Transcript
In 1991, Kevin Mitnick was bouncing back from what was probably the lowest point of his life. His rich criminal record made it hard for him to find employment, he gained a lot of weight in prison – and to top it off, his wife finally had enough of all the troubles he dragged her into, and left him for his best friend and hacking buddy.
Over the following months, Mitnick started to rebuild his life: he started working out and lost a hundred pounds, and most importantly – he was finally on the path towards ditching his self-destructive obsession with hacking.
But just as he was in the process of turning his life around, his brother introduced him to a hacker named Eric Heinz, who told him about a mysterious piece of equipment he came across while breaking into Pacific Bell: SAS, a testing system that allowed its user to listen in on all the calls going through the telephone network. SAS proved to be too great of a temptation for Mitnick, who desperately wanted to wield the power that the testing system could afford him.
Pretexting
After a bit of probing, he discovered that the company that designed SAS went out of business – but Mitnick was able to find the guy who was the system’s lead engineer, and convinced the man to send him a copy of the system’s manual. Eric was right: SAS was every bit as powerful as Mitnick hoped, and allowed him to ‘monitor’ – the phone company’s lingo for wiretapping – any phone number he wished to.
And yet, Mitnick’s intuition told him that something about the other hacker was off. Eric was very secretive, to the point that he even refused to give Mitnick his phone number or home address. Whenever Mitnick tried asking questions about his past, Eric was quick to change the subject. What was Eric trying to hide?
From Mitnick’s autobiography, ‘Ghost in the Wires’:
“Too many things about him seemed suspicious. He didn’t appear to have a job. So how could he afford to hang out at the clubs he talked about? Hot places like Whiskey à Go-Go, where acts like Alice Cooper and the Doors, as well as rock gods from back in the day like Jimi Hendrix had sometimes dropped in to jam. And that business about not giving me a phone number? Eric wouldn’t even give me his pager number. Very suspicious.”
Mitnick decided to get to the bottom of the matter: he hacked Pacific Bell and obtained Eric’s phone number. The next step was finding out his address.
“Posing as a technician in the field, I called Pacific Bell’s […] Line Assignment Office. A lady answered and I said, “Hi. This is Terry out in the field. I need the F1 and the F2 on 310 837-5412.” The F1 was the underground cable from the central office, and the F2 was the secondary feeder cable […]
“Terry, what’s your tech code?” she asked. I knew she wasn’t going to look it up—they never did. Any three-digit number would satisfy, so long as I sounded confident and didn’t hesitate. “Six three seven,” I said, picking a number at random. “F1 is cable 23 by 416, binding post 416,” she told me. “F2 is cable 10204 by 36, binding post 36.” […]
I didn’t care about anything I had asked so far. It was just to make me sound legitimate. It was the next piece of information that I really wanted. “What’s the sub’s address?” I asked. (“Sub” being phone company lingo for the subscriber, or customer.) “Also 3636 South Sepulveda,” she told me. “Unit 107B.” […] As easy as that. It had taken me not much more than a few minutes to discover Eric’s address and both of his phone numbers.”
The social engineering method that Mitnick employed to fool the lady in the Line Assignment Office is called ‘Pretexting.’ Here’s how he himself described this powerful technique.
“When you use […] pretexting, you become an actor playing a role. […] When you know the lingo and terminology, it establishes credibility—you’re legit, a coworker slogging in the trenches just like your targets, and they almost never question your authority. At least, they didn’t back then.
Why was the lady in Line Assignment so willing to answer all my questions? Simply because I gave her one right answer and asked the right questions, using the right lingo. So don’t go thinking that the Pacific Bell clerk who gave me Eric’s address was foolish or slow-witted. People in offices ordinarily give others the benefit of the doubt when the request appears to be authentic. People, as I had learned at a very young age, are just too trusting.”
FBI Donuts
By combining his social engineering mastery with the almost unlimited access that SAS provided him, Mitnick was soon able to get a hold of the phone numbers that Eric was calling on a regular basis – and was shocked to discover that these numbers belonged to the FBI. Eric, it seems, was working for the bureau.
