Portions From Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw - By the Man Who Did It, by Tsutomu Shimomura with John Markoff.
Copyright © 1996 Tsutomu Shimomura and John Markoff. To be published by Hyperion. Check out http://www.takedown.com.
Kevin Mitnick was a nuisance. For more than 15 years, he broke into computers, looked around, stole things, and then broke into yet more computers. He did little major damage, but his constant visitations became harassing - especially if you tried to catch him. Then he would screw up your phone service, or your private mail, or your credit records, or even your job. Although he was arrested five times for his digital trespassing, Mitnick wouldn't stop.
Mitnick's obsessive breaking and entering made him a legend - both in the underground of hackerdom and in the headlines of The New York Times. Part of the fascination with Mitnick resides in his uncanny ability to hack any system. From a military computer to FBI and DMV records, Mitnick could weasel his way into nearly any network's core. Yet by almost every account, Mitnick, who is now 32, was technically dull - he achieved most of his conquests through superb social engineering, imitating a lineman's jargon, impersonating a superior, sifting through trash, conning unsuspecting employees out of their field manuals, exploiting his knowledge of a phone company's organizational chart.
But Mitnick was no Luddite. Several years ago, he cleverly figured out that if he could hack cellular phones with the same ease as ordinary phones, he could start from a mobile handset and thread his labyrinthine way to any computer in the world, virtually untraceably. Since he didn't do code, he needed to find someone who did; someone who had custom, turbocharged cellular phone software, and then social-engineer the goods away from him or her. After several unsuccessful attempts to con code from some likely candidates, Mitnick eventually targeted Tsutomu Shimomura as the guy with the tools.
It was a bold move, because Shimomura was a respected security expert and a character almost as complex as Mitnick. A 30-year-old science geek, Shimomura was also a Japanese citizen, a ski bum, a longhaired computational physicist, and a hacker himself. But unlike Mitnick, every time Shimomura's explorations uncovered security holes, he reported them to security authorities, not to hackers.
So, in December 1994, when someone broke into Tsutomu Shimomura's elaborate computer system in his San Diego home using a never-before-seen, sophisticated hacking method and then stole some fancy cellular phone tools, Shimomura took it as a personal challenge. When the trail led to Mitnick, Shimomura became a cybersleuth, on a mission to catch Kevin.
Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw - By the Man Who Did It is Shimomura's first-person account of the search, written with the help of New York Times reporter John Markoff. No stranger to Mitnick, Markoff co-authored the 1991 book Cyberpunks: Outlaws and Hackers on the Computer Frontier, which chronicled the adventures of Mitnick and two other hackers. In retaliation for all the attention, Markoff's own email account was hacked by Mitnick. Takedown's fairly technical narrative makes several things clear: the mobility of a wireless world will greatly complicate security issues and legalities. If your port into cyberspace - that no-place place - is itself constantly moving around in physical space, how do you maintain accountability with the rest of the world? The more important insight arising from the Shimomura story is that, in the eyes of hackers and cops, everything on the Net is transparent. If there is a will, anything you write in email, every conversation you have in chat, every hit you make to a Netscape link, can be read - unless it is heavily encrypted. This has always been true, but if you've had any doubts about the thin veneer of privacy on the Net, the battle between Shimomura and Mitnick makes it plain as day.
ast midnight in mid-February of 1995, I found myself on the phone, sitting in the San Jose, California, offices of Netcom On-Line Communications Services Inc., talking to a cellular telephone company technician in Raleigh, North Carolina. Usually, I work as a research scientist at the San Diego Supercomputer Center, where I delve into problems in areas as diverse as computational physics and computer security, but in December 1994, I was planning a ski-bum vacation I had wanted to take for a long time.
Unfortunately, it just didn't work out. On Christmas Day, someone broke into my computers over the Internet. The stolen data included my electronic mail, software for controlling cellular telephones, and a variety of Internet computer security tools. I had been preparing to leave the next day for the mountains, but instead I flew back to San Diego and over the course of the next several days pieced together how the attack had succeeded.
I patched the security holes in my network and headed back to the mountains. However, in late January, my stolen software was discovered, stashed in an infrequently used account on The Well, an online service based in Sausalito, California. Whoever had taken my software was still operating with impunity, using The Well as a staging base to launch forays into corporate computers at Motorola Inc., Apple Computer, Qualcomm Inc., and dozens of other computer systems all over the Net.
