How Shimomura snared Kevin Mitnick

By John Markoff 28 Feb 95 Copyright © 1995, The New York Times

It takes a computer hacker to catch one. If, as United States federal authorities contend, 31-year-old computer outlaw Kevin Mitnick is the person behind a spate of break-ins to dozens of corporate, university and personal computers on the Internet, his biggest mistake was raising the interest and ire of Tsutomu Shimomura.

Shimomura, 30, is a physicist with a reputation as a brilliant cyber-sleuth in the tightly knit community of programmers and engineers who defend the country's computer networks.

It was Shimomura who raised the alarm in the Internet world after someone used sophisticated hacking techniques on Christmas day to remotely break into the computers he keeps in his beach cottage near San Diego and steal thousands of his files.

Almost from the moment Shimomura discovered the intrusion, he made it his business to use his own considerable hacking skills to aid the FBI's inquiry into the crime spree.

He set up monitoring posts, and used software of his own design to track the intruder prowling the Internet. Shimomura's monitoring efforts enabled investigators to watch as the intruder commandeered telephone company switching centres, stole computer files from Motorola, Apple Computer and other companies and copied 20,000 credit-card account numbers from a commercial computer network.

It was Shimomura who concluded that the intruder was probably Mitnick, whose whereabouts had been unknown since November 1992, and that he was operating from a cellular telephone network in Raleigh, North Carolina.

On a recent Sunday morning, Shimomura took a flight from San Jose to Raleigh-Durham International Airport. By 3am the next day, he had helped local telephone company technicians and federal investigators use cellular-frequency scanners to pinpoint Mitnick's location: a 12- unit apartment building in the Raleigh suburb of Duraleigh Hills.

Over the next 48 hours, as the FBI sent in a surveillance team, obtained warrants and prepared for an arrest, cellular telephone technicians from Sprint Corporation monitored the electronic activities of the man they believed to be Mitnick.

Last Christmas day, Tsutomu Shimomura was in San Francisco, preparing for a holiday in the Sierra Nevadas.

Before he could leave, he received a telephone call from colleagues at the San Diego Supercomputer Centre someone had broken into his home computer, which was connected to the centre's computer network.

Shimomura returned to his beach cottage at Solana Beach, California, where he found that hundreds of software programs and files had been taken electronically from his powerful work station.

This was no random ransacking: the information would be useful to anyone interested in breaching the security of computer networks or cellular phone systems.

The Christmas attack exploited a flaw in the Internet's design by fooling a target computer into believing that a message was coming from a trusted source.

By masquerading as a familiar computer, an attacker can gain access to protected computer resources and seize control of an otherwise well-defended system. In this case, the attack began from a commandeered computer at Loyola University, Chicago.

Although the vandal was deft enough to gain control of Shimomura's computers, he, she or they made an error. One of Shimomura's machines routinely mailed a copy of several record-keeping files to a safe computer elsewhere on the network a fact that the intruder did not notice.

That led to an automatic warning to employees of the supercomputer centre that an attack was under way. This allowed staff to throw the burglar off the system and it later allowed Shimomura to reconstruct the attack.

In computer-security circles, Shimomura is a respected voice. Over the years, software security tools that he designed have made him a consultant not only to corporations, but also to the FBI, the Air Force and the National Security Agency.

The first significant break in the case came on 28 January, after Bruce Koball, a computer programmer in Berkeley, California, read a newspaper account detailing the attack on Shimomura's computer.

The day before, Koball had received a puzzling message from the managers of a commercial online service called the Well. Koball is an organiser for a public-policy group called Computers, Freedom and Privacy, and the Well officials told him that the group's directory of network files was taking up millions of bytes of storage space, far more than the group was authorised to use.

That struck him as odd, because the group had made only minimal use of the Well. But as he checked the group's directory on the Well, he realised that someone had broken in and filled it with Shimomuru's stolen files.

Well officials eventually called in Shimomura, who recruited a colleague from the supercomputer centre and an independent computer consultant.

Hidden in a back room at the Well's headquarters, the three experts set up a temporary headquarters, attaching three laptop computers to the Well's internal computer network.

The team had an immediate advantage: it could watch the intruder unnoticed.

Although the identity of the attacker was unknown, within days a profile emerged that seemed increasingly to fit a well-known computer outlaw: Kevin Mitnick, who had been convicted in 1989 of stealing software from Digital Equipment Corporation.

Among the programs found at the Well and at hiding places elsewhere on the Internet was the software that controls the operations of cellular telephones made by Motorola, NEC, Nokia, Novatel, Oki, Qualcomm and others. That would be consistent with the kind of information of interest to Mitnick, who had first made his reputation by hacking into telephone networks.

The burglar operated with Mitnick's trademark derring-do. One night, as the investigators watched electronically, the intruder broke into the computer designed to protect Motorola's internal network from outside attack.

But one brazen act helped the investigators. Shimomura's team discovered that someone had obtained a copy of the credit-card numbers for 20,000 members of Netcom Communications, a service based in San Jose that provides Internet access.

To get a closer look, the team moved its operation to Netcom's network operation centre in San Jose.

To let its customers connect their computer modems to its network with only a local telephone call, Netcom provides dozens of computer dial-in lines in cities across the country.

Hacking into the long-distance network, the intruder was connecting a computer to various dial-in sites to elude detection. Still, every time the intruder connected to the Netcom system, Shimomura was able to capture the computer keystrokes.

FBI surveillance agents in Los Angeles were almost certain that the intruder was operating somewhere in Colorado. Yet calls were also coming into the system from Minneapolis and Raleigh.

The big break came in San Jose, as Shimomura and Gross, red-eyed from a 36-hour monitoring session, were eating pizza. Subpoenas issued by Kent Walker, the US assistant attorney-general in San Francisco, had begun to yield results from telephone company calling records.

Data came from Walker showing that telephone calls had been placed to Netcom's dial-in phone bank in Raleigh through a cellular telephone modem.

The calls were moving through a local switching office operated by GTE Corp. But GTE's records showed that the calls had looped through a nearby cellular phone switch operated by Sprint Corporation.

Because of someone's clever manipulation of the network software, the GTE switch thought that the call had come from the Sprint switch, and the Sprint switch thought that the call had come from GTE.

Neither company had a record identifying the cellular phone.

When Shimomura called the number in Raleigh, he could hear it looping around with a "clunk, clunk" sound. He called a Sprint technician in Raleigh and spent five hours comparing Sprint's calling records with the Netcom log-ins. It was almost dawn in San Jose when they determined that the cellular phone calls were being placed from near the Raleigh-Durham International Airport.

By 1am on Monday, Shimomura was riding around Raleigh with a Sprint technician, who drove his own car so as not to attract attention.

Shimomura held a cellular-frequency direction-finding antenna and watched a signal-strength meter on a laptop computer screen. Within 30 minutes the two had narrowed the site to an apartment complex in Duraleigh Hill, four kilometres from the airport.

The next evening, the agents had an address and a federal judge issued a warrant. When FBI agents knocked on the door of Apartment 202, it took Mitnick more than five minutes to open it.

When he did, he said he was on the phone with his lawyer. But when an agent took the receiver, the line went dead.

Return to the Beginning of this document

---

The Fugitive Game - online with Kevin Mitnick by Jonathan Littman

Little, Brown and Company ISBN 0-316-52858-7
Reviewed by Chris Gulker

The Fugitive Game by Jonathan Littman is the first of at least 3 books written on the subject of the events surrounding Kevin Mitnick's arrest in February of 1995. Mitnick's arrest and the efforts of computer security specialist Tsutomu Shimomura to apprehend him were the subject of a highly publicized series of articles by John Markoff in the New York Times in late 1994 and early 1995.

