Las Vegas Sun

April 26, 2024

Trust me

By the time the FBI was investigating Kevin Mitnick in late 1992, he had been in and out of trouble with the law for more than a decade. In the late '80s, he spent eight months in solitary confinement.

When the law came into his life again, Mitnick didn't cooperate and he didn't run. Instead, he built up dossiers on the FBI agents pursuing him, complete with their Social Security numbers and addresses, and tracked their movements on the cellular phone grid.

"It was like something you'd see in the movies. It was exciting. It was completely insane," Mitnick says. "I was essentially messing with the FBI, and those guys, they don't have a sense of humor."

When the FBI served a search warrant on his Calabasas, Calif., apartment, Mitnick ran. After two years and five cities, he was caught in February 1995 in Raleigh, N.C. During his time on the run, he committed some of his most daring hacks, penetrating the defenses of Motorola, Novell, Nokia and Sun Microsystems. But after more than four years of imprisonment without trial or bail, he and the federal government agreed to a plea bargain that had him out of prison in less than a year. Mitnick appears never to have profited from his crimes. Instead, it was more like a burglar breaking into a lock factory for the thrill of copying lock diagrams.

"I went to jail a long time for excitement and fun," Mitnick says. "I should have gone to Disneyland."

Looking back, Mitnick says one of the worst things that happened to him wasn't even something the government did.

When he was first going underground, he came to Las Vegas to hide and set up a fake identity before fleeing further. He was a fitness nut in those days, and while at the gym, he put all his phony identification - driver's license, Social Security card - and $11,000 cash into a locker. By the time he finished his workout, it was gone.

Broke and desperate, he cashed out the last resource he had, $5,000 in U.S. Treasury bonds he got for his bar mitzvah.

To this day, Mitnick won't leave anything valuable in a locker or in his car.

- Brendan Buhler

Late one night in early 1981, two teenage boys cruise around Hollywood, looking for something to do.

They share an interest in the inner workings of the telephone system. So the younger, Steve, says why don't they go Dumpster diving for manuals behind the switching center on Gower Street.

Kevin, 17 and so bored he got a GED and dropped out of high school after junior year, says he has a better idea. He has hacked into a Pacific Telephone and Telegraph Co. computer and found access codes for the company's buildings, including the one that houses all of Hollywood's phone lines.

Why not take a self-guided tour?

After an hour, at about 1 a.m., a security guard finds them. Big guy. Kevin, acting cool, claims he's Steve from the COSMOS center in San Diego and he's showing his friend around. The guard doesn't buy it and marches the boys into the switching control center. The night crew doesn't buy it either.

Call my boss, Kevin says.

They find one. Kevin asks to talk to her.

"Hi, this is Steve," Kevin says into the phone. "Sorry about this."

The whole time, Kevin's holding the phone tight against his ear, because, boy, is she yelling. Finally, she hangs up, off to call security or worse, the cops. Kevin says goodbye.

"Are you satisfied?" he asks the night crew. Says it with as much arrogance as he can.

The night crew buys it this time.

As soon as the boys are down the hall, they run out of the building and don't stop until their car. Then they watch the building.

Twenty minutes later, the security guard bursts out of the door and jerks his head from side to side, looking around like a cartoon character.

The boys drive off, laughing hard.

"To me, as a kid, I thought it was the greatest thing ever," says Kevin, now 43. "You knew you were doing something wrong, but you didn't think it was something you could go to jail for. It was fun."

Kevin Mitnick, possibly the world's most notorious hacker, made the front page of The New York Times (twice) in the 1990s. He hacked and lied his way into some of the most sensitive telecommunications data in the world. When he spent two years on the run from the FBI, he assumed multiple false identities, complete with fake pasts for himself.

Now that he's out of prison (seven years and counting) and running a security consulting business in Las Vegas, he is asking the world to trust him, because he knows the lying business very well.

Also electronic intrusion and trespassing. For a fee, he's happy to assemble a team of hackers and test your company's security. They'll try to hack into your computers, attempt to persuade your unwitting employees to divulge security information and pose as copy repairmen to get inside your offices. Mitnick particularly enjoys leaving notes under people's keyboards and on their servers. It makes it easier to persuade the client he was there, too.

Oh, and he's also happy to speak at corporate events.

His main message? People are bad at knowing when to trust.

