In this part, the once most wanted hacker Kevin Mitnick tells Hak5’s Shannon Morse about his experience with the law enforcement when he was a fugitive.
Shannon Morse: Speaking of people that you might have social-engineered, and same with the people that might have accused you of things: did you worry about any of the people that you had written about in the book? Like, did any of them confront you or anything like that?
Kevin Mitnick: Well, one did. I was working for this lady named Elaine Hill at a law firm, and that was when I was a fugitive in Denver. She was one of my bosses, so she wrote me on LinkedIn. She goes: “Hi Eric/Kevin,” because I was under the name Eric Weiss, the real name for Harry Houdini at the time. And she goes: “My husband is loving your book,” and, by the way, because I characterized her as a school teacher personality. And she goes: “You’re not going to believe what I do today,” and she told me that she’s now a school teacher, she goes: “You got me right!”
– It’s so cute! You had a lot of people that had lied to get you in trouble. Now that the book is out, did any of those people come up to you and say: “Hey, I’m sorry for saying that,” when they saw this book?
– No, not at all, none of my pals. My past hacking partner who was hacking with me for a number of years was Lewis De Payne. He’s not happy about the book, because I wrote that he cooperated with the government, but he wanted to clarify with me that he was cooperating after my sentencing so it would have no effect on me. So he was not really an informant. He was kind of disappointed that I wrote about him in that way, but I just tried to be 100% frank and honest.
– Ok, so you had so many fun hacks, it just sounds like you had such a good time doing it.
– It was kind of a game, but then again, it got more serious, because my goal was to become the best at circumventing security.
– You never made a dime off of any of these?
– It wasn’t money; again, it was seduction of adventure, curiosity, and challenge.
– So you never even wanted to make any money?
– No, I wanted to be the Harry Houdini of hacking. So I went after the source code of operating systems like VMS at the time and hacked it, and took a copy of the source code, which is, you know, a serious offence. I was leveraging that source code to become better at hacking, because I could analyze it for bugs, I could look at developer comments, I could change the code and patch system binaries. And then, when I eventually became a fugitive, I hacked into cell phone companies to get the source code so I could maintain invisibility.
And I knew it was important to maintain invisibility because when the FBI was chasing me, I was doing counter-intelligence: I hacked into the cell phone company in Los Angeles called ‘Pactel Cellular’, and there was this informant that was trying to set me up. So, what I did is I was able to get access to the call detail records, so I searched for who calls this guy, who in ‘Pactel Cellular’ calls this informant. And then I came up with a list of numbers, and I looked at their billing records, and it turned out that they were calling FBI internal numbers.
It doesn’t take a rocket scientist to figure out they’re the feds. So, common sense, I should have stopped there; but I didn’t have any common sense. I had this device called the DDI – the digital data interceptor, which allows me to monitor a cell site on the data channel and see who registers and see who gets calls. So I programmed these numbers into this device at my office – I worked as a private investigator. And I just let it sit there. And then, like, a month later I walk into the office and I hear: “beep, beep, beep”; I’m walking all around the offices – it’s coming from mine. What the hell is going on? I look at my computer, and I see my FBI early warning system has been trapped.
And it turns out that one of the agents – yeah, I was petrified – had called the payphone number, and I knew that number, what it was, it was the payphone across the street from the apartment I was living at. So I was thinking: “That happened 2 hours earlier, I was sleeping; if the FBI had come to arrest me, they would have walked in and they wouldn’t follow a hacker.” Why would they follow me? They already know where I work. So the next logical thing is they were going to do a search. In America, they have to get a description of the premises.
So, that night – I knew they were probably going to search the next day – I moved out all my computer equipment, my floppy disks. So I moved all that stuff out, and then the next day nothing happened, so I got a little bit bolder. I went to Winchell’s Donuts, I got a big box of 12 donuts and I wrote “FBI donuts” on it. I put it in the fridge, and then on a post-it note I wrote “FBI Donuts Inside” – like the “Intel Inside”.
And what happened is they raided me at 6 a.m. the next day, and the only thing they found were the FBI donuts. That’s why they were mad at me. And they didn’t touch any, I don’t know why; they left them all for me. Maybe they thought they were poisoned or something.
– Personally, I don’t think the law quite understands what it took to be a hacker back then. Do you think they would understand better now and maybe give you more fair treatment?
– Well, computers and hacking was kind of mysterious. And they couldn’t understand the non-profit motive back then. Today we’re post 9/11, so they probably would have treated me worse. Who knows? But to be locked up in solitary confinement on some myth that you could launch nuclear weapons? You know, who really knows? I was kind of the guy they wanted to make the example, to set an example for everybody else: “If you hack, this is what the federal government is going to do to you.”
And in fact, there was this guy named at Novell named Shawn Manley who I called up and convinced to set up an account on one of their terminal servers, and he asked me to call his voice mail to leave the password I wanted, and I did. He set up the account and I used it. But he never deleted that voice mail. And then, when they figured out what was going on, they turned that voice mail over to Novell security, it went to the San Jose police. But they played the recording, it’s just a voice, they don’t know who it is. So they couldn’t solve it. The San Jose computer crime squad had no idea who I was, I guess.
So, eventually it gets to the FBI in LA and one of the agents plays the tape, immediately knows my voice: “Oh, that’s Kevin,” calls up Novell, says: “I have some good news, I have some bad news. The good news is your hacker is Kevin Mitnick, the bad news is we don’t know where to find him.”
So, what eventually happened is when I was arrested and they held me for so many years without trial, this Shawn talked to the prosecutors, like: “What’s going on with the Mitnick case? How can you hold him for years without the trial?” And one of the prosecutors tells him, according to Shawn: “We’re going to teach him a lesson and send a message. And we know we’re violating his rights, but we don’t care”. Shawn was shocked, so he called my defense lawyer, offering to help me – and this is the guy I conned. We’re great friends today, I mean, we’re really good friends. He works for Fusion-io, and it was just like: “Wow,” he was appalled. And I didn’t even know what was going on, I was just sitting in prison, wondering where’s the light at the end of the tunnel. That’s a scary experience.