Skiing would have to wait. I decided to see if it was possible to track the intruder back through the Internet. The management of The Well invited me to assist them in determining how the attacker was breaking into their computers. Several days later, as I pursued the trail of the interloper, Netcom extended the same invitation. I arrived at The Well on Monday, 6 February, and during the next week and a half was able to learn his identity and then lead the FBI to an apartment complex in Raleigh.
While I was tracking Kevin Mitnick, a series of hints had made it clear that he was using a cellular telephone and a modem in an effort to conceal his location.
Over the telephone, I explained to Sprint cellular technician Jim Murphy whom we thought we were dealing with, and that Kevin Mitnick had a 15-year history of tampering with telephone company switches. Murphy was incensed at the idea of someone messing with his switch, and as we talked, I learned that Murph, as he preferred to be called, was in fact very sharp. We immediately dropped into technical detail.
I began by asking him questions about the telephone switch the Sprint system was using. Telephone company switches are just computers with specialized operating systems. Often they have dial-up ports for remote diagnostics and maintenance. Frequently phone phreaks and members of the computer underground have used these ports as backdoors to tamper with the switches. They can get free phone calls or create chat lines anyone can dial into. The Sprint machine was a Motorola EMX 2500, in tandem with a DSC 630 switch, a device about which I knew nothing. I've had some experience with small telephone company and PBX switches, but not much with large central office switches like this. Murph gave me a tutorial on how his switch worked and what kind of data he had available. He had to be careful, because while we had a trap-and-trace warrant for calling records for one of the phone companies in Raleigh (GTE) the United States attorney had yet to prepare one for Sprint. So Murph was limited in the kind of caller data he could offer me.
As we talked, Murph kept checking his switch to see if he could find anything obviously amiss or something that had been tampered with. While I waited on the other end of the line, he explored the innards of the computer, examining its translation tables while giving me a running commentary of what he was looking at. He said he had a theory that Mitnick might somehow have created a special number that would route his calls through the cellular switch and then on to the local dial-up number of Netcom. Every phone number has a direct route as well as an alternate route, and he wondered if one of the alternates had been messed with. He spent a long time probing his database to see if he could find any evidence of such a hidden route.
Nothing obvious showed up, however, and we began looking for alternative explanations. Murph had telephone calling records in a database that could be searched and sorted with many different parameters. However, each of these operations took up to half an hour.
We talked about useful ways to sort through the data, and then it occurred to me to ask, "What happens when I dial the GTE trace number?" I did so and heard this eerie "click-click, click-click, click-click," which continued, getting fainter and fainter until it disappeared and the call disconnected.
I came back on the telephone and described to Murph what I had heard. "My guess is you're hearing the call endlessly looping between the GTE switch and ours," he told me. "Eventually the power falls below a certain level, and the call is dropped."
I tried it again, and this time Murph monitored it from his switch. Again I could hear the "click-click" sound, but at the same time, I could hear the printer in his office register each time his cellular switch tried to set up a call. "Kerchunk. Kerchunk. Kerchunk."
"I'll be very surprised if he's tampered with our switch," Murph said. "We do have remote capabilities, but all remote accesses are logged. When Motorola, for example, connects to our switch, we first give them a password, monitor their activities, and then immediately change the password after the session ends."
"Let me try something else," I said. I dialed the phone number that was one number higher than our mysterious phone number. On the other end of the line, I heard the familiar warble of a fax machine. Murph didn't see the call go through his switch this time. It made me even more suspicious of GTE. It told us that only one phone number in an entire block of phone lines had been routed to Sprint. Something was funny about that particular phone number.
"My guess is that the GTE switch has been hacked," I said. We continued to puzzle. He said he could start three simultaneous searches to try to find a match to the Netcom login information I had, because he had three terminals.
"Let's try a different strategy," I suggested. "How far back does your database go and what kinds of things can you search for?" He said he could go back as far as 3 p.m. on Thursday, 9 February, and gave me a long list of sortable categories, including call start and end time, call duration, called number, and so on. Looking down my list of gkremen's logins - gkremen was a legitimate Netcom user whose account had been commandeered illegally - from different Netcom locations around the country, I saw that there were several long sessions.
