Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (3 page)

Read Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker Online

Authors: Kevin Mitnick,Steve Wozniak,William L. Simon

Tags: #BIO015000

BOOK: Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
12.97Mb size Format: txt, pdf, ePub

I was signed up at a Hebrew school in Sherman Oaks but got booted for goofing off. Mom found a cantor to teach me one-on-one, so I couldn’t get away with reading a technology book under the table. I managed to learn enough to get through the service and read my Torah passage aloud to the congregation with no more than the usual amount of stumbling, and without embarrassing myself.

Afterward my parents chided me for mimicking the accent and gestures of the rabbi. But it was subconscious. I’d later learn that this is a very effective technique because people are attracted to others who are like themselves. So at a very early age, all unaware, I was already practicing what would come to be called “social engineering”—the casual or calculated manipulation of people to influence them to do things they would not ordinarily do. And convincing them without raising the least hint of suspicion.

The typical shower of presents from relatives and from people who attended the reception after the bar mitzvah at the Odyssey Restaurant
left me with gifts that included a number of U.S. Treasury bonds that came to a surprisingly handsome sum.

I was an avid reader, with a particular focus that led me to a place called the Survival Bookstore in North Hollywood. It was small and in a seedy neighborhood and was run by a middle-aged, friendly blond lady who said I could call her by her first name. The place was like finding a pirate’s treasure chest. My idols in those days were Bruce Lee, Houdini, and Jim Rockford, the cool private detective played by James Garner in
The Rockford Files
, who could pick locks, manipulate people, and assume a false identity in a matter of moments. I wanted to be able to do all the neat things Rockford could.

The Survival Bookstore carried books describing how to do all those nifty Rockford things, and lots more besides. Starting at age thirteen, I spent many of my weekends there, all day long, studying one book after another—books like
The Paper Trip
by Barry Reid, on how to create a new identity by using a birth certificate of someone who had passed away.

A book called
The Big Brother Game
, by Scott French, became my Bible because it was crammed with details on how to get hold of driving records, property records, credit reports, banking information, unlisted numbers, and even how to get information from police departments. (Much later, when French was writing a follow-up volume, he called to ask me if I would do a chapter on techniques for social-engineering the phone companies. At the time, my coauthor and I were writing our second book,
The Art of Intrusion
, and I was too busy for French’s project, though amused by the coincidence, and flattered to be asked.)

That bookstore was crammed with “underground” books that taught you things you weren’t supposed to know—very appealing to me since I had always had this urge to take a bite of knowledge from the forbidden apple. I was soaking up the knowledge that would turn out to be invaluable almost two decades later, when I was on the run.

The other item that interested me at the store besides their books was the lockpicking tools they offered for sale. I bought several different kinds. Remember the old joke that goes, “How do you get to Carnegie Hall? Practice, practice, practice”? That’s what I did to master the art of lockpicking, sometimes going down to the area of tenant storage lockers in the garage of our apartment building, where I’d pick open some of
the padlocks, swap them around, and lock them again. At the time I thought it was an amusing practical joke, though looking back, I’m sure it probably threw some people into angry fits and put them to a good deal of trouble, plus the expense of a new lock after they had managed to get the old one removed. Only funny, I guess, when you’re a teenager.

One day when I was about fourteen, I was out with my uncle Mitchell, who was a bright star of my life in those years. We swung by the Department of Motor Vehicles and found it packed with people. He left me to wait while he walked straight up to the counter—just like that, walking past everyone standing in line. The DMV clerk, a lady with a bored expression, looked up in surprise. He didn’t wait for her to finish what she was doing with the man at the window but just started talking. He hadn’t said more than a few words when the clerk nodded to him, signaled the other man to step aside, and took care of whatever it was Uncle Mitchell wanted. My uncle had some special talent with people.

And I appeared to have it, too. It was my first conscious example of social engineering.

