TWENTY-NINE

Departure

qnxpnebielnudqqpbibecua3m’llswhmmhrdzucclsfvqmdune
pbkreezkarsnngpkgmscdnkr

The law firm threw its annual Christmas bash in mid-December. I went only because I didn’t want people to wonder why I wasn’t there. I nibbled at the lavish food but steered clear of the flowing liquor, afraid it might loosen my tongue. I wasn’t really a drinker anyway; zeros and ones were my brand of booze.

Any good snoop watches his back, doing countersurveillance to be sure his opponents aren’t catching on to his efforts. The entire time I had been using Colorado Supernet—for eight months, ever since my arrival in Denver—I had been electronically looking over the system administrators’ shoulders to make sure they hadn’t caught on to the way I was using their servers as a massive free storage locker, as well as a launchpad into other systems. That involved observing them at work; sometimes I’d simply log on to the terminal server they used and monitor their online sessions over the span of a couple of hours or so. And I was also checking that they weren’t watching any of the other accounts I was using.

One night, I decided to target the lead admin’s personal workstation to see if any of my activity had been noticed. I searched his email for keywords that would indicate if he was aware of any ongoing security issues.

I stumbled across a message that got my attention. The admin was sending someone log-in records about my Novell break-in. A few weeks earlier, I had been using an account named “rod” to stash the NetWare source code on a server at Colorado Supernet. Apparently it hadn’t gone unnoticed.

the login records for “rod” during the times that the folks at Novell reported break-ins, and connections FROM Novell during that time. Note that a couple of these do originate via Colorado Springs dial-up (719 575-0200).

I started frantically going through the admin’s emails.

And there it was, double-masked: an email from the admin using an account from his personal domain—“xor.com”—rather than his Colorado Supernet account. It had been sent to someone whose email address was not at a government domain but who was nonetheless being sent logs of my activity, which included logging in to Colorado Supernet from Novell’s network and transferring files back and forth.

I called the FBI office in Denver, gave the name the email had been addressed to, and was told there was no FBI agent by that name in the Denver office. I might want to try the Colorado Springs office, the operator suggested. So I called there and learned that, yes, dammit, the guy was indeed an FBI agent.

Oh, shiiiiit.

I’d better cover my ass. And quickly. But how?

Well, I have to admit that the plan I came up with may not actually have been all that low-key or cover-your-ass, though I knew I had to be very, very careful.

I sent a bogus log file from the administrator’s account to the FBI agent, telling him “we” had more logs detailing the hacker’s activities. I hoped he would investigate and end up chasing a red herring as I continued working on my hacking projects.

We call this tactic “disinformation.”

But knowing that the FBI was on the hunt for the Novell hacker wasn’t enough to make me shut down my efforts.

Since Art Nevarez had become suspicious, I assumed that the Novell Security team would be forming a posse, trying to figure out what had happened and how much source code had been exposed. Shifting my target, I now focused on the Novell offices in San Jose, looking for the dial-up numbers in California. Social-engineering calls led me to a guy named Shawn Nunley.

“Hi, Shawn, this is Gabe Nault in Engineering in Sandy. I’m heading over to San Jose tomorrow and need a local dial-up number to access the network,” I said.

After some back and forth, Shawn asked, “Okay, what’s your username?”

“ ‘g–n–a–u–l–t,’ ” I said, spelling it out slowly.

Shawn gave me the dial-up number to the 3Com terminal server, 800-37-TCP-IP. “Gabe,” he said, “do me a favor. Call my voicemail number at my office and leave me a message with the password you want.” He gave me the number, and I left the message as he’d instructed: “Hi, Shawn, this is Gabe Nault. Please set my password to ‘snowbird.’ Thanks again,” I said.

There was no way I was going to call the toll-free 800-number Shawn had given me: when you call a toll-free number, the number you’re calling from is automatically captured. Instead, the next afternoon I called Pacific Bell and social-engineered the POTS number associated with the number Shawn had given me; it was 408 955-9515. I dialed in to the 3Com terminal server and tried to log in to the “gnault” account. It worked. Perfect.

I started using the 3Com terminal server as my access point into the network. When I remembered that Novell had acquired Unix Systems Laboratories from AT&T, I went after the source code for UnixWare, which I had found years earlier on servers in New Jersey. Earlier I had compromised AT&T to get access to the SCCS (Switching Control Center System) source code and briefly got into AT&T’s Unix Development Group in Cherry Hill, New Jersey. Now I felt like it was déjà vu because the hostnames of the development systems were still the same. I archived and compressed the latest source code and moved it to a system in Provo, Utah, then over the weekend transferred the huge archive to my electronic storage locker at Colorado Supernet. I couldn’t believe how much disk space I was using, and often needed to search for additional dormant accounts to hide all my stuff.

On one occasion, I had a strange feeling after I dialed in to the 3Com terminal server, as if someone were standing behind me and watching everything I typed. Some sixth sense, some instinct, told me the Novell system administrators were looking over my shoulder.

I typed:

Hey, I know you are watching me, but you’ll never catch me!

(I talked with Novell’s Shawn Nunley a while back. He told me they actually were watching at that moment, and they started laughing, wondering, “How could he possibly know?”)

Nonetheless, I continued my hacking into numerous internal systems at Novell, where I planted tools to steal log-in credentials, and intercepted network traffic so I could expand my access into yet more Novell systems.

A few days later I still felt a bit uneasy. I called the RCMAC (Recent Change Memory Authorization Center) at Pacific Bell and spoke to the clerk who processed orders for the San Jose switch. I asked her to query the dial-up number in the switch and tell me exactly what the switch output message said. When she did, I discovered it had a trap-and-trace on it. Son of a bitch! How long had it been up? I called the Switching Control Center for that area, posing as Pacific Bell Security, and was transferred to a guy who could look up the trap-and-trace information.

“It went up on January twenty-second,” he said. Only three days earlier. Whoa—too close for comfort! Luckily, I had not been calling much during that time; Pacific Bell would have been able to trace my calls only as far as the long-distance carrier, but could not track the calls all the way back to me.

I breathed a sigh of relief and decided to leave Novell alone. Things were getting way too hot there.

Years later, that voicemail I’d left for Shawn Nunley would come back to bite me in the ass. Shawn for some reason saved my message, and when somebody from Novell Security got in touch, he played it for him, and then that guy in turn gave it to the San Jose High-Tech Crime Unit. The cops weren’t able to tie the voice to any particular suspect. But months later, they sent the tape to the FBI in Los Angeles to see if the Feds could make anything out of it. The tape eventually found its way to the desk of Special Agent Kathleen Carson. She inserted it into the player on her desk, hit Play, and listened. She knew right away: That’s Kevin Mitnick, the hacker we’re looking for!

Kathleen called Novell Security and said, “I have some good news and some bad news. The good news is that we know the identity of your hacker—it’s Kevin Mitnick. The bad news is, we have no idea how to find him.”

Long afterward, I met Shawn Nunley, and we became good friends. I’m happy that today we can laugh about the whole episode.

With the Novell hack behind me, I decided to target one of the biggest cell phone manufacturers, Nokia.

I called Nokia Mobile Phones in Salo, Finland, posing as an engineer from Nokia USA in San Diego. Eventually I was transferred to a gentleman named Tapio. He sounded like a very nice guy, and I felt kind of bad about social-engineering him. But then I put those feelings aside and told him I needed the current source code release for the Nokia 121 cell phone. He extracted the latest version to a temporary directory in his user account, which I then had him transfer (via FTP) to Colorado Supernet. At the end of the call, he wasn’t suspicious in the least and even invited me to call him back if I needed anything else.

That all went so smoothly that I thought I’d see if I could gain direct access to Nokia’s network in Salo. A call to an IT guy there proved awkward when his English turned out not to be all that good. Maybe a Nokia facility in an English-speaking country would be more productive. I tracked down a Nokia Mobile Phones office in the town of Camberley, England, and reached a lady in IT named Sarah, who had a deliciously thick British accent but used so much unfamiliar slang that I had to stay focused and pay close attention.

I cited my standard excuse of “problems with the network connection between Finland and the U.S., and a critical file to transfer.” The company didn’t have direct dial-ups, she said, but she could give me the dial-up number and password for “Dial Plus,” which would let me connect to the VMS system in Camberley over an X25 packet switched network. She provided the X25 subscriber address—234222300195—and told me I would need an account on the VAX, which she would set up for me.

At this point I was on edge, in a state of high excitement, because I was pretty sure I’d be able to get into my target, “Mobira,” one of the VMS systems used by Nokia’s Cellular Engineering Group. I logged in to the account and quickly exploited a vulnerability that gave me full system privileges, then gave a “show users” command to list all the users currently logged in, which in part looked like this:

Username    Process Name      PID       Terminal
CONBOY      CONBOY            0000C261  NTY3: (conboy.uk.tele.nokia.fi)
EBSWORTH    EBSWORTH          0000A419  NTY6: (ebsworth.uk.tele.nokia.fi)
FIELDING    JOHN FIELDING     0000C128  NTY8: (dylan.uk.tele.nokia.fi)
LOVE        PETER LOVE        0000C7D4  NTY2: ([131.228.133.203])
OGILVIE     DAVID OGILVIE     0000C232  NVA10: (PSS.23420300326500)
PELKONEN    HEIKKI PELKONEN   0000C160  NTY1: (scooby.uk.tele.nokia.fi)
TUXWORTH    TUXWORTH          0000B52E  NTY12: ([131.228.133.85])

Sarah wasn’t logged in. Great: that meant she wasn’t paying much attention to what I was doing on the system.

Next I installed my modified Chaos Computer Club patch to the VMS Loginout program, which allowed me to log in to anyone’s account with a special password, first checking Sarah’s account to see if she might have access to the Mobira in Salo. I ran a simple test and realized that I had access to her account over a networking protocol called DECNET and didn’t even need her password: Mobira was configured to trust the VMS system in the UK. I could simply upload a script to run my commands under Sarah’s account.

I was going to get in! I was ecstatic.

I used a security bug to get full system privileges and then created my own fully privileged account—all in about five minutes. Within about an hour, I was able to find a script that allowed me to extract the source code for any Nokia handset currently under development. I transferred source code for several different firmware releases for the Nokia 101 and Nokia 121 phones to Colorado Supernet. Afterward, I decided to see how security aware the administrators were. It turned out they had security auditing enabled for events such as creating accounts and adding privileges to existing accounts. It was just another speed bump on my way to getting the code.

I uploaded a small VAX Macro program that fooled the operating system and allowed me to disable all the security alarms, without detection, just long enough to change passwords and add privileges on a few dormant accounts—probably belonging to terminated employees—in case I needed to get back in.

Apparently, though, one of the system admins noticed alerts that were triggered when I initially created an account for myself, before I had disabled the alarms. So the next time I tried to get into the Camberley VMS system, I found myself locked out. I called Sarah to see if I could learn anything about this. She told me, “Hannu disabled remote access ’cause there’s some hackering going on.”

“Hackering”—was that what the Brits called it?

Shifting gears, I decided to target getting a copy of the source code for a product referred to internally as “HD760”: the first Nokia digital phone that was currently under development. Reaching the lead developer, Markku, in Oulu, Finland, I convinced him to extract and compress the latest source code version for me.

I wanted him to transfer it via an FTP connection to a server in the United States, but Nokia had just blocked outbound file transfers because of the Mobira security breach.

How about loading it onto a tape? Markku didn’t have a tape drive. I started calling around to other people in Oulu, looking for a drive. Eventually I located a guy in IT who was very friendly, had a good sense of humor, and even more important, had a tape drive. I had Markku send him an archived file containing the code I wanted, and then talked to him about shipping the tape, once the code had been copied onto it, to the Nokia USA office in Largo, Florida. This took a good deal of arranging, but I finally got it put together.

Around the time I knew the package should be arriving, I began calling the mail room at Largo to see if it had gotten there yet. During the last of my several calls, I was put on hold for a long time. When the lady came back on the line, she apologized and said that because the department was moving offices, she would have to “look harder” for my package. Yeah, right: my gut instinct was that they were onto me.

A few days later, I enlisted the help of Lewis De Payne, who was also excited about the idea of getting the source code for this hot new phone. He did a little research and learned that the president of Nokia USA was a guy named Kari-Pekka (“K-P”) Wilska. For some lamebrained reason, Lewis decided to pose as Wilska, a Finnish national, and called the Largo office in that guise to request that the package be reshipped.

We would find out much later that FBI agents had been alerted and had gone to the Largo offices, where they were set up to record the next call either one of us made.

Lewis called, again as Wilska. He confirmed that the package had arrived and asked that it be shipped to a Ramada Inn near his office. I called the hotel to make a reservation for Wilska, knowing that the front desk would hold a package addressed to a guest who was booked to arrive.

The next afternoon, I called the hotel to make sure the package was ready for pickup. The lady I spoke to sounded uncomfortable and put me on hold but then came back on the line to say that yes, the package was there. I asked her to tell me how big it was. She said, “They have it at the bell desk, I’ll go find out.”

She put me on hold again and was gone for a long time. I became antsy, then a little panicky. This was a huge red flag.

Finally she came back on the line and described the size of the package, which did sound about right for a computer tape.

But by now I was feeling really uneasy. Did the bell desk really have it, or was this a setup, a trap? I asked, “Was it delivered by FedEx or UPS?” She said she’d find out and again put me on hold. Three minutes. Five. Something like eight minutes passed before I heard her voice again, telling me, “FedEx.”

“Fine,” I said. “Do you have the package in front of you?”

“Yes.”

“Okay, please read me the tracking number.”

Instead, she put me on hold yet again.

I didn’t need to be a rocket scientist to figure out that something was seriously wrong.

I fretted for half an hour, wondering what to do. The only sensible option, of course, would be to just walk away and forget the whole thing. But I had gone to so much trouble to get that source code, I really wanted it. “Sensible” didn’t seem to enter into the equation.

After half an hour, I called the hotel again and asked to speak to the manager on duty.

When he came on the line, I said, “This is Special Agent Wilson with the FBI. Are you familiar with the situation on your premises?” I was half expecting him to reply that he didn’t know what I was talking about.

Instead he answered, “Of course I am! The police have the whole place under surveillance!”

His words hit me like a ton of bricks.

He told me that one of the officers had just come into his office, and I should speak with him.

The officer came on the line. In an authoritative voice, I asked for his name. He told me.

I said I was Special Agent Jim Wilson with the White Collar Crime Squad. “What’s happening down there?” I asked.

The cop said, “Our guy hasn’t shown up yet.”

I said, “Okay, thanks for the update,” and hung up.

Way too close for comfort.

I called Lewis. He was just walking out the door to go and pick up the package. I practically yelled into the phone, “Wait! It’s a trap.”

But I couldn’t leave it there. I called a different hotel and made a reservation for K-P Wilska, then phoned back the lady at the Ramada Inn and told her, “I need to have you reship the package to another hotel. My plans have changed, and I’m staying there tonight so I can make an early-morning meeting tomorrow.” I gave her the name and address of the new hotel.

I figured I might as well let the Feds chase another red herring for a while.

When I saw an ad for NEC’s newest cell phone, I didn’t care too much about the phone itself; I just knew I had to have the source code. It didn’t matter that I had already grabbed source code for several other hot cell phones: this was going to be my next trophy.

I knew that NEC, a subsidiary of NEC Electronics, had an account on the Internet service provider called Netcom. This ISP had become one of my principal routes for accessing the Internet, in part because it conveniently offered dial-up numbers in nearly every major city.

A call to NEC’s U.S. headquarters in Irving, Texas, provided the information that the company developed all its cellular phone software in Fukuoka, Japan. A couple of calls to NEC Fukuoka led me to their Mobile Radio Division, where a telephone receptionist found someone who spoke English to translate for me. That’s always an advantage, because the translator lends authenticity: she’s right there in the same building, speaking the same language as your target. The person at the end of the chain tends to assume you’ve already been vetted. And in this case, it also helped that the level of trust is so high in the Japanese culture.

The translator found a guy to help me who she said was one of the group’s lead software engineers. I told her to tell him, “This is the Mobile Radio Division in Irving, Texas. We have a crisis here. We’ve had a catastrophic disk failure and lost our most recent versions of source code for several mobile handsets.”

His answer came back, “Why can’t you get it on mrdbolt?”

Hmmm. What was that?

I tried, “We can’t get onto that server because of the crash.” It passed the test—“mrdbolt” was obviously the name of the server used by this software group.

I asked the engineer to FTP it to the NEC Electronics account on Netcom. But I got pushback because that would mean sending this sensitive data to a system outside the company.

Now what? To buy some time, I told the translator that I had to take another incoming call and would phone back in a few minutes.

My brain conjured up a work-around that seemed as if it might do the trick: I would use as an intermediary NEC’s Transmission Division, in the automotive sector of the company, where the staff probably didn’t deal with much in the way of sensitive, company-confidential information and so would be less security-conscious. And besides, I wouldn’t even be asking for any information.

Telling the guy I reached in the Automotive Group, “We’re having networking difficulties between NEC Japan and the network in Texas,” I asked if he would set up a temporary account so I could FTP a file to him. He didn’t see any problem with doing that. While I waited on the phone, he set up the account and gave me the hostname for the NEC server, as well as the log-in credentials.

I called Japan back and gave the information to the translator to pass along. Now they would be transferring the source code to another NEC facility, which got them out of their discomfort zone. It took about five minutes for them to complete the transfer. When I called back the guy in the Transmission Division, he confirmed that the file had arrived. Because of the way I had set this up, he naturally assumed that I had sent it. I gave him instructions for FTPing the file to the NEC Electronics account at Netcom.

Then I went up on Netcom and transferred the source code to one of the servers at USC that I was using as a storage locker.

This hack was a big deal, but for me, it had been too easy. Where was the satisfaction?

So next I set myself an even bigger challenge: to break into NEC’s network and download the source code for all the NEC cell phones used in the United States. And while I was at it, I might as well get set up for England and Australia too, in case one day I decided to try living in either of those countries, right?

Matt Ranney, at NEC in Dallas, was willing to create a dial-in account for me, based on my story that I was visiting temporarily from the NEC facility in San Jose, California, and needed local connectivity—though first I had to convince his boss as well. Once I was logged in, it was easy to get root using one of the exploits I had found in my earlier hack into Sun. Adding a backdoor to the log-in program, I gave myself a secret password—“.hackman.”—that allowed me to log in to anyone’s account, including root. With another tool from my hacker’s bag of tricks, I “tweaked the checksum,” so the backdoored version of log-in would be less likely to be detected.

Back in those days, a system administrator would do a checksum on a system program, such as “log-in,” to see if it had been modified. After I compiled a new version of log-in, I modified the checksum back to its original value, so that even though the program had been backdoored, any check would come back as clean.
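For defenders, the passage above comes down to what a short checksum can and cannot prove. The following is an added example, not part of the original text: it records a baseline of size, a 16-bit checksum and SHA-256 for two files, then audits a changed copy. The text does not say which checksum tool was in use, so the additive System V `sum` algorithm is an assumption, and the file names and byte strings are constructed stand-ins for system programs.

```python
import hashlib

# Constructed sample data: short byte strings standing in for system programs.
# TAMPERED holds the same bytes as ORIGINAL in a different order, so its size
# and its additive 16-bit checksum are unchanged while its meaning is not.
ORIGINAL = b"allow=root\ndeny=guest\n"
TAMPERED = b"allow=guest\ndeny=root\n"
UNCHANGED = b"list directory contents\n"


def sysv_sum(data):
    """16-bit checksum as System V `sum` computes it: byte total folded twice."""
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    return (folded & 0xFFFF) + (folded >> 16)


def record(data):
    """Integrity record for one file's contents."""
    return {
        "size": len(data),
        "sum16": sysv_sum(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_baseline(files):
    """Map each file name to its integrity record, taken from a trusted copy."""
    return {name: record(data) for name, data in files.items()}


def audit(files, baseline):
    """Return {name: [checks that no longer match the baseline]}."""
    report = {}
    for name, expected in baseline.items():
        if name not in files:
            report[name] = ["missing"]
            continue
        current = record(files[name])
        report[name] = [
            check for check in ("size", "sum16", "sha256")
            if current[check] != expected[check]
        ]
    return report


def demo():
    """Baseline the trusted copies, then audit a system with one changed file."""
    baseline = build_baseline({"login": ORIGINAL, "ls": UNCHANGED})
    return audit({"login": TAMPERED, "ls": UNCHANGED}, baseline)


if __name__ == "__main__":
    for name, failed in demo().items():
        print(name, "changed:" if failed else "clean", ", ".join(failed))
```

Only the SHA-256 comparison reports the changed file. A baseline is also only as trustworthy as where it is stored, so it belongs off the host being checked.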

The Unix “finger” command gave me the names of users who were currently logged in to mrdbolt. One was Jeff Lankford; the listing gave his office phone number and showed that he had been typing on his keyboard until just two minutes earlier.

I called Jeff, posing as “Rob in the IT Department,” and asked, “Is Bill Puknat in?” giving the name of another engineer in the Mobile Radio Division. No, Bill wasn’t in.

“Oh, damn. He called us with a trouble ticket, saying he couldn’t create files that began with a period. Have you had any problem like that?”

No.

“Do you have a .rhosts file?”

“What’s that?”

Ahhh: music to my ears. It was like a carnival worker’s slipping a chalk mark onto the back of someone’s jacket to let other carneys know the guy was a patsy, or a “mark” (the origin of that meaning of the word).

“Well, okay,” I said. “Do you have a few moments to run a test with me so I can close this trouble ticket?”

“Sure.”

I told him to type:

echo "+ +" > ~/.rhosts

Yes, a variation of the .rhosts hack. I provided him with a reasonable-sounding explanation for each step, very nonchalantly, so he thought he understood what was happening.

Next I asked him to type “ls -al” to get a directory listing of his files.

As his directory listing was being displayed on his workstation, I typed

rlogin lankforj@mrdbolt

which logged me into his account, “lankforj,” on the mrdbolt server.

And I was into his account without needing his password.

I asked Jeff if he saw the .rhosts file that we had just created, and he confirmed that he did. “Great,” I said. “Now I can close the trouble ticket. Thanks for taking the time to test it.”

And then I had him delete the file to make it appear that everything was back to its original state.
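The wildcard entry in this episode is something an administrator can look for directly. The following is an added example, not part of the original text: it walks a tree of home directories and reports any .rhosts file that contains a "+" wildcard or that other users can write to. Apart from the account name "lankforj", the accounts, hostnames and file contents are constructed for the demonstration.

```python
import os
import tempfile


def parse_entries(text):
    """Return (line_number, host, user) per entry; user is None when absent."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comment lines
        fields = line.split()
        user = fields[1] if len(fields) > 1 else None
        entries.append((number, fields[0], user))
    return entries


def audit_rhosts(path):
    """Return a list of findings for one .rhosts file."""
    findings = []
    # Anyone who can write the file can add a trust entry of their own.
    if os.stat(path).st_mode & 0o022:
        findings.append("writable by group or others")
    with open(path, encoding="utf-8", errors="replace") as handle:
        text = handle.read()
    for number, host, user in parse_entries(text):
        if host == "+" and user == "+":
            findings.append(f"line {number}: '+ +' trusts any user on any host")
        elif host == "+":
            findings.append(f"line {number}: '+' trusts any host")
        elif user == "+":
            findings.append(f"line {number}: trusts any user on {host}")
    return findings


def audit_homes(home_root):
    """Map each account under home_root that has a .rhosts file to its findings."""
    report = {}
    for account in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, account, ".rhosts")
        if os.path.isfile(path):
            report[account] = audit_rhosts(path)
    return report


def demo():
    """Build a constructed home tree in a temporary directory and audit it."""
    samples = {
        "lankforj": ("+ +\n", 0o644),
        "builder": ("# build farm\nbuildhost.example.com builder\n", 0o600),
        "ops": ("gateway.example.com +\n", 0o666),
    }
    with tempfile.TemporaryDirectory() as root:
        for account, (content, mode) in samples.items():
            os.makedirs(os.path.join(root, account))
            path = os.path.join(root, account, ".rhosts")
            with open(path, "w", encoding="utf-8") as handle:
                handle.write(content)
            os.chmod(path, mode)
        os.makedirs(os.path.join(root, "nofile"))  # account without a .rhosts
        return audit_homes(root)


if __name__ == "__main__":
    for account, findings in demo().items():
        print(account, findings if findings else "ok")
```

A scan like this only sees the file while it exists; in the account above the file was deleted minutes after it was created, so the r-services themselves need to be disabled for the trust path to go away.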

I was so excited. As soon as we hung up, I quickly obtained root access and set up the log-in backdoor on the mrdbolt server. I started typing at hyperspeed, so charged I couldn’t slow my fingers down.

My guess had been correct: mrdbolt was the mother lode, the link used to share development work among the Mobile Radio Division, NEC USA, and NEC Japan. I found several versions of source code for several different NEC handhelds. But the source code I really wanted, for the NEC P7, wasn’t online. Damn! All that effort, and I wasn’t hitting pay dirt.

Since I was already into the internal network, maybe I could get the code from NEC Japan. Over the next several weeks, I would be able without much difficulty to get access to all the servers used by the Mobile Radio Division in Yokohama.

I continued my search for the cell phone source code but found that there was a massive excess of information: the company was developing phones for a number of different markets, including the United Kingdom, other European countries, and Australia. Enough, already; it was time for an easier approach.

I checked the mrdbolt server to see who was logged in. Jeff Lankford appeared to be a workaholic: well after the end of the normal working day, he was still online.

For what I had in mind, I needed privacy. Darren and Liz had already left for the day; Ginger had the swing shift, so she was still around, but her office was on the opposite side of the computer room. I partly closed the door to the space I shared with my coworkers, leaving it just far enough ajar that I could see if anyone approached.

What I was about to do was gutsy. I was no Rich Little when it came to doing accents, but I was going to try to pass myself off as Takada-san, from NEC Japan’s Mobile Radio Division.

I called Lankford at his desk. When he picked up the phone, I launched into my act:

“Misterrrrr, ahhh, Lahngfor, I Takada-san… from Japan.” He knew the name and asked how he could help.

“Misterrrrr Lahng… for—we no find, ahhhh, vers’n three ohh five for hotdog uhh project”—using the codename I’d picked up for the NEC P7 source code. “Can you, ahhh, put on mrdbolt?”

He assured me that he had Version 3.05 on floppy and could upload it.

“Ahhh, thank… ahhh, thank you, Mr. Jeff…. I check mrdbolt soon. Bye.”

Just as I was ringing off in my apparently not-too-pathetic accent, the door swung all the way open, and Ginger was standing there.

“Eric… what are you doing?” she asked.

Bad timing.

“Oh, just playing a joke on a buddy of mine,” I told her.

She gave me a weird look, then turned and walked away.

Whoa! Close call!

I logged into mrdbolt and waited for Jeff to finish uploading the code, which I then immediately transferred to a system at USC for safekeeping.

During this period, I was constantly searching through all the administrator emails at NEC for certain keywords, including FBI, trace, hacker, gregg (the name I was using), trap, and security.

One day I came across a message that rocked me on my heels:

FBI called because source code showed up at a site that they monitor in LA. May 10th the files were FTP’ed from netcom7 to site in LA. 5 files, containing about 1 total meg of stuff. 1210-29.lzh p74428.lzh v3625dr.lzh v3625uss.lzh v4428us.scr. Kathleen called Bill Puknat.

Puknat—whose name I had dropped in my first phone conversation with Jeff Lankford—was the lead software engineer for the Mobile Radio Division in the States. “Kathleen” must be Kathleen Carson, from the FBI in Los Angeles. And “a site that they monitor in LA” had to mean the Feds were watching the systems where I was storing the NEC files: USC. They had been watching most or all of my transfers to USC.

Shit!

I needed to find out how I was being watched, and how long it had been going on.

Examining the systems I had been using at USC, I found that a monitoring program had been installed to spy on my activities, and I was even able to identify the USC system administrator who had set it up, a guy named Asbed Bedrossian. Reasoning that one good spy deserved another, I located the host where he and other USC system administrators received their email—sol.usc.edu—got root access, and searched Asbed’s mail, in particular for the term FBI. I came upon this:

Heads up! We have a security incident. We have two accounts that are being monitored by the FBI and by sysadmin ASBED. The accounts have been compromised. If you receive a call from ASBED, please co-operate with capture and copy files, etc. Thanks.

It was bad enough that these guys had found one account I was using; now I knew they had found the second one as well. I was worried but at the same time pissed that I hadn’t caught on to the monitoring sooner.

I figured Asbed must have noticed that a huge amount of file space was being used that couldn’t be accounted for. When he took a peek, he would have realized immediately that some hacker was storing purloined software on the system. Since I had used several USC systems to store source code during my DEC hack in 1988, I assumed I was at the top of the suspect list.

I learned later that the Feds had started looking through the files and calling companies to alert them that proprietary source code had been lifted from their systems and was now residing on a server at USC.

Jonathan Littman wrote in his book The Fugitive Game about a meeting that took place in early 1994, convened, he says, by prosecutor David Schindler and held at the FBI’s Los Angeles office. Attending were “embarrassed and alarmed” representatives from the major cell phone manufacturers I had hacked into. Not a single person wanted it known that their company had been the victim of a hack—not even in this roomful of other victims. Littman says Schindler told him, “I had to dole out aliases. This guy was from company A, this guy was from company B. They wouldn’t do it any other way.”

“Everyone suspected Mitnick,” Littman wrote, adding that Schindler wondered aloud, “What’s the purpose of gathering all this code? Is somebody sponsoring him? Is he selling it? From a threat assessment, what can he do with it?”

Apparently it never occurred to any of them that I might be doing it just for the challenge. Schindler and the others were stuck in what you might call “Ivan Boesky thinking”: for them, hacking made no sense if there wasn’t money being made from it.