"Can you search for calls of a duration of more than 35 minutes on Friday?" I asked. I had decided that while it might have been possible for Mitnick to conceal where he was calling from, it would be much more difficult to conceal the fact that a call was taking place. This was the beauty of traffic analysis. The second request I had for Murph was to search for all cellular telephone calls made to the range of numbers that were routed to Netcom Raleigh dial-in telephone numbers. Finally, I asked him to search for all cell phone calls to Netcom's Denver number.
Few people use cellular modems to transmit data, so any cellular call to a Netcom point of presence - the local telephone number in Raleigh - would be unusual. In any case, given that Netcom was a local call, a long-distance call to a dial-up number would be even more suspicious. In any case, if Mitnick had been making calls using the Sprint cellular system, we should have been able to find them here, even if GTE was unable to trace them.
Now I had my three questions. As he set up his computers, Murph said it was going to take a while to do the database search, so I told him I would ring him back in a while and hung up.
I settled in a vacant carrel with a still-functioning telephone. I called Murph back after about a half an hour to check on his searches. We started with the local calls to Netcom's Raleigh POP.
"I think I've seen that first number," he said.
"Good! Can you give me all the calls to the Raleigh POP?"
"I can't tell you the actual calling numbers because you don't have a warrant," he replied. "I can't give you the actual MIN-ESN pairs." The mobile identification number is the assigned cellular phone number and the ESN is the permanent serial number embedded in the phone.
"I don't want the number," I explained, and told him that I was trying to match calls to the sessions we had seen from the Netcom Raleigh dial-up. I was curious to see if there was a pattern to the calls that Mitnick might be making to Netcom through Sprint. If we were lucky, we might discover that all the calls came from a small number of MINs or from the same physical location.
We began playing a game that was a lot like the classic children's game Battleship. He couldn't tell me what the number was, but he could tell me if it was the same as some other number under certain conditions.
What I could say was, "Do you see this call at this time?" I took two lists: the Netcom list of dial-in numbers from around the country and the summary of gkremen's login sessions.
"On Friday at 15:29, do you see a call to (404) 555 7332, duration approximately 44 minutes?" The number was one of the public Netcom dial-up numbers in Raleigh.
"Yes, I have that."
"Do you have a call of duration 49 minutes at about 20:22 your time on Friday to (612) 555 6400?"
"I have it."
"Do they both come from the same MIN?" I asked.
"Yes," he replied.
"Do you have a phone call on 11 February at 02:21 to (919) 555 8900?"
"Yes, I have that one, too."
I asked the same question with five more logins taken at random. In each case the answer was the same: they'd been placed from the same cellular telephone number. Occam - the 13th-century philosopher who advocated the simplest solution to a problem as the correct one - was right.
"So where is it?" I asked. Murph walked across the room to a map of Sprint's Raleigh cell sites. All of the calls were coming from cell number 19, located on the northeastern outskirts of the city, near the airport. We now had another important piece of information: Mitnick was at a fixed location. I thought it was unlikely that the calls would be made while he was driving, but I had been worried that he might be changing locations with each call.
"Do you have sector information?" I asked. Some cellular systems can determine in which direction the calling phone is actually located, in relation to the cell site - that is, the particular transmitter-receiver tower in a certain area.
"No, we don't have that information, but to the east of the cell site is Umstead State Park and to the northwest is the airport. My guess is he is transmitting from somewhere south or west of the cell, based on the locations of our other cells."
It was almost one in the morning. By the time we were through, we had his location narrowed down to a radius of less than a kilometer.
"I'll fly out first thing in the morning," I told him.
I arrived in Raleigh on Sunday afternoon, and early the next day I was joined by a friend, Julia Menapace. At 7:30 a.m., just as Julia and I were preparing to leave the hotel, I received a call from Mark Seiden, a computer-security expert who had been helping me with my investigation and was continuing to monitor events at InterNex, a California Internet service provider. He sounded worried. Kevin Mitnick had again broken into InterNex less than an hour before, and it was evident that he knew something was up. "Looks like he's added an account called Nancy, deleted Bob, and changed a lot of passwords - including mine and root's [the system manager's account with all system privileges]," Seiden said. "This looks vindictive. He's getting destructive now." And, in a show of spite, Mitnick had made New York Times reporter John Markoff's account accessible to anyone on the Internet. He had changed the file permissions on the reporter's account, meaning that anyone who connected to InterNex could read Markoff's electronic mail.
"He understands telephone and computer
technology a lot better than the law
enforcement agencies pursuing him."
