I was reluctant to write this section because I was sure it would sound selfserving.
Well, okay, it is self-serving. But I've been contacted by literally
hundreds of people who want to know "who is Kevin Mitnick?”. For those who
don't give a damn, please turn to Chapter 2. For everybody else, here, for what
it's worth, is my story.
Kevin Speaks Some hackers destroy people's files or entire bard drives; they're
called crackers or vandals. Some novice hackers don't bother learning the
technology, but simply download hacker tools to break into computer systems;
they're called script kiddies. More experienced hackers with programming skills
develop hacker programs and post them to the Web and to bulletin board
systems. And then there are individuals who have no interest in the technology,
but use the computer merely as a tool to aid them in stealing money, goods, or
services. Despite the media-created myth of Kevin Mitnick, I'm not a malicious
hacker. What I did wasn't even against the law when I began, but became a crime
after new legislation was passed. I continued anyway, and was caught. My
treatment by the federal government was based not on the crimes, but on making
an example of me. I did not deserve to be treated like a terrorist or violent
criminal: Having my residence searched with a blank search warrant; being
thrown into solitary for months; denied the fundamental Constitutional rights
guaranteed to anyone accused of a crime; being denied not only bail but a bail
hearing; and being forced to spend years fighting to obtain the government's
evidence so my court appointed attorney could prepare my defense.
What about my right to a speedy trial? For years I was given a choice every six
months: sign a paper waiving your Constitutional right to a speedy trial or go to
trial with an attorney who is unprepared; I chose to sign. But I'm getting ahead of
my story. Starting Out my path was probably set early in life. I was a happy-golucky
kid, but bored. After my father split when I was three, my mother worked
as a waitress to support us. To see me then an only child being raised by a
mother who put in long, harried days on a sometimes-erratic schedule would have
been to see a youngster on his own almost all his waking hours. I was my own
babysitter. Growing up in a San Fernando Valley community gave me the whole
of Los Angeles to explore, and by the age of twelve I had discovered a way to
travel free throughout the whole greater L.A. area. I realized one day while riding
the bus that the security of the bus transfer I had purchased relied on the unusual
pattern of the paper-punch that the drivers used to mark day, time and route on
the transfer slips. A friendly driver, answering my carefully-planted question, told
me where to buy that special type of punch. The transfers are meant to let you
change buses and continue a journey to your destination, but I worked out how to
use them to travel anywhere I wanted to go for free. Obtaining blank transfers
was a walk in the park: the trash bins at the bus terminals were always filled with
only-partly-used books of transfers that the drivers tossed away at the end of their
shifts. With a pad of blanks and the punch, I could mark my own transfers and
travel anywhere that L.A. buses went. Before long, I had all but memorized the
bus schedules of the entire system. This was an early example of my surprising
memory for certain types of information; still, today I can remember phone
numbers, passwords and other items as far back as my childhood. Another
personal interest that surfaced at an early age was my fascination with performing
magic. Once I learned how a new trick worked, I would practice, practice, and
practice until I mastered it. To an extent, it was through magic that I discovered
the enjoyment in fooling people. From Phone Phreak, to Hacker my first
encounter with what I would eventually learn to call social engineering came
about during my high school years, when I met another student who was caught
up in a hobby called phone phreaking. Phone phreaking is a type of hacking that
allows you to explore the telephone network by exploiting the phone systems and
phone company employees. He showed me neat tricks he could do with a
telephone, like obtaining any information the phone company had on any
customer, and using a secret test number to make long-distances calls for free
actually free only to us--I found out much later that it wasn't a secret test number
at all: the calls were in fact being billed to some poor company's MCI account).
That was my introduction to social engineering-my kindergarten, so to speak. He
and another phone phreaker I met shortly thereafter let me listen in as they each
made pretext calls to the phone company. I heard the things they said that made
them sound believable, I learned about different phone company offices, lingo
and procedures. But that "training" didn't last long; it didn't have to. Soon I was
doing it all on my own, learning as I went, doing it even better than those first
teachers. The course my life would follow for the next fifteen years had been set.
One of my all-time favorite pranks was gaining unauthorized access to the
telephone switch and changing the class of service of a fellow phone phreak.
When he'd attempt to make a call from home, he'd get a message telling him to
deposit a dime, because the telephone company switch received input that
indicated he was calling from a pay phone.
I became absorbed in everything about telephones-not only the electronics,
switches, and computers; but also the corporate organization, the procedures, and
the terminology. After a while, I probably knew more about the phone system
than any single employee.
And, I had developed my social engineering skills to the point that, at seventeen
years old, I was able to talk most Telco employees into almost anything, whether
I was speaking with them in person or by telephone. My hacking career started
when I was in high school. Back then we used the term hacker to mean a person
who spent a great deal of time tinkering with hardware and software, either to
develop more efficient programs or to bypass unnecessary steps and get the job
done more quickly. The term has now become a pejorative, carrying the meaning
of "malicious criminal." In these pages I use the term the way I have always used
it in its earlier, more benign sense. In late 1979, a group of fellow hacker types
who worked for the Los Angeles Unified School District dared me to try hacking
into The Ark, the computer system at Digital Equipment Corporation used for
developing their RSTS/E operating system software. I wanted to be accepted by
the guys in this hacker group so I could pick their brains to learn more about
operating systems. These new "friends" had managed to get their hands on the
dial-up number to the DEC computer system. But they knew the dial-up number
wouldn't do me any good: Without an account name and password, I'd never be
able to get in. They were about to find out that when you underestimate others, it
can come back to bite you in the butt. It turned out that, for me, even at that
young age, hacking into the DEC system was a pushover. Claiming to be Anton
Chernoff, one of the project's lead developers, I placed a simple phone call to the
system manager. I claimed I couldn't log into one of "my" accounts, and was
convincing enough to talk the guy into giving me accessing and allowing me to
select a password of my choice. As an extra level of protection, whenever
anyone dialed into the development system, the user also had to provide a dial-up
password. The system administrator told me the password. It was "buffoon,"
which I guess described what he must have felt like later on, when lie found out
what had happened. In less than five minutes, I had gained access to Digital's
RSTE/E development system. And I wasn't logged on as just as an ordinary user,
but as someone with all the privileges of a system developer. At first my new,
so-called friends refused to believe I had gained access to The Ark. One of them
dialed up the system and shoved the keyboard in front of me with a challenging
look on his face. His mouth dropped open as I matter-of-factly logged into a
privileged account. I found out later that they went off to another location and,
the same day, started downloading source-code components of the DEC
operating system. And then it was my turn to be floored. After they had
downloaded all the software they wanted, they called the corporate security
department at DEC and told them someone had hacked into the company's
corporate network. And they gave my name. My so-called friends first used my
access to copy highly sensitive source code, and then turned me in.
