usygbjmqeauidgttlcflgqmfqhyhwurqmbxzoqmnpmjhlneqsctmglahp
On my very first day in Seattle, my pager goes off at 6:00 a.m., scaring the shit out of me: nobody but De Payne and my mother have my pager number, and Lewis knows better than to wake me this early. Whatever it is, it can’t be good news.
Bleary-eyed, I reach over to the bedside table, grab the pager, and look at the screen. “3859123-3,” it reads. The first string of digits I know by heart: the phone number of the Showboat Hotel and Casino.
The final “3” means code 3: EMERGENCY.
Grabbing my cell phone, programmed as always to a new cloned number that can’t be traced back to me, I call the hotel and ask the operator to page “Mary Schultz.” My mother must be standing by the hotel phones waiting for the page, because she comes on the line in less than a minute.
“What’s wrong?” I ask.
“Kevin, go get a copy of the New York Times right now. You’ve got to go right now.”
“What’s going on?”
“You’re on the front page!”
“Shit! Is there a photograph?”
“Yes, but it’s an old picture—it doesn’t look like you at all.”
Not as bad as it might have been, I decide.
I go back to sleep, thinking, This makes no sense. I haven’t stolen millions from a bank electronically, like Stanley Rifkin. I haven’t crippled the computers of any company or government agency. I haven’t stolen credit card data and run up bills on other people’s cards. I’m not on the FBI’s Ten Most Wanted list. Why would the country’s most prestigious newspaper be running a story about me?
At about 9:00 a.m., I wake up again and go out to find someplace that carries the New York Times—not so easy in the part of Seattle of my by-the-week motel room.
When I finally see the paper, I’m stunned. The headline jumps off the page at me:
Cyberspace’s Most Wanted: Hacker Eludes F.B.I. Pursuit
I start reading the article and can’t believe my eyes. Only the first phrase of the story is pleasing to me, crediting me with “technical wizardry.” From there, John Markoff, the Times reporter who has written the article, goes on to say that “law-enforcement officials cannot seem to catch up with him,” which is sure to burn Agent Ken McGuire and company and embarrass the hell out of them with their superiors—and make them all the more focused on finding me.
This false and defamatory article then claims that I wiretapped the FBI—I didn’t. And that, foreshadowing the 1983 movie War Games, I broke into a North American Aerospace Defense Command (NORAD) computer—not only something I never, ever did but also a near impossible proposition for anyone, given that the agency’s mission-critical computers are not connected to the outside world, and thus immune from being hacked by an outsider.
Markoff has labeled me “cyberspace’s most wanted” and “one of the nation’s most wanted computer criminals.”
And all of this on Independence Day, when red-blooded Americans feel greater national fervor than on any other day of the year. How people’s fear of computing and technology must have been brought to the boil as they ate their sunny-side-ups or their oatmeal and read about this kid who was a threat to the safety and security of every American.
I would find out later that one source of these and other blatant lies was a highly unreliable phone phreaker, Steve Rhoades, who had once been a friend of mine.
I remember being in a state of semishock after reading the article, trying to take in one statement after another that simply wasn’t true. With this one piece, Markoff single-handedly created “the Myth of Kevin Mitnick”—a myth that would embarrass the FBI into making the search for me a top priority and provide a fictional image that would influence prosecutors and judges into treating me as a danger to national security. I couldn’t help recalling that five years earlier I had refused to participate in a book Markoff and his-then wife, Katie Hafner, wanted to write about me and some other hackers, because they wanted to make money from my story while I myself would make no money from it. It also brought back memories of John Markoff telling me in a phone call that if I didn’t agree to an interview, anything anyone else said about me would be considered truthful since I wasn’t there to dispute it.
It was scary as hell to discover I had become such an important target for the Feds.
At least the photograph was a gift. The Times had used a copy of my mug shot from 1988, the one taken after I had been held in Terminal Island Federal Prison for three days without a shower, a shave, or a change of clothes—my hair a mess, me looking grubby and unkempt and like some homeless street person. The guy staring back at me from the front page of the newspaper was puffy-faced, weighing maybe ninety or a hundred pounds more than I did on that July Fourth.