When I called to check in with Andrew Gross, the University of California at San Diego graduate student who was working with me, monitoring at Netcom, he said that he, too, had watched Mitnick's session on InterNex, and that Mitnick was clearly acting paranoid. After leaving InterNex, Mitnick had next gone to check an illegal backdoor on Netcomsv - a server used for reading network news - that John Hoffman, the Netcom hardware engineer, had closed on Friday. Discovered several days earlier, it was only one of several of Mitnick's ways into Netcom, but he now seemed truly suspicious to find this particular entry barred.
Mitnick's next action, according to Gross, was to head directly to another Internet site we hadn't seen him use before, operated by the Community News Service in Colorado Springs, where he had a spare copy of test1 salted away. This was the program that allowed him to use Netcom as a base of operations without leaving an easily traceable record. It appeared that Mitnick brought back this fresh copy of test1 to compare with the one he already had squirreled away on Netcom, presumably to see if we had doctored the Netcom version so that it might no longer hide his tracks. Comparing the two copies, he found the Netcom version intact. He was using an account named Wendy on Netcom with a password "fuckjkt."
"Who's jkt?" Gross asked.
"I have no idea," I said impatiently.
Gross then described a series of activities that were fairly routine, by Mitnick's standards, which indicated to us that once he had verified that his copy of test1 had not been tampered with, he had begun to calm down, perhaps concluding that the one barred backdoor was a fluke, having nothing to do with his problems at InterNex. Or so we hoped - at this stage in the game, it was becoming hard to tell what was calculated and what was coincidental. After a few minutes, Mitnick had headed back to InterNex, and Gross stopped watching him. We could tell Mitnick was trying to see if he had been detected and if so, where. "He's still on, so that's good," I said. "But he's suspicious. That's exactly what we don't need. After all the prodding I've been doing to get the FBI's radio surveillance team here, it would be really embarrassing for him to go radio silent for a week."
n Monday night, Levord Burns - an FBI agent based in Washington, DC, who was responsible for tracking computer crime - finally showed up. We met at the Sprint cellular switch and then went out to dinner with a group of Sprint technicians. Markoff had arrived in Raleigh and he was also at the dinner. At one point, Burns went off to a pay phone to return some pages. While he was gone, we moved to the topic of Mitnick's social engineering, and I recalled how he had tried to social-engineer me at Los Alamos.
"We've had a problem like that just in the last couple of weeks," Murph said, surprised. "Somebody called one of our marketing guys pretending to be a Sprint engineering employee, and he managed to talk the guy out of several MIN-ESN pairs."
"You don't happen to remember what name the caller used?" I asked. Murph turned to Joe Orsak, a Sprint engineer. "Do you remember?" Neither did. "Was it Brian Reid?" I offered.
"Yeah, that was it," Orsak said.
"Kevin!" John Markoff and I said in unison. What an amazing creature of habit - to stick to the very name he had used on me several years earlier. The real Brian Reid was now an executive running DEC's Internet networking business.
The Sprint technicians were clearly chagrined to learn that Mitnick had weaseled information from their company. It wasn't their fault, but it was a point of honor with them that they ran a secure shop, and they were newly irritated by their colleague's lapse.
The more our conversation focused on Mitnick, however, the more nervous I became. If we'd had good operational security, we wouldn't have been having such a discussion in a public restaurant. I looked behind me and noticed a Middle American-looking couple sitting in a nearby booth, obviously interested in us. This made me even edgier. I began asking the Sprint guys technical questions to steer the talk in another direction.
Later that night, the FBI radio surveillance team from Quantico, Virginia, arrived at the Sprint cellular telephone switch office. The team talked to me a little about the technology they had toted along in the station wagon, especially something called a cell-site simulator, which was packed in a large travel case. The simulator was a technician's device normally used for testing cell phones, but it could also be used to page Mitnick's cell phone without ringing it, as long as he had the phone turned on but not in use. The phone would then act as a transmitter that they could home in on with a Triggerfish cellular radio direction-finding system that they were using.
The FBI agents thought Mitnick
wouldn't recognize their spy antenna.
Shimomura knew better
and hid it with a cardboard box.
Clever as the technique sounded, I pointed out that it might be risky to use on Mitnick. "You're dealing with someone who has source code for all sorts of cell phones," I said. "He might be able to detect it."