There was a lesson here, but not one I managed to learn easily. Through the years
to come, I would repeatedly get into trouble because I trusted people who I
thought were my friends. After high school I studied computers at the Computer
Learning Center in Los Angeles.
Within a few months, the school's computer manager realized I had found a
vulnerability in the operating system and gained full administrative privileges on
their IBM minicomputer. The best computer experts on their teaching staff
couldn't figure out how I had done this. In what may have been one of the earliest
examples of "hire the hacker," I was given an offer I couldn't refuse: Do an
honors project to enhance the school's computer security, or face suspension for
hacking the system. Of course I chose to do the honors project, and ended up
graduating Cum Laude with Honors. Becoming a Social Engineer some people
get out of bed each morning dreading their daily work routine at the proverbial
salt mines. I've been lucky enough to enjoy my work. In particular you can't
imagine the challenge, reward, and pleasure I had in the time I spent as a private
investigator. I was honing my talents in the performance art called social
engineering-getting people to do things they wouldn't ordinarily do for a strangerand
being paid for it. For me it wasn't difficult becoming proficient in social
engineering. My father's side of the family had been in the sales field for
generations, so the art of influence and persuasion might have been an inherited
trait. When you combine an inclination for deceiving people with the talents of
influence and persuasion you arrive at the profile of a social engineer. You might
say there are two specialties within the job classification of con artist. Somebody
who swindles and cheats people out of their money belongs to one sub-specialty,
the grifter. Somebody who uses deception, influence, and persuasion against
businesses, usually targeting their information, belongs to the other sub-specialty,
the social engineer. From the time of my bus transfer trick, when I was too young
to know there was anything wrong with what I was doing, I had begun to
recognize a talent for finding out the secrets I wasn't supposed to have. I built on
that talent by using deception, knowing the lingo, and developing a well-honed
skill of manipulation.
One way I used to work on developing the skills in my craft (if I may call it a
craft) was to pick out some piece of information I didn't really care about and see
if I could talk somebody on the other end of the phone into providing it, just to
improve my talents. In the same way I used to practice my magic tricks, I
practiced pretexting. Through these rehearsals, I soon found I could acquire
virtually any information I targeted. In Congressional testimony before Senators
Lieberman and Thompson years later, I told them, "I have gained unauthorized
access to computer systems at some of the largest corporations on the planet, and
have successfully penetrated some of the most resilient computer systems ever
developed. I have used both technical and non-technical means to obtain the
source code to various operating systems and telecommunications devices to
study their vulnerabilities and their inner workings." All of this was really to
satisfy my own curiosity, see what I could do, and find out secret information
about operating systems, cell phones, and anything else that stirred my curiosity.
The train of events that would change my life started when I became the subject
of a July 4th, 1994 front-page, above-the-fold story in the New York Times.
Overnight, that one story turned my image from a little known nuisance of a
hacker into Public Enemy Number One of cyberspace. John Markoff, the
Media's grifter
"Combining technical wizardry with the ages-old guile of a grifter, Kevin
Mitnick is a computer programmer run amok." (The New York Times, 7/4/94.)
Combining the ages-old desire to attain undeserved fortune with the power to
publish false and defamatory stories about his subjects on the front page of the
New York Times, John Markoff was truly a technology reporter run amok.
Markoff was to earn himself over $1 million by single-handedly creating what I
label "The Myth of Kevin Mitnick." He became very wealthy through the very
same technique I used to compromise computer systems and networks around the
world: deception. In this case however, the victim of the deception wasn't a
single computer user or system administrator, it was every person who trusted the
news stories published in the pages of the New York Times.Cyberspace's Most
Wanted Markoff's Times article was clearly designed to land a contract for a
book about my life story. I've never met Markoff, and yet he has literally become
a millionaire through his libelous and defamatory "reporting" about me in the
Times and in his 1991 book, Cyberpunk. In his article, he included some dozens
of allegations about me that he stated as fact without citing his sources, and that
even a minimal process of fact-checking (which I thought all first-rate
newspapers required their reporters to do) would have revealed as being untrue or
unproven. In that single false and defamatory article, Markoff labeled me as
"cyberspace's most wanted," and as "one of the nation's most wanted computer
criminals," without justification, reason, or supporting evidence, using no more
discretion than a writer for a supermarket tabloid. In his slanderous article,
Markoff falsely claimed that I had wiretapped the FBI (I hadn't); that I had
broken into the computers at NORAD (which aren't even connected to any
network on the outside); and that I was a computer "vandal," despite the fact that
I had never intentionally damaged any computer I ever accessed. These, among
other outrageous allegations, were completely false and designed to create a
sense of fear about my capabilities. In yet another breach of journalistic ethics,
Markoff failed to disclose in that article and in all of his subsequent articles-a
pre-existing relationship with me, a personal animosity based on my having
refused to participate in the book Cyberpunk In addition, I had cost him a bundle
of potential revenue by refusing to renew an option for a movie based on the
book. Markoff's article was also clearly designed to taunt America's law
enforcement agencies.
"...Law enforcement," Markoff wrote, "cannot seem to catch up with him...." The
article was deliberately framed to cast me as cyberspace's Public Enemy Number
One in order to influence the Department of Justice to elevate the priority of my
case. A few months later, Markoff and his cohort Tsutomu Shimomura would
both participate as de facto government agents in my arrest, in violation of both
federal law and journalistic ethics. Both would be nearby when three blank
warrants were used in an illegal search of my residence, and be present at my
arrest. And, during their investigation of my activities, the two would also violate
federal law by intercepting a personal telephone call of mine. While making me
out to be a villain, Markoff, in a subsequent article, set up Shimomura as the
number one hero of cyberspace. Again he was violating journalistic ethics by not
disclosing a preexisting relationship: this hero in fact had been a personal friend
of Markoff's for years. My first encounter with Markoff had come in the late
eighties when he and his wife Katie Hafner contacted me while they were in the
process of writing Cyberpunk, which was to be the story of three hackers: a
German kid known as Pengo, Robert Morris, and myself.