How did people see me at Monroe High School? My teachers would have said that I was always doing unexpected things. When the other kids were fixing televisions in TV repair shop, I was following in Steve Jobs and Steve Wozniak’s footsteps and building a blue box that would allow me to manipulate the phone network and even make free phone calls. I always brought my handheld ham radio to school and talked on it during lunch and recess.

But one fellow student changed the course of my life. Steven Shalita was an arrogant guy who fancied himself as an undercover cop—his car was covered with radio antennas. He liked to show off the tricks he could do with the telephone, and he could do some amazing things. He demonstrated how he could have people call him without revealing his real phone number by using a phone company test circuit called a “loop-around”; he would call in on one of the loop’s phone numbers while the other person was calling the loop’s second phone number. The two callers would be magically connected. He could get the name and address assigned to any phone number, listed or not, by calling the phone company’s Customer Name and Address (CNA) Bureau. With a single call, he got my mom’s unlisted phone number. Wow! He could get the phone
number and address of anyone, even a movie star with an unlisted number. It seemed like the folks at the phone company were just standing by to see what they could do to help him.

I was fascinated, intrigued, and I instantly became his companion, eager to learn all those incredible tricks. But Steven was only interested in showing me what he could do, not in telling me
how
all of this worked, how he was able to use his social-engineering skills on the people he was talking to.

Before long I had picked up just about everything he was willing to share with me about “phone phreaking” and was spending most of my free time exploring the telecommunications networks and learning on my own, figuring out things Steven didn’t even know about. And “phreakers” had a social network. I started getting to know others who shared similar interests and going to their get-togethers, even though some of the “phreaks” were, well, freaky—socially inept and uncool.

I seemed cut out for the social-engineering part of phreaking. Could I convince a phone company technician to drive to a “CO” (a central office—the neighborhood switching center that routes calls to and from a telephone) in the middle of the night to connect a “critical” circuit because he thought I was from another CO, or maybe a lineman in the field? Easy. I already knew I had talents along these lines, but it was my high school associate Steven who taught me just how powerful that ability could be.

The basic tactic is simple. Before you start social engineering for some particular goal, you do your reconnaissance. You piece together information about the company, including how that department or business unit operates, what its function is, what information the employees have access to, the standard procedure for making requests, whom they routinely get requests from, under what conditions they release the desired information, and the lingo and terminology used in the company.

The social-engineering techniques work simply because people are very trusting of anyone who establishes credibility, such as an authorized employee of the company. That’s where the research comes in. When I was ready to get access to nonpublished numbers, I called one of the phone company’s business office representatives and said, “This is Jake Roberts, from the Non-Pub Bureau. I need to talk to a supervisor.”

When the supervisor came on the line, I introduced myself again and said, “Did you get our memo that we’re changing our number?”

She went to check, came back on the line, and said, “No, we didn’t.”

I said, “You should be using 213 687-9962.”

“No,” she said. “We dial 213 320-0055.”

Bingo!

“Okay,” I told her. “We’ll be sending a memo to a second-level”—the phone company lingo for a manager—“regarding the change. Meanwhile keep on using 320-0055 until you get the memo.”

But when I called the Non-Pub Bureau, it turned out my name had to be on a list of authorized people, with an internal callback number, before they would release any customer information to me. A novice or inept social engineer might have just hung up. Bad news: it raises suspicions.

Ad-libbing on the spot, I said, “My manager told me he was putting me on the list. I’ll have to tell him you didn’t get his memo yet.”

Another hurdle: I would somehow have to be able to provide a phone number internal to the phone company that I could receive calls on!

I had to call three different business offices before I found one that had a second-level who was a man—someone I could impersonate. I told him, “This is Tom Hansen from the Non-Pub Bureau. We’re updating our list of authorized employees. Do you still need to be on the list?”

Of course he said yes.

I then asked him to spell his name and give me his phone number. Like taking candy from a baby.

My next call was to RCMAC—the Recent Change Memory Authorization Center, the phone company unit that handled adding or removing customer phone services such as custom-calling features. I called posing as a manager from the business office. It was easy to convince the clerk to add call forwarding to the manager’s line, since the number belonged to Pacific Telephone.