They conceded that it might not be worth the risk, and their look added an unstated, Go away kid, you're bothering us. I don't think they liked the idea of dealing with a civilian, particularly one who was in a position to learn all about their techniques.
Fred Backhaus, one of the technicians, had by now backed up his van to the front door of the Sprint building, and the agents began moving back and forth between their station wagon and the van, installing their gear. The Triggerfish direction finder, a rectangular box of electronics about a half a meter high controlled by a PowerBook, was placed in the center of the van's back seat. From one of the agents, who was sitting in the van calibrating the unit, I was able to extract that the Triggerfish was a five-channel receiver, able to monitor both sides of a conversation simultaneously. Next they strung a black coaxial cable out the van's window and ran it up to the radio direction-finding antenna they had placed on the roof. The roof unit had a black base, about 30 centimeters square and several centimeters thick, which held four long silver antenna prongs, each nearly 30 centimeters high, reaching skyward.
This apparatus seemed none too subtle, and I pointed out again that they weren't dealing with some technically illiterate cocaine dealer. "This guy's paranoid, and he's been known to use scanners to monitor the police before," I said. "He's wiretapped the FBI in the past."
They didn't want to talk to me at all now, but I wasn't going to give up. "No, this is ridiculous," I said. "You guys are going to park out there, and he's not stupid. I'm sure he knows what a direction-finding antenna looks like."
They didn't buy it. "It's not that visible," the short agent replied. I looked at it ruefully. "Can't you put it inside?"
"No, that would degrade the performance," the taller one said.
"Why don't we put a box on top of it?" Murph suggested. "No, that would be too obvious," the taller one said. I looked again at the top of the van, which had two parallel rails running across it from side to side as a carrying rack. What we needed was a box that looked as if it was meant to be carried there.
"Wait a minute," I told them. "Murph, you have fluorescent lights. Do you have any of the boxes they come in?" We were in luck; they were in a storage locker off the switching center's main room. We came back out with a 2 1/2-meter-long box that could be lashed on top of the van. I cut a hole in it so it could be placed over the antenna, completely hiding it in case Mitnick was in an upper-floor apartment and might see the van from above.
After we were done lashing and taping the box, the vehicle looked like a respectable electrician's van. The agents had agreed to the camouflage mainly to humor me, but they had to concede that the disguise worked pretty well.
It was nearly midnight when the three FBI agents were ready to roll. "So what happens if we see him outside his apartment?" one of them asked. It seemed probable that Mitnick would shop in the strip mall across the road from his apartment complex. "Do we grab him?"
"He's a probation violator, so we can take him in," Burns said, "but would any of you recognize him on sight?" The photos that all of us had seen were old, and the FBI documents indicated that his weight had fluctuated.
We decided that it seemed unlikely they would get further tonight than simply identifying which apartment was his, so the FBI team left with Backhaus, while Orsak and Burns followed in my rented green Geo, which they decided was the least suspicious vehicle in our fleet. Burns said they would do a quick surveillance and be right back.
By early the next morning, they had narrowed Mitnick's location to a group of apartments. However, because the signal was reflecting off an apartment wall, the agents were still not certain in which apartment the fugitive was located.
hortly past 4 p.m. the next day, Tuesday, Julia and I finally reached the US attorney's suite. We had to wait for a while for John Bowler, an assistant US attorney, to finish a meeting, before he came out to the reception area, introduced himself, and invited us into his office.
The prosecutor, a balding man in his early 40s, had a toothy smile and a rosy-cheeked, almost mischievous demeanor. We sat down in two chairs in front of his desk and began to explain our reason for turning up at his office late on a dreary Tuesday afternoon.
"How much of this do you already know about?" I asked. "Very little," Bowler answered, but he seemed intrigued that two California computer hackers had wandered into his office with a tale to tell.
I told him that we were pursuing Kevin Mitnick, who was wanted by the FBI and the US Marshal Service, and I gave him as precise a rundown as possible of the events of the past weeks, up through tracing Mitnick to the Player's Club apartment complex on Sunday night.
"The FBI has been in town since last night," I said, "and since we all now know where Mitnick is, I don't understand why things aren't moving more quickly. He's managed to elude the bureau for more than two years, and it looks as if they're giving him every opportunity to get away again."