What would my compensation be for participating? Nothing. I couldn't see the
point of giving them my story if they would profit from it and I wouldn't, so I
refused to help. Markoff gave me an ultimatum: either interview with us or
anything we hear from any source will be accepted as the truth. He was clearly
frustrated and annoyed that I would not cooperate, and was letting me know he
had the means to make me regret it. I chose to stand my ground and would not
cooperate despite his pressure tactics. When published, the book portrayed me as
"The Darkside Hacker." I concluded that the authors had intentionally included
unsupported, false statements in order to get back at me for not cooperating with
them. By making my character appear more sinister and casting me in a false
light, they probably increased the sales of the book. A movie producer phoned
with great news: Hollywood was interested in making a movie about the
Darkside Hacker depicted in Cyberpunk. I pointed out that the story was full of
inaccuracies and untruths about me, but he was still very excited about the
project. I accepted $5,000 for a two-year option, against an additional $45,000 if
they were able to get a production deal and move forward. When the option
expired, the production company asked for a six month extension. By this time I
was gainfully employed, and so had little motivation for seeing a movie produced
that showed me in such an unfavorable and false light. I refused to go along with
the extension. That killed the movie deal for everyone, including Markoff, who
had probably expected to make a great deal of money from the project. Here was
one more reason for John Markoff to be vindictive towards me. Around the time
Cyberpunk was published, Markoff had ongoing email correspondence with his
friend Shimomura. Both of them were strangely interested in my whereabouts
and what I was doing. Surprisingly, one e-mail message contained intelligence
that they had learned I was attending the University of Nevada, Las Vegas, and
had use of the student computer lab. Could it be that Markoff and Shimomura
were interested in doing another book about me? Otherwise, why would they care
what I was up to? Markoff in Pursuit Take a step back to late 1992. I was nearing
the end of my supervised release for compromising Digital Equipment
Corporation's corporate network. Meanwhile I became aware that the government
was trying to put together another case against me, this one for conducting
counter-intelligence to find out why wiretaps had been placed on the phone lines
of a Los Angeles P.II firm. In my digging, I confirmed my suspicion: the Pacific
Bell security people were indeed investigating the firm. So was a computer-crime
deputy from the Los Angeles County Sheriff's Department. (That deputy turns
out to be, co-incidentally, the twin brother of my co-author on this book. Small
world.) About this time, the Feds set up a criminal informant and sent him out to
entrap me. They knew I always tried to keep tabs on any agency investigating
me. So they had this informant befriend me and tip me off that I was being
monitored. He also shared with me the details of a computer system used at
Pacific Bell that would let me do counter-surveillance of their monitoring. When
I discovered his plot, I quickly turned the tables on him and exposed him for
credit-card fraud he was conducting while working for the government in an
informant capacity. I'm sure the Feds appreciated that! My life changed on
Independence Day, 1994 when my pager woke me early in the morning. The
caller said I should immediately pick up a copy of the New York Times. I
couldn't believe it when I saw that Markoff had not only written an article about
me, but the Times had placed it on the front page. The first thought that came to
mind was for my personal safety-now the government would be substantially
increasing their efforts to find me. I was relieved that in an effort to demonize
me, the Times had used a very unbecoming picture. I wasn't fearful of being
recognized they had chosen a picture so out of date that it didn't look anything
like me! As I began to read the article, I realized that Markoff was setting
himself up to write the Kevin Mitnick book, just as he had always wanted. I
simply could not believe the New York Times would risk printing the
egregiously false statements that he had written about me. I felt helpless. Even if
I had been in a position to respond, I certainly would not have an audience equal
to the New York Times s to rebut Markoff's outrageous lies. While I can agree I
had been a pain in the ass, I had never destroyed information, nor used or
disclosed to others any information I had obtained. Actual losses by companies
from my hacking activities amounted to the cost of phone calls I had made at
phone-company expense, the money spent by companies to plug the security
vulnerabilities that my attacks had revealed, and in a few instances possibly
causing companies to reinstall their operating systems and applications for fear I
might have modified software in a way that would allow me future access. Those
companies would have remained vulnerable to far worse damage if my activities
hadn't made them aware of the weak links in their security chain. Though I had
caused some losses, my actions and intent were not malicious ... and then John
Markoff changed the world's perception of the danger I represented. The power
of one unethical reporter from such an influential newspaper to write a false and
defamatory story about anyone should haunt each and every one of us. The next
target might be you.
After my arrest I was transported to the County Jail in Smithfield, North
Carolina, where the U.S. Marshals Service ordered jailers to place me into `the
hole'-solitary confinement. Within a week, federal prosecutors and my attorney
reached an agreement that I couldn't refuse. I could be moved out of solitary on
the condition that I waived my fundamental rights and agreed to: a) no bail
hearing; b) no preliminary hearing; and, c) no phone calls, except to my attorney
and two family members. Sign, and I could get out of solitary. I signed.The
federal prosecutors in the case played every dirty trick in the book up until I was
released nearly five years later. I was repeatedly forced to waive my rights in
order to be treated like any other accused. But this was the Kevin Mitnick case:
There were no rules. No requirement to respect the Constitutional rights of the
accused. My case was not about justice, but about the government's
determination to win at all costs. The prosecutors had made vastly overblown
claims to the court about the damage I had caused and the threat I represented,
and the media had gone to town quoting the sensationalist statements; now it was
too late for the prosecutors to back down. The government could not afford to
lose the Mitnick case. The world was watching.