Even so, the article ratcheted my paranoia level up more than a few notches. I started to wear sunglasses religiously, even indoors. If anyone asked, “What’s with the shades?” I just said that my eyes had become ultrasensitive to light.
After a quick run-through of the Apartments for Rent listings in the local paper, I decided to look for something in the “U District,” near the University of Washington, expecting it might be like LA’s attractive, lively Westwood area, adjacent to UCLA. I settled on a basement apartment, telling myself that even though it was dumpier than the motel I was in, it made sense for the time being because it was cheap. The building was owned by a single proprietor named Egon Drews and managed by his son David. Happily, Egon was a trusting soul who wasn’t going to bother with a credit or background check that a management company would have required.
The neighborhood turned out not to be a very good choice. This was no pleasant, sunny Westwood but instead a down-scale, seedy section of town, full of street beggars. Maybe I could do better once I had a steady job. But at least there was a YMCA nearby so I could keep up my almost daily workouts.
One of the few highlights of the U District for me was a clean and inexpensive Thai restaurant that offered tasty food and a cute Thai waitress. She was friendly, with a warm smile, and we dated a few times. But my old fear still lingered—the danger that in a close relationship, or in the glow after a few minutes of passion, I might let slip something that would give me away. I continued eating at the restaurant but told her I was too busy for a relationship.
No matter what else I was doing, I always had hacking to keep my mind occupied. That was how I discovered that Neill Clift, the finder of bugs in DEC’s VMS operating system, was using an email account on a system called Hicom, at Loughborough University in England.
Interesting! I had almost given up on Clift because I had discovered that DEC had given him a Vaxstation 4000 and was paying him 1,200 British pounds annually (that’s cheap) to find security bugs with it. After that, I hadn’t expected him to use any other systems except maybe at work or at home for email. Maybe this was my lucky break.
After a little digging around, I learned that Hicom was a public-access system and that anyone could apply for an account. Once I was set up with my own account, I exploited a security hole that Neill evidently didn’t know about, gaining full control of the system, with the same rights and privileges as a system administrator. I was very excited but didn’t anticipate that I would find much, since I doubted he would be careless enough to send DEC his security findings from a public system.
The very first thing I did was grab a copy of Neill’s email directory and look through each and every file. Damn! Nothing interesting—no bugs! I was disappointed. So close and yet so far. And then I had an idea: maybe he was sending emails and then deleting the messages immediately afterward. So I checked the system mail logs.
My eyes lit up: the mail log files showed that Neill was sending messages to some guy named Dave Hutchins at DEC, sometimes two or three of them in a single week. Shit! I really wanted to see the contents of those messages. At first I figured I would examine all the deleted file space on the system’s disk looking for the deleted emails to Hutchins, but then I came up with a better plan.
By reconfiguring the mail exchanger on Hicom, I could rig it so that whenever Neill sent a message to any email address at DEC, it would be redirected to an account I had hacked at USC. It was like adding call forwarding on all “dec.com” email addresses to forward to my account at USC. So I actually would be catching all emails sent to any “dec.com” address from anyone on Hicom.
My next challenge was to find an effective means of “spoofing” emails to Clift so they would look as if they were coming from DEC. Rather than spoofing messages over the Internet—a step that could be spotted if Neill looked closely at the email headers—I wrote a program that forged the email from the local system so I could spoof all the headers as well, making the deception virtually undetectable.
Every time Neill sent a report of a security hole to Dave Hutchins at DEC, the email would be redirected to me (and only me). I would soak up every detail and then send back a “thank-you” message that would appear to have been sent by Hutchins. The beauty of this particular hack—known as a “man-in-the-middle” attack—was that the real Hutchins, and DEC, would never receive the information Neill sent them. This was so exciting because it meant, in turn, that DEC would not be fixing the holes anytime soon, since the developers wouldn’t know about the problems—at least not from Neill.
