Ghost in the Wires: My Adventures as the World's Most Wanted Hacker

by Kevin D. Mitnick

The grievance process also made for an interesting read: an inmate could ask for a series of hearings, ending with one at which an outside arbitrator came to listen to the f...

When it came my turn to speak, I said, “Let me show you the current revision of the manual that these folks have not turned over to you.” And I made a fervent appeal that I wanted to rehabilitate myself.

The arbitrator looked at the dates on the pages that the counselor had submitted, and looked at the dates on the pages from me. And he actually winked at me. He ordered them to send me to a facility with a college program. They sent me to Karl Holton, in Stockton, east of San Francisco. Still a very long way from home, but I felt I had won, and felt very proud of myself. Looking back, I’m reminded of the lyrics from that Tom Petty song: “You could stand me up at the gates of hell but I won’t back down.”

I was given early release after only six months. When my Conditions of Release document was being prepared, I was asked, “What condition can we put on you that you won’t keep hacking?” How could I answer that? I said, “Well, there’s ethical hacking and there’s unethical hacking.” “I need some formal language,” was the reply. “What can I put down?”

Star Wars came to mind. I said, “You could call it ‘darkside hacking.’ ” That’s the way it was entered into my Conditions: “No darkside hacking.” I think it was an LA Times reporter who somehow came upon that term. It got picked up and widely reported by the press; it became a kind of nickname for me. Kevin Mitnick, the Darkside Hacker.

After my release, a cop called me, giving his name as Dominick Domino and explaining that he was the guy who had driven me to juvenile hall when I was picked up at Fromin’s. He was working on an LAPD training video about computer crime. Would I...

It came as a real shock one day when my Parole Officer, Melvin Boyer, called to say, “Kevin, have a big breakfast, eat all you can, then come in to see me.” That could only mean one thing: trouble.

For me, it was a game. I’d later learn that a guy in the animal house group who must have had some grudge against me had called the Youth Authority Parole Office to complain I had hacked into his company’s network. I hadn’t. But the guy worked for Xerox, which I guess made him credible.

Instead, I was immediately handcuffed by the supervisor as they whisked me away out the side door to a waiting car. I yelled to my mom that they were sneaking me out the side and arresting me for something I hadn’t even done.

Now it was a week later and where am I but at the same Van Nuys jail, where thanks to my favor for Uncle Mitchell, I can make all the calls I want, free. I stayed on the phone all night.

Parolees have very limited rights, and the board members would only need to believe I probably did whatever I was being accused of; the evidence didn’t have to meet the standard of “beyond a reasonable doubt” as in a criminal trial.

Then things went from bad to worse. They transferred me to LA County Jail, where I was greeted by being told to strip naked so they could spray me with insecticide. I was led to a dormitory that scared the hell out of me.

didn’t know whom to be more frightened of: the really dangerous guys who looked like they’d steal an eyeball if they got the chance, or the crazy guys who could hurt ...

I was twenty years old but, thanks to the probation, still under the jurisdiction of the Youth Authority. This was my third time in Norwalk Reception Center; some of the guards were like old friends.

In my appearance before the parole board, they obviously didn’t take the charge too seriously, maybe because there was no evidence but a report from the Parole Officer based on a single complaint.

said I wanted one “as a gift for my uncle, who’s with the LAPD.” It cost $75 but it was amazing, like finding the Holy Grail: it had the picture of every LAPD officer, even the undercover guys assigned to organized crime.

I wonder if they still put that book out every year… and sell a copy to anyone who shows up with cash in hand.

One day on the way to lunch with a young lady from work, I spotted a bunch of guys in suits who looked like cops, then recognized one as my Parole Officer and another as one of the guys who had searched my car years earlier for the “logic bomb.”

I ducked down and asked her to please drive out in a hurry because I needed to make an important call. From a pay phone, I dialed the LAPD’s West Valley Division and asked to be transferred to records. “This is Detective Schaffer,” I said. “I need to check a subject for any hits, local and in NCIC” (the FBI’s National Crime Information Center). “Mitnick, that’s M-I-T-N-I-C-K, Kevin David. The subject’s DOB is 8-6-1963.”

“Yes, I have a hit on him. It looks like a violation warrant issued by the CYA.” Fuuck! But at least they didn’t get to arrest me. I called my mom and said, “Hey, I’m at 7-Eleven, we should talk.”

It was a code I had established with her. She knew which 7-Eleven, and that I needed to talk because I was in trouble. When she showed up, I told her the story and that I needed a place to stay until I decided what I was going to do. Gram worked out with her friend Donna Russell, the lady who ha...

Still, hey, “Where there’s a will…” I found a provision that said that for a nonviolent crime, the jurisdiction of the Juvenile Court expired either when the defendant turned twenty-one or two years after the commitment date, whichever occurred later. For me, that would mean two years from February 1983, when I had been sentenced to the three years and eight months.

Scratch, scratch. A little arithmetic told me that this would occur in about four months. I thought, What if I just disappear until their jurisdiction ends?

I called my attorney to try out the idea on him. His response sounded testy: “You’re absolutely wrong. It’s a fundamental principle of law that if a defendant disappears when there’s a warrant out for him, the time limit is tolled until he’s found, even if it’s years later.” And he ...

pleaded with him to look into it, which annoyed him, but he finally agreed. When I called back two days later, he had talked to my Parole Officer, Melvin Boyer, the compassionate guy who had gotten me transferred out of the dangerous jungle at LA County Jail. Boyer had told him, “Kevin is right. If he disappears until February 1985, there’l...

