Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker




EMERGENCY.
Grabbing my cell phone, programmed as always to a new cloned
number that can’t be traced back to me, I call the hotel and ask the operator
to page “Mary Schultz.” My mother must be standing by the hotel phones
waiting for the page, because she comes on the line in less than a minute.
“What’s wrong?” I ask.
“Kevin, go get a copy of the New York Times right now. You’ve got to
go right now.”
“What’s going on?”
“You’re on the front page!”
“Shit! Is there a photograph?”
“Yes, but it’s an old picture—it doesn’t look like you at all.”
Not as bad as it might have been, I decide.
I go back to sleep, thinking, This makes no sense. I haven’t stolen
millions from a bank electronically, like Stanley Rifkin. I haven’t crippled
the computers of any company or government agency. I haven’t stolen credit
card data and run up bills on other people’s cards. I’m not on the FBI’s Ten
Most Wanted list. Why would the country’s most prestigious newspaper be
running a story about me?


At about 9:00 a.m., I wake up again and go out to find someplace that
carries the New York Times—not so easy in the part of Seattle of my
by-the-week motel room.
When I finally see the paper, I’m stunned. The headline jumps off the
page at me:
Cyberspace’s Most Wanted: Hacker Eludes F.B.I. Pursuit
I start reading the article and can’t believe my eyes. Only the first phrase
of the story is pleasing to me, crediting me with “technical wizardry.” From
there, John Markoff, the Times reporter who has written the article, goes on
to say that “law-enforcement officials cannot seem to catch up with him,”
which is sure to burn Agent Ken McGuire and company and embarrass the
hell out of them with their superiors—and make them all the more focused
on finding me.
This false and defamatory article then claims that I wiretapped the FBI—I
didn’t. And that, foreshadowing the 1983 movie War Games, I broke
into a North American Aerospace Defense Command (NORAD)
computer—not only something I never, ever did but also a near impossible
proposition for anyone, given that the agency’s mission-critical computers
are not connected to the outside world, and thus immune from being hacked
by an outsider.
Markoff has labeled me “cyberspace’s most wanted” and “one of the
nation’s most wanted computer criminals.”
And all of this on Independence Day, when red-blooded Americans feel
greater national fervor than on any other day of the year. How people’s fear
of computing and technology must have been brought to the boil as they ate
their sunny-side-ups or their oatmeal and read about this kid who was a
threat to the safety and security of every American.
I would find out later that one source of these and other blatant lies was
a highly unreliable phone phreaker, Steve Rhoades, who had once been a
friend of mine.
I remember being in a state of semishock after reading the article, trying
to take in one statement after another that simply wasn’t true. With this one
piece, Markoff single-handedly created “the Myth of Kevin Mitnick”—a
myth that would embarrass the FBI into making the search for me a top
priority and provide a fictional image that would influence prosecutors and
judges into treating me as a danger to national security. I couldn’t help
recalling that five years earlier I had refused to participate in a book
Markoff and his then-wife, Katie Hafner, wanted to write about me and
some other hackers, because they wanted to make money from my story
while I myself would make no money from it. It also brought back
memories of John Markoff telling me in a phone call that if I didn’t agree to
an interview, anything anyone else said about me would be considered
truthful since I wasn’t there to dispute it.
It was scary as hell to discover I had become such an important target
for the Feds.
At least the photograph was a gift. The Times had used a copy of my
mug shot from 1988, the one taken after I had been held in Terminal Island
Federal Prison for three days without a shower, a shave, or a change of
clothes—my hair a mess, me looking grubby and unkempt and like some
homeless street person. The guy staring back at me from the front page of
the newspaper was puffy-faced, weighing maybe ninety or a hundred
pounds more than I did on that July Fourth.
Even so, the article ratcheted my paranoia level up more than a few
notches. I started to wear sunglasses religiously, even indoors. If anyone
asked, “What’s with the shades?” I just said that my eyes had become
ultrasensitive to light.
