Kindle Notes & Highlights
Read between
July 22 - July 27, 2021
The legal picture turned from bad to worse. On top of the criminal charges, SCO filed a $1.4 million lawsuit against me for damages. And ditto against Bonnie.
Then a little sun broke through. It turned out the lawsuits were just for leverage: the opposing lawyers said the folks at SCO would drop the civil suits if I would tell them how I’d hacked in. They had never been able to figure it out.
Of course I agreed, and sat down with a system admin named Stephen Marr, who acted as if he thought we were going to chat like good buddies. I treated it the same way I would have if it had been a deposition: he asked questions, I answered. But there wasn’t all that much to tell. No high-tech hacking secrets. I told him how I had simply called a secretary and schmo...
This highlight has been truncated due to consecutive passage length restrictions.
The criminal charges for the SCO break-in turned out better than I could have hoped. The charges against Bonnie were dropped, and my attorney, who knew the prosecutor, Michael Barton, got me a good deal.
For anyone else—for what was technically a first offense, since my juvenile records were sealed—the case would have been charged as a misdemeanor. But because I was Kevin Mitnick, with a badass reputation, the prosecutor initially insisted on charging me with a felony—even though my trespass into SCO’s network still amounted to only a misdemeanor under the law.
I agreed to admit to the trespass to settle the case and get the charges against Bonnie dropped. I wouldn’t have to serve any jail time, only pay a way-modest $216 fine and be on “summary probation” for thirty-six months—me...
A few days later I drove up to Santa Cruz for the return of the stuff that had been seized. The cops gave me back my computer terminal but not the disks, which worried me because those incriminating disks contained evidence of my hacks into Pacific Bell, among other interesting places. Another box that they did return, though, they must not have looked at very carefully or cared: it held Bonnie’s pot stash and bong pipe. Then again, this was Santa Cruz, with a small-town police department.
There was an aftermath to the Santa Cruz story. As I had feared, the Santa Cruz detectives apparently got around to looking at those computer disks, and turned information over to Pacific Bell about what I had been doing with its systems.
Pacific Bell Security was alarmed enough to generate an internal memo to all managers, which I found out about in a most unlikely way: a Pacific Bell employee named Bill Cook, also a ham operator who frequently used the infamous 147.435 megahertz repeat...
I contacted Lewis De Payne at work and asked him to temporarily reprogram the fax machine there so incoming calls would be answered by a machine that said it belonged to Pacific Bell Security.
Then I dialed into the phone company switch that handled the telephone service for Pacific Bell Security, and reprogrammed the phone line for its fax machine so it would call-forward to the phone number for the machine at Lewis’s work. That took care of the preparations.
I then called the office of Pacific Bell vice president Frank Spiller. His executive secretary answered. I said I was calling from Pacific Bell Security and gave the name of one of the actual security investigators—maybe I said I was Steve Dougherty. I asked, “Did Frank get the memo on the Kevin Mitnick case?” “What’s it about?” she asked. “A...
I said, “I think we sent you an older revision that has since been updated. Can you fax the version you have to me?” I gave her the internal fax number for Pacific Bell Security in Northern California. “Sure,” she said. “I’ll do it right now.” As soon as Lewis got the fax, he refaxed it to me, then he and I both undid our s...
I imagine a lot of people in the company must have been more than a little upset to find out how deeply I had penetrated their systems, bypassing all of their elaborate security safeguards.
Several months later, by the fall of 1988, I was back at work with Don David Wilson at Franmark. Bonnie was still at GTE, though she was sure their security department had tried to find evidence that she had been hacking into company computers.
Our living with my mom turned out to be a bad idea. As eager as she was to make it work for us, we simply had no privacy. Bonnie would later complain, in a personal memo that she left behind at my mom’s, that she was “reluctant and a bit bitter… about it.”
We were growing apart, and I was getting deeper and deeper back into hacking, spending all my days at work at Franmark and my nights almost until sunup with Lenny DiCicco, largely focused on hacking into Digital Equipment Corporation.
One day, Lenny and I went into the student computer room, which had a bunch of terminals connected to a MicroVAX VMS system. We hacked into the machine quickly and obtained all privileges. Lenny had written a script that would allow us to make a backup of the entire system. We had no real use for it: we just planned to treat it as a trophy. So, once we got in, Lenny put a cartridge tape into the computer tape drive, and ran his script to start the backup, and we left. We were going to return for it a few hours later, after the copy had finished.
A bit later as we were walking across campus, I got a page from Eliot Moore, a longtime friend I hadn’t been in touch with for a while. I went to a pay phone to call him back. “Are you at Pierce College?” he asked. “Yes.” “Did you leave a tape in the tape drive?” “Oh, shit… how did you know?” I said. “Don’t go back to the computer room,” he warned me. “They’re waiting for you.” By some strange chance, Eliot had been in the computer lab when the instructor noticed the blinking light on the MicroVAX tape drive. It was obvious that someone had inserted a cartridge tape and was copying some files.
The computer science instructor, Pete Schleppenbach, had immediately suspected us. Eliot overheard the instructor discussing the situation with another staff member and called me right away....
But the LAPD kept an eye on us, positioning their team on the classroom rooftops and trailing us for days. Apparently, attempting to copy student lab work became a top priority. You’d think they’d have more interesting cases to work on. At night, they’d follow us to Lenny’s work, where we stayed at his office hacking until the wee hours of the morning. They knew we were up to no good, but they couldn’t prove anything.