The Fugitive Game is sympathetic to Mitnick's point of view, and suggests that Markoff and Shimimura took advantage of the hype over the Internet to unfairly paint Mitnick as a monster in order to cash in on lucrative book and movie deals.

Mitnick, it should be noted by way of preamble, has been widely villified in the popular media as the personification of the criminal hacker, variously blamed with hacking NORAD, major computer and communication companies, Internet providers, credit card holders et al.

Author Jonathan Littman, a freelance investigative journalist, became a trusted sounding board for Mitnick about a year after after he slipped underground for parole violations late in 1992. The relationship sprung up while Littman worked on a book, as yet unpublished, about the shadowy world of hackers over the edge of legality.

Littman's book contains transcripts of hours of conversations with Mitnick while he lived the gritty, nervous life of a fugitive, juxtaposed with views drawn from prosecutors, federal agents, the media and other hackers. The narrative, while sometimes running to length, nevertheless manages to build to a climax, peaking not at Mitnick's arrest, but the denouement of events afterward..

In Littman's portrait, Mitnick emerges as a sad, lonely kid, whose hardscrabble upbringing is softened only by his ability to learn and master arcane subjects on his own. Starting with Los Angeles County buses, young Mitnick finds comfort in learning how to ride long distances for free. Overweight, angry and alone, teenaged Mitnick progresses to hacking ham radio, the telephone system and the Internet.

By age 17, Mitnick has been convicted of illegally accessing corporate computers. Before turning 30, Mitnick is a convicted felon and federal fugitive, running from seamy apartment to cheap motel, frequently escaping pursuers by seconds or minutes. While Mitnick does break the law, he doesn't do it for riches, and Littman goes to some lengths to contrast Mitnick with criminals like Justin Peterson (aka Agent Steal) who used their hacker abilities to rip off credit cards, banks, radio stations and more.

Markoff receives a much less sympathetic hearing. Littman proceeds from professing respect to broadly suggesting that Markoff knows that Mitnick is harmless (if annoying), but proceeds nevertheless to paint him as a master criminal, the better to cash in on book and movie deals.

It is true that Markoff's role in the Mitnick affair caused a buzz in press circles early last year (I was still at The Examiner, then - much tittering could be heard in the news room). Markoff was a victim of Mitnick's hacking, and a friend of Shimimura's, facts that the New York Times chose not to reveal as Markoff wrote a series of articles about Mitnick.

A blurry picture of Markoff's role in Mitnick's apprehension has emerged, allowing room for critics like Littman to suggest that Markoff was not a disinterested or, at least, disengaged, observer.

For his part, Markoff has maintained that he behaved ethically as a fast-moving story unrolled, and has characterized Littman's book as a "vendetta". Other critics have raised questions about some of Littman's conclusions and methods. I found that his premise warranted consideration, but never felt the case proved beyond a reasonable doubt.

Nevertheless, I found The Fugitive Game interesting, sometimes fascinating reading, particularly when it is describing the oddly skewed lives of obsessive hackers. Mitnick is certainly guilty of something: whether Markoff is guilty as charged is much less clear and must be left to the reader, who will hopefully also read Takedown (as I am doing), the book written from the other side by Shimomura and Markoff.

---

Return to the Beginning of this Document

---

Mitnick, Tuna, Reviewing Evidence -- 1997 and 1998

Mitnick Put in Solitary Confinement for "Hoarding Tuna" -- 2/1/97

Kevin Mitnick was arrested in February 1995 after a nationwide search by federal investigators that later became the subject of several books. He faces three separate federal indictments: possession of cellular phone account information, violating the conditions of a supervised release program relating to a 1989 conviction of computer fraud, and alleged computer fraud committed between November 1992 and his arrest.

Alleged software thief Kevin Mitnick was put in solitary confinement at the Los Angeles Metropolitan Detention Center on February 1, 1997 for apparently for hoarding 74 cans of tuna in his cell, his lawyer said. When asked why Mitnick would have so many cans of tuna in his cell, Mitnick's lawyer answered, "Fish is brain food, you know."

Mitnick Not Allowed to Use Computer to Review Evidence -- 3/31/1998

On March 31, 1998, US District Court Judge Mariana Pfaelzer ruled that Kevin Mitnick could not use a computer to review government evidence in his upcoming trial on computer-fraud and theft charges, a federal judge has ruled.

Judge Pfaelzer said "We're never in the world going to do that."

Government prosecutors argued that because of the nature of the charges against him, allowing Mitnick unrestricted access to files containing such things as computer burglar tools would be unwise. They also called him a flight risk and argued against bail. The judge agreed.

Pfaelzer ordered prosecutors to come up with an alternative plan that would allow Mitnick to review the evidence files. She gave them until 13 April to submit a proposal.

The data, seized by the FBI from Mitnick's computer when he was arrested in 1995, could contain evidence that could prove him innocent of some of the charges against him, according to his defense.

In its encrypted form, the data is useless to prosecutors, who may have tried to decode it and failed, said Donald C. Randolph, the Santa Monica, California, attorney defending Mitnick.

When Randolph was pushed to explain what the new data might include, he would only offer a hypothetical example.

"Such a file might be a letter from a recreational hacker to my client saying they had hacked into company XYZ, and asking if he would like to see the information on how to do it," Randolph said. "Something like that might show that one of the alleged victim companies was hacked by someone other than my client."

"We told the judge that giving him access to those files was like giving someone access to a locked safe that might contain a gun," Painter said. "[Mitnick's attorneys] claimed in court that the data might contain exculpatory evidence but offered no further explanation."

Vincent also said the government was willing to give access to the encrypted files, provided that Mitnick hand over the password. This, said Vincent, would violate Mitnick's Fifth Amendment rights against self-incrimination.

"These are obviously files the government does not plan to use, but because we don't know what's in them, we don't think they should be turned over," Painter said.

Hacker Protest at Takedown Film Content -- July 16, 1998

Protests from the hacker community were held Thursday, July 16, 1998 outside Miramax's offices in New York and Los Angeles over the impending production of the movie Takedown.

Based on the 1996 book by security specialist Tsutomu Shimomura and New York Times reporter John Markoff, the book recounted the pursuit and 1995 arrest of computer hacker Kevin Mitnick, who has been jailed in Los Angeles for three years without bail while awaiting trial on charges of computer and telephone fraud.

"Emmanuel Goldstein," editor of 2600: the Hacker Quarterly, wrote a review after obtaining a 20 March version of the screenplay: "If this film is made the way the script reads, Kevin will be forever demonized in the eyes of the public, and mostly for things that everyone agrees never even happened in the first place."

Among many the scenes Goldstein (in real life generally known as Eric Corley) singled out for criticism: Mitnick changing medical records, Mitnick clobbering Shimomura on the head with the top of a metal garbage can, and Mitnick whistling touch tones into a pay phone to avoid having to pay. Mitnick has never been accused of tampering with medical records or of physical violence, and supporters do not believe that Mitnick was motivated by profits.

According to Goldstein, Mitnick is wrongly depicted as a violent racist who malevolently alters medical records. Goldstein is concerned that the image will perpetuate stereotypes of hackers. "They make him a little too maniacal," said the art director of 2600, who identified himself only as "Phil."

"The only thing that's missing is, like, giving him a mechanical arm," said Phil. He paused, staring with amusement at passing businessmen who were getting their picture taken under a "Free Kevin" banner.