I believe that the courts bought into the fear generated by media coverage, since
many of the more ethical journalists had picked up the "facts" from the esteemed
New York Times and repeated them. The media-generated myth apparently even
scared law enforcement officials. A confidential document obtained by my
attorney showed that the U.S. Marshals Service had issued a warning to all law
enforcement agents never to reveal any personal information to me; otherwise,
they might find their lives electronically destroyed. Our Constitution requires
that the accused be presumed innocent before trial, thus granting all citizens the
right to a bail hearing, where the accused has the opportunity to be represented by
counsel, present evidence, and cross-examine witnesses. Unbelievably, the
government had been able to circumvent these protections based on the false
hysteria generated by irresponsible reporters like John Markoff. Without
precedent, I was held as a pre-trial detainee-a person in custody pending trial or
sentencing-for over four and a half years. The judge's refusal to grant me a bail
hearing was litigated all the way to the U.S. Supreme Court. In the end, my
defense team advised me that I had set another precedent: I was the only federal
detainee in U.S. history denied a bail hearing. This meant the government never
had to meet the burden of proving that there were no conditions of release that
would reasonably assure my appearance in court. At least in this case, federal
prosecutors did not dare to allege that I could start a nuclear war by whistling into
a payphone, as other federal prosecutors had done in an earlier case. The most
serious charges against me were that I had copied proprietary source code for
various cellular phone handsets and popular operating systems. Yet the
prosecutors alleged publicly and to the court that I had caused collective losses
exceeding $300 million to several companies. The details of the loss amounts are
still under seal with the court, supposedly to protect the companies involved; my
defense team, though, believes the prosecution's request to seal the information
was initiated to cover up their gross malfeasance in my case. It's also worth
noting that none of the victims in my case had reported any losses to the
Securities and Exchange Commission as required by law. Either several
multinational companies violated Federal law-in the process deceiving the SEC,
stockholders, and analysts--or the losses attributable to my hacking were, in fact,
too trivial to be reported. In his book he Fugitive Game, Jonathan Li wan reports
that within a week of the New York Times front-page story, Markoff's agent had
"brokered a package deal" with the publisher Walt Disney Hyperion for a book
about the campaign to track me down. The advance was to be an estimated
$750,000. According to Littman, there was to be a Hollywood movie, as well,
with Miramax handing over $200,000 for the option and "a total $650,000 to be
paid upon commencement of filming." A confidential source has recently
informed me that Markoff's deal was in fact much more than Littman had
originally thought. So John Markoff got a million dollars, more or less, and I got
five years. One book that examines the legal aspects of my case was written by a
man who had himself been a prosecutor in the Los Angeles District Attorney's
office, a colleague of the attorneys who prosecuted me. In his book Spectacular
Computer Crimes, Buck Bloombecker wrote, "It grieves me to have to write
about my former colleagues in less than flattering terms.... I'm haunted by
Assistant United States Attorney James Asperger's admission that much of the
argument used to keep Mitnick behind bars was based on rumors which didn't
pan out." He goes on to say, "It was bad enough that the charges prosecutors
made in court were spread to millions of readers by newspapers around the
country. But it is much worse that these untrue allegations were a large part of the
basis for keeping Mitnick behind bars without the possibility of posting bail?" He
continues at some length, writing about the ethical standards that prosecutors
should live by, and then writes, "Mitnick's case suggests that the false allegations
used to keep him in custody also prejudiced the court's consideration of a fair
sentence." In his 1999 Forbes article, Adam L. Penenberg eloquently described
my situation this way: "Mitnick's crimes were curiously innocuous. He broke into
corporate computers, but no evidence indicates that he destroyed data. Or sold
anything he copied. Yes, he pilfered software but in doing so left it behind." The
article said that my crime was "To thumb his nose at the costly computer security
systems employed by large corporations." And in the book The Fugitive Game,
author Jonathan Littman noted, "Greed the government could understand. But a
hacker who wielded power for its own sake ... was something they couldn't
grasp." Elsewhere in the same book, Littman wrote: U.S. Attorney James
Sanders admitted to Judge Pfaelzer that Mitnick's damage to DEC was not the $4
million that had made the headlines but $160,000. Even that amount was not
damage done by Mitnick, but the rough cost of tracing the security weakness that
his incursions had brought to DEC's attention. The government acknowledged it
had no evidence of the wild claims that had helped hold Mitnick without bail and
in solitary confinement. No proof Mitnick had ever compromised the security of
the NSA. No proof that Mitnick had ever issued a false press release for Security
Pacific Bank. No proof that Mitnick ever changed the TRW credit report of a
judge. But the judge, perhaps influenced by the terrifying media coverage,
rejected the plea bargain and sentenced Mitnick to a longer term then even the
government wanted. Throughout the years spent as a hacker hobbyist, I've
gained unwanted notoriety, been written up in numerous news reports and
magazine articles, and had four books written about me. Markoff and
Shimomura's libelous book was made into a feature film called Takedown. When
the script found its way onto the Internet, many of my supporters picketed
Miramax Films to call public attention to the inaccurate and false characterization
of me. Without the help of many kind and generous people, the motion picture
would surely have falsely portrayed me as the Hannibal Lector of cyberspace.
Pressured by my supporters, the production company agreed to settle the case on
confidential terms to avoid me filing a libel action against them.
Final Thoughts
Despite John Markoff's outrageous and libelous descriptions of me, my
crimes were simple crimes of computer trespass and making free telephone calls.
I've acknowledged since my arrest that the actions I took were illegal, and that I
committed invasions of privacy. But to suggest, without justification, reason, or
proof, as did the Markoff articles, that I had deprived others of their money or
property by computer or wire fraud, is simply untrue, and unsupported by the
evidence. My misdeeds were motivated by curiosity: I wanted to know as much
as I could about how phone networks worked, and the ins and outs of computer
security. I went from being a kid who loved to perform magic tricks to becoming
the world's most notorious hacker, feared by corporations and the government.
As I reflect back on my life for the last thirty years, I admit I made some
extremely poor decisions, driven by my curiosity, the desire to learn about
technology, and a good intellectual challenge. I'm a changed person now. I'm
turning my talents and the extensive knowledge I've gathered about information
security and social engineering tactics to helping government, businesses and
individuals prevent, detect, and respond to information security threats. This
book is one more way that I can use my experience to help others avoid the
efforts of the malicious information thieves of the world. I think you will find the
stories enjoyable, eye-opening and educational.