After spending several weeks waiting for Neill to get busy with his bug hunting, I became impatient. What about all the security bugs I’d already missed? I wanted every one of them. Attempts to break into his system over dial-up were unlikely to work because there wasn’t much I could do at a log-in prompt but guess passwords, or maybe try to find a flaw in the log-in program itself, and he surely had security alerts enabled for log-in failures.
A social-engineering attack via the telephone was out of the question because I knew Neill would recognize my voice from a couple of years earlier. But sending believable fake emails could win me all the trust and credibility I would need to get him to share his bugs with me. There was a downside, of course: if he caught on, I would lose access to all his future bugs because he would certainly figure out that I had compromised Hicom.
But what the hell? I was a risk taker. I wanted to see if I could pull it off.
I sent Neill a fake message from Dave Hutchins, advising that Derrell Piper from VMS Engineering—the same guy I’d pretended to be when I called him the last time—wanted to communicate with him via email. VMS Engineering was ramping up its security processes, I wrote, and Derrell would be heading up the project.
Neill had in fact communicated with the real Derrell Piper several months earlier, so I knew the request would sound plausible.
Next I sent another faked email to Neill posing as Derrell, and spoofing his real email address. After we exchanged several messages back and forth, I told Neill that “I” was putting together a database to track every security issue so DEC could streamline the resolution process.
To build further credibility, I even suggested to Neill that we should use PGP encryption because we didn’t want someone like Mitnick reading our emails! Soon thereafter we had exchanged PGP keys to encrypt our email communications.
At first I asked Neill to send me just a list of all the security holes he had forwarded to DEC over the past two years. I told him I was going to go through the list and mark the ones I was missing. I explained that VMS Engineering’s records were disorganized—the bugs had been sent to different developers, and a lot of old emails had been deleted—but our new security database would organize our efforts to address these problems.
Neill sent me the list of bugs I requested, but I asked for only one or two of the detailed bug reports at a time to avoid any suspicion on his part.
In an effort to build even more credibility, I told Neill I wanted to share some sensitive vulnerability information with him since he had been so helpful. I had the details of a security hole that another Brit had found and reported to DEC a while back. The bug had made big news when it hit the media, and DEC had frantically sent out patches to its VMS customers. I had found the guy who discovered it and persuaded him to send me the details.
Now I sent the data to Clift, reminding him to keep it confidential because it was DEC proprietary information. For good measure, I sent him two more bugs that exploited other security issues he didn’t know about.
A few days later, I asked him to reciprocate. (I didn’t directly use that word, but I was counting on the effectiveness of reciprocity as a strong influence technique.) I explained it would make my life much easier if, in addition to the list, he could send me all the detailed bug reports he had submitted to DEC over the last two years. Then, I said, I could just add them to the database in chronological order. My request was very risky. I was asking Neill to send me everything he had; if that didn’t raise his suspicions, nothing would. I waited a couple of days on pins and needles, and then I saw an email from him, forwarded to my USC mailbox. I opened it up anxiously, half-expecting it to say, “ ‘Good try, Kevin.’ ” But it contained everything! I had just won the VMS bug lottery!
After getting a copy of his bug database, I asked Neill to take a closer look at the VMS log-in program, Loginout. Neill already knew that Derrell had developed the Loginout program and I was curious to know whether he could find any security bugs in it.
Neill emailed me back some technical questions about Purdy Polynomial, the algorithm used to encrypt VMS passwords. He had spent months, maybe even years, trying to defeat the encryption algorithm—or rather, optimizing his code to crack VMS passwords. One of his queries was a yes/no question about the mathematics behind the Purdy algorithm. Rather than research it, I just guessed the answer—why not? I had a fifty-fifty chance of getting it right. Unfortunately, I guessed wrong. My own laziness resulted in revealing the con.
Instead of tipping me off, though, Neill sent me an email claiming that he had found the biggest security bug to date—in the very VMS log-in program I had asked him to analyze. He confided that it was so sensitive that he was willing to send it to me only in the post.