“The Feds had targeted me before, and made sure the arrest got big media coverage. And now, if my suspicions were correct, the Bureau was dangling a carrot in front of me. By introducing Eric into my life, the agents were doing the equivalent of sticking a bottle of Scotch under the nose of a “reformed” alcoholic to see if they could bump him off the wagon.”
A short while later he discovered that the FBI had also placed a wiretap on his phone lines. If the Feds were listening in on his calls to Lewis, his hacking buddy, this meant that they probably already knew about his hacking escapades – and that he was actively violating the conditions of his supervised release. The prospect of returning to The Hole filled Mitnick with dread, and he was determined to do whatever it took to evade that fate.
And so Mitnick decided to build his own “early warning system.”
“I bought a RadioShack scanner [and] a device called a “digital-data interpreter,” or DDI—a special box that could decode the signaling information on the cellular network. […] I programmed the scanner to monitor the frequency of the cell tower nearest to [my workplace] so it would pick up information from the tower identifying the phone number of every cell phone in or even just passing through the area.”
Mitnick configured his contraption to monitor the phone numbers of every FBI agent that was in communication with Eric and play an alarm tone if any of them were detected nearby.
He didn’t have to wait long. Only a few weeks later his early warning system began sounding the alarm. Mitnick returned to his apartment, made sure to get rid of any items or documents that might implicate him – and then stopped at a doughnut shop. When the Feds raided his apartment the next day, they found it empty of any incriminating evidence – but they did find a box of 12 doughnuts waiting for them in Mitnick’s fridge, with a sticky note that read: FBI DOUGHNUTS.
A Close Call
But for all his bravado, Mitnick was well aware that with the FBI’s watchful eyes trained on him, it was only a matter of time until he would be back behind bars. And so –
“I had decided on my future: I would become someone else and disappear. I would go to live in some other city, far away from California. Kevin Mitnick would be no more.”
But before pulling off his disappearing act, Mitnick had two more things to take care of. The first was saying goodbye to his beloved mother and grandmother in Las Vegas. The second was Eric Heinz. While Mitnick now knew for certain that Heinz was an FBI informant, he still didn’t know the hacker’s true identity – and Mitnick being Mitnick, he could not leave such a puzzle unsolved.
While packing his things and getting ready to leave Las Vegas, Mitnick called California’s Department of Motor Vehicles. Posing as an investigator with the Los Angeles County Welfare Fraud Unit, he requested a copy of Eric’s driver’s license – something he did regularly since the DMV’s databases held a wealth of personal information about almost everyone in the state.
Mitnick asked for the documents to be faxed to a local print shop and since he knew the feds were looking for his car, had his grandmother drive him there. The print shop was packed full of customers, and so Mitnick had to wait in line for twenty minutes before he picked up his envelope. But when he pulled the fax sheets from the manila, he was surprised to discover that the details on the document weren’t those of Eric Heinz, but of a nondescript lady. Mitnick cursed the DMV’s incompetent employee who mishandled his request and went outside to call the DMV on a nearby pay phone.
But unbeknownst to Mitnick, the technician who took his request was already alerted by the DMV’s security department. She immediately notified her supervisors – and the nondescript lady whose picture she sent Mitnick was affectionately known as Annie Driver, a fictional character used by the DMV for educational purposes. Four agents were staking out the print shop, eagerly waiting for the person who would pick up the fax.
As Mitnick started dialing, he noticed the four suited figures walking in his direction.
“What do you want?” he asked them.
“DMV investigators – we want to talk to you.” said one of them.
Mitnick froze, then dropped the pay phone handset. “You know what? I don’t want to talk to you!” he said and tossed the papers into the air. As the agents instinctively tried to grab the falling documents, Mitnick seized the opportunity and took off through the parking lot.
“My heart was racing, my adrenaline pumping. I focused all my energy on outrunning my pursuers. Those many hours I’d spent in the gym, day after day, month after month, paid off. The hundred pounds I had shed made all the difference. I ran north through the parking lot, dashed over a narrow wooden footbridge leading into a residential area dotted with palm trees, and kept running as hard as I could, never looking back.”