"Is he armed, or is he dangerous in any way?" Bowler asked. I said I doubted that he was armed, but that he was dangerous in unpredictable ways. Whether or not he would actually wield that power, at the moment he was in a position to damage computer systems used by tens of thousands of people and containing property worth hundreds of millions of dollars. Several Internet companies were operating at considerable risk in an effort to help us catch this criminal and were not likely to keep exposing themselves much longer. Both The Well and InterNex knew the intruder had root access on their computers, and they had agreed to do nothing while I attempted to track him.
"Mitnick isn't your ordinary criminal," I said. "This is a game to him, and he understands telephone and computer technology a lot better than the law enforcement agents pursuing him."
Officials at The Well
were concerned that Mitnick
might have turned vindictive,
intent on permanent damage.
Soon Bowler was busy pulling together documents and delegating tasks to two assistants. As they were working, I received a page from Hua-Pei Chen, a technical manager at The Well.
"Something new has happened," she reported when I reached her. Mitnick had destroyed some login accounting data, she said, and while they had been able to recover it, Well officials were concerned that he might have suddenly turned vindictive and would now aim to do permanent damage. "Tsutomu," she said, "our management is worried about leaving ourselves vulnerable like this."
I phoned Bruce Katz, the online service's owner, who recounted what Chen had told me about the deleted accounting file. "Tsutomu, I want your advice," Katz said. "How vulnerable are we?"
Katz raised a series of questions. Had Mitnick figured out that The Well's staff was watching him, and had he decided to take them with him if he himself was about to be taken down? What were they risking by not shutting their systems down or locking him out immediately? "What's going on here, Tsutomu? Is he trying to get revenge?" Katz asked.
"We haven't done anything to turn Mitnick against The Well," I answered honestly. "We're this close to getting him," I said. "Give us a little more time."
While I didn't think Mitnick had any reason to believe The Well was on to him, I couldn't say the same for Netcom. I phoned Gross, who reported further signs of paranoia from Mitnick. He was continuing to move his data stashes and change passwords, and as a gesture of contempt for all who cared to review the log files, he had attempted to log into Netcomsv with the password .fukhood, no doubt for Netcom system administrator Robert Hood's special attention. Unfortunately, there was also an indication that Mitnick was suddenly approaching The Well with new wariness: the "dono" account, a secret account he had created and which he had been using for weeks with the same password, fucknmc, now suddenly had a new password. There may have been some hidden meaning in the choice of dono's new password - no,panix - but what mattered far more was that Mitnick had apparently felt a need to take a countersecurity measure at The Well, even though it turned out to be an ineffectual measure, given the level of our surveillance. Had something, or someone, tipped him off?
inally, shortly after 7 p.m. in Bowler's office, we had the warrants assembled. Since Burns had gotten no further on narrowing the address list, the assistant US attorney bundled up all four packets, and we headed off for Federal Magistrate Wallace Dixon's home.
While we waited in the car in front of his house, I decided to use my cell phone and send a message to Gross's pager: the ready code we'd agreed upon, which turned out to take some doing. We had set up a code to alert Gross that the arrest was being made, and Kevin Mitnick's birthday was supposed to be the "get ready" signal. I wanted to bracket the number 080663 with dashes, to make clear at a glance that this was not a regular phone number. On many numeric pagers the dash is created by punching the * key, but when I entered the combination *080663* followed by the # key to send it, I got a fast busy signal, indicating some sort of error. After I tried it again, with the same result, I entered the code number without the dashes, and after it was successfully transmitted, hoped Gross would interpret it correctly.
Unfortunately, he misread my intent. Four hours later, we received a page from Gross at Netcom.
"You're not going to like this," Julia warned. When I had taken several attempts to transmit the "get ready" message, Gross had interpreted the flurry of signals to mean that Mitnick had already been arrested. For evidence, he had started to make backup copies of the files that Mitnick had stashed around the Internet, and then began deleting the intruder's own versions. I had wanted to make sure that my software and data was removed before it was stolen again. But prematurely tipping him off might alert him and allow him to escape.
There was also one piece of good news - Gross had analyzed Mitnick's deletion of The Well's login accounting file earlier in the day and had determined that it was the result of a simple typo, not an act of sabotage. But the bad news was devastating - our surveillance had now been irredeemably compromised.
And it had happened several hours ago. Gross had not called sooner, fearing my anger. This was unbelievable. Here I'd been riding the FBI as hard as I could, and now if everything fell apart and Mitnick escaped, they were going to be able to come to me and say, "Your guys blew it."