"This is more of a Larry Flynt story," said Phil. "Kevin is a modern-day political prisoner who has been put away for something people don't understand." Phil said that he has been in daily contact with Mitnick.

"There's a strong consensus in the [hacker] community," says Goldstein, "that putting out these fabrications on the big screen is, quite simply, wrong, and must be stopped. We're not trying to stop anyone's creative fictionalized story. But this is being labeled as the way it really happened with real people. Since the one person demonized the most is being kept from defending himself, it's up to the rest of us to do what's right."

Miramax declined comment, leaving open the question of how much the screenplay has changed since the version Corley saw and in what direction. No date has been announced for the film's release.

Markoff says he has not seen the screenplay and is not involved with the film. "I've only read what's been posted to the Web, and Eric Corley is the only one I've seen commenting on it," he says. "There are lots of things in it that never happened, but I expected that. This is Hollywood, after all."

The time Mitnick has spent in jail awaiting trial -- while due partly to his having waived his right to a speedy trial and to delays requested by the defense to gain time to examine the evidence -- is a sore point in the hacker community. Hackers regard him and others in situations similar to his as political prisoners.

Mitnick Wins Narrow Victory to Review Evidence with Laptop -- 7/1998

Despite the non-violent nature of his crimes and the charges in the upcoming case, Mitnick has been held at the Metropolitan Detention Center in Los Angeles, where inmates are often held for violent crimes. His appeals for bail have been turned down by every court they've been sent to, including twice by the U.S. Supreme Court.

Mitnick's trial had been delayed several times due its complexity, and often at the request of the defense. Randolph said Mitnick's limited access to a computer has hampered his efforts to assist in his defense.

Randolph tried repeatedly to get Mitnick a computer so he could review evidence that reportedly includes witness statements totaling 1,400 pages, 10 gigabytes of electronic evidence and 1,700 exhibits in all.

In July, 1998, Mitnick won a narrow victory when the US District Court allowed Mitnick limited use of a laptop computer to review evidence against him. The laptop is disabled from connecting with the outside world. It has no modem, and no network card.

The data is recorded on write-disabled CD-ROM disks. Mitnick is only allowed to use the computer in the presence of either Randolph or Vincent at the Metropolitan Detention Center is Los Angeles.

"It would be a lot more efficient if he could review it on his own time, but the judge has decided that he must do it under our supervision," Vincent said.

In another development, US Supreme Court Justice Sandra Day O'Connor declined on 31 August to hear an emergency appeal to obtain bail for Mitnick. That decision guarantees that Mitnick will remain in prison pending his trial, which is due to begin on 19 January 19 1999.

If convicted, Mitnick could face up to seven years in prison, Painter said.

---

Return to the Beginning of this Document

---

Kevin Mitnick's Guilty Plea

From Don Randolph, Kevin Mitnick's Attourney -- 3/26/99

On Friday, March 26, 1999, Kevin Mitnick ended his forty-nine month battle with the Government by pleading guilty to some charges arising from his activities as a computer hacker.

According to Donald C. Randolph, Mr. Mitnick's attorney, the plea aggreement was substantially more favorable than the offer from the Governement in 1995. The earlier offer allowed the Government to argue for up to eight years in custody, and gave the Court full discretion to impose an even greater sentance. The current agreement, which allows no discretion to the Court, calls for a sentance of forty-six months for the pending charges (after substracting eight months from the already-served sentence from North Carolina).

With credits for good time, Mr. Mitnick could be eligible for release to a half-way house by early Fall, 1999. However, his timely release from custody could be delayed by a pending State prosecution in Van Nuys, California for allegations of computer fraud.

Mitnick's attorney, Donald C. Randolph, declined to comment on the details of the plea agreement, except to say that his client is relieved to have achieved a level of certainty in resolving his on-going situation with the federal government. Mr Randolph stated "my client can now see light at the end of the tunnel, and has a reasonable certainty that it is not another train approaching."

---

Return to the Beginning of this Document

---

Mitnick's Own Words About His 'Hacking' -- Forbes.com Interview 5/99

Kevin Mitnick is the most famous hacker in history. He has been in prison for more than four years for crimes that, when you get down to it, amount to little more than illegally copying proprietary software belonging to major companies including Motorola, Nokia and Sun.

He was made a household name by New York Times reporter John Markoff, who featured Mitnick in a book called Cyberpunk (published in 1991), then wrote a front page story for the Times on July 4, 1994, that portrayed Mitnick as a superhacker who could wreak cyberhavoc--and ruin lives--if not caught by the Feds.

Then a funny thing happened. Markoff's friend, Tsutomu Shimomura, claimed that Mitnick had hacked his home computer on Christmas Day, 1994, and went after him, with Markoff in tow. When Shimomura tracked Mitnick down in North Carolina, Markoff was there for the kill. This was documented in subsequent front-page stories and a book called Takedown, for which Markoff and Shimomura shared a $750,000 advance. Expect the movie version soon.

Markoff became a journalism star as a result of his crusade. Shimomura's name, in the ultimate geek tribute, is recognized by Microsoft Word98 spell check. Not even Sherlock Holmes can say that.

Yet, according to Dale Coddington and Brian Martin, both of whom were hired by the defense to comb through the 9 gigabytes of electronic evidence amassed against Mitnick, there is no proof that Mitnick hacked Shimomura. For all the fanfare it received, it was never contained in the indictment. Yet, the media coverage has had a profound impact on Mitnick's case.

Mitnick reads everything written about him and says he often can’t believe what he reads. He has seen himself portrayed as a "dark side" hacker intent on toppling civilization; a criminal who as a teenager penetrated computers at NORAD, inspiring the hit flick War Games; a phone phreaker who, just by whistling three tones into a telephone receiver, could launch World War III; and a computer hacker who, merely armed with a computer sans modem, could wreak cyberhavoc from his jail cell.

But the reality is a lot less sexy. Kevin Mitnick is a recreational hacker with a compulsive-obsessive relationship to information. He hoarded information, never sold it, and wouldn’t even share it with his friends.

Although he is portrayed in the upcoming film Takedown as an evil menace to society, Mitnick is really just your average geek who has done some bad things in his life, and has paid the price. To this day, he would like nothing more than to dissect some computer program to see how it works.

Says Martin, who often visited Mitnick in prison, "Kevin still wants to look through cellular source code to see how it works. You can see it in his eyes that he'd love to kick back with a printout and just figure it out on his own."

Mitnick doesn’t trust the media. But he agreed to let Forbes interview him over a span of several evenings recently by telephone.

Here is Kevin Mitnick in his own words:

Forbes.com [F]: How would you characterize the media coverage of you?

Mitnick [M]: When I read about myself in the media even I don't recognize me. The myth of Kevin Mitnick is much more interesting than the reality of Kevin Mitnick. If they told the reality, no one would care.

[F} Have stories that John Markoff wrote about you in The New York Times had any impact on your legal proceedings?

[M} Markoff has single-handedly created "The Myth of Kevin Mitnick," which everyone is using to advance their own agendas. I wasn't a hacker for the publicity. I never hacked for personal gain. If I was some unknown hacker, accused of copying programs from cell phone companies, I wouldn't be here. Markoff's printing false and defamatory material about me on the front page of The New York Times had a substantial effect on my case and reputation. He's the main reason I'm still in custody.

[F] The Times continues to report (most recently on March 18) that you had hacked NORAD. Is this true?

[M] No way, no how did I break into NORAD. That's a complete myth. And I never attempted to access anything considered to be classified government systems.

[F] What do you think about hacks done in your name--for instance, last September's hack of The New York Times web site. Do they further your cause?