How stupid did he think I was? I just responded with Derrell’s real mailing address at DEC, knowing the jig was up.
The next time I logged in to Hicom to check the status quo, a message popped up on my display:
Ring me up, Mate.
Neill.
That made me smile. But what the hell? I figured: he already knew he had been hustled, so I had nothing to lose.
I called.
“Hey, mate.” No anger, no threats, no hostility. We were like two old friends.
We spent hours talking, and I shared all the intricate details of how I’d hacked him over the years. I decided I might as well tell him, since it wasn’t likely to work on him again.
We became telephone buddies, sometimes spending hours on the phone together over several days. After all, we shared similar interests: Neill loved finding security bugs, and I loved using them. He told me that the Finnish National Police had contacted him about my hacking into Nokia. He offered to teach me some of his clever bug-hunting techniques, though not until I acquired a better understanding of the “internals” of VMS—that is, the inner workings of the operating system, the details of what was “under the hood.” He said I had spent too much time hacking into stuff instead of educating myself on the internals. Amazingly, he even gave me some exercises to work on, to learn more about this, and then he went over my efforts and critiqued them. The VMS bug hunter training the hacker—how ironic was that?
Later, I would intercept an email that I suspected Neill had sent to the FBI. It read:
Kathleen,
There was only one match in the mail log from nyx:
Sep 18 23:25:49 nyxsendmail[15975]: AA15975: message-id=<00984B0F.85F46A00.9@hicom.lut.ac.uk>
Sep 18 23:25:50 nyxsendmail[15975]: AA15975: from=<kevin@hicom.lut.ac.uk>, size=67370, class=0
Sep 18 23:26:12 nyxsendmail[16068]: AA15975: to=<srush@nyx.cs.du.edu>, delay=00:01:15, stat=Sent
Hope this helps
This log showed the dates and times when I was sending emails from my account on Hicom to one of the accounts I had on a public-access system in Denver called “nyx.” And who was the “Kathleen” the message was addressed to? I figured there was a 99 percent likelihood it was, once again, Special Agent Kathleen Carson.
The email message was clear evidence that Neill had been working with the FBI. I wasn’t surprised; after all, I had drawn first blood and gone after him, so maybe I deserved it. I had enjoyed our conversations and picking his brain; it was disappointing to learn that he had just been playing along in the hope that he might be able to help the Feds nail me. Even though I had always exercised precautions when calling him, I decided it would be best to cut off all contact, to avoid giving the FBI any more leads.
In a criminal prosecution, as you probably know, the government is required to share its evidence with the defendant. Among the documents later turned over to me was one that revealed both the extent of Neill’s cooperation and its importance to the FBI. When I first read a copy of this letter, I was surprised.
U.S. Department of Justice Federal Bureau of Investigation
11000 Wilshire Boulevard #1700
Los Angeles, CA 90014
September 22, 1994
Mr. Neill Clift
Loughborough University
Dear Neill:
It must be quite frustrating to sit over there and wonder if the FBI or British law enforcement authorities are ever going to do anything and catch our “friend,” KDM. I can only assure you that every little piece of information concerning Kevin which finds its way into my hands is aggressively pursued.
In fact, I just verified the information you provided…. It certainly appears this computer system has been accessed and compromised by Kevin. Our dilemma, however, is that the “NYX” system administrator is not as helpful to law enforcement as you have been; and we are somewhat limited in our pursuit of watching the account by the American legal procedures.
I wanted to let you know in this letter how much your cooperation with the FBI has been appreciated. Any telephonic contact made to you by Kevin is very important—at least to me.
… I can report that you (and only you) are the one concrete connection we have to Kevin outside the world of computers. I do not believe we will ever be able to find him via his telephone traces, telnet or FTP connections, and/or other technological methods. It is only through personal (or, in your case, telephonic) exchanges with Kevin that we gain more insight as to his activities and plans. Your assistance is crucial to this investigation. [Emphasis added.]