On The Run
And so, Kevin Mitnick became a fugitive. He spent some time in Las Vegas acquiring the necessary documents for his new identity – Eric Weiss, a name he picked as a homage to Harry Houdini, the famous escape artist – and then took off to Denver, Colorado, where he found a job as an IT person in a law firm. One would expect that with the FBI hot on his heels, Mitnick would try to lie as low as possible – but instead, he spent his nights hacking into Sun Microsystems, Novell, Nokia, Motorola, and others.
Also while in Denver, he continued his investigation into Eric Heinz’s true identity. By hacking into the Social Security Administration he managed to find Eric’s father, Eric Heinz Sr. Mitnick called Heinz Sr., and presented himself as Eric’s high school buddy. To his surprise, the elderly gentleman immediately became angry and suspicious – and Mitnick quickly learned why: Eric Heinz died in a car crash, along with his mother, when he was only two years old. The informant’s identity was a stolen one.
It took Mitnick a few more months to uncover Eric’s true identity: Justin Tanner Petersen, a black hat hacker who was caught stealing and struck a deal with the FBI to help them nab Mitnick in return for his freedom. But it seemed that in Petersen’s case, once a thief – always a thief: while Mitnick was running from the law, Petersen was caught red-handed committing credit card fraud. This came as a relief to Mitnick since this meant that Petersen lost all his credibility, and any testimony he would give against Mitnick would be worthless.
—
Over time, Mitnick’s superiors became suspicious of their IT person. As part of his social engineering attempts against his marks, Mitnick spent an exorbitant amount of time talking on his cell phone – but since this was 1994 and cell phone usage was still billed by the minute, such long calls were definitely out of the ordinary: Mitnick’s bosses suspected that he was conducting freelance consulting on the company’s time. He was promptly fired – and a few weeks later learned that somehow, his former managers had discovered that his identity was fabricated. Fearing that the FBI would be called to investigate, Mitnick had no choice but to flee Denver. He moved to Seattle under a new name, “Brian Merril.”
But on his very first day in the new city – which, incidentally, was also Independence Day – he woke up to see his mugshot splashed all over the New York Times front page, with the headline: “Cyberspace’s Most Wanted: Hacker Eludes F.B.I. Pursuit.”
“And all of this on Independence Day, when red-blooded Americans feel greater national fervor than on any other day of the year. How people’s fear of computing and technology must have been brought to the boil as they ate their sunny-side-ups or their oatmeal and read about this kid who was a threat to the safety and security of every American.”
Although the picture in the New York Times was old enough to make it difficult to recognize him, Mitnick was gripped by a strong sense of paranoia, convinced that he could be identified by someone on the street at any minute. Two months into his stay in Seattle, he saw a low-flying helicopter hovering above his apartment: suspecting that he was being tracked by his cell phone signal, Mitnick decided to flee Seattle.
He moved to Raleigh, North Carolina, and rented an apartment at a complex called Players Club under a new identity.
Tsutomu Shimomura
Somewhere along the way, Mitnick picked up a new friend: an Israeli hacker who went by the handle JSZ. The two would spend hours conversing via the internet and hacking into various systems. On Christmas Day, 1994, Mitnick called JSZ to jokingly wish him a Jewish Merry Christmas – but it turned out that JSZ was the one who had a Christmas present for him.
A year earlier, while still in Denver, Mitnick learned of a company called Network Wizards, which was marketing software that was designed to enable hackers to control cell phones produced by OKI, a Japanese company. Naturally, Mitnick wanted very much to get his hands on the software’s source code – and learned that a security researcher named Tsutomu Shimomura might have a copy of it.
Mitnick had already heard about Shimomura. Outwardly, the 30-year-old Japanese-born security expert looked every bit like a classic California ‘Dude’, sporting shoulder-length black hair, raggedy jeans, and sandals. Yet for all his ragged looks, Shimomura was well known for his brilliance: as a physics student, he studied under famed physicist Richard Feynman – and then went on to work at Los Alamos National Laboratory. When Shimomura decided to pursue a career as a computer security expert, it was only a matter of time before the NSA recruited him.