[M] I don't condone anyone causing damage in my name, or doing anything malicious in support of my plight. There are more productive ways to help me. As a hacker myself, I never intentionally damaged anything.

[F] How have you spent most of your time in prison?

[M] Most people here are content watching TV, playing pinochle, dominoes and poker. I work on my defense 14 hours a day.

[F] What do you think of the restrictions placed on you when you get out of prison as part of your plea agreement?

[M] The requirements mandating I can't touch a computer or cell or cordless phone are akin to telling a forger not to use a pen or paper. There is no way I can earn a living when I get out. I couldn't even work at McDonald's. All I could do is something like gardening.

[F] What do you plan on doing when you get out of prison?

[M] "I don't know, but once I get out of here and get on with the rest of my life, I'll never intentionally violate the law."

---

Return to the Beginning of this Document

---

Court Documents on the 1995 Kevin Mitnick Case

June 5, 2000 Brief Amici Curiae in support of defendent's motion for clarification of the terms of his supervised release June 2, 2000 Notice of application, application for clarification of supervised release terms and conditions, declaration of counsel and exhibits, and memorandum of law August 20, 1999 Emergency Motion August 16, 1999 Ex Parte Application for Order that Defendant be Housed at MDC Pending Designation July 26, 1999 Ex Parte Application To Unseal Defense Request for Sanctions and Pleadings Relating to Restitution; Declaration of Gregory L. Vinson June 28, 1999 Ex Parte Application for Temporary Release June 7, 1999 Defense Consolidated Motion for Sanctions and for Reconsideration of Motion for Discovery and Application for Expert Fees Based upon New Facts May 6, 1999 Government's Request for an Order to Show Cause Why Defense Counsel Should not be Sanctioned for Releasing Confidential Victim Loss Letters: Government intends to hold Kevin's attorney Donald Randolph in contempt for revealing documents which were previously filed as publicly available court documents, with no protest from the prosecution. Perhaps the corporations the government has named as victims in the case are unhappy at this publicity, and the possibility of SCC and IRS investigations into why the information in these letters was never revealed to their stockholders. It now seems even more likely that the financial loss figures in the case against Mitnick were fabricated with one purpose: to keep him imprisoned without bail and without trial for a lengthy period. While they may have succeeded in this, the revelations of the deception will finally force the prosecutors to answer some very difficult questions. (click here to view the loss letters) May 10, 1999 Motion to Bifurcate Hearing on Restitution: Defense requests that the Court "bifurcate the hearing on Restitution into, first, a hearing on the Defendant's Ability to Pay, and second, if necessary, a hearing on the Amount of Restitution." April 19, 1999 Notice of Motion and Motion for Discovery: Defense requests that the government not delay disclosure of discovery related to restitution issues to be addressed in court. April 5, 1999 Notice of Motion and Motion to Suppress Evidence: "...Tsutomu Shimomura and his associate, Andrew Gross, acting as government agents, illegally intercepted wire communications without a court order..." April 5, 1999 Notice of Motion and Motion to Suppress Evidence seized in Washington state April 5, 1999 Notice of Motion and Motion to Suppress Evidence seized in North Carolina March 9, 1999 Reply to Government's Opposition RE: Motion for Discovery February 22, 1999 Motion for Court Order RE: Discovery; Request for Sanctions January 22, 1999 Defense Reply in Support of Ex Parte Application to Continue Trial Date January 21, 1999 Government's Opposition To Defendant Mitnick's Ex Parte Application To Continue Trial And Order Discovery January 19, 1999 Ex Parte Application RE: Continuance of Trial Date and Request For Order RE: Discovery December 3, 1998 Court transcript  Discussion of trial continuance date..... A statement from the defense's motion (challenging prosecution's apparent attempt to convince the judge that files erased from a disk are equivalent to words erased from a piece of paper) is misinterpreted as a comment on "the court's presumed lack of expertise in sophisticated computer technology"..... Judge indicates she will separate the trials of Kevin Mitnick and co-defendant Lewis DePayne. December 2, 1998 Court transcript  Brief dispute over whether trial should be continued..... Judge again indicates her eagerness to try the case..... Judge is upset and puts the government on notice to watch for anything "untoward" to happen because a 2600 staffer legally requested her financial disclosure reports (which are on record for all judges, to lessen the possibility of their involvement in cases in which they have financial interests). The basis of this paranoia? It was assumed the person was "a friend of Mr. Mitnick's" because that person had an address in North Carolina, the same state where Kevin was arrested in 1995. December 2, 1998 Defendant Mitnick's Response to Government's Consolidated Opposition To Defendant's Motions; Declaration of Donald C. Randolph December 2, 1998 Declaration of Donald C. Randolph in support of motion for discovery and motion to continue December 2, 1998 Government's Consolidated Opposition To Defendant Mitnick's Motion: (A) For Discovery And (B) To Continue The Trial In This Matter; Memorandum Of Points And Authorities Government's response to Nov. 24 motions, denying that they violated terms by which evidence was to be given to the defense; and denying that there was any government intrusion on the client-attorney privilege between Mitnick and his former attorney. November 24, 1998 Motion to Continue Trial Date Motion filed Nov 24, 1998 to the Court for an order continuing the trial date, currently scheduled for January 19, 1999, until April 13, 1999. November 24, 1998 Motion for Discovery Motion filed Nov 24, 1998 to the Court for an order requiring the government to produce discovery pursuant to the Court's June 3, 1998 Omnibus Order Re: Discovery and Pretrial Management. October 19, 1998 US Supreme Court Denies Emergency Application for Bail Again October 1, 1998 Emergency Application for Bail for Bail Re-Submitted to the US Supreme Court August 24, 1998 US Supreme Court Denial of Emergency Application for Bail August 18, 1998 Petition For Writ Of Certiorari From The US Court Of Appeals For The Ninth Circuit. For review of Mitnick's supervised release conditions. Click here to view the section outlining Kevin's release conditions July 18, 1998 Emergency Application for Bail From The US Court Of Appeals For The Ninth Circuit July 1, 1998 Denial of Petition for Re-hearing of Bail Motion. June 17, 1998 Supplemental Memorandum Re: Petition For Reconsideration; [Proposed] Order June 15, 1998 Petition For Reconsideration Or, Alternatively, For Permission To Appeal regarding the Court's denial of Kevin's right to review computer evidence May 30, 1998 Court Link File 1, Catalog of Events May 30, 1998 Court Link File 2, Catalog of Events May 20, 1998 Ninth Circuit Court of Appeals order affirming District Court's conditions of supervised release Request for oral argument on the appeal was flatly denied; and "Mitnick's challenge to the supervised release conditions on vagueness grounds because 'computer' and other terms are not defined also fails because the conditions give Mitnick fair notice of what is prohibited." May 20, 1998 Court transcript May 19, 1998 Ninth Circuit Court of Appeals order upholding District Court's summary denial of bail May 14, 1998 Defendant Mitnick's Opposition To Government's Proposed Omnibus Order Re: Discovery And Pretrial Management May 8, 1998 Defendant DePayne's Response To Government's Proposed Omnibus Order Re: Discovery And Trial Management May 7, 1998 Memorandum of Law and Facts in Support of Bail Appeal from the US District Court for the Central District of California April 27, 1998 Opposition To Government's Proposed Findings Of Fact And Conclusion Of Law RE: Defendant's Application For Release Pending Trial March 30, 1998 Court transcript: The Court refuses to even consider bail motion, refuses Defendant access to computer evidence for review (due to security concerns), and the amount of paperwork in the case becomes problematic. March 25, 1998 Kevin Mitnick's Application For Release On Bail Pending Trial March 19, 1998 Defendant's Reply To Government's Opposition To Supplemental Law Library Time March 3, 1998 Reply To Government's Opposition To Defendant's Motion For Access To A Computer For Review Of Discovery February 26, 1998 Motion RE: Supplemental Law Library Time February 26, 1998 Appellant's Reply Brief December 12, 1997 Appellant's Opening Brief (Federal appeal) October 8, 1997 Court transcript (concerning Defense review of computer evidence; and the Court believes the Defense is asking for too much money for Kevin's legal defense) June 27, 1997 Court transcript: Response by defense and prosecution to conditions of supervised release June 23, 1997 Court transcript: Conditions of sentence and supervised release June 16, 1997 Court transcript: 1st Sentencing hearing on violation of supervised release June 9, 1997 Court transcript: Fugitive status hearing October 7, 1996 Court transcript September 26, 1996 Indictment Basically, Kevin is charged