Well, okay, it is self-serving. But I've been contacted by literally
hundreds of people who want to know "who is Kevin Mitnick?”. For those who
don't give a damn, please turn to Chapter 2. For everybody else, here, for what
it's worth, is my story.
Kevin Speaks Some hackers destroy people's files or entire bard drives; they're
called crackers or vandals. Some novice hackers don't bother learning the
technology, but simply download hacker tools to break into computer systems;
they're called script kiddies. More experienced hackers with programming skills
develop hacker programs and post them to the Web and to bulletin board
systems. And then there are individuals who have no interest in the technology,
but use the computer merely as a tool to aid them in stealing money, goods, or
services. Despite the media-created myth of Kevin Mitnick, I'm not a malicious
hacker. What I did wasn't even against the law when I began, but became a crime
after new legislation was passed. I continued anyway, and was caught. My
treatment by the federal government was based not on the crimes, but on making
an example of me. I did not deserve to be treated like a terrorist or violent
criminal: Having my residence searched with a blank search warrant; being
thrown into solitary for months; denied the fundamental Constitutional rights
guaranteed to anyone accused of a crime; being denied not only bail but a bail
hearing; and being forced to spend years fighting to obtain the government's
evidence so my court appointed attorney could prepare my defense.
What about my right to a speedy trial? For years I was given a choice every six
months: sign a paper waiving your Constitutional right to a speedy trial or go to
trial with an attorney who is unprepared; I chose to sign. But I'm getting ahead of
my story. Starting Out my path was probably set early in life. I was a happy-golucky
kid, but bored. After my father split when I was three, my mother worked
as a waitress to support us. To see me then an only child being raised by a
mother who put in long, harried days on a sometimes-erratic schedule would have
been to see a youngster on his own almost all his waking hours. I was my own
babysitter. Growing up in a San Fernando Valley community gave me the whole
of Los Angeles to explore, and by the age of twelve I had discovered a way to
travel free throughout the whole greater L.A. area. I realized one day while riding
the bus that the security of the bus transfer I had purchased relied on the unusual
pattern of the paper-punch that the drivers used to mark day, time and route on
the transfer slips. A friendly driver, answering my carefully-planted question, told
me where to buy that special type of punch. The transfers are meant to let you
change buses and continue a journey to your destination, but I worked out how to
use them to travel anywhere I wanted to go for free. Obtaining blank transfers
was a walk in the park: the trash bins at the bus terminals were always filled with
only-partly-used books of transfers that the drivers tossed away at the end of their
shifts. With a pad of blanks and the punch, I could mark my own transfers and
travel anywhere that L.A. buses went. Before long, I had all but memorized the
bus schedules of the entire system. This was an early example of my surprising
memory for certain types of information; still, today I can remember phone
numbers, passwords and other items as far back as my childhood. Another
personal interest that surfaced at an early age was my fascination with performing
magic. Once I learned how a new trick worked, I would practice, practice, and
practice until I mastered it. To an extent, it was through magic that I discovered
the enjoyment in fooling people. From Phone Phreak, to Hacker my first
encounter with what I would eventually learn to call social engineering came
about during my high school years, when I met another student who was caught
up in a hobby called phone phreaking. Phone phreaking is a type of hacking that
allows you to explore the telephone network by exploiting the phone systems and
phone company employees. He showed me neat tricks he could do with a
telephone, like obtaining any information the phone company had on any
customer, and using a secret test number to make long-distances calls for free
actually free only to us--I found out much later that it wasn't a secret test number
at all: the calls were in fact being billed to some poor company's MCI account).
That was my introduction to social engineering-my kindergarten, so to speak. He
and another phone phreaker I met shortly thereafter let me listen in as they each
made pretext calls to the phone company. I heard the things they said that made
them sound believable, I learned about different phone company offices, lingo
and procedures. But that "training" didn't last long; it didn't have to. Soon I was
doing it all on my own, learning as I went, doing it even better than those first
teachers. The course my life would follow for the next fifteen years had been set.
One of my all-time favorite pranks was gaining unauthorized access to the
telephone switch and changing the class of service of a fellow phone phreak.
When he'd attempt to make a call from home, he'd get a message telling him to
deposit a dime, because the telephone company switch received input that
indicated he was calling from a pay phone.
I became absorbed in everything about telephones-not only the electronics,
switches, and computers; but also the corporate organization, the procedures, and
the terminology. After a while, I probably knew more about the phone system
than any single employee.
And, I had developed my social engineering skills to the point that, at seventeen
years old, I was able to talk most Telco employees into almost anything, whether
I was speaking with them in person or by telephone. My hacking career started
when I was in high school. Back then we used the term hacker to mean a person
who spent a great deal of time tinkering with hardware and software, either to
develop more efficient programs or to bypass unnecessary steps and get the job
done more quickly. The term has now become a pejorative, carrying the meaning
of "malicious criminal." In these pages I use the term the way I have always used
it in its earlier, more benign sense. In late 1979, a group of fellow hacker types
who worked for the Los Angeles Unified School District dared me to try hacking
into The Ark, the computer system at Digital Equipment Corporation used for
developing their RSTS/E operating system software. I wanted to be accepted by
the guys in this hacker group so I could pick their brains to learn more about
operating systems. These new "friends" had managed to get their hands on the
dial-up number to the DEC computer system. But they knew the dial-up number
wouldn't do me any good: Without an account name and password, I'd never be
able to get in. They were about to find out that when you underestimate others, it
can come back to bite you in the butt. It turned out that, for me, even at that
young age, hacking into the DEC system was a pushover. Claiming to be Anton
Chernoff, one of the project's lead developers, I placed a simple phone call to the
system manager. I claimed I couldn't log into one of "my" accounts, and was
convincing enough to talk the guy into giving me accessing and allowing me to
select a password of my choice. As an extra level of protection, whenever
anyone dialed into the development system, the user also had to provide a dial-up
password. The system administrator told me the password. It was "buffoon,"
which I guess described what he must have felt like later on, when lie found out
what had happened. In less than five minutes, I had gained access to Digital's
RSTE/E development system. And I wasn't logged on as just as an ordinary user,
but as someone with all the privileges of a system developer. At first my new,
so-called friends refused to believe I had gained access to The Ark. One of them
dialed up the system and shoved the keyboard in front of me with a challenging
look on his face. His mouth dropped open as I matter-of-factly logged into a
privileged account. I found out later that they went off to another location and,
the same day, started downloading source-code components of the DEC
operating system. And then it was my turn to be floored. After they had
downloaded all the software they wanted, they called the corporate security
department at DEC and told them someone had hacked into the company's
corporate network. And they gave my name. My so-called friends first used my
access to copy highly sensitive source code, and then turned me in.
