The Fugitive Game: Online With Kevin Mitnick (50 page)

Authors: Jonathan Littman


Mired in vulnerable UNIX technology like all Internet providers,
the Well is wide open to a number of attack techniques. And Katz is
the first to admit the Well's technology lags behind most Internet
providers. The Well doesn't even provide access to the World Wide
Web, the Internet's navigator for widely dispersed pictures, sound,
video, and text. The Well's interface is right out of the 1970s, complete with cryptic UNIX shell commands. Subscribers join the Well
and rub shoulders with an eclectic mix of journalists, hackers, industry
insiders, and libertarians. It's a hip cafe in cyberspace, a place to
chat with a select crowd and make contacts with movers and
shakers. The Well isn't a computer or its stored online conversational
threads. It's an attitude, an outlook, a style.

The current break-ins are prodding the Well to do what it probably
should have done long ago: junk its outmoded computers for a
$120,000 SPARC computer, spiff up its interface software, and join
the rest of the Net. Stroud empathizes with Mitnick's predicament.
But she wonders. What may happen if the hacker discovers they're
helping out the FBI? What if Mitnick decides he wants revenge?
Stroud wants the new computer and system up and running as soon
as possible.

"We can only do this for so long," Stroud warns Walker. "You've
got about a week before we get our new SPARC computer and move
everything over. We can't continue to monitor forever."

Walker listens carefully to Stroud's concerns. That's why he's here
today, to see how he can help.

"What do you need?" Walker asks Shimomura.

The two men talk for several minutes, and Walker is clearly taken
with Shimomura. He's spied his little Palmtop computer, which
seems to Walker to have "all the relevant information in the universe,"
this sort of "great cyberspace briefcase." But it's Shimomura's
aura that strikes Walker, "his laser-like focus on the issues."
All of the technical people Walker knows consider Shimomura
a genius, and Walker himself is no novice to high-tech investigations.
He lays claim to the nation's first antipiracy prosecution and also
worked on the Kevin Poulsen case.

Mendez, for his part, is impressed by the federal cooperation
Walker is willing to provide. Telephone records. Quick telephone
traps and traces. If Shimomura wants something, Walker will make
sure he gets it. Walker knows Markoff has lots of good inside information,
so he punches up the New York Times San Francisco bureau
number and puts the reporter on speakerphone. Months later,
Walker won't be able to recall whether it was his idea or Shimomura's
to include the reporter in the investigation. The federal prosecutor
asks Markoff to fill in the group about Mitnick's background,
his personal quirks, his travel habits. And most importantly, when
the hacker is most likely to be online.

The Assistant U.S. Attorney sees nothing unusual about asking a
reporter to actively assist a federal investigation. He knows Markoff's
information is good. Markoff tells how Mitnick eluded capture
in Seattle by picking up law enforcement calls on a cellular scanner.
Markoff describes Mitnick's habit of riding Greyhound buses.
Markoff chats about the people Mitnick associates with, and gossips
about De Payne, who he says is currently dating Mitnick's ex-wife.
Markoff even banters with Walker about the FBI's suspicion that the
hacker has been hiding out in Colorado.

Ten minutes later, Kent Walker thanks the New York Times reporter
for all of his help and says goodbye. "He was called, he participated,"
said John Mendez, the former U.S. Attorney in San
Francisco.




The next afternoon, Wednesday, February 8, John Markoff arrives
at the Well at about two o'clock. He won't leave for two hours.

Shimomura is talking excitedly about how someone left him a
taunting voice mail. "We were all huddling around listening to this
[tape recording]," recalls Mark Graham. "Tsutomu was wired. I remember
leaning over trying to listen to the voice mail. Markoff was
just trying to get the background, writing notes, trying to get the
chronology of facts."

No one seems to think it strange that the New York Times reporter
knows more about the secret investigation than the Well's
own staff. "You have to realize things were happening awfully fast,"
says Katz. "I didn't think we needed a confidentiality agreement
with Markoff."

