bar didn’t cross any of my barriers of caution, and it helped me feel human. On occasion a gal would sit down next to me and let me buy her a drink or two… or sometimes even buy them for me. Great for the ego.

Having so many restaurants nearby held particular appeal: I ate out almost every meal, rarely fixing even oatmeal or bacon and eggs for myself.

Settling into the new apartment made me feel even more comfortable about being in Denver, yet I knew I could never let my guard down. With full access into PacTel Cellular, I was still keeping track of the cell phone calls that the FBI agents were making to Justin Petersen, aka Eric Heinz, and also watching to see if they were making any calls to Denver phone numbers. A check of Justin’s landline at the safe house showed that his long-distance service, MCI, was still in the name of Joseph Wernle—which meant it was probably still being paid for by the Bureau. Justin’s snitching hadn’t helped the Feds catch me, but they obviously still had him in harness. I wondered what hackers he was targeting and trying to put into prison now that I was out of his reach.

One day while working in the computer room with Darren and Liz, I noticed that Darren had turned his computer at an angle that would make it difficult for anyone else to see what he was doing, which naturally made me suspicious. I fired up a program called “Watch”; aptly named, it let me watch everything on his screen.

I couldn’t believe my eyes. He was in the law firm’s Human Resources directory and had pulled up the payroll file, displaying the pay and bonuses of all the lawyers, assistants, support staff, receptionists, and IT workers, as well as every other employee of the firm, from the highest-earning partner to the lowest-paid clerk.

He scrolled down to a listing that read:

WEISS, ERIC Comp Oper MIS $28,000.00 04/29/93

The nerve of this guy, looking up my salary! But I could hardly complain: I knew he was spying on me only because I was spying on him!