After a quick run-through of the Apartments for Rent listings in the local
paper, I decided to look for something in the “U District,” near the
University of Washington, expecting it might be like LA’s attractive, lively
Westwood area, adjacent to UCLA. I settled on a basement apartment,
telling myself that even though it was dumpier than the motel I was in, it
made sense for the time being because it was cheap. The building was
owned by a single proprietor named Egon Drews and managed by his son
David. Happily, Egon was a trusting soul who wasn’t going to bother with a
credit or background check that a management company would have
required.
The neighborhood turned out not to be a very good choice. This was no
pleasant, sunny Westwood but instead a down-scale, seedy section of town,
full of street beggars. Maybe I could do better once I had a steady job. But
at least there was a YMCA nearby so I could keep up my almost daily
workouts.
One of the few highlights of the U District for me was a clean and
inexpensive Thai restaurant that offered tasty food and a cute Thai waitress.
She was friendly, with a warm smile, and we dated a few times. But my old
fear still lingered—the danger that in a close relationship, or in the glow
after a few minutes of passion, I might let slip something that would give
me away. I continued eating at the restaurant but told her I was too busy for
a relationship.
No matter what else I was doing, I always had hacking to keep my mind
occupied. That was how I discovered that Neill Clift, the finder of bugs in
DEC’s VMS operating system, was using an email account on a system
called Hicom, at Loughborough University in England.
Interesting! I had almost given up on Clift because I had discovered that
DEC had given him a Vaxstation 4000 and was paying him 1,200 British
pounds annually (that’s cheap) to find security bugs with it. After that, I
hadn’t expected him to use any other systems except maybe at work or at
home for email. Maybe this was my lucky break.
After a little digging around, I learned that Hicom was a public-access
system and that anyone could apply for an account. Once I was set up with
my own account, I exploited a security hole that Neill evidently didn’t
know about, gaining full control of the system, with the same rights and
privileges as a system administrator. I was very excited but didn’t anticipate
that I would find much, since I doubted he would be careless enough to
send DEC his security findings from a public system.
The very first thing I did was grab a copy of Neill’s email directory and
look through each and every file. Damn! Nothing interesting—no bugs! I
was disappointed. So close and yet so far. And then I had an idea: maybe he
was sending emails and then deleting the messages immediately afterward.
So I checked the system mail logs.
My eyes lit up: the mail log files showed that Neill was sending
messages to some guy named Dave Hutchins at DEC, sometimes two or
three of them in a single week. Shit! I really wanted to see the contents of
those messages. At first I figured I would examine all the deleted file space
on the system’s disk looking for the deleted emails to Hutchins, but then I
came up with a better plan.


By reconfiguring the mail exchanger on Hicom, I could rig it so that
whenever Neill sent a message to any email address at DEC, it would be
redirected to an account I had hacked at USC. It was like adding call
forwarding on all “dec.com” email addresses to forward to my account at
USC. So I actually would be catching all emails sent to any “dec.com”
address from anyone on Hicom.
My next challenge was to find an effective means of “spoofing” emails
to Clift so they would look as if they were coming from DEC. Rather than
spoofing messages over the Internet—a step that could be spotted if Neill
looked closely at the email headers—I wrote a program that forged the
email from the local system so I could spoof all the headers as well, making
the deception virtually undetectable.
Every time Neill sent a report of a security hole to Dave Hutchins at
DEC, the email would be redirected to me (and only me). I would soak up
every detail and then send back a “thank-you” message that would appear
to have been sent by Hutchins. The beauty of this particular hack—known
as a “man-in-the-middle” attack—was that the real Hutchins, and DEC,
would never receive the information Neill sent them. This was so exciting
because it meant, in turn, that DEC would not be fixing the holes anytime
soon, since the developers wouldn’t know about the problems—at least not
from Neill.