Claudia Stroud says hello, and Markoff chats with the Well's public
relations man. Stroud doesn't consider asking why Markoff is
there. He's a customer, one of the celebrities on the Well.

Markoff greets Hua-Pei Chen and Mark Graham, but he spends
most of his time talking with Shimomura about the investigation.
The threats on his voice mail aren't the only thing Shimomura finds
interesting. Back on February 1, at 7:20 p.m., Chen watched the
hacker roam the bowels of the Well, enter a subscriber's home directory,
and type "grep" on the subject line in the mailbox, searching
for any file containing the letters "itni." Two days later, on February
3, at 6:07 p.m., she watched the hacker grep the subject line of the
subscriber's e-mail again. Then, on February 5, at 1:27 a.m., the
hacker did something different. He had root access and could do
whatever he wanted. He entered the subscriber's home directory and
sent a message the subscriber was not likely to miss. After all, how
often do people send themselves e-mail?

On February 8, the monitoring group remains intrigued by the
unusually addressed e-mail. It's the only e-mail message they've
found that Mitnick left for someone at the Well. Shimomura finds it
puzzling. So does Markoff. The reporter tries to make sense of it.
Mitnick seems to have a secret communication channel with Jon
Littman, a journalist Markoff happens to know.

"We all thought it was interesting," says Chen. "It was out of the
ordinary. We all said, however, that we shouldn't look at it."

■ ■ ■

Markoff calls Robert Berger, chief technology officer of Internex Securities,
a tiny Menlo Park, California, Internet provider, and tells
him he has a security problem. Markoff explains that Mitnick has
broken into his Internex e-mail account, and that "Tsutomu" is
working "on tracking it down." Markoff would later say that Shimomura
phoned Berger first, and that Markoff phoned as a reporter,
and out of concern for his own e-mail. Berger, when reinterviewed,
said, "I think the person I first actually talked to was Markoff, but
Tsutomu might have left a voice mail originally."

The investigators are already in contact with Mark Seiden, a security
consultant to Internex and a close friend of Mark Lottor and
Shimomura.

What happens next is extraordinary. Mark Seiden transfers and
copies 100-plus megabytes of files stashed on the Well.

"I figured rather than nickel-and-dime, I would transfer [the
intruder's] whole tool kit and figure out what else was in his bag of
tricks," says Seiden. "Shimomura and Gross were up to their necks
trying to write tracking programs." Seiden says he transferred the
file from the Well to an Internex machine "using the same methods
the intruder was using."

The Well doesn't even know it's happening. Nor the FBI.

Seiden starts digging around the intruder's loot, and soon finds
something interesting: a huge chunk of the customer data base of
Netcom, an Internet provider in San Jose, California — over 30,000
customer records and 21,600 credit card numbers. "It was pretty
old, from January or February of '94," says Seiden. "It was unclear
that Mitnick had stolen it directly, as opposed to trading it or finding
it lying around."

Seiden quickly phones Gross and Shimomura at the Well before
dawn on Thursday morning. Netcom looks like another good place
to track the intruder. Markoff knows Mitnick's accomplice, Lewis
De Payne, maintains an account on Netcom. There are even stories
that the government monitored De Payne's account not too long
ago. Mitnick's allegedly hacked into Netcom before. Why not now?

Emmanuel

Jim Murphy, a Sprint cellular technician in Raleigh, North
Carolina, sits alone in a vast Sprint cellular switch room the afternoon
of Saturday, February 11. He's been given a seven-digit number
that the FBI thinks is a cellular number. Murphy doesn't
recognize the prefix, but just the same he searches through the subscriber
database, and just as he suspected, nothing comes up. So he
searches to see if it is a number a subscriber may have called, a terminating
number.