Mitnick, for his part, was impressed with Shimomura’s technical skills – but disliked what he considered to be his arrogant demeanor. He also had a score to settle: when Mitnick tried to break into the researcher’s computer looking for the said source code, Shimomura quickly noticed the suspicious activity and kicked Mitnick out of it.
So when JSZ told him that he had a backdoor into Shimomura’s computer, Mitnick was beside himself: here was a chance to both grab the source code he sought – and teach Shimomura a lesson.
“It was known in the hacker community that Shimmy had a very arrogant demeanor—he thought he was smarter than everyone else around him. We decided to bring his ego down a few notches toward reality—just because we could.”
Mitnick and JSZ broke into Shimomura’s system. They had to work fast: it was almost Christmas, and Mitnick was concerned that Shimomura might decide to log in and check his mail for Christmas greetings. They nabbed whatever data they could find, and held their breaths until the file transfer was complete. Mitnick then uploaded the files to a hacked storage account he kept at The Well, a well-known virtual community.
When all was over, Mitnick was euphoric.
“I was still elated about the success of the Shimmy hack. But I would live to regret it. Those few hours would eventually lead to my undoing. I had unleashed a hacker vigilante who would stop at nothing to get even with me.”
The Hunt Begins
It didn’t take long for Tsutomu Shimomura to learn about the hack. After almost getting hacked by Mitnick a year earlier, he took the precaution of installing a network monitoring tool and an automatic program that periodically emailed his system’s logs to his assistant. The assistant noticed the suspicious activity and notified Shimomura, who was about to leave for a ski vacation. Instead, the disappointed researcher had to take a flight back to San Diego and spend the holiday piecing together the attack.
A few weeks later, in late January 1995, a user of The Well virtual community noticed some strange new files that had suddenly appeared in his account and seemed to belong to someone named Shimomura. By chance, that same night he came across a story in the New York Times that described the hack – and quickly realized that these were probably the files that were stolen from the security expert. He reached out to Shimomura, who – with The Well’s admins’ blessing – set up temporary headquarters there, and began tracking the hacker’s activities.
For the next week and a half, Shimomura and a few aides kept a close watch on the accounts Mitnick was using to store the data he was stealing from his various victims. They were also able to eavesdrop, in real time, on Mitnick’s online chats with JSZ: it was only then that Shimomura finally learned of his attacker’s identity – which only made him that much more determined.
As luck would have it, one of the files they found in the hacked accounts was a database of some 20,000 credit card numbers that Mitnick nabbed from a San Jose ISP named Netcom. Shimomura and his team relocated their headquarters to Netcom’s facility, which turned out to be a wise decision: Mitnick was using Netcom’s network to connect his computer to the Internet, and Shimomura was able to record his hacking sessions. It took a few days for San Francisco’s District Attorney to obtain a subpoena that required the phone company to hand over its logs, and from these Shimomura learned that Mitnick was connecting to Netcom’s network via a cellular phone, from an unknown location in Raleigh, North Carolina.
Shimomura reached out to Sprint, whose network Mitnick was using to call Netcom’s internet access dial-up numbers. The engineer who assisted him ran a check on the cellular phone number that was supposedly calling Netcom – and was surprised to discover that that number didn’t belong to any known Sprint customer.
Acting on an impulse, Shimomura decided to call the said number, to see if anyone would pick up on the other end. Instead of the usual ringtone, what he heard was an eerie “click-click, click-click, click-click,” which continued, getting fainter and fainter until it disappeared and the call disconnected.
It was yet another clever scheme Mitnick devised as an extra layer of protection. He hacked the communication switch that connected the phone company’s network to that of Sprint so that the phone company thought the call came from Sprint – while Sprint’s system thought it was from the phone company. Any incoming call would bounce back and forth between the two networks until it would finally drop and disconnect.