with accessing several corporate computer systems without permission, and copying proprietary copyrighted software. He is not charged with selling this software, or using it; simply with copying it. The indictment contains the government's charges against Kevin. April 22, 1996 Court transcript: Agreement to a plea bargain on North Carolina charges, in order to have Kevin's case transferred to his home state of California. Return to the Beginning of this Document Kevin Mitnick's Written Senate Testimony -- 3/2/2000 Honorable Chairperson Thompson, Distinguished Senators, and Members of the Committee: My Biography My name is Kevin Mitnick. I appear before you today to discuss your efforts to create legislation that will ensure the future security and reliability of information systems owned and operated by, or on behalf of, the federal government. I am primarily self-taught. My hobby as an adolescent consisted of studying methods, tactics, and strategies used to circumvent computer security, and to learn more about how computer systems and telecommunication systems work. In 1985 I graduated cum laude in Computer Systems and Programming from a technical college in Los Angeles, California, and went on to successfully complete a post-graduate project in designing enhanced security applications that ran on top of a computer's operating system. That post-graduate project may have been one of the earliest examples of "hire the hacker:" the school's administrators realized I was hacking into their computers in ways that they couldn't prevent, and so they asked me to design security enhancements that would stop others' unauthorized access. I have 20 years experience circumventing information security measures, and can report that I have successfully compromised all systems that I targeted for unauthorized access save one. I have two years experience as a private investigator, and my responsibilities included locating people and their assets using social engineering techniques. My experience and success at accessing and obtaining information from computer systems first drew national attention when I obtained user manuals for the COSMOS computer systems (Computer Systems for Mainframe Operations) used by Pacific Bell. Ten years later the novel "Cyberpunk" was published in 1991, which purported to be a "true" accounting of my actions that resulted in my arrest on federal charges in 1988. One of the authors of that novel went on to write similarly fictionalized "reports" about me for the New York Times, including a cover story that appeared July 4, 1994. That largely fictitious story labeled me, without reason, justification, or proof, as the "world's most wanted cybercriminal." Subsequent media reports distorted that claim into the false claim that I was the first hacker on the FBI's "Ten Most Wanted" list. That false exaggeration was most recently repeated during my appearance on CNN's Burden of Proof program on February 10, 2000. Michael White of the Associated Press researched this issue with the FBI, and FBI representatives denied ever including me on their "Ten Most Wanted" list. I have gained unauthorized access to computer systems at some of the largest corporations on the planet, and have successfully penetrated some of the most resilient computer systems ever developed. I have used both technical and non-technical means to obtain the source code to various operating systems and telecommunications devices to study their vulnerabilities and their inner workings. After my arrest in 1995, I spent years as a pretrial detainee without benefit of bail, a bail hearing, and without the ability to see the evidence against me, combined circumstances which are unprecedented in U.S. history according to the research of my defense team. In March of 1999 I pled guilty to wire fraud and computer fraud. I was sentenced to 68 months in federal prison with 3 years supervised release. The supervised release restrictions imposed on me are the most restrictive conditions ever imposed on an individual in U.S. federal court, again according to the research of my defense team. The conditions of supervised release include, but are not limited to, a complete prohibition on the possession or use, for any purpose, of the following: cell phones, computers, any computer software programs, computer peripherals or support equipment, personal information assistants, modems, anything capable of accessing computer networks, and any other electronic equipment presently available or new technology that becomes available that can be converted to, or has as its function, the ability to act as a computer system or to access a computer system, computer network, or telecommunications network. In addition to these extraordinary conditions, I am prohibited from acting as a consultant or advisor to individuals or groups engaged in any computer-related activity. I am also prohibited from accessing computers, computer networks, or other forms of wireless communications myself or through third parties. I was released from federal prison on January 21, 2000, just 6 weeks ago. I served 59 months and 7 days, after earning 180 days of time off for good behavior. I am permitted to own a land line telephone. Computer Systems and Their Vulnerabilities -------------------------------------------------------------------------------- The goal of information security is to protect the integrity, confidentiality, availability and access control to the information. Secure information is protected against tampering, disclosure, and sabotage. The practice of information security reduces the risk associated with loss of trust in the integrity of the information. Information security is comprised of four primary topics: physical security, network security, computer systems security, and personnel security. Each of these four topics deserves a complete book, if not several books, to fully document them. My presentation today is intended to provide a brief overview of these topics, and to present my recommendations for the manner in which the Committee may create effective legislation. 1. Physical Security 1.1 Uncontrolled physical access Uncontrolled physical access to computer systems and computer networks dramatically increases the likelihood that the system can and will suffer unauthorized access. 1.1.1 Hardware Security Computers may be locked in rooms or buildings, with guards, security cameras, and cypher-controlled doors. The greatest risk to information security in apparently secure hardware environments is represented by employees, or impostors, who appear to possess authorization to the secured space. 1.1.2 Data Security Many government agencies require formal backup procedures to ensure against data loss. Equally stringent requirements must be in place to ensure the integrity and security of those backup files. Intruders who cannot gain access to secure data but who obtain unauthorized access to data backups successfully compromise any security measures that may be in place, and with much less risk of detection. 2. Network Security 2.1 Stand-alone computers Stand-alone computers are less vulnerable than computers that are connected to any network of any kind. Computers connected to networks typically offer a higher incidence of misconfiguration, or inappropriately enabled services, than computers that are not connected to any network. The hierarchy of network "insecurity" is as follows: Stand-alone computer - least vulnerable Computer connected to a LAN, or local area network - more vulnerable Computer and a LAN accessible via dial-up - even more vulnerable Computer and LAN connected to internet -- most vulnerable of all 2.1.1 Unencrypted Network Communications Unencrypted network communications permit anyone with physical access to the network to use software to monitor all information traveling over the network, even though it?s intended for someone else. Once a network tap is installed, intruders can monitor all network traffic, and install software that enables them to capture, or "sniff," passwords from network transmissions. 2.1.2 Dial-in Access Dial-in access increases vulnerabilities by opening up an access point to anyone who can access ordinary telephone lines. Off site access increases the risk of intruders gaining access to the network by increasing the accessibility of the network and the remote computer. 3. Computer Systems Security 3.1 Non Connected Computer Systems Computer systems that are not connected to any network present the most secure computing environment possible. However, even a brief review of standalone computer systems reveals many ways they may be compromised. 3.1.1 Operating Systems The operating systems control the functions of the computer: how information is stored, how memory is managed, and how information is displayed -- it?s the master program of the machine. At its core, the operating system is a group of discrete software programs that have been assembled into a larger program containing millions of lines of code. Large modern day operating systems cannot be thoroughly tested for security anomalies, or "holes," which represent opportunities for unauthorized access. 3.1.2 Rogue Software Programs ?Rogue? software applications can be installed surreptitiously, or with the unwitting help of another. These programs can install a ?back door?, which usually consists of programming instructions that disable obscure security settings in an operating system and that enable future access without detection; some back door programs even log the passwords used to gain access to the compromised system or systems for future use by the intruder. 