The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers (14 page)

So with the phone tapped and the recorder running, Costa dialed Matt. "I called you a few minutes ago, at nine-ten, and couldn't get through," he began.

Closing In The Boeing surveillance team had by now discovered the hackers were not only getting into the U.S. District Court, but also into the Environmental Protection Agency. Don Boelling went to the EPA with the bad news. Like the system administrator for the U.S. District Court, the EPA guys were skeptical of any infringement of their system.

We're telling them their machines were compromised and to them

it was inconceivable. They're saying, "No, no." I happened to

bring the password file with 10 or 15 passwords cracked, and I tell

them the network administrator's password.

They're about ready to throw up because it turns out that all six-

hundred�odd machines across the U.S. are attached to the

Internet by the same account. It was a system privilege root

account and they all had the same password. Chapter 4 Cops and Robbers 81

The law enforcement people attending the computer security seminar were getting far more than they had bargained for. "For the guys that didn't go out with us in the field," Don said, "every day we'd go back to the classroom and detail what we did. They were getting a firsthand account of everything that was going on with the case."

The Past Catches Up Because he was impressed with the skill that the hackers had shown, Don was surprised to learn that they had just two months earlier been in court on other charges, resulting in Costa receiving that sentence to 30 days of work release.

And yet here they were back to breaking the law as if invulnerable. How come? Costa explained that he and Matt were already worried because there was so much more to the original case than the prosecu- tors had found out.

It was kind of a big snowball where they only found a little piece

of ice. They didn't know that we were doing the cell phones, they

didn't know that we had credit card numbers, they didn't know

the scope of what they had caught us for. Because Matt and I had

already talked about our case, we talked about what we were

going to tell them. And so we had pled out to this computer tres-

pass and it was just kinda like a "ha-ha" to us. It was stupid.

On the News Don was driving from Bellevue to the Boeing's South Central facility where his office was when he got a shock. "I had KIRO news on and all of a sudden I hear this breaking story that two hackers have busted into Boeing and there's a federal investigation. I'm thinking, `Damn!'"

The story had been leaked by a Boeing employee unhappy with the decision to watch Matt and Costa's activities rather than arrest them immediately, Don later found out. Don raced to his office and called everyone involved. "I said, `Look, this whole thing has broke! It's on the news! We gotta do something now.' Howard Schmidt was there and being an expert on writing search warrants for computers, he stepped in and helped them so they got it right -- so there wasn't any question about it."

In fact, Don wasn't too upset about the leak. "We were pretty close to busting them anyway. We had plenty, tons of evidence on these guys." But he suspected there was even more that hadn't come to light yet. "There's a few things we figured they were into, like credit card fraud. 82 The Art of Intrusion

Later on they did get caught for that. I think it was six months or a year later that the Secret Service nailed them."

Arrested Costa knew it had to be coming soon, and he wasn't surprised by the heavy-handed knock on his apartment door. By then he had already dis- posed of four notebooks full of incriminating evidence. At that point he had no way of knowing that, thanks to Don Boelling, the Feds had all the evidence they would ever need to convict him and Matt.

Matt remembers seeing the story about a computer break-in at Boeing on television at his parents' home. Around 10 P.M., there was a knock on the front door. It was two FBI agents. They interviewed him in the din- ing room for about two hours while his parents slept upstairs. Matt didn't want to wake them. He was scared to.

Don Boelling would have gone along on the arrest if he could have. Despite all his good connections, he wasn't invited. "They weren't too keen about having civilians go on the actual bust."

Boeing was concerned to learn that one of the hackers had a name that matched an employee's. Matt was not happy to see his father dragged into the mess. "Since Dad worked at Boeing and we share the same name, he actually was interrogated." Costa was quick to point out that they'd been careful not to access Boeing using any of Matt's father's information. "He totally kept his dad out of the loop and didn't want to involve him from the get-go, even before we ever thought we'd be in trouble."

Don was a little miffed when the Special Agent in Charge at the FBI's Seattle office was interviewed after the case broke. One of the TV reporters asked how they had tracked and caught the hackers. The agent answered something like, "The FBI used technical procedures and tech- niques too complicated to discuss here." Don thought to himself, "You're full of crap! You didn't do anything! We did it!'" A whole coor- dinated group had been involved, people from Boeing;, from other com- panies; from the District Court; and from local, state, and federal law enforcement agencies. "This was the first time we'd ever done anything like this. It was a team effort."

Luckily, Matt and Costa had done little damage considering the poten- tial havoc they could have inflicted. "As far as actually harming Boeing, they really didn't do that much," Don acknowledged. The company got off easy but wanted to make sure the lesson was learned. "They pled guilty because basically we had them dead to rights. There was no way they were getting out of this one," Don recalls with satisfaction.

But once again the charges were reduced; this time multiple felony charges being dropped to "computer trespass." The two walked out with Chapter 4 Cops and Robbers 83

another slap on the wrist: 250 hours of community service and five years probation with no use of computers allowed. The one tough part was restitution: They were ordered to pay $30,000, most of it to Boeing. Even though neither was still a juvenile, the boys had been given another chance.

An End to Good Luck They hadn't learned a lesson.

Costa: Instead of stopping altogether, being stupid kids that we

were, or not really stupid but naive in the fact that we didn't

realize how much trouble we could get in. It was not really greed

but more of glamour of being able to have a cell phone and use it

at will.

Matt: Back in that day it was a big deal. It was a very glitzy item

to have.

But the breaks that Matt and Costa were being handed by the criminal justice system were about to end. And the cause would not be for any reason they could have anticipated but, of all things, jealousy.