Shimomura decided to try another line of investigation. He and Sprint’s engineer cross-checked the network’s logs looking for data calls that lasted more than 35 minutes and coincided with times when Mitnick was active inside The Well’s network. Such calls were rare enough that the engineer was able to quickly pinpoint a specific number whose calls all seemed to originate from a specific cell tower – cell #19 – located on the northeastern outskirts of Raleigh. They now had Mitnick’s location narrowed down to within a single kilometer – half a mile – around the tower.
Shimomura notified the FBI, and quickly took a flight to Raleigh. Knowing full well who he was dealing with, Shimomura was anxious: if Mitnick somehow learned about the noose that was being tightened around his neck, all he had to do was go silent for a few days – and slip away from the city undetected.
The Trap Closes
When the FBI’s radio surveillance team arrived that night in Raleigh, they brought with them a cellular radio direction-finding system. When Shimomura saw the system installed on the van’s roof, he was horrified: The roof unit had a massive black base, with four long silver antennas.
“I pointed out […] that they weren’t dealing with some technically illiterate cocaine dealer. “This guy’s paranoid, and he’s been known to use scanners to monitor the police before,” I said. […] “You guys are going to park out there, and he’s not stupid. I’m sure he knows what a direction-finding antenna looks like.”
When he realized the FBI’s operators weren’t taking his warnings seriously, Shimomura took the initiative: he found a large cardboard box, cut a hole in it for the antennas, and lashed it on top of the van. Now the van looked like a respectable electrician’s van. The next morning, the FBI team took to the road, and within a few hours narrowed Mitnick’s location to a group of apartments in the Players Club complex. However, since the radio signal was reflected by the apartments’ walls, they still weren’t certain in which specific apartment he was located.
—
The first time that Mitnick noticed that something was off was when, a few days earlier, he logged into a hacked account he had in a service called escape.com.
“I immediately noticed that someone else had logged in to my account… from the Well. Someone else had been there. What the fuck? I immediately went to the Well and started poking around, but didn’t find anything that led me to the mystery spy. I disconnected immediately, feeling like I was being watched.”
Mitnick spent February 14th looking for a job in Raleigh, writing resumes and cover letters. Later that evening he logged into The Well and snooped around for any evidence that he was somehow being watched – but Shimomura and his team covered their tracks well, and he didn’t find anything suspicious. At 9 p.m., he decided to go to the gym.
—
Meanwhile, Shimomura and the FBI agents were stalking the Players Club apartment complex. He and his contact at Netcom decided that when Mitnick would be arrested, Netcom’s engineers would make backup copies of his stashed files to keep as evidence and delete the original versions. Sensing that something could happen at any moment, Shimomura sent Netcom a pager message with a code that meant ‘get ready’. But due to an error, the message was sent several times instead of only once: his Netcom contact erroneously interpreted the flurry of messages to mean that Mitnick had already been apprehended, and started deleting files. When Shimomura realized what had happened, he became deeply anxious. As he recalled in a Wired article –
“But there was no time to fret about the error now: my cellular monitoring gear indicated that Kevin Mitnick had just signed on for the night shift. And if he hadn’t noticed before dinner that his stashes had been destroyed – and his presence now indicated he might not yet know – he was about to find out.”
—
Sometime after midnight, Mitnick returned to his apartment.
“I logged on to the Well to take a look around. As I changed the passwords on several new dormant accounts just for insurance, again I had a creepy feeling that someone had been watching me. I decided to go into partial cleanup mode. […] Then I noticed that several of the backdoors I’d been using to access various systems had mysteriously disappeared. The Feds worked very slowly. Even if a call of mine had been traced, it would usually take them days or weeks to investigate. Someone appeared to be hot on my trail, but I still had plenty of time. Or so I thought. […] As I was working on moving files around, I had a very, very uncomfortable sensation, a sinking feeling in my stomach that something bad was about to happen.”
Mitnick decided to ignore his gut feelings, trying to convince himself that he was just being paranoid. But the uneasy feeling kept bugging him, so some time later he got up from his chair and walked to the front door. It opened to an outside corridor that gave him a good view of the parking lot, so Mitnick stuck his head out and scanned the street. Nothing. He closed the door and returned to his seat.
