Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker




THIRTY-FIVE


Game Over
2B 2T W 2X 2Z 36 36 2P 36 2V 3C W 3A 32 39 38 2Z W 3D 33 31 38 2V 36 3D W 2R 2Z 3C 2Z W 3E 3C 2V 2X 2Z 2Y W 3E 39 W 2R 32 2V 3E W 2V 3A 2V 3C 3E 37 2Z 38 3E W 2X 39 37 3A 36 2Z 2S 1R
By Tuesday, February 7, a posse was being formed to catch me. Assistant
U.S. Attorney Kent Walker now stepped into the case, meeting with
Shimmy and his girlfriend Julia Menapace, Shimmy’s assistant Andrew
Gross, two FBI agents, and the Well’s vice president and system
administrator, as well as its attorney, John Mendez, who had some special
clout in the room since he had previously been with the U.S. Attorney’s
Office and had been Walker’s boss.
Walker was based in Northern California and had no previous
connection to my case, and according to the record, would be bending rules
and crossing some lines to give Shimmy an extraordinary role through the
following days. It was like some Wild West posse of old, where the U.S.
Marshal deputized civilians to assist him in tracking down a wanted man.
Apparently Walker made a secret arrangement to provide Shimmy with
confidential trap-and-trace information, as well as confidential information
from the FBI files on me. Shimmy could intercept my communications
without a warrant, under the pretense that he was not assisting the
government but rather working only for the Internet service providers. (The
Feds would never charge me with hacking Shimomura; I believe this was
because they couldn’t afford to expose their gross misconduct, which
appeared to violate Federal wiretapping statutes.)
It seems Shimmy appeared to be put in charge of the investigation as a
de facto government agent. This was unprecedented. Perhaps the Feds
figured they would never find me without Shimmy’s vigilante persistence.


My conversation with Littman kept nagging at me. After talking to
Markoff, Littman thought he knew what part of the country I was in. It was
time for me to get access to Markoff’s email and find out what he knew.
Tracing the path was simple: all emails addressed to his “nyt.com”
address were sent to Internex, a small Internet service provider in Northern
California. After probing the Internex Solaris server for a few minutes, I
sighed with relief. The idiot administrating the system exported everyone’s
home directory (using Sun’s Network File System) to everyone on the
Internet, meaning I could remotely mount any user’s home directory—that
is, make the entire directory accessible to my local system. I uploaded a
.rhosts file to a user’s directory—which I configured to trust any user
connecting in from any host, meaning I was able to log in to his or her
account without needing a password. Once logged in, I was able to exploit
another vulnerability to gain root access. It took a total of ten minutes. I
almost wanted to send the system admin a thank-you letter for leaving the
system wide open.
Just that easily, I had access to Markoff’s emails. Unfortunately, he had
set up his email client software to delete the messages after he retrieved
them. Several messages had been left on the server, but they didn’t contain
any information related to me.
I added a little configuration change so any new email sent to Markoff
would also be forwarded to another email address under my control. I was
hoping to uncover his sources—people who might have told him where
they thought I was. I was also eager to find out more about the extent of his
involvement in my case.
While I was doing this, I later learned, Shimmy and his team were
watching. They had been passively monitoring incoming network traffic at
both the Well and Netcom. It was a very easy thing to pull off because the
Internet service providers had given his team full access to their networks.
After setting up surveillance at Netcom around February 7, Shimmy
asked one of the network admins to search the system accounting records of
Netcom, looking for any users who had been logged in at times when the
Well’s accounts were being illicitly accessed by some user at Netcom. The
admin searched through the accounting records by matching the log-ins and
log-outs that had occurred during the intrusions, and was eventually able to
track down one of the accounts accessing the Well from Netcom’s network.
It was the “gkremen” account, and it was mostly being used to dial in to
Netcom through the company’s modems in Denver and Raleigh.
The next day, when I was searching Markoff’s email for anything related
to me, I ran a search for the string “itni” (since searching for the name
“Mitnick” would have been a dead giveaway). But Shimmy and his team
were watching me in real time, and when they saw this search, it confirmed
their suspicions that I was their intruder.
Shimmy contacted Kent Walker and let him know that the intruder was
coming in through dial-up modems in Denver and Raleigh. Shimmy asked
Walker to put a trap-and-trace on the dial-up number to Netcom in Denver
that I had been using. (This was, again, a very unusual request for a civilian
to make of an assistant U.S. attorney: ordinarily, only law enforcement
agencies make such requests.)
Walker contacted the FBI in Denver, and Denver checked with the Los
Angeles FBI office for an okay. But the LA office wanted Denver to stay
out of it. Instead, in what sounds like an intra-agency turf war, an agent at
the LA office told the people in Denver they were not to assist with setting
up a trap-and-trace. They all wanted a piece of me. If I’d known about the
squabbling at the time, I might have been able to use it to my advantage.
As soon as “gkremen” logged on from Raleigh, Shimmy’s team asked
an FBI agent to contact General Telephone, the telephone company that
provisioned Netcom’s dial-up numbers in Research Triangle Park, and
request that the call be traced in real time. After a couple of attempts,
General Telephone’s technicians completed a successful trace. They passed
on the number to the FBI and advised that it was originating from Sprint’s
cellular network.
But this wasn’t information that would lead my pursuers anywhere. To
provide an extra layer of protection, I had previously set up what I call a
“cut-out number.” The first part of this involved hacking into a phone
company switch, finding an unused phone number, and adding call
forwarding to the line. Then I set a different billing number in the switch so
any calls placed from that number would appear to be originating from the
billing number rather than the actual number. Why? I had discovered a flaw
in the switch software: it would sometimes report not the actual phone
number that a call was originating from, but the billing number. So if phone
company techs tried to trace some of my calls, they might not immediately
discover my cut-out number—the number I was routing my calls through—
but instead would come up with a phone number assigned to some random
customer I chose. I knew that some switch technicians were not even aware
that a trace might report the billing number, which gave me an
extraordinary extra level of protection. In any case, in my experience, the
phone companies never caught on to my using a cut-out number to make it
harder to trace where my calls were originating from, because it never
occurred to them that someone might have hacked into their switch.
Several weeks earlier, JSZ had set up an account for me on “escape.com”
(which was owned by his buddy Ramon Kazan) so the two of us could
communicate directly through that system. This had become another of
many entry points I used to connect to the Internet. Since I had root access,
I also stashed numerous hacking tools, exploits, and source code from
various companies I had recently been hacking into. (My account on
escape.com was named “marty,” after the character in the movie 