Costa says his then-girlfriend thought he was cheating on her with another woman. Nothing of the kind, says Costa; the other lady was "just a friend, nothing more." When he wouldn't give up seeing her, Costa believes the girlfriend called the authorities and reported that "the Boeing hackers are selling stolen computers."

When investigators showed up at his mother's home, Costa wasn't in but his mother was. "Oh, yes, come on in," she told them, sure there would be no harm.

They didn't find any stolen property. That was the good news. The bad news was that they found a scrap of paper that had fallen to the floor and been lost to sight under the edge of a carpet. On it was a phone number and some digits that one investigator recognized as an electronic serial number. A check with the phone company revealed that the information was associated with a cell phone account that was being used illegally.

Costa heard about the raid on his mother's home and decided to drop out of sight.

I was on the run for five days from the Secret Service -- they had

jurisdiction over cellular phone fraud. I was a fugitive. And so I

was actually staying at a friend's apartment in Seattle and they

had actually come to the apartment looking for me, but the car 84 The Art of Intrusion

that I was driving was still in the name of the person that previ-

ously owned it, so I didn't get caught.

On the fifth or sixth day, I talked to my attorney and I walked

into the Probation Officer's office with him and turned myself in.

I was arrested and taken away.

Running from the Secret Service -- that was a stressful time.

Matt was picked up, as well. The two found themselves on separate floors of Seattle's King County Jail.

Jail Phreaking This time there would be no trial, the boys learned. Once the investigation had been finished and the U.S. Attorney's Office had drawn up the papers, the pair would go before a federal judge on violation of their probation. No trial, no chance to put on a defense, and not much hope of leniency.

Meanwhile they would each be questioned in detail. They knew the drill: Keep the bad guys separated and trip them up when they tell dif- ferent stories.

Matt and Costa found that jail, for them at least, was a harder place than prison to serve time. "County jail is the worst, like no other place. I was threatened by a couple of people," says Costa. "I actually got in a fight. If you don't bark back, then you're gonna get chewed up." Matt remembers getting punched. "I think it was because I didn't get off the phone. So, lesson learned."

Jail was hard in another way. Costa recalls:

[It was] not knowing what was next, 'cause we had gotten in

trouble already and we knew we were in trouble way more. It was

fear of the unknown more than fear of the inmates. They just said

"lock 'em up" and there was no bail, no bond. It was a Federal

hold. We had no idea where we were going from there and we were

indefinitely locked up.

Jails generally have two types of telephones: pay phones where conver- sations are monitored to make sure inmates are not plotting something illegal and phones that connect directly to the Public Defenders Office so that inmates can talk to their lawyers.

At the Seattle jail, calls to the Public Defenders are dialed from a list of two-digit codes. Matt explained, "But if you call after hours, what do you get? You're in their voicemail system and you can enter as many touch tones as you like." He began exploring the voicemail system. Chapter 4 Cops and Robbers 85

He was able to identify the system as a Meridian, a type he and Costa were both very familiar with, and he programmed it so it would transfer his calls to an outside line. "I set up a menu number eight, which the automated voice announcement didn't prompt for. Then I could dial a local number, and a six-digit code I knew. From there I could call any- where in the world."

Even though the phones were turned off at 8 P.M., the Public Defenders line was always left on. "We would just play with the phones all night and there's nobody waiting to use them because they think they're turned off," says Costa. "They just think you're crazy, sitting there with the phone. So, it just worked out perfectly."

While Costa was discovering how to make outside calls, Matt was also using the telephone on his own unit at night to do some exploring of his own. He located a "bridge number in an old loop" of a Pennsylvania tele- phone company, which allowed both to call in on a phone company test number and talk to each other.

The two spent hours on the unmonitored phones talking to one another. "We had the ability to discuss our case prior to our interviews. That was handy, really handy," says Costa. Matt added, "We would dis- cuss forever what the other side was being told. We wanted to have every- thing corroborated."

Word spread among the inmates that the two new kids were wizards with the phones.

Costa: I got kinda fat in there because other people were giving

me their trays for free phone calls.

Matt: I was starting to get skinny because I was nervous. I was

sitting there with all the thugs and I didn't like giving them all

those calls.

Sitting in jail and breaking the law by making illegal phone calls and planning their stories in hopes of deceiving the prosecutors. To any hacker, that's just plain funny. For Matt and Costa, it meant risking more charges being piled on top of the ones they were already facing.

In the end, their efforts at collusion didn't help. The facts were stacked high against them, and this time they were in front of a judge who wasn't going to hand them just another slap on the wrist. They were each sen- tenced to serve "a year and a day" in a federal facility, with credit for time already served in the county jail. The extra "day" of prison time was of substantial benefit to them. Under federal sentencing laws, that made them eligible to be released up to 54 days earlier for good behavior. 86 The Art of Intrusion

The two were held without bond for three and a half months, then released on their own recognizance under a heavy set of restrictions until the judge decided on a sentence. Don was right: no leniency this time.

Doing Time Matt was sent to the Sheridan Camp in Oregon, while Costa went to Boron Federal Prison Camp in California. "It was federal because we vio- lated our terms of probation on a federal charge," says Costa.

Nevertheless, this wasn't exactly "hard time" for either of them. As Costa recalls:

I knew I had it cushy. This was a prison camp that had a swim-

ming pool. In the middle of the Mojave, that was kinda nice. We

didn't have a fence, just a yellow line in the sand. It was one of these

places that, you know, had three senators down there. There was the

guy that started a famous restaurant chain in there with me.

Boron was the last federal institution with a pool, and Costa heard later that a Barbara Walters television story had resulted in the pool being filled in just after he was released. Personally I can understand not spend- ing taxpayer money to put in a swimming pool when a new prison is being built, but I can't understand destroying one that already exists.