As a child, Mitnick became fascinated with magic tricks - the physical skills involved, definitely, but also the salesmanship required to get people to pay attention to what you want them to and not what you're actually doing, getting them to look at the right hand while the left hand does all the work.

Bouncing from apartment to apartment and school to school as his divorced mother took different waitress jobs in the San Fernando Valley, Mitnick pursued mostly solitary games (though he's quick to add that he was in, and enjoyed, Little League).

He took up ham radio and learned to jam too-loud neighbors' sets, which was as fun as a magic trick. Then he added the telephone system, making other kids' phones ask for a dime whenever they or their parents tried to make a call. Phones led to computers.

By the time he was strolling into phone company buildings at 17, Mitnick had learned the basic skills of a hacker.

As much as or more than his technical skills and persistence, Mitnick relied on brazen manipulation. Sure, he could spend forever breaking into a computer, but why do that when he could just call up and ask for what he wanted?

Most people, most of the time, want to trust. It's easier and it's nicer. All Mitnick had to do was tweak the situation a little so they could do what they wanted to do anyway.

Calling on a Friday afternoon is a good way to start. On Friday afternoons, people are not thinking about company security, they're thinking about how to get you off the phone so they can get on to their weekend.

What you don't want when you're trying to get people to tell you things they shouldn't ("social engineering," in hacker speak) is someone who is thinking about everything you say and analyzing its implications and consequences. No, Mitnick says, you want someone who's distracted and will take mental shortcuts.

Like, "Oh, he knows Bob from accounting, he must work here, too."

Like, "Oh heck, he says the Corporate Vice President for Flying Off the Handle wants this done right away, I'd better do it."

At this point, Mitnick says, many people will do what you ask, especially if it seems easy or trivial enough, like e-mailing a document or looking up a number in the company directory.

(A social engineer might go through several people to get what he wants. In Mitnick's case, this was usually access to a company's network, software code or engineering specifications.)

If you're asking for something bigger, maybe you should start by doing him a favor so you can ask for one later.

Tell him you're from the IT department and say you've heard reports that the e-mail server is acting up. Has he noticed anything? If he has, help him fix it. Even if he hasn't, give him your cell phone number and tell him to call if he has a problem later on. Then go make one - attack the mail server or switch it off, whatever.

When he calls, tell him it happened to everyone and it will take days before you can fix his e-mail. When he gets angry, when he yells - "This is unacceptable!" is common - tell him fine, as a favor, you'll fix his first. You'll just need his user name and password.

It's like a chess game, Mitnick says. Move, reaction, move, reaction. There are oh, so many ways to get people to tell you what they shouldn't.

What companies need to realize, Mitnick says, is that security is a habit, not a policy.

Those pieces of paper about data protection in employee handbooks? Worthless. About as well read as the workers' comp procedures.

What employees need is regular training, a good scare. The kind of scare Mitnick's company can provide, the kind of scare that can hone distrust to a keen edge of - well, it depends.

Too much distrust drives customers away. How much do you need?

Say, a federal agency handling sensitive data. That's an agency that needs a lot of distrust. (Incidentally, Mitnick waives his usual fees for most government agencies and asks only travel money. Better to be in their good graces, he's decided.) Same thing if you're a credit card company, or, heh heh, a phone company.

But say you sell widgets or run a spa. In that case, do a little cost-benefit analysis. How likely are you to be attacked? Maybe you need to think about security only occasionally and ought to give callers a reasonable amount of trust.

Mitnick himself seems to be easing into a little more trust these days. Not too much, though. A couple of years on the run will make you a little cautious.

The hardest part of life is to get people to trust him, Kevin Mitnick.

After all, he spent a few years as a famous hacker, a scourge of corporations, and now he wants companies to hire him.

His sales pitch is two-fold.

One, he says he knows what he did more than a decade ago was unethical and illegal. Now that he is middle-aged and out of prison, though, he's willing to skip the adventure for permission and a paycheck when he hacks.

Two, he won't release his client list, because he knows any company for which he works will become a target for any punk with a keyboard, just because he set up the security.

Plus, the boogeyman business cuts both ways. He can tell at speaking gigs when he asks for audience participation. They don't trust him, but, well, he's famous.

"You can see them saying to themselves, 'He's going to trick me! He's going to do something!' " Mitnick says as he laughs and shakes his hands next to his wide-open eyes. "'Be very scared!' "

And then they do what he asks.
