KEVIN MITNICK OPENED THE DOOR ON A RAINY SUNDAY night dressed in black drawstring pants and a 2600 Hacker T-shirt, a homecoming gift from the magazine on the occasion of his January 21 release from Lompoc federal prison. The 36-year-old hacking legend is living in a sprawling, anonymous apartment complex on the outskirts of Los Angeles County where he helps care for his father, who recently underwent triple-bypass surgery. He dropped plans to move to Las Vegas after a probation officer told his mother that his release conditions — no computers, cell phones or Internet access for three years — would bar him from working on a 7-Eleven computerized cash register. “These restrictions force me to live as if I was part of the Amish,” he says.
That will be quite a change for a man whose hacking career spans two decades. While at least three books and a still-unreleased movie fill out the Mitnick mythology, the most accurate history is probably contained in police and court documents. The guy has been busted time and again for messing around with computers and telephones.
While still a teen, Mitnick was accused of compromising national security by breaking into the NORAD computer (he denies it). In 1983, he was alleged to have used computers at the University of Southern California to access the military's ARPAnet. In 1987, he was busted for penetrating the computers of a software publisher and received three years' probation. In 1988, he was charged with illegally copying proprietary software from Digital Equipment Corp. He also did a stint in a halfway house for “computer addiction.”
In 1992, Mitnick apparently violated his probation by hiding out after the FBI searched his home computers for evidence that he broke into telephone-company computers. He was then accused of stealing software from Motorola, Sun and other companies. Finally, in 1995, he was tracked down by national-security insider Tsutomu Shimomura and arrested in Raleigh, North Carolina. The spy-vs.-spy game was chronicled most famously by New York Times reporter John Markoff, whose dramatic reportage Mitnick blames for what many now see as the criminal-justice system's punitive overreaction to his case.
“At the time my story appeared, Kevin was already being hunted by four law-enforcement agencies,” Markoff responds. “The idea I created his problems is just false.”
U.S. District Judge Mariana R. Pfaelzer, in L.A., initially refused Mitnick a bail hearing; he had already waived his rights to one in North Carolina under the threat of continued solitary confinement. His discovery requests were denied. And, of course, for a long time he was denied use of a telephone, under the theory that, with a phone and a whistle, he could set off a nuclear attack. By 1996, the heavy-handed actions of the court gave rise to the “Free Kevin Mitnick” movement, turning this not particularly popular denizen of the computer underground into a martyr and a hero.
Mitnick eventually pleaded guilty to seven charges in the software-theft case, although he contends that the system's bias forced him to admit to crimes he didn't commit.
“Poor Kevin,” responds former federal prosecutor David Schindler (he entered private practice in October). “He only pleaded guilty to the crimes he committed . . . The sad thing with the guy is he's never going to get on with his life.”
Whatever prosecutors might think, Mitnick over the past year has undergone a media rehab, going from cyberterrorist to — well, not that bad a guy. An influential May 1999 Wired News article challenged claims from Nokia, Sun and others that Mitnick's theft cost them $300 million. That paragon of conservative business sense, Forbes magazine, described Mitnick's actions as the equivalent of pieing the mayor. The former hacker got reasonably sympathetic treatment from 60 Minutes, and this week he wrote a guest column for Time magazine.
With all the old fury about Mitnick supplanted by new hysteria over the recent attacks on e-commerce, what was it that he actually did? He read some people's e-mail, and he downloaded some proprietary software. And how sensational is that?
TRIM-LOOKING AFTER HIS PRISON WORKOUTS, THE ONCE-chubby Mitnick handed out soft drinks and a plastic package of rugala cookies before sitting down with the Weekly's Gale Holland to discuss hacking, justice and the recent e-attacks.
L.A.Weekly: Why are you reined in so tightly?
Mitnick: If the government succeeds in creating me as the cyberbogeyman, they can convince the public to give up more rights to privacy in exchange for protecting them against people like me.
Weekly: Why you?
Mitnick: The whole reason why I became a poster boy for the government was John Markoff's false and defamatory article in 1994 on the front page of The New York Times.