There was a lesson here, but not one I managed to learn easily. Through the years
to come, I would repeatedly get into trouble because I trusted people who I
thought were my friends. After high school I studied computers at the Computer
Learning Center in Los Angeles.
Within a few months, the school's computer manager realized I had found a
vulnerability in the operating system and gained full administrative privileges on
their IBM minicomputer. The best computer experts on their teaching staff
couldn't figure out how I had done this. In what may have been one of the earliest
examples of "hire the hacker," I was given an offer I couldn't refuse: Do an
honors project to enhance the school's computer security, or face suspension for
hacking the system. Of course I chose to do the honors project, and ended up
graduating Cum Laude with Honors. Becoming a Social Engineer some people
get out of bed each morning dreading their daily work routine at the proverbial
salt mines. I've been lucky enough to enjoy my work. In particular you can't
imagine the challenge, reward, and pleasure I had in the time I spent as a private
investigator. I was honing my talents in the performance art called social
engineering-getting people to do things they wouldn't ordinarily do for a strangerand
being paid for it. For me it wasn't difficult becoming proficient in social
engineering. My father's side of the family had been in the sales field for
generations, so the art of influence and persuasion might have been an inherited
trait. When you combine an inclination for deceiving people with the talents of
influence and persuasion you arrive at the profile of a social engineer. You might
say there are two specialties within the job classification of con artist. Somebody
who swindles and cheats people out of their money belongs to one sub-specialty,
the grifter. Somebody who uses deception, influence, and persuasion against
businesses, usually targeting their information, belongs to the other sub-specialty,
the social engineer. From the time of my bus transfer trick, when I was too young
to know there was anything wrong with what I was doing, I had begun to
recognize a talent for finding out the secrets I wasn't supposed to have. I built on
that talent by using deception, knowing the lingo, and developing a well-honed
skill of manipulation.
One way I used to work on developing the skills in my craft (if I may call it a
craft) was to pick out some piece of information I didn't really care about and see
if I could talk somebody on the other end of the phone into providing it, just to
improve my talents. In the same way I used to practice my magic tricks, I
practiced pretexting. Through these rehearsals, I soon found I could acquire
virtually any information I targeted. In Congressional testimony before Senators
Lieberman and Thompson years later, I told them, "I have gained unauthorized
access to computer systems at some of the largest corporations on the planet, and
have successfully penetrated some of the most resilient computer systems ever
developed. I have used both technical and non-technical means to obtain the
source code to various operating systems and telecommunications devices to
study their vulnerabilities and their inner workings." All of this was really to
satisfy my own curiosity, see what I could do, and find out secret information
about operating systems, cell phones, and anything else that stirred my curiosity.
The train of events that would change my life started when I became the subject
of a July 4th, 1994 front-page, above-the-fold story in the New York Times.
Overnight, that one story turned my image from a little known nuisance of a
hacker into Public Enemy Number One of cyberspace. John Markoff, the
Media's grifter
"Combining technical wizardry with the ages-old guile of a grifter, Kevin
Mitnick is a computer programmer run amok." (The New York Times, 7/4/94.)
Combining the ages-old desire to attain undeserved fortune with the power to
publish false and defamatory stories about his subjects on the front page of the
New York Times, John Markoff was truly a technology reporter run amok.
Markoff was to earn himself over $1 million by single-handedly creating what I
label "The Myth of Kevin Mitnick." He became very wealthy through the very
same technique I used to compromise computer systems and networks around the
world: deception. In this case however, the victim of the deception wasn't a
single computer user or system administrator, it was every person who trusted the
news stories published in the pages of the New York Times.Cyberspace's Most
Wanted Markoff's Times article was clearly designed to land a contract for a
book about my life story. I've never met Markoff, and yet he has literally become
a millionaire through his libelous and defamatory "reporting" about me in the
Times and in his 1991 book, Cyberpunk. In his article, he included some dozens
of allegations about me that he stated as fact without citing his sources, and that
even a minimal process of fact-checking (which I thought all first-rate
newspapers required their reporters to do) would have revealed as being untrue or
unproven. In that single false and defamatory article, Markoff labeled me as
"cyberspace's most wanted," and as "one of the nation's most wanted computer
criminals," without justification, reason, or supporting evidence, using no more
discretion than a writer for a supermarket tabloid. In his slanderous article,
Markoff falsely claimed that I had wiretapped the FBI (I hadn't); that I had
broken into the computers at NORAD (which aren't even connected to any
network on the outside); and that I was a computer "vandal," despite the fact that
I had never intentionally damaged any computer I ever accessed. These, among
other outrageous allegations, were completely false and designed to create a
sense of fear about my capabilities. In yet another breach of journalistic ethics,
Markoff failed to disclose in that article and in all of his subsequent articles-a
pre-existing relationship with me, a personal animosity based on my having
refused to participate in the book Cyberpunk In addition, I had cost him a bundle
of potential revenue by refusing to renew an option for a movie based on the
book. Markoff's article was also clearly designed to taunt America's law
enforcement agencies.
"...Law enforcement," Markoff wrote, "cannot seem to catch up with him...." The
article was deliberately framed to cast me as cyberspace's Public Enemy Number
One in order to influence the Department of Justice to elevate the priority of my
case. A few months later, Markoff and his cohort Tsutomu Shimomura would
both participate as de facto government agents in my arrest, in violation of both
federal law and journalistic ethics. Both would be nearby when three blank
warrants were used in an illegal search of my residence, and be present at my
arrest. And, during their investigation of my activities, the two would also violate
federal law by intercepting a personal telephone call of mine. While making me
out to be a villain, Markoff, in a subsequent article, set up Shimomura as the
number one hero of cyberspace. Again he was violating journalistic ethics by not
disclosing a preexisting relationship: this hero in fact had been a personal friend
of Markoff's for years. My first encounter with Markoff had come in the late
eighties when he and his wife Katie Hafner contacted me while they were in the
process of writing Cyberpunk, which was to be the story of three hackers: a
German kid known as Pengo, Robert Morris, and myself.