… I can only assure you, once again, that your efforts in the Kevin “chase” are appreciated…. If you choose to continue your cooperation with the FBI by providing me with information about discussions with Kevin, I promise that, one day, all the little pieces of data filtered to me from around the world will fall into place and lead to a computer terminal where I will find Kevin and promptly place him in handcuffs….
Thanks again, Neill.
Sincerely yours,
Kathleen Carson
Special Agent
Federal Bureau of Investigation
Rereading this now, I’m struck by how frustrated Special Agent Carson sounds about not being able to catch me—and how willing she was to admit that in writing.
In my job-hunting efforts in Seattle, I found a newspaper ad for a Help Desk analyst at the Virginia Mason Medical Center. I went in for an interview, which lasted for a couple of hours and led, a few days later, to a job offer. It didn’t sound like something that was going to present the same challenges that my job in the law firm in Denver had. But my apartment was depressing, and I didn’t want to commit to a better place until I was set with an income and knew which part of town I’d be working in, so I took the job despite the drawbacks.
When I picked up the new-employee package from Human Resources, I found that the application form asked for a print of my index finger.
Bad news. Did those prints get sent out to be checked against FBI records? I made another of my pretext calls, this one to the Washington State Patrol, claiming I was with the Oregon State Police Identification Division.
“Our department is setting up a program to aid city and county organizations by screening their job applicants for criminal records,” I said. “So I’m looking for some guidance. Do you ask for fingerprints?”
“Yes, we do.”
“Do you just run the prints against state files, or do you send them to the FBI?”
“We don’t submit to any outside agencies,” the guy on the other end of the line told me. “We check state records only.”
Excellent! I didn’t have any criminal record in Washington State, so I knew it’d be safe for me to hand in the application with my fingerprint on it.
I started work a few days later, sharing an office with a tall, very detail-oriented guy named Charlie Hudson and one other coworker. The job wasn’t even moderately interesting; my work consisted mostly of answering Help Desk questions from doctors and other hospital staff members who brought to mind those jokes about users so numskulled about technology that they attempted to copy floppy disks on a Xerox machine.
Practically all the employees in the place, for example, were using their Social Security number as the secret question for resetting their computer passwords. I tried to talk to my boss about how unsafe that was, but he blew me off. I thought for a minute about giving him a little demonstration of how easy it was to obtain anyone’s Social Security number, but then realized that would be a very bad idea. When I started writing scripts on the VMS system to solve some technical support problems, I was told that the project was beyond my job responsibilities, and I should quit working on it.
My mental attitude was in pretty good shape. In all the time I had been on the run, I had never had any alarming events that made me fear for my security. But I could never let my guard down completely. One day I walked out of my apartment building and saw a Jeep Cherokee parked across the street. What caught my attention was that there were almost no cars parked on the street at that hour, yet this one was stopped at a place that wasn’t convenient to any house or apartment building entrance. And there was a man sitting in it. As a kind of challenge, I stared straight at him. We made eye contact briefly and then he glanced away, showing no interest. It made sense to be cautious but I decided I was being a little paranoid, and continued on my way.
About two months after I moved to Seattle, Lewis put me in touch with Ron Austin, Poulsen’s one-time hacking buddy, a guy I knew about but had never talked to. My main topic of conversation with Ron was Justin Petersen, who had touched all three of our lives by snitching on us. Austin and I started communicating frequently. He had provided me with a list of pay-phone numbers in the West Los Angeles area, and I would let him know which phone number I’d be calling him on and at what time.
I was routing all my calls from Seattle to switches in Denver, Portland, Sioux Falls, and Salt Lake City, and adding another layer of protection by manipulating the switch software so it would be very time-consuming for anyone to trace my calls. Although I didn’t trust Austin, I felt safe talking to him because we used so many pay phones, a different one each time.
There was another reason I felt safe with him: he shared with me a very powerful research tool he had learned about from Justin. In a bizarre coincidence, Justin—long before I met him—had snuck into a building I was very familiar with: 5150 Wilshire Boulevard, where Dave Harrison had his offices. Justin was interested in stealing credit card data as it was sent to the card processor for verification, and he was targeting the same GTE Telenet network that I had gone after, though with a different intent.