3.1.3 Ineffective Passwords Computer users often choose passwords that are in the dictionary, or that have personal relevance, and are quite predictable. Static, or unchanging, passwords represent another easy method for breaching a computer system -- once a password is compromised, the user and the system administrators have no way of knowing the password is known to an intruder. Dynamic passwords, or non-dictionary passwords are problematic for many users, who write them down and keep them near their computers for easy access -- their own, or anyone who breaches physical security of the computer installation. 3.1.4 Uninstalled Software Updates Out-of-date system software containing known security problems presents an easy target to an intruder. Systems administrators cannot keep systems updated as a result of work overload, competing priorities, or ignorance. The weaknesses of systems are publicized, and out-of-date systems typically offer well-known vulnerabilities for easy access. 3.1.5 Default Installations Default installations of some operating systems disable many of the built-in security features in a given operating system. In addition, system administrators unintentionally misconfigure systems, or include unnecessary services that may lead to unauthorized access. Again, these weaknesses are widely publicized within the computing community, and default or misconfigured installations present an easy target. 4. Personnel Security 4.1 People The most complex element in information security is the people who use the systems in which the information resides. Weaknesses in personnel security negate the effort and cost of the other three types of security: physical, network, and computer system security. 4.1.1 Social Engineering Social engineering, or "gagging," is defined as gaining intelligence through deception. Employees are trained to be helpful, and to do what they are told in the workplace. The skilled social engineer will use these traits to his or her advantage as they seek to gain information that will enable them to achieve their objectives. 4.1.2 Email Attachments Email attachments may be sent with covert code embedded within. Upon receiving the email, most people will launch the attachment, which can lower the security settings on the target machine without the user's knowledge. The likelihood of a successful installation using this method can be increased by following up the email submittal with a telephone call to prompt the person to open the attachment. Information Security Exploits -------------------------------------------------------------------------------- Information security exploits are the methods, tactics, and strategies used to breach the integrity, confidentiality, availability or access control of information. Discovery of compromised information security has several consequences, the most important of which is the decline in the level of trust associated with the compromised information and systems that contain that information. Examples of typical security exploits follow. 5. Physical Security Exploits 5.1 Data Backup Exploit Using deception or sheer bravado, the intruder can walk into the off site backup storage facility, and ask for the physical data backup by pretending to be from a certain agency. The intruder can claim that particular backup is necessary to perform a data restoration. Once an intruder has physical possession of the data, the intruder can work with the data as though he possessed superuser, or system administrator, privileges. 5.2 Physical Access Exploit If an intruder gains physical access to a computer and is able to reboot it, the intruder can gain complete control of the system and bypass all security measures. An extremely powerful exploit, but one that exposes the intruder to great personal risk because they're physically present on the premises. 5.3 Network Physical Access Exploit Physical access to a network enables an intruder to install a tap on the network cable, which can be used to eavesdrop on all network traffic. Eavesdropping enables the intruder to capture passwords as they travel over the network, which will enable full access to the machines whose passwords are compromised. 6. Network Security Exploits 6.1 Network Vulnerability Probing Software Network software exists that probes computers for weaknesses. Once one system weaknesses are revealed and the system is compromised, the intruder can install software (called ?sniffer? software) that compromises all systems on the network. Following that, an intruder can install software that logs the passwords used to access that compromised machine. Users routinely use the same or similar passwords across multiple machines; thus, once one password for one machine is obtained, then multiple machines can be compromised (see "Personnel Security Exploits"). 7. Computer System Exploits 7.1 Program Vulnerabilities Vulnerabilities in programs (e.g., the UNIX program sendmail) can be exploited to gain remote access to the target computer. Many system programs contain bugs that enable the intruder to trick the software into behaving in a way other than that which is intended in order to gain unauthorized access rights, even though the application is a part of the operating system of the computer. 7.2 Misconfigured Installations A misconfigured installation on a computer in operation at the Raleigh News and Observer, a paper in Raleigh, North Carolina, demonstrates the problematic aspect of system misconfiguration. Using the UNIX program ?Finger,? which enables one to identify the users that are currently logged into a computer system, I created a user name on the computer system I controlled. The user name I assigned myself matched exactly the user name that existed on the target host. The misconfigured system was set to ?trust? any computer on the network, which left the entire network open for unauthorized access. 8. Personnel Security Exploits 8.1 Social Engineering Social Engineering involves tricking or persuading people to reveal information or to take certain actions at the behest of the intruder. My work as a private investigator relied heavily on my skills in social engineering. In my successful efforts to social engineer my way into Motorola, I used a three-level social engineering attack to bypass the information security measures then in use. First I was able to convince Motorola Operations employees to provide me, on repeated occasions, the pass code on their security access device, as well as the static PIN. The reason this was so extraordinary is that the pass code on their access device changed every 60 seconds: every time I wanted to gain unauthorized access, I had to call the Operations Center and ask for the password in effect for that minute. The second level involved convincing the employees to enable an account for my use on one of their machines, and the third level involved convincing one of the engineers who was already entitled to access one of the computers to give me his password. I overcame that engineer's vigorous reluctance to provide the password by convincing him that I was a Motorola employee, and that I was looking at a form that documented the password that he used to access his personal workstation on Motorola's network -- despite the fact that he never filled out any such form! Once I gained access to that machine, I obtained Telnet access to the target machine, access which I had sought all along. 8.2 Voice Mail and Fax Exploit This exploit relies on convincing an employee at a large company to enable a voice mailbox: the intruder would call the people who administer the voice mailboxes for the target company and request a mailbox. The pretext would be that the intruder works for a different division, and would like to retrieve messages without making a toll call. Once the intruder has access to the voice mail system, the intruder would call the receptionist, represent himself as an employee of the company, and ask that they take messages for him; last but not least, the intruder would request the fax number and ask that incoming faxes be held for pickup. This sets the stage for the call to the target division of the company. At this point, the intruder would call the target division to initiate the fax exploit with the goal of obtaining the targeted confidential company information. During that call the intruder would identify himself as an employee of the division whose voice mail and fax systems have just been compromised, he would cite the voice mail box in support of his identity, and would social engineer the target employee into faxing the target information to the compromised fax number located at one of their other offices. Now the intruder would call the receptionist, tell the receptionist that he's in a business meeting, and ask that the receptionist fax the confidential material "to the hotel." The intruder picks up the fax containing confidential information at the secondary fax, which cannot be traced back to either the intruder or the targeted company. I used this exploit to successfully compromise ATT's protected network access points routinely. ATT had learned that a system had been compromised by unauthorized entry at a central network access point called "DataKit." They imposed network access passwords on all DataKits to inhibit unauthorized access. I contacted one of the manager's secretaries and used the Fax Exploit to convince the secretary to fax me the password that enabled access to a DataKit that controlled dial-up access to ATT's worldwide computer network. 