What would my compensation be for participating? Nothing. I couldn't see the
point of giving them my story if they would profit from it and I wouldn't, so I
refused to help. Markoff gave me an ultimatum: either interview with us or
anything we hear from any source will be accepted as the truth. He was clearly
frustrated and annoyed that I would not cooperate, and was letting me know he
had the means to make me regret it. I chose to stand my ground and would not
cooperate despite his pressure tactics. When published, the book portrayed me as
"The Darkside Hacker." I concluded that the authors had intentionally included
unsupported, false statements in order to get back at me for not cooperating with
them. By making my character appear more sinister and casting me in a false
light, they probably increased the sales of the book. A movie producer phoned
with great news: Hollywood was interested in making a movie about the
Darkside Hacker depicted in Cyberpunk. I pointed out that the story was full of
inaccuracies and untruths about me, but he was still very excited about the
project. I accepted $5,000 for a two-year option, against an additional $45,000 if
they were able to get a production deal and move forward. When the option
expired, the production company asked for a six month extension. By this time I
was gainfully employed, and so had little motivation for seeing a movie produced
that showed me in such an unfavorable and false light. I refused to go along with
the extension. That killed the movie deal for everyone, including Markoff, who
had probably expected to make a great deal of money from the project. Here was
one more reason for John Markoff to be vindictive towards me. Around the time
Cyberpunk was published, Markoff had ongoing email correspondence with his
friend Shimomura. Both of them were strangely interested in my whereabouts
and what I was doing. Surprisingly, one e-mail message contained intelligence
that they had learned I was attending the University of Nevada, Las Vegas, and
had use of the student computer lab. Could it be that Markoff and Shimomura
were interested in doing another book about me? Otherwise, why would they care
what I was up to? Markoff in Pursuit Take a step back to late 1992. I was nearing
the end of my supervised release for compromising Digital Equipment
Corporation's corporate network. Meanwhile I became aware that the government
was trying to put together another case against me, this one for conducting
counter-intelligence to find out why wiretaps had been placed on the phone lines
of a Los Angeles P.II firm. In my digging, I confirmed my suspicion: the Pacific
Bell security people were indeed investigating the firm. So was a computer-crime
deputy from the Los Angeles County Sheriff's Department. (That deputy turns
out to be, co-incidentally, the twin brother of my co-author on this book. Small
world.) About this time, the Feds set up a criminal informant and sent him out to
entrap me. They knew I always tried to keep tabs on any agency investigating
me. So they had this informant befriend me and tip me off that I was being
monitored. He also shared with me the details of a computer system used at
Pacific Bell that would let me do counter-surveillance of their monitoring. When
I discovered his plot, I quickly turned the tables on him and exposed him for
credit-card fraud he was conducting while working for the government in an
informant capacity. I'm sure the Feds appreciated that! My life changed on
Independence Day, 1994 when my pager woke me early in the morning. The
caller said I should immediately pick up a copy of the New York Times. I
couldn't believe it when I saw that Markoff had not only written an article about
me, but the Times had placed it on the front page. The first thought that came to
mind was for my personal safety-now the government would be substantially
increasing their efforts to find me. I was relieved that in an effort to demonize
me, the Times had used a very unbecoming picture. I wasn't fearful of being
recognized they had chosen a picture so out of date that it didn't look anything
like me! As I began to read the article, I realized that Markoff was setting
himself up to write the Kevin Mitnick book, just as he had always wanted. I
simply could not believe the New York Times would risk printing the
egregiously false statements that he had written about me. I felt helpless. Even if
I had been in a position to respond, I certainly would not have an audience equal
to the New York Times s to rebut Markoff's outrageous lies. While I can agree I
had been a pain in the ass, I had never destroyed information, nor used or
disclosed to others any information I had obtained. Actual losses by companies
from my hacking activities amounted to the cost of phone calls I had made at
phone-company expense, the money spent by companies to plug the security
vulnerabilities that my attacks had revealed, and in a few instances possibly
causing companies to reinstall their operating systems and applications for fear I
might have modified software in a way that would allow me future access. Those
companies would have remained vulnerable to far worse damage if my activities
hadn't made them aware of the weak links in their security chain. Though I had
caused some losses, my actions and intent were not malicious ... and then John
Markoff changed the world's perception of the danger I represented. The power
of one unethical reporter from such an influential newspaper to write a false and
defamatory story about anyone should haunt each and every one of us. The next
target might be you.
After my arrest I was transported to the County Jail in Smithfield, North
Carolina, where the U.S. Marshals Service ordered jailers to place me into `the
hole'-solitary confinement. Within a week, federal prosecutors and my attorney
reached an agreement that I couldn't refuse. I could be moved out of solitary on
the condition that I waived my fundamental rights and agreed to: a) no bail
hearing; b) no preliminary hearing; and, c) no phone calls, except to my attorney
and two family members. Sign, and I could get out of solitary. I signed.The
federal prosecutors in the case played every dirty trick in the book up until I was
released nearly five years later. I was repeatedly forced to waive my rights in
order to be treated like any other accused. But this was the Kevin Mitnick case:
There were no rules. No requirement to respect the Constitutional rights of the
accused. My case was not about justice, but about the government's
determination to win at all costs. The prosecutors had made vastly overblown
claims to the court about the damage I had caused and the threat I represented,
and the media had gone to town quoting the sensationalist statements; now it was
too late for the prosecutors to back down. The government could not afford to
lose the Mitnick case. The world was watching.