Weekly: Why would Markoff defame you?
Mitnick: The guy never disclosed he had a prior business relationship with me that went sour. He was writing a book [Cyberpunk] with his wife, Katie Hafner, and he wanted to interview me. I told him, sure, I'd cooperate for a fee. He said, “Well, I'm not going to do that. I guess whatever I hear from other sources about you I can assume is true.” I thought, big deal, whatever this guy was doing with the book, it would disappear. Then I was released from prison the first time. They were optioning the book for a movie. It was a package deal; if everybody cooperated, we'd get $5,000 for a two-year option and, on filming, an additional $45,000. After two years, they wanted to extend the option, I said no, and the whole movie deal went down the tubes . . . Also, Markoff never disclosed that he participated in the federal investigation [Mitnick's latest case]. He and Shimomura were ski buddies, and Shimomura was his source on technical issues.
Weekly: What exactly do you contend Markoff got wrong in his book about your 1995 capture?
Mitnick: He said I broke into NORAD and compromised national security, wiretapped FBI agents, placed a false story about Security Pacific, and reprogrammed a phone switch, causing agents to burst in on a Middle Eastern couple watching TV. To say I compromised the security of the United States and taunted FBI agents as too inept to catch me, on the front page of The New York Times above the fold, turned me into Public Enemy No. 1. He never checked these things. He was hyping the story while trying to sell a book and become a millionaire, and he did. Markoff made $1.4 million on Takedown . . . All the other news organizations repeated his claims over and over, and it had a huge snowball effect.
Weekly: Markoff and the prosecutors have suggested you don't appear to be accepting responsibility for your actions. Do you think you did anything wrong?
Mitnick: What I really was, was a computer snoop. I accessed proprietary codes and I trespassed on other people's computers. It was a despicable act of invasion of privacy, a gross act of invasion of privacy, but I don't believe it rises to the level of fraud.
Weekly: Then why did you plead guilty to fraud and admit $5 million to $10 million in damages?
Mitnick: U.S. District Judge [Mariana] Pfaelzer denied me a bail hearing; she also refused to pay my attorney's bills for four months. It was very clear to me in her court I didn't have the presumption of innocence. It would have been suicide to go to trial. So my attorney cut the best deal he could.
I believe I caused some loss, less than $250,000 for ã labor to restore computer systems and the long-distance cell charges I used to mask my location. The $5 million to $10 million was a legal fiction. In the plea bargain, they came up with the number of months they wanted me to be in prison and then picked the number from the guidelines for that amount of time, basically so they could use it for publicity value.
Weekly: Why did you hack?
Mitnick: Basically I did it for the thrill, curiosity, the knowledge, but mostly the intellectual challenge. I took the software as a trophy, proof that I managed to do it. Remember, I was hacking in 1978 before there were any laws on computer crime. I was so enthralled in this activity, society changed around me, Kevin didn't change with it. I've never engaged in any hacking activities for profit or harm. I knew it was wrong at the time, but I justified it in my mind because I just really enjoyed it. It's fascinating. It's like Star Trek: Go where no hacker has gone before. I don't like to use the word addicting, but you get so focused, hours could pass. I got a divorce over hacking. Basically it was just a big ego boost. I was having a blast.
Weekly: So were you after bragging rights?
Mitnick: I was more of a solo. I wasn't associated with a group of hackers like Legion of Doom or anything. I'd tell maybe one friend when I did something. The reason I didn't associate with a lot of people is I wasn't interested in having help. I felt more of a sense of accomplishment doing it on my own.
Also, hacking was an escape from my own personal problems, things that haven't gone away. Personal tragedies that happened to me as a child. It was an escape from reality.
Weekly: Anything you'd care to discuss
Mitnick: No, they're nobody's business.
Weekly: Do you remember your biggest hacking rush?
Mitnick: I can't discuss it; the statute of limitations hasn't run out . . . Going after a computer run by an individual in a foreign country, that was a real challenge. Also, what was really neat was to play with the phone switch. When Pacific Bell didn't yet offer caller ID, it was already built into the switch. You could get everybody's number.
