The “world’s most wanted hacker,” Kevin Mitnick, has gone straight (interview)

VB: Tell us some stories about being on the run.

KM: I think the federal government came down harder on me is because I was playing games on them. At one point the government sent an informant to come and trap me, around 1992, after I was released from an earlier prison sentence. I quickly worked out what was going on and in the process I compromised the local cell phone company. I was able to identify the cell phones in Los Angeles that were calling the informant. I didn’t know the guy was an informant at the time, as this was part of my usual investigation.

I learned that people calling him were the FBI and it was the agency cell phone numbers. So what I did is I programmed these cell phone numbers into a device at a company where I was working as a private investigator. So if any of the cell phones came within a few miles radius of me, it would send me an alert. It was an early warning detection system that I had set up.

So in September of 1992, I was walking to my office one morning and I disabled the alarm. But I kept hearing a beeping. And I figured out that the alarm was disabled and I starting walking around everyone’s office to find out what this weird beeping was. It turned out it was coming from my office and it was my early warning system going off. A few hours earlier one of the FBI agents was actually making a phone call from the pay phone across the street from my apartment. He was within a mile of where I was.

I realized that the FBI happened to be to at my apartment when I was sleeping and nobody knocked on the door. So I realized they weren’t there to like arrest me immediately. They were probably preparing to get the stuff on my computer. I thought they would do a search. So I cleaned out my floppy disks, computers, and notes. I moved them over to a friend’s house. I went to Winchell’s doughnuts and got a box. I took a Sharpie and wrote “FBI doughnuts” on the box and stuck it in the refrigerator. The next day, the FBI executed the search warrant. The day before they were just gathering a description of my apartment to get the warrant.They searched my apartment and found nothing but the doughnuts. I think they were really pissed off.

I did these immature things that were funny at the time and it irritated them to no end. I think the agents took it personally. So when I was prosecuted, it felt like it was because I was playing games with them. When I was running from the government and living in Denver, I was working for this law firm. I had a legitimate systems administrator job. My hacking was all about becoming the best at circumventing security. So when I was a fugitive, I worked systems administrator jobs to make money. I wasn’t stealing money or using other people’s credit cards. I was doing a 9-to-5 job. I was at this law firm in Denver for a year and a half. One of my jobs was supporting the firm’s telephone system. I put code into the system so that if anyone were to call the FBI in Los Angeles or Denver, or the U.S. Attorney’s office, it would send me a page. I would know if there was an internal investigation or someone working me. I lived under the name Eric Weisz, the real name of Harry Houdini. I did these smart ass things and the government really frowned on it. I made a mockery of them and that’s probably why they came down hard on me.

My hacking did cause losses. But the losses were minimal compared to what the government alleged. The government alleged that I caused $300 million worth of damage, where the damage was that I copied source code. I was interested in the source code for operating systems like [Digital Equipment Corp.’s] VMS. And I wanted to look at the source code; my only purpose was to examine the flaws within the operating system so I could bypass security. So it’s really just leveraging the source code to become a better hacker. Now certainly it was illegal to copy the source code but the government really took that and ran with it.

Some of the FBI agents solicited these companies to actually say their losses $80 million each, based on the value of the source code that I looked at. So basically that was the entire research cost for developing it. It’s kind of like stealing a can of Coke and then getting charged with stealing billions of dollars because you have Coca-Cola formula. In my case, the fair losses would have been like something a few hundred thousand dollars.

VB: So why didn’t that make sense?

KM: It was only in the thousands, not the millions. So what I had done was poked at the tiger too much. They were trying to get me a really substantial prison sentence. My lawyer checked with the Securities and Exchange Commission because any publicly traded company has to report it when they suffer a material loss. Otherwise, they are defrauding shareholders. My attorney founded that none of these companies had reported to the SEC any loss that was attributed to my hacking. So, again, I was punished for causing these multimillion dollar losses.

VB: So there was a mythology to being the world’s most wanted hacker.

KM: Yeah I was you know I was the world’s most-wanted hacker in the 1990s. I would hack in at all these companies and look at their source code and the source code was a trade secret. So the companies themselves had no idea why they have this mysterious person hacking into their system. They were doing investigations. There were some real losses for sure.  I’m sorry that I caused anybody any loss at the time. As a hacker, I was thinking that all they have to do is change a few passwords and they would fix it. They would patch a security hole in their operating system and then I would be locked out. It might take them 30 minutes for them to do that. What I didn’t realize was what the other side is doing. The other side is like rebuilding their operating system from scratch. They are auditing the source codes. They are going through all these significant measures because they don’t know who is on the other side. They don’t know it’s just me. So you know what I’m saying? The victims had to do a lot of work.

VB: Did you feel like you had to correct the record because of the book that John Markoff co-wrote?

KM: Oh my God. I mean we could go on for hours. For example when I hacked into DEC and I copied the VMS source code with the co-defendant. I remember my co-defendant actually set me up for a FBI sting and I was arrested. I ended up in federal prison. Three days later, they finally took me to court and I was expecting to get bail. What had happened was that a federal prosecutor told the judge not only do we have to detain this guy, we have to make sure he can’t get to a pay phone inside the prison. We have to make sure he can’t get to a pay phone because he could dial up to the North American Air Defense System (NORAD) and whistle tones and possibly start a nuclear war.

[Markoff declined comment, beyond pointing out that Mitnick pleaded guilty to computer and wire fraud in March 1999.]

When the prosecutor said this I started laughing because I had never heard something so ridiculous in my life. It’s kind of like you taking something out of the movie War Games and manipulating it to a ridiculous degree. The judge, however, bought it hook line and sinker. I guess the prosecutor was to be believed and I ended up being held in solitary confinement in a federal detention center for nearly a year based on this myth. Then all these other rumors the government started using as fact. They said that I hacked into the National Security Agency and got to their secret access codes.