When Justin started playing back the recording of the modem tones through a setup that translated them into text on the computer screen, he realized that among all the other data was the sign-on credentials of some agency that was accessing California DMV records—credentials he and any other hacker could use to retrieve any information from the DMV. Incredible! I could just picture Justin’s jaw dropping. He probably couldn’t believe his good luck, and began using these credentials himself to run license plates and driver’s licenses.
Ron wasn’t just telling me a story about Justin. He was actually sharing the details with me: “The GTE Telenet address is 916268.05. As soon as the display goes blank, you type ‘DGS.’ The password is ‘LU6.’ And you’re in!”
I couldn’t get off the phone fast enough to try it out. It worked!
From then on, I would never have to social-engineer the DMV for information again. I could get everything I wanted, quickly, cleanly, and safely.
Austin’s sharing of this hack put my mind to rest about whether he might really be a snitch trying to get information to help the Feds find me. If he were an informant, the Feds would never have allowed him to give me access to protected DMV records. I was convinced that he was safe to deal with.
During my investigation of Eric, I had spent countless hours online and on the phone with a well-known Dutch hacker who went by the hacker name “RGB,” working to figure out bugs and hack into different systems. He had been busted in May 1992, arrested at his home in Utrecht, the Netherlands, by government agents posing as salesmen for a computer company—a combined force made up of local police and the PILOT team, a law enforcement group formed to battle hacking-related offenses. RGB told me the police had hundreds of pages of transcripts of his conversations with me.
When he was released from detention, we went back to hacking together again. RGB started probing systems at Carnegie Mellon University and monitoring their network traffic using a program called “tcpdump.” After weeks of monitoring, he finally intercepted a CERT staff member’s password. As soon as he confirmed that the password worked, he contacted me, full of pure excitement, and asked for my help in finding anything of interest, most particularly any reported security vulnerabilities that we could leverage in our hacking.
The Computer Emergency Response Team, CERT, based at Carnegie Mellon University, in Pittsburgh, was a federally funded research and development center established in November 1988, after the Morris Worm brought down 10 percent of the Internet. CERT was intended to prevent major security incidents by setting up a Network Operations Center to communicate with security experts. The Center created a vulnerability disclosure program with the mission of publishing advisories about security vulnerabilities, usually after the software manufacturer had developed a patch or created a work-around to mitigate the risk of the security flaw. Security professionals relied on CERT to protect their clients’ systems and networks from intrusions. (CERT’s functions would be taken over by the Department of Homeland Security in 2004.)
Now think about this for a moment: if someone discovered and reported a security hole, CERT would issue an advisory. Most CERT security advisories focused on “exposed network services”—operating system elements that could be accessed remotely—but they also reported security holes that could be exploited by “local users,” people who already had accounts on the system. The vulnerabilities were usually associated with the Unix-based operating systems—including SunOS, Solaris, Irix, Ultrix, and others—that made up most of the Internet back then.
New security bug reports were often sent to CERT, sometimes in unencrypted emails. These were what RGB and I were after, new bugs that we could leverage to get into systems, almost as if we had a master key to the server. Our goal was to leverage the “window of exposure,” the time lapse until the manufacturer came up with a patch and companies could get it installed. Such security holes had a limited shelf life: we would have to make use of them before they were fixed or otherwise blocked.
I had known about RGB’s plan but doubted he would be able to capture the credentials to a CERT staff member’s account. Yet he had pulled it off in a short time. I was shocked but happy to share the spoils with him. As a team, we hacked into the workstations of several other CERT staff members and grabbed everyone’s email spools, meaning all their email messages. And we hit the mother lode, because many of those emails contained unencrypted messages disclosing so-called zero-day vulnerabilities—meaning that they had just been discovered, and the software manufacturers had not yet developed or distributed patches to fix the problems.
When RGB and I found that most bugs were sent “in the clear”—unencrypted—we could hardly contain ourselves.