Weekly: You went after sites with the toughest security?
Mitnick: Yeah, to get into a system that's not protected is no challenge. If all the companies didn't have passwords, there would be no hacking. What would be the challenge?
Weekly: Some people have said you were not a great technical hacker, but relied on “social engineering” like talking people out of their passwords, etc., to break into systems.
Mitnick: It depended on my objective. If I wanted to remain stealth, I would use a technical attack or very careful social engineering. Usually I didn't care if they knew I'd been in their system, because once I got in I moved on to the next one.
But my first line of attack was social engineering, and I was so successful I rarely needed to go to a technical attack. Let's say you wanted all of a system's modem numbers; even though I wanted to remain stealth, I would contact accounts payable and say I needed to check my billings. The computer department would never be clued in, because accounts payable and computer information would be autonomous. The bottom line was, I didn't care: If social engineering would be the quickest, I'd go for the jugular.
Weekly: So were you a great hacker or not?
Mitnick: I don't think I was the best hacker in the world. If I was, I wouldn't have been caught. There are people out there who have been hacking as long as I was and were never caught. I know of one, I know him by his code name only, who has technical skills far superior to mine, and he's never been caught. If it's a him; it might be a her.
Weekly: Should hacking even be a crime?
Mitnick: Is hacking a public service? I don't think I'd go that far. I think these companies I hacked were extremely fortunate it wasn't somebody from a foreign company or competitor who hacked them. I had the potential to cause them extraordinary harm. Company executives probably had a lot of sleepless nights over me.
Weekly: Did Internet security improve after they got on to you and other hackers?
Mitnick: With Digital Equipment, I was in their network for eight years, and their security improved, but it didn't improve to the point that they could keep me out. The problem with any big corporation is there's an outside threat and an inside threat, and the inside is much more onerous.
Weekly: What do you think about last week's computer DOS hacks?
Mitnick: A DOS attack is analogous to crashing a system. In all my hacking,
I never crashed a system or damaged a computer. That's just being destructive. In fact, I don't consider the people behind the DOS attacks to be hackers. A hacker is a computer enthusiast who intensely enjoys the thrill and challenge of circumventing security. These are just people who used a computer to commit vandalism.
Weekly: What was it like for you in prison?
Mitnick: In my first case, the judge went along with a government request that I not use the phone unless officials could dial for me. The Bureau of Prisons responded by putting me in the hole for eight months. I was in a small little room 10 by 6, 23 of 24 hours. I pled out. Anyone would have.
Weekly: How did the other inmates respond to you?
Mitnick: They certainly wanted my knowledge, and I dare say they wouldn't have been using it for the benefit of society. Especially the credit cards. When I left Lompoc, quite a few gave me their address and number; most I left in the garbage can.
Weekly: How do you feel about your newfound fame?
Mitnick: The reality hasn't hit me yet. You should see the e-mails I get. “Can you teach me how to hack?” That's one thing the government can't stop me from doing, writing a book on how to hack. Not Son of Sam or any other law would apply. What's barred is discussing my unauthorized criminal conduct. But I'd want to also write about how to prevent it from happening to you.
Weekly: Will you hack again?
Mitnick: Yeah, if I'm getting paid for it. You know, now they're hiring these teams to go in and test systems and if they're able to circumvent to plug up holes, and it's legal. I'd have to consider it under a cost-benefit analysis. In the last round, I was doing it for fun, was it worth five years? No. In this round, if I was doing it for $50 million, then the cost benefits would be more.
Weekly: Several Fortune 500 companies have said they'd jump at the chance of hiring you for computer-security work. Would you be
Mitnick: I'd be good at it. I'm a natural in the field of circumventing computer security. As long as I'm challenged and I like the work and the fee is commensurate with my skills, creativity and energy. I'd have to see what the market is for that now; they'd have to go in the high range for me. I certainly wouldn't be dead weight like so many management executives. Any job I take has to be challenging.
R.U. Sirius is editor-in-chief of www.gettingit.com a news Web site.