Read The Fugitive Game: Online With Kevin Mitnick Online

Authors: Jonathan Littman

Tags: #Non-Fiction, #Biography, #History

The Fugitive Game: Online With Kevin Mitnick (32 page)


"Do you think that's the world we're headed toward?"

"No. It's my world. It's an unfortunate world, but it's better than
being in jail. Why would I have to ever bring it up? What's important
is the future. Shoot, we're only here a maximum seventy, eighty
years, and I'm thirty-one. Who wants to spend it in custody with a
bunch of assholes? It doesn't do me any good. What are they gonna
do, keep you off the streets so you can't hack for a while?"

This is what Eric said a few weeks before he was captured.

"Have you ever wondered why they can't figure out a way to take
people with your talents and supervise you and have you fix things?"

"I dunno," Mitnick mumbles, dubious of the idea. "I think they
tried that with Poulsen, didn't they?"

"Almost but not quite."

"I thought he was damn lucky to get a job with SRI [SRI International,
a think tank and defense contractor in Menlo Park, California].
If I got a job at that bank [Security Pacific], I wouldn't be here
now. I'd probably be rich. I'd probably be driving my Mercedes on
the 405 [freeway]."

Mitnick starts to say good night. "I just wanted to let you know
about that U.S. News & World Report."

"This week's edition?"

"Yep. I'm walking by the newsstand and there's this big badge
and it says 'Cybercop.' I start going whoa! A new movie! And then I
read it's an article on Internet security and how these companies on
the Internet had better watch themselves. ... It said the worst guy in
the world is blah-blah-blah," Mitnick recalls.

"Well, at least you're at the top of your profession."

"Yeah. I mean I'd like to be rich and be famous one day. It's not
nice to be infamous, but to be famous would be nice," Mitnick reflects.
"I've made my mark in history. Now I need the money to go
with it."

"There's an Italian place! I think I'll eat here," Mitnick exclaims,
sounding like he's driving past a restaurant. "I hope it's not too
expensive."

"I didn't even hear the car."

"HONK!"

"You hear the horn?" Mitnick chuckles like a kid. "It's a real car."

"Why's the connection so good?"

" 'Cuz I have it routed. No, I dunno. I guess the high bills I pay on
my cellular phone, I deserve a good connection."

"You're gonna love this," I tell Mitnick. "I was just talking to this
guy ... he doesn't like hackers, and he told me, in China, if you have
someone else's ESN, guess what the penalty is?"

"Death," Mitnick replies.

"I had to go on business like six months ago, flying to D.C.," Mitnick
begins, his voice bubbling with excitement. "So I actually went
on the White House tour."

"You're kidding?"

"No! Could you imagine, all these Secret Service agents?" Mitnick
chuckles at the irony. One of the Secret Service's jobs is to
catch hackers. "They're in uniforms. It's weird they're not in like
suits."

"So Cyberman goes to the —"

"The White House, dude."

"I wanted to get some pictures taken, but I decided that was a bad
idea.

"They didn't have much security," Mitnick observes. "Little did
they know I was there to get into WhiteHouse.gov," Mitnick chortles,
referring to Clinton's Internet site address. " 'Hello, I just wanna see
the computer room, guys.' "

"They're on the Net, right?"

"WhiteHouse.gov. That's one that's secure," Mitnick deadpans.
"I'm just kidding. Any computer is insecure unless you're military."

A day in the life of a cyberfugitive. Five hours of conversation in a
single day, his moods as fleeting as his erratic cellular calls, so much
time that I feel as if I've been following him around. The long calls
provide clues, too; that is if they aren't just misinformation. Hints
that Mitnick recently visited Chicago and, incredibly, the White
House. More than anything, the calls convince me Mitnick is on
edge. He told me in the morning he wouldn't be calling anymore
now that his name had been plastered in U.S. News & World Report
as the nation's most wanted hacker. But instead of silence, the warning
spawned an endless verbal stream of consciousness.

Talking to Mitnick is like trying to tell when a double agent is
telling the truth. And his parting comment about military computers
being secure just makes me wonder. Is he telling me they aren't safe?
That he's hacked military computers, too?

The hacker's given me no reason to believe anything is off-limits.
Mitnick doesn't see anything wrong with invading people's privacy
because he doesn't see computer information as private. He's blind
to his key role in De Payne's harassment program. Does Kevin Mitnick
have a conscience? I'm really not sure. He sees himself in almost
mechanical terms. Mitnick just supplies the information, he doesn't
do anything. I remember the anger and denial in his voice when I
confronted him about his role in the harassment.

Now I have a different theory about Kevin Mitnick and Lewis De
Payne. Perhaps, in the pop psychology of the nineties, they're
co-dependents. The hacker doesn't tell his friend to get lost because on
the anonymous Internet they're electronically linked, two sides of
the same schizophrenic.

A network version of Dr. Jekyll and Mr. Hyde.

Morning, January 20, 1995

"So apparently some guy broke into his workstation."

Kevin Mitnick's on the phone, chuckling, telling me about what
sounds like the hacker breakin of the year. Somebody's hacked the
home computer of Tsutomu Shimomura, the Internet security expert
Mitnick is convinced is an NSA spook bent on putting him behind
bars.

It's the morning of January 20, 1995. And you won't find this
news in the papers.

"He's pretty upset," Mitnick chortles. "They're actually putting
out a big CERT advisory."

"A CERT advisory?" CERT is the Computer Emergency Response
Team, a federally funded team of computer security experts,
headquartered at Carnegie Mellon University.

Mitnick's beside himself, his voice the same high-pitched frenzy as
after he'd hacked Shimomura's friend, Mark Lottor. But this time
Mitnick describes himself as just a spectator.

"That means they actually held a press conference because the
way he was attacked was so sophisticated that no way could anyone
on the Internet protect themselves," Mitnick says with what sounds
like pride.

This is strange. There hasn't been a report of a press conference.
Who or what could Mitnick be talking about?

"But no one knows about the CERT advisory yet," he advises. "It
won't be released until tomorrow. So he's not a happy camper."

This doesn't add up. CERT never releases advance information of
its security advisories. Even when it e-mails international CERT
groups it encrypts the messages. So how could Mitnick have found
out in advance? By snooping on Shimomura's e-mail, or Markoff's?
Or wiretapping their phone calls?

"What was so sophisticated about it?"

"They did it through a TCP/IP prediction packet attack."

"A TCP/IP prediction packet attack?" I ask, not having the slightest
idea what he's talking about.

"Each packet has a sequence number," Mitnick explains, slowing
down for my benefit. "If you can predict the sequence number,
there's a way to impersonate a packet coming from any host. You
have the packet look like it's coming from your internal network or
a trusted host.

"The person [intruder] realized that he was being logged. In other
words that he [Shimomura] was logging all his [the intruder's]
TCP/IP traffic through a TCP/IP dump, but he [the intruder] didn't realize
until recently that he [Shimomura] was emailing out to another site
all his logs on a constant interval. And that's how he [Shimomura]
was able to determine how the attack occurred."

Mitnick seems to know a lot about the intricate details of the
attack.

"You say they had a press conference, what, this morning?"

I can hear a car honking in the background. Mitnick sounds like
he's outside.

"I don't know," Mitnick replies vaguely. "Within the last few
days."

But there was no CERT press conference. Could he be talking
about a "private" press briefing?

■ ■ ■

Three days later, on January 23, Shimomura will describe the attack
in a widely distributed public Internet post. IP source address spoofing
and TCP/IP sequence number prediction are the technical terms
Shimomura uses to describe it, much like Mitnick's description. But
his analysis is extremely technical, and even some UNIX security
experts find it tough going.

That same day, about 2 p.m., CERT will blast out an advisory to
its international mailing list of 12,000 Internet sites in the United
States, Germany, Australia, the United Kingdom, Japan, and other
countries. The vaguely worded report is much less specific than
Mitnick's one-minute explanation on the telephone. Most likely, CERT
is trying to provide enough detail so Internet sites can protect
themselves against future attacks without providing so much detail that it
could encourage copycat attacks.

On one level, the hack is simple, a clever strike at a basic weakness
of the Internet. Computers on the Internet are often programmed
to trust other computers. The Internet was created to
share information, and the attack on Shimomura, just like the Robert
Morris Internet Worm attack seven years before, exploits that
trust.

The Internet has its own way of sending e-mail or files. Messages
or files are split into smaller digital chunks or packets, each with its
own envelope and address. When each message is sent, it's like a
flock of birds that migrates to a planned location and reunites as a
flock at the destination. Computers on the Internet often act like
great flocks of birds that trust one another too. And all it takes is one
enemy bird to infiltrate the flock.

On Christmas Day 1994 the attack begins.

First, the intruder breaks into a California Internet site that bears
the cryptic name toad.com. Working from this machine, the intruder
issues seven commands to see who's logged on to Shimomura's
workstation, and if he's sharing files with other machines. Finger is
one of the common UNIX commands the intruder uses to probe
Shimomura's machine. As a security professional Shimomura should
have disabled the feature. Finger is so commonly used by hackers to
begin attacks that 75 percent of Internet sites, or about 15 million of
the more than 20 million Internet users, block its function to increase
security.

The intruder's making judgment calls on the fly about which
commands will help him uncover which machines Shimomura's
workstation might trust. He works fast. In six minutes he deduces
the pattern of trust between Shimomura's UNIX workstation and an
unknown Internet server.

Then the automatic spoofing attack begins. It will all be over in
sixteen seconds. The prediction packet attack program fires off a
flurry of packets to busy out the trusted Internet server so it can't
respond. Next, the program sends twenty more packets to
Shimomura's UNIX workstation.

The program is looking for a pattern in the initial sequence
numbers — the numbers used to acknowledge receipt of data
during communications. The program deciphers the returned
packets by subtracting each sequence number from the previous
one. It notes that each new initial sequence number has grown
by exactly 128,000. The program has unlocked the sequence number
key.

Shimomura's machine has to be idle for the attack to succeed.
New Internet connections would change the initial sequence number
and make it more difficult to predict the key. That's why the hacker
attacks on Christmas Day.
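
The subtraction check described above, written from the auditing side as an added example (it is not from the book or from any tool the book describes): given initial sequence numbers sampled from a host's replies, it reports whether the increments are constant. The function names, the sample values and the "stepped" case, which models other connections advancing the same counter and so goes beyond the text, are assumptions.

```python
from functools import reduce
from math import gcd

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive sampled ISNs, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def audit_isns(isns, min_step=1000):
    """Return (verdict, step, predicted_next) for a list of sampled ISNs.

    constant:   every delta is identical, so the next ISN is known outright.
    stepped:    deltas share a large common factor (a fixed-increment counter
                that other connections also advanced); still a weak generator.
    no-pattern: neither holds for this sample, e.g. randomised ISNs.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    if len(set(deltas)) == 1:
        step = deltas[0]
        return "constant", step, (isns[-1] + step) % MOD
    step = reduce(gcd, deltas)
    if step >= min_step:
        return "stepped", step, None
    return "no-pattern", None, None


# Constructed samples (hypothetical values, not taken from any capture).
IDLE_HOST = [2021824000, 2021952000, 2022080000, 2022208000]
WRAPPING = [4294900000, 60704, 188704]  # counter wraps past 2**32
BUSY_HOST = [500000000, 500128000, 500384000, 500512000, 500896000]
RANDOMISED = [1000000000, 3654435761, 594036356, 3594036363, 299069004]

if __name__ == "__main__":
    for name, sample in [("idle", IDLE_HOST), ("wrapping", WRAPPING),
                         ("busy", BUSY_HOST), ("randomised", RANDOMISED)]:
        print(name, audit_isns(sample))
```

A host that returns "constant" or "stepped" here is using the kind of counter the chapter describes; a generator that randomises each connection's starting number lands in "no-pattern".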

The attack program sends packets that appear to be coming from
the trusted machine. The packet's return or source address is the
trusted machine's Internet address. Shimomura's workstation sends
a packet back to the trusted machine with its initial sequence number.
But flooded by the earlier flurry of packets, the trusted server is
still trying to handle the earlier traffic. It's tangled up.

Taking advantage of the gagged server, the attacking program
sends a fake acknowledgment. It looks real because it's got the
source address of the trusted server, and the correct initial sequence
number. Shimomura's workstation is duped. It believes it's
communicating with a trusted server.

Now the attacking program tells Shimomura's obedient workstation
to trust everyone. It issues the simple UNIX "Echo" command
to instruct Shimomura's workstation to trust the entire Internet. At
that point, Shimomura's personal and government files are open
game to the world. It's more than a humiliating blow to the security
expert. By making Shimomura's machine accessible from any Internet
site, the intruder has masked his own location. He can return
from anywhere.