But there was no time to fret about the error now: my cellular monitoring gear indicated that Kevin Mitnick had just signed on for the night shift. And if he hadn't noticed before dinner that his stashes had been destroyed - and his presence now indicated he might not yet know - he was about to find out.
I wasn't the only one who'd heard Mitnick come back to life. Suddenly Burns's car and several other vehicles sped through the parking lot and disappeared behind a bowling alley at the end of the strip mall. It was a quick, final coordinating meeting of the federal and local law enforcement agencies, and Bowler drove the van around to join the half-dozen plainclothes men who had assembled. He handed Burns the amended warrants, and I warned the group that Mitnick might have been inadvertently tipped off, so haste was more crucial than ever. Someone mentioned that the Triggerfish agents now had a "beacon" to home in on and could now use a handheld signal-strength monitor for close-up work, so it shouldn't take long to find him. The meeting lasted less than a minute, and the others were off to take up their assigned positions around and on the far side of the Player's Club.
It was clear that Mitnick
was beginning to understand
what was in store for him:
this game had real penalties.
Something strange was happening, however. Although Kevin Mitnick was south of the cell site, I was now picking up a data carrier from the north. It was the first time I'd seen another cellular telephone data call being placed within this cell from anywhere but Mitnick's vicinity since I'd come to Raleigh. Because of the spotty reliability of cellular connections, and the fairly high cost of the service if a person is not stealing it, it is not common to use cellular radio for transmitting data.
After I picked up the MIN - the cellular phone number - of this new data caller, I told Bowler, "Drive over to the phones." It was 12:40 a.m. He positioned the van as close to the pay phones as he could get it, with the vehicle between me and the apartment complex, and I slid out and called the Cellular One technician.
"Gary," I said, when Gary Whitman picked up his phone. "Are you watching?" He was indeed monitoring the Cellular One site, so I read him the new MIN and asked him to let me know each time our mysterious caller placed a new call and moved to a different frequency. He could do so by paging me with the new channel numbers.
Once again Bowler returned to our parking spot, and almost immediately I got the first of a series of pages, which allowed me to quickly flip between Mitnick's sector and the mystery man's, confirming that we indeed had two separate data callers using the cell site. For 45 minutes, I continued watching the two.
Then, at almost precisely 1:30, Mitnick's carrier went dead. We immediately saw the Triggerfish station wagon zip past, first down Duraleigh Road, and then a short time later in the other direction. The car now had the directional antenna that had been on Fred Backhaus's van the previous night. The second data carrier was still on the air, and it was obvious that the Triggerfish agents had spotted it, too. Other vehicles were now moving in on the Player's Club as well. "Something's happened," Bowler said. "Let's go have a look."
He slowly pulled the van out of the parking lot and onto a side street nearer the apartment complex, stopping behind some bushes just to the east of it, where we could see directly into the parking lot. We stepped out of the van. We could now see that the area was well staked out. There were at least four government cars, and at least a dozen plainclothes men standing or walking around. The Triggerfish station wagon returned.
I wanted to go tell the agents what I knew about the new signals from the north, but Bowler came over. "No, no, no," he said, standing close to me. "There's nothing you can do at this point. Besides, we don't know if they have Mitnick yet. He might see you."
I handed Bowler my cell phone so we could wake Judge Dixon for authority to search Kevin Mitnick's home.
A little while later, Levord Burns came over to the van again to report progress. I asked if I could have a look at the apartment, to see how my opponent had spent his days and long nights, but he declined.
"We've taken lots of pictures of the inside of his apartment, but they're evidence for the trial, and no one else will see them until after it's over."
Despite the steady cold drizzle that was now soaking us all, Burns came around to the side of the van and shook my hand.
"Congratulations," I said. "We managed to do this without killing each other."
He didn't reply, but for the first time since I'd met him, Special Agent Burns smiled at me.
slept for a few hours, and then I was wakened by a call from John Markoff. "Kevin's court appearance is at 10 o'clock," he said. It was already a few minutes past nine. "We'll meet you in the lobby as soon as we can get dressed," I told him, gently shaking Julia awake, then pulling the hotel room curtains back on a gray, wet Raleigh morning.