I believe that the courts bought into the fear generated by media coverage, since
many of the more ethical journalists had picked up the "facts" from the esteemed
New York Times and repeated them. The media-generated myth apparently even
scared law enforcement officials. A confidential document obtained by my
attorney showed that the U.S. Marshals Service had issued a warning to all law
enforcement agents never to reveal any personal information to me; otherwise,
they might find their lives electronically destroyed. Our Constitution requires
that the accused be presumed innocent before trial, thus granting all citizens the
right to a bail hearing, where the accused has the opportunity to be represented by
counsel, present evidence, and cross-examine witnesses. Unbelievably, the
government had been able to circumvent these protections based on the false
hysteria generated by irresponsible reporters like John Markoff. Without
precedent, I was held as a pre-trial detainee-a person in custody pending trial or
sentencing-for over four and a half years. The judge's refusal to grant me a bail
hearing was litigated all the way to the U.S. Supreme Court. In the end, my
defense team advised me that I had set another precedent: I was the only federal
detainee in U.S. history denied a bail hearing. This meant the government never
had to meet the burden of proving that there were no conditions of release that
would reasonably assure my appearance in court. At least in this case, federal
prosecutors did not dare to allege that I could start a nuclear war by whistling into
a payphone, as other federal prosecutors had done in an earlier case. The most
serious charges against me were that I had copied proprietary source code for
various cellular phone handsets and popular operating systems. Yet the
prosecutors alleged publicly and to the court that I had caused collective losses
exceeding $300 million to several companies. The details of the loss amounts are
still under seal with the court, supposedly to protect the companies involved; my
defense team, though, believes the prosecution's request to seal the information
was initiated to cover up their gross malfeasance in my case. It's also worth
noting that none of the victims in my case had reported any losses to the
Securities and Exchange Commission as required by law. Either several
multinational companies violated Federal law-in the process deceiving the SEC,
stockholders, and analysts--or the losses attributable to my hacking were, in fact,
too trivial to be reported. In his book he Fugitive Game, Jonathan Li wan reports
that within a week of the New York Times front-page story, Markoff's agent had
"brokered a package deal" with the publisher Walt Disney Hyperion for a book
about the campaign to track me down. The advance was to be an estimated
$750,000. According to Littman, there was to be a Hollywood movie, as well,
with Miramax handing over $200,000 for the option and "a total $650,000 to be
paid upon commencement of filming." A confidential source has recently
informed me that Markoff's deal was in fact much more than Littman had
originally thought. So John Markoff got a million dollars, more or less, and I got
five years. One book that examines the legal aspects of my case was written by a
man who had himself been a prosecutor in the Los Angeles District Attorney's
office, a colleague of the attorneys who prosecuted me. In his book Spectacular
Computer Crimes, Buck Bloombecker wrote, "It grieves me to have to write
about my former colleagues in less than flattering terms.... I'm haunted by
Assistant United States Attorney James Asperger's admission that much of the
argument used to keep Mitnick behind bars was based on rumors which didn't
pan out." He goes on to say, "It was bad enough that the charges prosecutors
made in court were spread to millions of readers by newspapers around the
country. But it is much worse that these untrue allegations were a large part of the
basis for keeping Mitnick behind bars without the possibility of posting bail?" He
continues at some length, writing about the ethical standards that prosecutors
should live by, and then writes, "Mitnick's case suggests that the false allegations
used to keep him in custody also prejudiced the court's consideration of a fair
sentence." In his 1999 Forbes article, Adam L. Penenberg eloquently described
my situation this way: "Mitnick's crimes were curiously innocuous. He broke into
corporate computers, but no evidence indicates that he destroyed data. Or sold
anything he copied. Yes, he pilfered software but in doing so left it behind." The
article said that my crime was "To thumb his nose at the costly computer security
systems employed by large corporations." And in the book The Fugitive Game,
author Jonathan Littman noted, "Greed the government could understand. But a
hacker who wielded power for its own sake ... was something they couldn't
grasp." Elsewhere in the same book, Littman wrote: U.S. Attorney James
Sanders admitted to Judge Pfaelzer that Mitnick's damage to DEC was not the $4
million that had made the headlines but $160,000. Even that amount was not
damage done by Mitnick, but the rough cost of tracing the security weakness that
his incursions had brought to DEC's attention. The government acknowledged it
had no evidence of the wild claims that had helped hold Mitnick without bail and
in solitary confinement. No proof Mitnick had ever compromised the security of
the NSA. No proof that Mitnick had ever issued a false press release for Security
Pacific Bank. No proof that Mitnick ever changed the TRW credit report of a
judge. But the judge, perhaps influenced by the terrifying media coverage,
rejected the plea bargain and sentenced Mitnick to a longer term then even the
government wanted. Throughout the years spent as a hacker hobbyist, I've
gained unwanted notoriety, been written up in numerous news reports and
magazine articles, and had four books written about me. Markoff and
Shimomura's libelous book was made into a feature film called Takedown. When
the script found its way onto the Internet, many of my supporters picketed
Miramax Films to call public attention to the inaccurate and false characterization
of me. Without the help of many kind and generous people, the motion picture
would surely have falsely portrayed me as the Hannibal Lector of cyberspace.
Pressured by my supporters, the production company agreed to settle the case on
confidential terms to avoid me filing a libel action against them.
Final Thoughts
Despite John Markoff's outrageous and libelous descriptions of me, my
crimes were simple crimes of computer trespass and making free telephone calls.
I've acknowledged since my arrest that the actions I took were illegal, and that I
committed invasions of privacy. But to suggest, without justification, reason, or
proof, as did the Markoff articles, that I had deprived others of their money or
property by computer or wire fraud, is simply untrue, and unsupported by the
evidence. My misdeeds were motivated by curiosity: I wanted to know as much
as I could about how phone networks worked, and the ins and outs of computer
security. I went from being a kid who loved to perform magic tricks to becoming
the world's most notorious hacker, feared by corporations and the government.
As I reflect back on my life for the last thirty years, I admit I made some
extremely poor decisions, driven by my curiosity, the desire to learn about
technology, and a good intellectual challenge. I'm a changed person now. I'm
turning my talents and the extensive knowledge I've gathered about information
security and social engineering tactics to helping government, businesses and
individuals prevent, detect, and respond to information security threats. This
book is one more way that I can use my experience to help others avoid the
efforts of the malicious information thieves of the world. I think you will find the
stories enjoyable, eye-opening and educational.
No comments:
Post a Comment