Bingo! Murphy finds some calls, but they're weird. Calls coming
in and out on the same GTE Durham trunk line, bouncing back and
forth repeatedly before they fail. He's never seen anything quite like
it. Murphy phones Burns, and offers a few possible scenarios. But
it's guesswork really, since the agent hasn't given Murphy a clue as
to who or what he's up against.

Murphy finishes his routine duties at about 10 p.m., and works
for half an hour on the odd call before driving home. But the
night's not quite finished. Agent Burns phones again, and he
doesn't want to talk on Murphy's cellular line. Murphy wolfs
down his second pork chop, drives to the nearby strip mall, and
parks in front of the pay phone at the pharmacy. He waits in the
cold booth, while a Washington agent struggles to conference him
in with Burns and another man. But the FBI can't seem to make
the connection.

■ ■ ■

Murphy sets up the conference call back at the Sprint switch. First
Burns at his home near Washington, D.C., then Tsutomu Shimomura,
somewhere in northern California.

The conversation starts slowly, but soon Murphy is learning
about the suspect he's helping to pursue. "So Mitnick's very familiar
with phone switches," Murphy thinks out loud. "If he [Mitnick]
knows translations, he could have accessed GTE's switch to get this
call loop going. When they get a call failure, it usually goes to a
recorded announcement. When his fails, it gives him a Netcom access
number. It just looks like a call failure."

Murphy talks with Shimomura for a couple of hours. He's
hooked now. Shimomura faxes him hundreds of Nationwide Netcom
access phone numbers, and a list of suspected Netcom log-ins
by Mitnick. If Murphy can match the log-in times with actual mobile
calls, they can profile the hacker's excursions on the Net.

Murphy punches in a search of local Internet access numbers, and
the calls flash across his screen; "a bunch of calls" made by one
cellular customer, from one mobile number — 919-602-6523.

Murphy tells Burns he's got "activity" but he needs a subpoena to
go any further. No problem. Within minutes Kent Walker, the San
Francisco Assistant U.S. Attorney, phones Murphy and asks for the
appropriate wording. Half an hour later, Walker faxes the subpoena
to the Raleigh switch and Sprint headquarters in Chicago.

Murphy's in high gear now. He's got three terminals searching the
last twelve hours of calls processed through Sprint's switch — calls
to Minneapolis, Seattle, Denver. The hacker seems to be dialing the
Internet all over the country, but Murphy notices that nearly all
the cellular modem calls originate from one local Raleigh cell site.
The Sprint engineer checks activity on the cellular number. It, too,
seems suspicious, with dozens of calls to Internet access numbers in
just the last twelve hours. And not a single incoming call.

Murphy and Shimomura pore through the records over the
phone. The pattern is clear. Mitnick's suspected access times on the
Net and the local mobile calls match perfectly except for a consistent
three-minute gap they chalk up to timing differences. Murphy figures
the mobile calls to Minnesota, Seattle, and Denver are "bogus
long distance calls," a simple technique Mitnick is likely using to
disguise his whereabouts. And though the technician knows it's technically
possible, he can't believe the local calls are faked. The
hacker's gotta be in Raleigh, pretending to be all over the country.
It's Murphy's call, but after nearly five hours on the phone with
Shimomura he's as sure as he's going to be.

"All these seem to be originating in one spot," Murphy tells Shimomura.

"You sure about that?" asks Shimomura.

"Yup," says Murphy.

"I'll be on the next plane."

■ ■ ■

Joe Orsak, a senior maintenance engineer with Sprint Cellular, gets a
call Sunday at about 1 p.m.

"Do you have the Cellscope?" his boss asks.

"Yes."

"Get it ready."

Orsak plugs the equipment into his Blazer, turns it on and drives
out to a cell site just a few miles from his house. He circles the building.
If the antenna and cable are properly connected, the signal
strength readings won't vary more than -15 dBms. He takes a couple
passes and gets a range of -35 to -50, not bad at all. It's ready for
action.