9. Recommendations The Voice Mail and Fax Exploit demonstrates the most important element in my testimony today: that verification mechanisms are the weak link in information security, and voice mail and fax are the tools used to verify the authenticity of the credentials presented by someone seeking physical, network, or computer systems access. The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully. The corporate security measures that I breached were created by some of the best and brightest in the business, some of whom may even have been consulted by the committee as you drafted your legislation, Senate Bill S1993. S1993 is represents a good first step toward the goal of increasing information security on government computer systems. I have several recommendations that I hope will increase the effectiveness of your bill. 1. Each agency perform a thorough risk assessment of the assets they want to protect. 2. Perform a cost-benefit analysis to determine whether the price to protect those systems represents real value. 3. Implement policies, procedures, standards and guidelines consistent with the risk assessment and cost benefit analyses. Employee training to recognize sophisticated social engineering attacks is of paramount importance. 4. After implementing the policies, procedures, standards and guidelines, create an audit and oversight program that measures compliance throughout the affected government agencies. The frequency of those audits ought to be determined consistent with the mission of a particular agency: the more valuable the data, the more frequent the audit process. 5. Create a numeric "trust ranking" that quantifies and summarizes the results of the audit and oversight programs described above. The numeric "trust ranking" would provide at-a-glance ranking -- a report card, if you will -- of the characteristics that comprise the four major categories defined above: physical, network, computer systems, and personnel. 6. Effective audit procedures -- implemented from the top down -- must be part of an appropriate system of rewards and consequences in order to motivate system administrators, personnel managers, and government employees to maintain effective information security consistent with the goals of this committee. Conclusion -------------------------------------------------------------------------------- Obviously a brief presentation such as the one I've made today cannot convey adequately the measures needed to implement effective information security measures. I'm happy to answer any questions that may have been left unanswered for any members of the Committee. Return to the Beginning of this Document FCC Moves to Take Mitnick's Radio Licence Away -- 12/22/2001 In a five-page order released Friday, the US Federal Communications Commission (FCC) claims that 38-year old convicted hacker Kevin Mitnick is not morally fit to be a ham radio operator. "Mr. Mitnick's criminal background raises a substantial and material question of fact as to whether he possesses the requisite character qualifications to be and remain a commission licensee," the FCC said. "Given his propensity to engage in criminal activities, particularly those involving fraud, we have serious reservations about Mr. Mitnick's ability to comply with our rules and regulations in the future." What's more, the FCC reminds us, "Mr. Mitnick's prolific and damaging hacking career made him the most wanted computer criminal in United States history." Mitnick was convicted of hacking-related felonies and was released from prison in January of 2001. He's still on probation until January 2003. Mitnick's had a ham radio license for about 25 years, and he applied two years ago for what's normally a routine renewal. He's not accused of making any illicit radio transmissions or any offenses that fall under the FCC's jurisdiction -- it's just that official Washington firmly believes computer hacking must be an unforgivable venal sin. Under FCC regulations, Mitnick's loss of his license is probable, but not automatic. A hearing will be scheduled at some to-be-determined date before an FCC administrative law judge (who, no surprise, typically sides with the bureaucrats). Appeals go to the full commission and from there to the federal courts. "It's just another example of them trying to harass me," Mitnick said Friday evening. "Now I've got to spend money to keep a ham license. How ridiculous." "Obviously I'm going to have to fight for my right to be licensed," said Mitnick, who uses his ham radio every day. If Mitnick doesn't respond in 20 days, he automatically loses. Federal law requires amateur radio enthusiasts to obtain a license from the government. Mitnick has a "general class" license that required him to pass a five-words-per-minute Morse code test. (His callsign is N6NHG.) This action against Mitnick doesn't affect his "Dark Side of the Internet" radio show, which aired on KFI AM 640. Citing an advertising slowdown, the radio station gave it the axe on 10 December. The FCC believes it can do pretty much whatever it wants to Mitnick thanks to an enormously favorable DC Circuit Court of Appeals ruling last year. The judges said that the FCC could rescind the license of an amateur radio operator convicted of calling long distance for free via fake access codes, a felony. "There is nothing unreasonable about the FCC's conclusion that (Herbert) Schoenbohm's felony conviction was relevant to his license renewal. A conviction for fraudulent conduct plainly calls into question a licensee's ability to act in a manner consonant with FCC regulations," the panel of judges ruled three to zero. Fortunately for Mitnick, there's still a way to fight back. He can confess that, yes, he was a felonious knave -- who's completely has changed his ways. The agency's own "Policy Regarding Character Qualifications in Broadcast Licensing" admits that "rehabilitation" is a mitigating factor. Mitnick insists he's cured. "I was called to testify before Congress on federal computer security and now they're questioning my character," he says, noting that he even spent two days briefing the US Commission on National Security. The prosecutor who put him behind bars thinks otherwise. Christopher Painter, now deputy chief of the Justice Department's computer crime section, said earlier this month that Mitnick is still an unrepentant wretch. After running into his former courtroom adversary at the National Press Club, Painter said: "My problem with Mitnick these days is that he's never really accepted responsibility for his conduct... I hope he gets his life together, and I bear him no ill-will, but I think if you don't accept responsibility and you glamorize hacking and you get attention based on your former exploits, that sends the wrong message to people." (Mitnick was in town to speak at a Business Software Alliance conference.) That was on December 6, 2001. Five days later, the FCC decided to take action against Mitnick. The decision became public on Friday. A coincidence -- or a way to strike back at the world's most famous convicted hacker? Says Mitnick: "I'm surprised that after two years they did this. Why the delay? It's very suspicious to me." Return to the Beginning of this Document Mitnick Testifies Against Sprint in Vice Hack Case 6/24/2002 The ex-hacker details his past control of Las Vegas' telecom network, and raids his old storage locker to produce the evidence. LAS VEGAS--Since adult entertainment operator Eddie Munoz first told state regulators in 1994 that mercenary hackers were crippling his business by diverting, monitoring and blocking his phone calls, officials at local telephone company Sprint of Nevada have maintained that, as far as they know, their systems have never suffered a single intrusion. The Sprint subsidiary lost that innocence Monday when convicted hacker Kevin Mitnick shook up a hearing on the call-tampering allegations by detailing years of his own illicit control of the company's Las Vegas switching systems, and the workings of a computerized testing system that he says allows silent monitoring of any phone line served by the incumbent telco. "I had access to most, if not all, of the switches in Las Vegas," testified Mitnick, at a hearing of Nevada's Public Utilities Commission (PUC). "I had the same privileges as a Northern Telecom technician." Mitnick's testimony played out like a surreal Lewis Carroll version of a hacker trial -- with Mitnick calmly and methodically explaining under oath how he illegally cracked Sprint of Nevada's network, while the attorney for the victim company attacked his testimony, effectively accusing the ex-hacker of being innocent. The plaintiff in the case, Munoz, 43, is accusing Sprint of negligence in allegedly allowing hackers to control their network to the benefit of a few crooked businesses. Munoz is the publisher of an adult advertising paper that sells the services of a bevy of in-room entertainers, whose phone numbers are supposed to ring to Munoz's switchboard. Instead, callers frequently get false busy signals, or reach silence, Munoz claims. Occasionally calls appear to be rerouted directly to a competitor. Munoz's complaints have been echoed by other outcall service operators, bail bondsmen and private investigators -- some of whom appeared at two days of hearings in March to testify for Munoz against Sprint. Munoz hired Mitnick as a technical consultant in his case last year, after SecurityFocus Online