And then lectured how naive the suspects were to talk to the police without a lawyer. He once said, “Most criminals believe they can talk their way out of trouble.” I smiled, knowing that was great advice. It amused me to wonder what he would have thought if he had found out that a student sitting in the front row of the class had a fugitive warrant out for him.

Within days, I was back in Los Angeles, full of anticipation. Lenny DiCicco had landed a job at Hughes Aircraft as a computer operator and he was eager for me to come over and visit. Even better, Lenny said he had something to share with me, something he didn’t want to tell me over the phone. I wondered what it could be.

In his time at Hughes Aircraft, Lenny DiCicco told me, he had become buddy-buddy with a lady security guard. I was to come see him on a night when this lady would be on duty, and say I was a DEC employee. When I showed up, she signed me in with a wink, not asking to see any ID.

He led me to a Hughes VAX computer that had access to the Arpanet, linking a collection of universities, research labs, government contractors, and the like. Typing commands, he told me he was accessing a computer system called Dockmaster, which was owned by the National Computer Security Center (NCSC), a public arm of the supersecret National Security Agency. We were elated, knowing that this was the closest we’d ever come to establishing a real connection to the NSA.

Bragging about his social engineering, Lenny said he had pretended to be a member of the National Computer Security Center’s IT Team and conned a worker there named T. Arnold into revealing his credentials to the system. Lenny was practically dancing with pride. He was still such a geek, it seemed like he must be high on some great dope when he boasted, “I’m as good a social engineer as you are, Kevin!”

A Federal Pell Grant plus a student loan paid my way, and my mom came up with the bread for some of the extra expenses. The school required male students to wear a suit and tie to class every day. I hadn’t dressed like that since my bar mitzvah at age thirteen, and now, since I was twenty-three and fairly beefed out, that suit would have been a pretty miserable fit. Mom’s cash paid for two new suits.

I really enjoyed programming in “assembler language,” more challenging because the programmer has to master many technical details, but yielding much more efficient code that uses a much smaller memory footprint.

Coding in this lower-level language was fun. It felt like I had more control over my applications: I was coding much closer to the machine level than using a hig...

The classwork was routine to somewhat challenging, but also fascinating. I was doing what I loved: learning more about computer systems and programming. When the subject of hacking came up...

Every time I figured out a new way of getting into the company’s switches, somebody there would eventually figure out a way of blocking my access. I’d

use the dial-up numbers that RCMAC was using to connect to various switches to process service orders and they’d catch on, then change the dial-up numbers or restrict them so I couldn’t dial in. And then I would remove the restriction when they weren’t paying attention.

Their constant interference had gotten to the point where hacking into Pacific Bell switches was ...

Then I got the idea of trying out a higher-level approach: attacking their Switching Control Center System, or SCCS. If I could do that, I’d have just as much control as if I’d been sitting in front of the switches themselves, able to do whatever I wanted without having to social-engineer...

I started with an attack aimed at the SCCS at Oakland, in Northern California. On my first call, I planned to say I was from ESAC (the Electronic Systems Assistance Center), providing support for all the SCCS software deployed throughout the company. So I did my research, coming up with the name of a legit ESAC worker, then claiming, “I need to get into the Oakland SCCS...

Oops, this was a system with “dial back” security: you had to enter a phone number and wait for the computer to ring you back. What now? “Look, I’m off-site at a remote office,” I said off the top of my head. “So I won’t be able to take a callback.” I had magically hit on a reasonable-sounding excuse. “Sure, I can program it to bypass the dial back when you log in with your username,” he assured me—defeating the company’s elaborate security that would otherwise have required that I be at an authorized callback number.

Lenny joined me in the SCCS break-in effort. Each one we got into gave us access to five or six central-office switches, with full control over them, so we were able to do anything a tech who was in the CO could do, sitting at the switch. We could trace lines, create new phone numbers, disconnect any phone number, add/remove custom calling features, set up traps-and-traces, and access logs from traps-and-traces.

Lenny and I put a huge amount of time into this, from late 1985 through much of 1986. We eventually got into the switches for all of Pacific Bell, then Manhattan, then Utah and Nevada, and in time many others throughout the country.

Among these was the Chesapeake and Potomac Telephone Company, or C&P, which served the Washington, DC, area, including all of the DC-based departments of the Federal government as well as the Pentagon.

The National Security Agency temptation was an itch I couldn’t resist. NSA’s telephone service was provided through a phone company switch in Laurel, Maryl...

Using a test function for switch technicians called “Talk & Monitor,” I was able to set up a circuit to listen to random calls in progress.

Hardly able to believe I was actually listening in on the NSA, I was thrilled and nervous at the same time. The irony was great—I was wiretapping the world’s biggest wiretappers.

The government never found out I had gained this access. And I wouldn’t be including it here, except the statute of limitations has long run its course.

For Lenny and me, it was thrilling every time we compromised another SCCS—like getting into higher and higher levels of a video game.

This was the most significant hacking of my career because of the immense control and power it gave us over the phone systems of much of the United St...

Pacific Bell eventually found out about the access we had gained. Yet we were never arrested and charged because, I later learned, company management was afraid of what would happen if others found out what I had b...