VB: That sounds a little implausible.

KM:    Back in the beginning, around the mid-90s you could do a “who is” command on a site. Nowadays, you do that it shows who it belongs to. Back then, they used to list the registered users of the host and their phone numbers. So I had a file on my floppy disk at the time called “NSA.txt” and it was a file that the output of a system called Dock Master. And Dock Master was a system that was run by the National Computer Security Center, which was the public arm of the NSA. And it listed the user names in a four-digit number and the four-digit number was their telephone extension.

The prosecutor characterized that file as proof that I hacked into the NSA and got their secret access codes and those four-digit numbers were secret access codes. I was said to be stalking the actress Kristy McNichol. I was supposedly messing with her telephone and calling her at all times of the day and night. The rumor went so far I ended up on the front page of the National Examiner which was like The National Enquirer. And so I remember going to the supermarket and seeing a  front page photo of me where it says Mitnick is stalking Kristy McNichol and this is I couldn’t believe it. The government used this in court as to what a danger I was. My mom at the time was a waitress at Jerry’s Delicatessen in Studio City. She saw Kristy McNichol and walked up to her. She said my son is Kevin Mitnick. She told my mom that whatever was happening wasn’t true. Kristy McNichol was going to write a letter to the court and explain these things had never happened. Her agents stopped her because they didn’t want it in the news that she was supporting me. There was a report that I hacked into a news wire service and was trying to discredit Security Pacific Bank and that cause them a big loss. That was a totally made-up allegation. I mean the list just goes on and on you know I don’t want to bore you.

Then the true thing is that when I was younger I was able to get celebrities’ unlisted telephone numbers and then I would verify that they were indeed the right number. Then I would never call again. There was an allegation that I had wiretapped the entire Los Angeles office of the FBI, which wasn’t true. I did however monitor the locations of cell phones and looked at the call detail records. So I would know a person A is calling person B.  But actually, in the New York Times, it said that I was wiretapping their conversations which wasn’t true. One chapter of the book describes the court drama. Most of the book is focused on the adventure, the crazy things I did as a juvenile. The book isn’t about me whining about this.

VB: What was the hack that you were most proud of?

KM: The hack I was most proud was actually hacking the McDonald’s drive-through window. I did this when I was 17. It wasn’t about hacking a computer. It was actually hacking their drive up windows so that I could overtake the radio in the drive-through window. I could sit across the street and talk and pretend that I was the employee inside McDonald’s. The poor employee could hear what’s going on but my transmitter was more powerful than his.

So you can imagine what fun you can have as a teenager when customers would drive up. I would say, ‘can I take your order please?’ They give the order. And I would say, ‘OK I have your order you are the 50th customer today so please right forward. Your order is absolutely free. And then the cops would drive up to order something. And I would say, ‘I’m sorry we only serve doughnuts to cops. We don’t serve any type of other food.’ Or I would say, ‘Hide the cocaine, hide the cocaine. May I take your order sir?’ One time, a manager of a McDonald’s came out to find out what the hell was happening. He walked around the parking lot and couldn’t see anybody. He looked in cars. He walked up to the drive-through speaker and he put his face next to the speaker as if there were someone hiding inside. I yelled into the microphone, ‘What the f*** are you doing?’ and the guy flies back 15 feet. These are the types of hacks I enjoyed. As a young kids, I was a prankster. I hacked into my friend’s home telephone service so that it became a pay phone. Whenever his parents tried to make a call, it would say, ‘please deposit 25 cents.’

I was doing this starting in the late 1980s and there were no computer crime laws at the time. I had a teacher in high school where he encouraged it. One of my first programming assignments was to write a FORTRAN program that found Fibonacci numbers. I thought that’s kind of boring. So I wrote a password stealer so I could get any of the other students’ passwords in class. I spent a longer time working on developing that program because it was my first and I didn’t have time to do the other assignment. So I ended turning in my password stealer instead and the teacher was clearly impressed and even gave me an A. He started telling all the other students how smart and clever this was. So I was raised at a time where the instructors in high school encouraged hacking and there were no laws against it.

VB: You know today you are in the business of being an ethical hacker. Do you find that today that the issues that ethical hackers have to deal with are pretty difficult in terms of being able to stay on the right side of the law?

KM: Not really. I was a hacker for a number of years before I became involved in security because there was no such occupation for doing it legally. Companies dealt with security by having their internal IT departments deal with it. There was no the security industry. In fact, if that did exist when I was younger, I might have taken a different path. But I was so interested in learning about computers. My primary goal of hacking was the intellectual curiosity, the seduction of adventure. The No. 1 thing was the pursuit of knowledge and there was no way to get the knowledge back then because those avenues didn’t exist.

Now today, a 14-year-old can use a laptop and set up their own entire lab on a laptop with different operating systems. There are different frameworks that you can download for absolutely free. There are tons of material on the internet so you can learn all about hacking and all about security. You can learn about offensive and defensive measures.  So you can be a part of a red team are trying to hack into a target to test their security or you could be on the defense side.

So today’s world is completely changed where young kids and even adults have a more social acceptable way to learn about this stuff. In fact, at Defcon this year was the first time they had kids come. There were kids who were eight, nine or ten who were attending a hacking conference. Of course, they are interested in hacking games. And one ten-year-old girl found a vulnerability. The world has changed from 1978.

VB: It’s also easier to become a criminal hacker.

KM: The ethical thing is actually the easier thing to do. Now if you are a criminal, then you will use hacking techniques to steal money and property. The hackers of my time were never in it to steal money. They could break into systems to get access to information. But it wasn’t a for-profit venture. Today, you have organized crime using hacking.