reported that the ex-hacker -- a onetime Las Vegas resident -- claimed he had substantial access to Sprint's network up until his 1995 arrest. After running some preliminary tests, Mitnick withdrew from the case when Munoz fell behind in paying his consulting fees. On the last day of the March hearings, commissioner Adriana Escobar Chanos adjourned the matter to allow Munoz time to persuade Mitnick to testify, a feat Munoz pulled-off just in time for Monday's hearing. Mitnick admitted that his testing produced no evidence that Munoz is experiencing call diversion or blocking. But his testimony casts doubt on Sprint's contention that such tampering is unlikely, or impossible. With the five year statute of limitations long expired, Mitnick appeared comfortable describing with great specificity how he first gained access to Sprint's systems while living in Las Vegas in late 1992 or early 1993, and then maintained that access while a fugitive. Mitnick testified that he could connect to the control consoles -- quaintly called "visual display units" -- on each of Vegas' DMS-100 switching systems through dial-up modems intended to allow the switches to be serviced remotely by the company that makes them, Ontario-based Northern Telecom, renamed in 1999 to Nortel Networks. Each switch had a secret phone number, and a default username and password, he said. He obtained the phone numbers and passwords from Sprint employees by posing as a Nortel technician, and used the same ploy every time he needed to use the dial-ups, which were inaccessible by default. With access to the switches, Mitnick could establish, change, redirect or disconnect phone lines at will, he said. That's a far cry from the unassailable system portrayed at the March hearings, when former company security investigator Larry Hill -- who retired from Sprint in 2000 -- testified "to my knowledge there's no way that a computer hacker could get into our systems." Similarly, a May 2001 filing by Scott Collins of Sprint's regulatory affairs department said that to the company's knowledge Sprint's network had "never been penetrated or compromised by so-called computer hackers." Under cross examination Monday by PUC staff attorney Louise Uttinger, Collins admitted that Sprint maintains dial-up modems to allow Nortel remote access to their switches, but insisted that Sprint had improved security on those lines since 1995, even without knowing they'd been compromised before. But Mitnick had more than just switches up his sleeve Monday. The ex-hacker also discussed a testing system called CALRS (pronounced "callers"), the Centralized Automated Loop Reporting System. Mitnick first described CALRS to SecurityFocus Online last year as a system that allows Las Vegas phone company workers to run tests on customer lines from a central location. It consists of a handful of client computers, and remote servers attached to each of Sprint's DMS-100 switches. Mitnick testified Monday that the remote servers were accessible through 300 baud dial-up modems, guarded by a technique only slightly more secure than simple password protection: the server required the client -- normally a computer program -- to give the proper response to any of 100 randomly chosen challenges. The ex-hacker said he was able to learn the Las Vegas dial-up numbers by conning Sprint workers, and he obtained the "seed list" of challenges and responses by using his social engineering skills on Nortel, which manufactures and sells the system. The system allows users to silently monitor phone lines, or originate calls on other people's lines, Mitnick said. Mitnick's claims seemed to inspire skepticism in the PUC's technical advisor, who asked the ex-hacker, shortly before the hearing was to break for lunch, if he could prove that he had cracked Sprint's network. Mitnick said he would try. Two hours later, Mitnick returned to the hearing room clutching a crumpled, dog-eared and torn sheet of paper, and a small stack of copies for the commissioner, lawyers, and staff. At the top of the paper was printed "3703-03 Remote Access Password List." A column listed 100 "seeds", numbered "00" through "99," corresponding to a column of four digit hexadecimal "passwords," like "d4d5" and "1554." Commissioner Escobar Chanos accepted the list as an exhibit over the objections of Sprint attorney Patrick Riley, who complained that it hadn't been provided to the company in discovery. Mitnick retook the stand and explained that he used the lunch break to visit a nearby storage locker that he'd rented on a long-term basis years ago, before his arrest. "I wasn't sure if I had it in that storage locker," said Mitnick. "I hadn't been there in seven years." "If the system is still in place, and they haven't changed the seed list, you could use this to get access to CALRS," Mitnick testified. "The system would allow you to wiretap a line, or seize dial tone." Mitnick's return to the hearing room with the list generated a flurry of activity at Sprint's table; Ann Pongracz, the company's general counsel, and another Sprint employee strode quickly from the room -- Pongracz already dialing on a cell phone while she walked. Riley continued his cross examination of Mitnick, suggesting, again, that the ex-hacker may have made the whole thing up. "The only way I know that this is a Nortel document is to take you at your word, correct?," asked Riley. "How do we know that you're not social engineering us now?" Mitnick suggested calmly that Sprint try the list out, or check it with Nortel. Nortel could not be reached for comment after hours Monday. The PUC hearing was to continue the next day. Return to the Beginning of this Document F.C.C. Lets Convicted Hacker Go Back on Net WASHINGTON, Dec. 26, 2002 — Kevin Mitnick, once labeled by the federal government as "the most wanted computer criminal in U.S. history", has won a long fight to renew his ham radio license, and next month may resume surfing the Internet. He applied to renew his ham radio license in 1999, while in prison. The Federal Communications Commission ordered a hearing, noting that he once was "the most wanted computer criminal in U.S. history." Richard Sippel, an administrative law judge with the commission, granted the license in a ruling made public on Monday. Mr. Mitnick, who began using ham radios when he was 13, said it cost him more than $16,000 in legal expenses to persuade the commission to renew his license. Typically, renewals are free. The hacker, Kevin Mitnick, 39, of Thousand Oaks, Calif., served five years in federal prison for stealing software and altering data at Motorola, Novell, Nokia, Sun Microsystems and the University of Southern California. Prosecutors accused him of causing tens of millions of dollars in damage to corporate computer networks. Mr. Mitnick was freed in January 2000. The terms of his probation, which expires on Jan. 20, 2002, require that he get government permission before using computers, software, modems or any devices that connect to the Internet. His travel and employment also are limited. He has been allowed to use a cellphone and received permission this year to type a manuscript on a computer not connected to the Internet. "Not being allowed to use the Internet is kind of like not being allowed to use a telephone," Mr. Mitnick said today in a phone interview. He said he was starting a company to help companies protect themselves from computer attacks. Christopher Painter, deputy chief of the Justice Department's computer crime section and the former assistant United States attorney who prosecuted Mr. Mitnick, said that once Mr. Mitnick's probation is over, he will not be subject to any special surveillance. Mr. Mitnick led the Federal Bureau of Investigation on a three-year hunt that ended in 1995 when agents arrested him in an apartment in Raleigh, N.C., with help from a top security expert. During the chase, Mr. Mitnick continued breaking into computer networks and became a cult figure among hackers. Return to the Beginning of this Document Kevin Mitnick publishes "The Art of Deception" While still in prison, Kevin, along with William Simon, gets his informative book, The Art of Deception published by John Wiley and Sons. The publication date is listed as October 4, 2002. Mitnick often used social engineering to get people in companies to reveal privileged and private information. In The Art of Deception, Mitnick takes the reader through a series of multi-stage situations where the hacker gets employees to reveal company privileged information. His claim is "people are the weakest part of a company's computer security." After the lengthy and informative series of social engineering episodes, Mitnick finishes the book with a serious discussion of security policy for dealing with social engineering. This material is interesting and useful, and has not been published before in such a wide and understandable format. The security advice is thus quite valuable, and makes the book a good read for the security practitioner. Return to the Beginning of this Document Kevin released from Prison 01/21/2003 Kevin was released from prison on January 21, 2003. Since his release from prison, Mr. Mitnick has appeared on television, as an expert witness in the courtroom and before Congress, offering advice about computer security. He also appeared in the WebCast, "From Chaos to Control" first given in February, 2003. The webcast can still be heard at the link http://www.netiq.com/netiqtv/security/chaostocontrolWebcast.asp Return to the Beginning of this Document