Markoff drove us downtown through a light rain, and because I was feeling a bit out of touch since the crashing of my RadioMail terminal, I decided to use my cell phone to check my voicemail in San Diego. I couldn't believe it. The intruder had been sending me regular voice messages taunting me. Now there was a new message in that phony Asian accent, and it had been delivered just before 7 a.m. West Coast time, a full eight hours after Mitnick's arrest, but well before the media reported his capture.
The message was long and rambling with none of the cockiness or bravado we'd heard before but, instead, in a delivery so nervous and rapid that the accent occasionally fell away altogether. After listening to it, I played back the message twice more, first holding the phone to Julia's ear, then to Markoff's:
"Hi, it is I again, Tsutomu, my son. I just want to tell you - very important, very important. All these phone calls you received with, ah, making reference to kung fu movies - nothing to do with any computer thing whatsoever. Just a little, ah, interesting call.
"I see now that this is getting too big, way too big. I want to tell you, my son, that these have nothing to do with any computer activities whatsoever. Just making fun of kung fu movies. That's it. That's it.
"And making reference to, ah, you know, trying to make a reference to putting kung fu movies into the ... into a computer reference. That's it. Nothing to do with any Mitnick, hacking, anything, nothing. I tell you it was just an interesting call that's ... it. All coincidence. This is getting too big, and nothing wrong has been done by anybody who left any messages on your voicemail. Just to let you know. OK? It's getting way too big."
We were amazed.
"So the tables have turned," I said. I wondered aloud where Mitnick's friend had gone to ground. I was curious if he was hiding right here in Raleigh. Whom had Mitnick called in the minutes before he opened the door for the FBI the night before? Was this the owner of the second cellular phone who had been making the data calls that the Triggerfish team had been chasing?
We were still talking about this new mystery as we entered the federal building. It was just a brief prearraignment hearing, and word hadn't yet got out that Kevin Mitnick had been arrested. We walked into a small empty courtroom and sat down in the last of the three short rows that had been reserved for spectators. It was like US courtrooms all over the country, an austere, windowless space with a high ceiling.
After a short time, Mitnick was led in from a door at the front of the room to the right of the judge's dais by a dour US marshal. Mitnick didn't look ill, but he also didn't look anything like the overweight, bespectacled "dark-side hacker" who had once terrorized Los Angeles. We saw a tall young man, neither thin nor stocky, who had metal-rim glasses and shoulder-length flowing brown hair. He was wearing a charcoal gray sweat suit, and he was handcuffed and his legs were chained.
Handcuffed, his legs in chains,
Mitnick turned to face his captor.
"Tsutomu, I respect your skills," he said.
Halfway into the room, he recognized us and paused for a moment. He appeared stunned, and his eyes went wide.
"You're Tsutomu!" he said, with surprise in his voice, and then he looked at the reporter sitting next to me. "And you're Markoff." Both of us nodded.
As the judge read the charges - telecommunications fraud and computer fraud, each carrying a maximum potential sentence of 15 years or more - it was clear that Mitnick was beginning to understand what was in store for him. This game had real penalties. In a soft voice, he said he wanted the court's permission to contact his attorney in California. The judge noted that whatever happened in his legal entanglements, the US Court of the Eastern District of North Carolina would "have its way" with him first. The detention hearing was set for two days later on Friday morning.
The whole thing lasted less than 10 minutes. After the judge adjourned the court, Markoff made his way to the railing that separated the spectator gallery from the rest of the courtroom. Julia and I followed him. Mitnick rose and turned to face us.
He straightened and addressed me. "Tsutomu, I respect your skills," he said.
I returned his gaze and just nodded. There didn't seem to be much to say. In our contest he had clearly lost.
Strangely, I felt neither good nor bad about seeing him on his way to jail, just vaguely unsatisfied. It wasn't an elegant solution - not because I bought some people's claims that Mitnick was someone innocently exploring cyberspace, without even the white-collar criminal's profit motive, but because he seemed to be a special case in so many ways. This was the sixth time he'd been arrested. He certainly knew what the stakes were, and I hadn't seen any evidence of a higher moral purpose to his activities or even just innocent curiosity.
The marshal started to lead him away and Markoff said, "Kevin, I hope things go OK for you."
Mitnick appeared not to have heard him at first, but then he stopped for a second and turned back toward us. After giving a slight nod of his head, he turned away and was led out of the courtroom.
Copyright © 1996 HotWired Ventures LLC. All rights reserved.