In detail, it worked like this: I called a technician in the appropriate central office. Believing I was a repair tech in the field, he clipped onto the manager’s line using a lineman’s handset and dialed the digits I gave him, effectively call-forwarding the manager’s phone to a phone company “loop-around” circuit. A loop-around is a special circuit that has two numbers associated with it. When two parties call into the loop-around, by dialing the respective numbers, they are magically joined together as if they called each other.

I dialed into the loop-around circuit and three-wayed in a number that would just ring, ring, and ring, so when Non-Pub called back to the authorized manager’s line, the call would be forwarded to the loop-around, and the caller would hear the ringing. I let the person hear a few rings and then I answered, “Pacific Telephone, Steve Kaplan.”

At that point the person would give me whatever Non-Pub information I was looking for. Then I’d call back the frame technician and have the call-forwarding deactivated.

The tougher the challenge, the greater the thrill. This trick worked for years and would very likely still work today!

In a series of calls over a period of time—because it would seem suspicious to ask Non-Pub to look up the numbers of several celebrities—I got the phone numbers and addresses of Roger Moore, Lucille Ball, James Garner, Bruce Springsteen, and a bunch of others. Sometimes I’d call and actually get the person on the line, then say something like, “Hey, Bruce, what’s up?” No harm done, but it was exciting to find anyone’s number I wanted.

Monroe High offered a computer course. I didn’t have the required math and science courses to qualify, but the teacher, Mr. Christ (pronounced to rhyme with “twist”), saw how eager I was, recognized how much I had already learned on my own, and admitted me. I think he came to regret the decision: I was a handful. I got his computer password to the school district’s minicomputer every time he changed it. In desperation, thinking to outfox me, he punched out his password on a piece of computer paper tape, which was the type of storage used in those pre-floppy-drive days; he would then feed that through the tape reader whenever he wanted to sign on. But he kept the short piece of punched tape in his shirt pocket, where the holes were visible through the thin cloth. Some of my classmates helped me figure out the pattern of holes on the tape and learn his latest password every time he changed it. He never did catch on.

Then there was the telephone in the computer lab—the old kind of phone, with a rotary dial. The phone was programmed for only calling numbers within the school district. I started using it to dial into the USC computers to play computer games, by telling the switchboard operator, “This is Mr. Christ. I need an outside line.” When the operator started to get suspicious after numerous calls, I switched to phone-phreaker tactics,
dialing into the phone company switch and turning off the restriction so I could just dial into USC whenever I wanted. Eventually he figured out that I had managed to make unrestricted outgoing calls.

Soon after he proudly announced to the class how he was going to stop me from dialing into USC once and for all, and held up a lock made especially for dial telephones: when locked in place in the “1” hole, it prevented the dial from being used.

As soon as he had the lock in place, with the whole class watching, I picked up the handset and started clicking the switch hook: nine fast clicks for the number “9” to get an outside line, seven fast clicks for the number “7.” Four clicks for the number “4.” Within a minute, I was connected to USC.

To me it was just a game of wits. But poor Mr. Christ had been humiliated. His face a bright red, he grabbed the phone off the desk and
hurled
it across the classroom.

But meanwhile I was teaching myself about RSTS/E (spoken as “RIS-tisEE”), the operating system manufactured by Digital Equipment Corporation (DEC) used on the school’s minicomputer located in downtown Los Angeles. The nearby Cal State campus at Northridge (CSUN) also used RSTS/E on its computers. I set up an appointment with the chairman of the Computer Science Department, Wes Hampton, and told him, “I’m extremely interested in learning about computers. Could I buy an account to use the computers here?”

Other books

The Headsman by James Neal Harvey
Alphas by Mathew Rodrick
The Score: A Parker Novel by Richard Stark
Natural Blond Instincts by Jill Shalvis
Love, Unmasked by Vivian Roycroft
Blood Music by Bear, Greg
Sudden Country by Loren D. Estleman
Breakup by Dana Stabenow
Ruthless by Cairo