It was this random peek that gave him away. Outside, the FBI agents who were stalking him were still unsure in which apartment he was – but when a deputy U.S. marshal noticed a head peering around an opened door at such a late hour, he immediately became suspicious.
—
Thirty minutes later, at around 1:30, Mitnick heard a loud knock on the door.
“Who is it?” he yelled.
“FBI.”
His blood froze in his veins. Panicked, he looked for an escape route: maybe he could use the bed sheets as a makeshift rope, and climb down the balcony? No – it would take too long. He decided to fall back, as always, on his social engineering skills.
He unlocked the door, and the suited agents pushed their way into the room. “Are you Kevin Mitnick?” No, he was Thomas Case, and what the hell were they doing raiding his home in the middle of the night?
“Like an actor, I put myself in the mindset of someone being violated. I get loud: “You don’t have any right to be here. Get outta my apartment. You don’t have a search warrant. Get outta my apartment NOW!”
One of the agents pulled a document from a folder and showed it to Mitnick, who knew where to look. “This isn’t a valid warrant. There’s no address,” he said triumphantly.
One of the agents left the apartment and half an hour later returned with a new warrant – this time with Mitnick’s exact address – signed by a federal judge.
Damn.
But the agents were still unsure if the man standing before them was indeed Kevin Mitnick: all they had to go by was a photograph taken more than six years ago.
“[It was a picture] from back when I was way heavier and grubby-looking from not having showered or shaved for three days. I tell the agent, “That doesn’t look like me at all.” Running through my mind is the thought, They’re not sure. Maybe I really can get out of this.”
Then one of the agents, who was searching inside a closet, turned around holding a wallet. Mitnick briefly considered grabbing the wallet from the man’s hands – but could do nothing as the agents pulled several driver’s licenses out of it: licenses that Mitnick had created for his previous fake identities. “Who’s Eric Weiss?” asked the agent. “Who’s Michael Stanfill?…”
This was damning as hell – but still, it didn’t prove that he was indeed Kevin Mitnick. Maybe he still had a chance.
And then one of the agents pulled an old ski jacket from the closet. Fumbling inside a zippered inner pocket, the agent pulled out a crumpled piece of paper. It was a pay stub from a company Mitnick worked for years ago, and it was made out to Kevin Mitnick. Game Over.
—
As Mitnick was being led out of the hearing courtroom in cuffs, a belly chain, and leg irons, he noticed a man looking at him intently. He had never met the man, but he immediately recognized him. As Mitnick passed Tsutomu Shimomura, he nodded at him. “I respect your skills.”
Shimomura returned the nod, and Mitnick was taken away.
Epilogue
In 1998, Kevin Mitnick was charged with 22 counts of wire fraud and unauthorized access to a federal computer. He was sentenced to 46 months in federal prison, plus 22 months more for violating the terms of his 1989 supervised release.
Apparently, the five years that Mitnick spent in prison were enough to convince him to leave his criminal career behind him. After his release in 2000, he turned his life around and became a security consultant, provided penetration testing services to various organizations, wrote books, and taught social engineering classes.
“People often ask if I’ve completely kicked the hacking habit. Often I still keep hackers’ hours—up late, eating breakfast when everyone else has already finished lunch, busy on my computer until three or four in the morning.
And I am hacking again… but in a different way. For Mitnick Security Consulting LLC, I do ethical hacking—using my hacking skills to test companies’ security defenses by identifying weaknesses in their physical, technical, and human-based security controls so they can shore up their defenses before the bad guys exploit them. […] What I do now fuels the same passion for hacking I felt during all those years of unauthorized access. The difference can be summed up in one word: authorization.
It’s the word that instantly transforms me from the World’s Most Wanted Hacker to one of the Most Wanted Security Experts in the world. Just like magic.”
On July 16, 2023, at the age of 59, Mitnick passed away from pancreatic cancer. He was married and expecting his first child.