The revelation that reporters for Rupert Murdoch’s now-defunct tabloid the News of the World hacked into the phones and voicemail boxes of British politicians and members of the royal family, as well as the parents of a murder victim and the victims of the July 7 London bombings, has brought the practice of phone hacking into global disrepute. Now comes Kevin Mitnick, who describes himself as “The World’s Most Wanted Hacker” and wants a medal for engaging in some of the same conduct. Mitnick served over five years in prison in the 1990s after pleading guilty to a variety of computer crimes, including wire fraud (conning people into sending him Sun Microsystems’ source code) and the interception of data communications (installing network sniffers to grab passwords).
Although the Feds also found more than 20,000 credit card numbers on his computer, taken from Netcom’s customer database, Mitnick stresses that he never attempted to use any of them; nor did he sell the source code he intercepted and copied. Instead, he hacked for the thrill, not for the money. “Hacking was my entertainment,” he writes. “You could almost say it was a way of escaping to an alternate reality — like playing a video game.”
Mitnick began hacking young — he started by tricking phone company workers into giving him the unlisted numbers of celebrities — and then figured out how to divert calls so that people in Rhode Island dialing directory assistance were connected instead to him. He was first arrested for hacking into the phone company and stealing company manuals and passwords, and spent his 18th birthday in a California juvenile detention facility. After his release, he violated the conditions of his probation so repeatedly that a psychological counselor called his hacking an “addiction.”
Mitnick’s most significant efforts focused on Pacific Bell, where he found he could “trace lines, create new phone numbers, disconnect any phone number” and more. Mitnick says he “never made any use” of his “immense control and power over the phone system of much of the United States” but hacked merely for kicks. Later, he figured out how to make cellphone calls disguised as someone else (“I had achieved invisibility”) and talked employees into giving him the source codes for the hottest new cell phones manufactured by Motorola and other companies. He briefly listened in on the conversations of agents at the National Security Agency, taking pleasure in “wiretapping the world’s biggest wiretappers.”
After the California probation department issued a bench warrant for his arrest, based on his hacking into the voicemail of a Pacific Bell security agent, he went on the lam, constructing a new identity for himself by choosing the name Eric Weiss, the real name of Harry Houdini, and then stealing the identity of a real Eric Weiss who lived in Portland by procuring copies of a birth certificate that he then used to apply for a drivers license. Even when the Feds finally showed up at his apartment, he continued to deny his real identity. Eventually, he was busted in the most low-tech way: The Feds found a pay stub in an old ski jacket made out to his real name. (In a coincidence Mitnick doesn’t notice, the assistant U.S. attorney who prosecuted him, Kent Walker, went on to become general counsel of Google.)
All this is entertaining enough, if you like James Bond movies, but the most useful part of Mitnick’s book is his revelations about how easy it is to con security officials at high tech companies and government agencies into turning over highly sensitive information. Mitnick calls this “social engineering,” which he defines as “the casual or calculated manipulation of people to influence them to do things they would not ordinarily do.” But, really, he was just an enterprising con artist, impersonating a variety of company employees and police officers to persuade other employees to give him information for free. The technique worked, he says, because “people . . . are just too trusting.” By doing his homework and deploying simple tricks (people won’t turn over sensitive information when asked directly, but “if you pretend you already have the information and give them something that’s wrong, they’ll frequently correct you”), Mitnick shows that the greatest vulnerability in any security system is human credulousness.
In an admiring forward to the book, Steve Wozniak, co-founder of Apple, praises Mitnick for refusing to profit from his ruses, “hacking just for the fun of it, just for the challenge.” But in fact, before his arrest Mitnick was not an “ethical hacker,” penetrating a security system to reveal its vulnerabilities and then reporting the problem rather than exploiting it. On the contrary, he left a host of privacy violations and collateral damage in his wake. When an attractive fellow student said she couldn’t go out with him because she was engaged, Mitnick hacked into the fiance’s credit report, revealing his financial vulnerabilities, which led to the end of the engagement. Mitnick then married the woman himself, and when she asked for a divorce a few years later, he hacked into her voice mail messages and discovered that she’d been cheating with his best friend. Angered by a New York Times technology writer’s critical articles about him, Mitnick hacked into the reporter’s e-mail account and read his messages. None of this was for sport or altruism; Mitnick repeatedly violated the privacy of others to advance his own interests.
Since his release from prison in January 2000, Mitnick has reinvented himself as a computer security consultant who is paid by companies to do ethical hacking, as well as a radio talk-show host and the author of an international bestseller on hacking, “The Art of Deception.” He considers his work today “nothing short of a miracle. . . . Now people hire me to do the same things I went to prison for, but in a legal and beneficial way.” It’s nice for him that he has found a way to follow his bliss without harming others in the process. But the speed with which Mitnick broke into some of America’s leading telecommunications companies should give all of us pause. The security of our most sensitive data, it turns out, is in the hands of naive human beings who can be too easily conned.
GHOST IN THE WIRES
My Adventures as the World’s Most Wanted Hacker
By Kevin Mitnick with William L. Simon
Little Brown. 413 pp. $25.99