After spending several weeks waiting for Neill to get busy with his bug
hunting, I became impatient. What about all the security bugs I’d already
missed? I wanted every one of them. Attempts to break into his system over
dial-up were unlikely to work because there wasn’t much I could do at a
log-in prompt but guess passwords, or maybe try to find a flaw in the log-in
program itself, and he surely had security alerts enabled for log-in failures.
A social-engineering attack via the telephone was out of the question
because I knew Neill would recognize my voice from a couple of years
earlier. But sending believable fake emails could win me all the trust and
credibility I would need to get him to share his bugs with me. There was a
downside, of course: if he caught on, I would lose access to all his future
bugs because he would certainly figure out that I had compromised Hicom.
But what the hell? I was a risk taker. I wanted to see if I could pull it off.
I sent Neill a fake message from Dave Hutchins, advising that Derrell
Piper from VMS Engineering—the same guy I’d pretended to be when I
called him the last time—wanted to communicate with him via email. VMS
Engineering was ramping up its security processes, I wrote, and Derrell
would be heading up the project.
Neill had in fact communicated with the real Derrell Piper several
months earlier, so I knew the request would sound plausible.
Next I sent another faked email to Neill posing as Derrell, and spoofing
his real email address. After we exchanged several messages back and
forth, I told Neill that “I” was putting together a database to track every
security issue so DEC could streamline the resolution process.
To build further credibility, I even suggested to Neill that we should use
PGP encryption because we didn’t want someone like Mitnick reading our
emails! Soon thereafter we had exchanged PGP keys to encrypt our email
communications.
At first I asked Neill to send me just a list of all the security holes he had
forwarded to DEC over the past two years. I told him I was going to go
through the list and mark the ones I was missing. I explained that VMS
Engineering’s records were disorganized—the bugs had been sent to
different developers, and a lot of old emails had been deleted—but our new
security database would organize our efforts to address these problems.
Neill sent me the list of bugs I requested, but I asked for only one or two
of the detailed bug reports at a time to avoid any suspicion on his part.
In an effort to build even more credibility, I told Neill I wanted to share
some sensitive vulnerability information with him since he had been so
helpful. I had the details of a security hole that another Brit had found and
reported to DEC a while back. The bug had made big news when it hit the
media, and DEC had frantically sent out patches to its VMS customers. I
had found the guy who discovered it and persuaded him to send me the
details.
Now I sent the data to Clift, reminding him to keep it confidential
because it was DEC proprietary information. For good measure, I sent him
two more bugs that exploited other security issues he didn’t know about.
A few days later, I asked him to reciprocate. (I didn’t directly use that
word, but I was counting on the effectiveness of reciprocity as a strong
influence technique.) I explained it would make my life much easier if, in
addition to the list, he could send me all the detailed bug reports he had
submitted to DEC over the last two years. Then, I said, I could just add
them to the database in chronological order. My request was very risky. I
was asking Neill to send me everything he had; if that didn’t raise his
suspicions, nothing would. I waited a couple of days on pins and needles,
and then I saw an email from him, forwarded to my USC mailbox. I opened
it up anxiously, half-expecting it to say, “ ‘Good try, Kevin.’ ” But it
contained everything! I had just won the VMS bug lottery!
After getting a copy of his bug database, I asked Neill to take a closer
look at the VMS log-in program, Loginout. Neill already knew that Derrell
had developed the Loginout program and I was curious to know whether he
could find any security bugs in it.
Neill emailed me back some technical questions about Purdy
Polynomial, the algorithm used to encrypt VMS passwords. He had spent
months, maybe even years, trying to defeat the encryption algorithm—or
rather, optimizing his code to crack VMS passwords. One of his queries
was a yes/no question about the mathematics behind the Purdy algorithm.
Rather than research it, I just guessed the answer—why not? I had a fifty-
fifty chance of getting it right. Unfortunately, I guessed wrong. My own
laziness resulted in revealing the con.
Instead of tipping me off, though, Neill sent me an email claiming that
he had found the biggest security bug to date—in the very VMS log-in
program I had asked him to analyze. He confided that it was so sensitive
that he was willing to send it to me only