I guess the Pierce College folks were disappointed, and weren’t ready to drop it. I noticed a DEC company vehicle in the college parking lot. So I called the local DEC field office for Los Angeles, said I was from Accounts Payable at Pierce College, and asked what support they were providing at the time. “Oh,” the guy told me, “we’re trying to help you catch some hackers.”
At a terminal in the Pierce computer lab, I was able to examine a memory location from my student account that showed me that all “security auditing” was enabled on my account. Lenny checked his account using the same technique; security auditing was enabled on it, as well. The guy from DEC was closeted in a small room with...
(I discovered this by showing up early one day before the tech arrived and fol...
But I found a way to keep him busy: I wrote a very simple script that listed the files in my directory, over and over. Since the security auditing was designed to send a detailed alert for every file opened or read, I knew his printer would be working nonstop.
I could picture the guy closed up in his tiny room, pulling his hair out that his printer kept running until it was out of paper. And as soon as he would load more paper, the file lists would start printing out again.
A short while later, the instructor pulled Lenny and me out of the computer room and accused us of typing unauthorized commands. I asked, “Is doing a...
Both Lenny and I were sent to the dean for furt...
Over the next several weeks, Pierce’s administrators held a kangaroo court hearing on our case. They still suspected we were behind the hacking incident, but still couldn’t prove it. No eyewitnesses. No fingerprints. No confessions. Nonetheless, Lenny and...
Lenny and I wanted to get the source code for Digital Equipment Corporation’s VMS operating system so we could study it to find security flaws. We would also be able to look for developers’ comments about fixing security problems, which would let us work backward and figure out what those problems were and how we could exploit them.
able to compile parts of the operating system ourselves, so it would be easier for us to install some backdoor patches in the systems we compromised.
Our plan was to launch a social-engineering attack on DEC to get into the VMS development cluster. I got the dial-up number ...
Meanwhile, I went to the Country Inn hotel near his office and used a pay phone to call Lenny. Once I had him on the line on one phone, I used another pay phone to call DEC’s main number in Nashua, New Hampshire, where its labs and developers were. Then I stood there between the two phones with a receiver held up to each ear.
When I called that department, I used the name of someone in development and asked if operations supported the “Star cluster” group of VMS systems that were used by VMS development. The DEC employee said yes. I then covered that mouthpiece with my hand and spoke to Lenny through the other one, telling him to dial the modem number.
Because she wasn’t keying in usernames or passwords, she didn’t think anything about what I was asking her to do. She should’ve known what a spawn command did, but apparently operators rarely used it, so evidently she didn’t recognize it.
As soon as the operator typed in the command, a “$” prompt appeared on Lenny’s terminal. That meant he was logged in with the full privileges of the operator. When the “$” showed up, Lenny was so excited that he started shouting into the phone, “I’ve got a prompt! I’ve got a prompt!”
Lenny immediately checked to see if security audits were enabled. They were. So rather than setting up a new account for us, which would have raised suspicions by triggering an audit alarm, he just changed the password on a dormant account that had all system privileges. Meanwhile, I thanked the operator and told her that she could log out now.
At that point, we uploaded a small tool designed to disable any security audits in a way that wouldn’t trigger an alarm.
We knew he also worked with VMS security issues, so we figured his email would be a good place to look for information about the latest security issues DEC was trying to fix.
he was very skilled at finding vulnerabilities in the VMS operating system, which he faithfully alerted DEC to. What he didn’t realize was that now he was alerting me as well.
This laid the groundwork for what would prove to be a goldmine for me.
Their VMS Loginout patch also modified the log-in program in several ways, instructing it to secretly store user passwords in a hidden area of the system authorization file; to cloak the user with invisibility; and to disable all security alarms when anyone logged in to the system with a special password.
Several weeks later, I received a packet of printouts detailing some of the hacks the group had created that weren’t already in the public domain.
Because Lenny always worked at companies that had VMS systems, we were able to test our patches on his work systems and deploy them into systems we wanted to maintain access to.
After some major DEC clients were compromised, the company’s programmers wrote a security tool that would detect the Chaos patch. Lenny and I located the detection software and analyzed it, then simply modified our version of the Chaos patch so DEC’s tool wouldn’t be able to find it anymore.
If locating the code wasn’t hard, transferring it was. This was a lot of code. To reduce the volume of code, we compressed it. Each directory contained hundreds of files. We’d compress all of them in a single file and encrypt it, so that if anyone found it, it would look like garbage. The only way to retain access to the files so we’d be able to study them at leisure was to find systems on DEC’s Easynet that connected to the Arpanet, giving us the ability to transfer them outside DEC’s network. We only found four systems on Easynet that had Arpanet access, but we could use all four to move the code out piece by piece.
Trying to store it all in one location would run too big a risk of being detected. So we began spending a lot of time hacking into systems on the Arpanet, looking for other safe “storage lockers.” It began to feel like getting the code from DEC was the easy part, while the big challenge was figuring out where to stash copies of it.
We also tried to set ourselves up on the computer systems at the Jet Propulsion Laboratory, in Pasadena, California, using our customized version of the Chaos patch.
JPL eventually realized one of their systems had been compromised, possibly because they were watching for any unauthorized changes to the VMS Loginout and Show programs.