As I said, that had all happened a couple of years earlier. But now, sometime around September 1994, an unexpected message popped up from RGB, drawing my attention back to CERT:
Hi, Here’s some info for you:
there is a vax/vms system on 145.89.38.7 login name:
opc/nocomm there might be x.25 access on here but i’m not sure, on the network there is a host called hutsur, this host does have access to x.25 for sure.
you might wonder why this has to be so secret, but i’m starting to hack again and I dont want the police to know anything about it. in order to start again, i need you to do me a favor. could you get me some numbers of terminal servers all over the u.s., i will use some outdials i got to get to them, and will go from these terminal servers on to the internet.
This time around i’m really gonna setup all the things right, so nothing will be noticed. The preparation for the whole thing will take about 1 month or so, after that i will be found regularly on the internet, i will then give you some more info on what projects i’m working. i’m all ready busy trying to get access to cert again, i have gotten different passwords for cmu systems, which i will use in a later stage.
Thanxs,
P.s.)
Included is my pgp key
He wanted to get back into CERT again!
One day in early October 1994, not long after RGB’s email, I went out to lunch carrying a small package containing a defective OKI 900 cell phone that I was planning to mail back to the store that day. As was almost always the case when I was out on foot, I was talking on my cell phone. I walked down Brooklyn Avenue toward the heart of the U District. When I crossed 52nd Street, about two blocks from my apartment, I heard the faint sound of a helicopter.
The sound gradually grew louder, then was suddenly very loud and right overhead, very low, as the helicopter evidently headed for a landing at a nearby schoolyard.
But it didn’t land.
As I walked, it stayed right over my head and appeared to be descending. What the fuck is going on? My thoughts started churning. What if—what if the chopper is looking for me? I felt my palms start to sweat and my heart begin to pound. Anxiety was running through my veins.
I ran into the courtyard of an apartment complex, where I hoped some tall trees would block me from view of the chopper. I tossed my package in the bushes and started running full bore, ending my cell phone call as I pounded along. Once again my daily workouts on the StairMaster were paying off.
As I ran, I calculated an escape route: get to the alley, turn left, then run like hell for two blocks, across 50th Street and into the business district.
I figured they had ground support on the way, and at any moment I’d begin to hear the yowling wail of police car sirens.
I turned into the alley. I ran on the left side of the alley, next to the apartment complexes that would provide good cover.
Fiftieth Street just ahead. Heavy traffic.
I was going on pure adrenaline.
I ran into the street, dodging between cars to get across.
Damn! Almost hit—close call.
I ran into a Walgreen’s pharmacy, now feeling waves of nausea. My heart was pounding, sweat was running down my face.
Then out of the drugstore again and into another alley. No helicopter—what a relief! But I kept going. Jogging toward University Avenue.
Feeling safer at last, I ducked into a store, and placed another cell phone call.
It wasn’t five minutes before I heard the sound of the helicopter getting louder and louder and louder.
It flew until it was right over the store, then hovered there. I felt like Dr. Richard Kimble in The Fugitive. My stomach was churning again, my anxiety rapidly returning. I needed to escape.
Out the store through the back entrance. Run a couple blocks, duck into another store.
Every time I turned on my cell phone and placed a call, the damned helicopter would reappear. Son of a bitch!
I turned off the phone and ran.
With the phone off, the helicopter wasn’t following me anymore. I knew then. No question. They were tracking me by my cell phone transmissions.
I stopped under a tree and leaned against its solid trunk to catch my breath again. People walking past looked at me with suspicion written all over their faces.
After a few minutes with still no helicopter, I began to calm down.
I found a pay phone and called my dad. “Go to the pay phone at Ralph’s,” I told him, naming the supermarket near his apartment. Again my curious, uncanny memory for phone numbers came in handy.
When I reached him, I told him the story about the helicopter chase. I longed for his sympathy and support, his understanding.
What I got was something else:
“Kevin, if you think somebody was chasing you in a helicopter, you really need help.”