Cyber Alert: Portrait of an Ex-Hacker
It's April, and more than 1,600 corporate techies crowd into a ballroom in San Francisco's Moscone Center. The room buzzes with excitement as the star attraction, convicted computer hacker Kevin D. Mitnick, saunters onto the stage. He's on a panel of security gurus and legal experts ready to talk about whether companies should hire ex-hackers to safeguard their computer networks.
It's an explosive subject in the industry, and sparks fly as Mitnick takes on other panelists, including Ira Winkler, chief security strategist at Hewlett-Packard Co. After Winkler warns against hiring convicted ex-hackers, Mitnick mocks him, claiming Winkler himself once hired ex-con hackers to work at a consulting company he owned, a charge Winkler denies. "I know them personally," Mitnick says acidly. "I had traded [break-in secrets] with them."
The world's most notorious hacker is back in circulation. Known by his handle, "Condor," Mitnick spent 15 years marauding through the computers of the world's largest tech corporations, conning his victims into letting him into their systems. He served more than five years in jail. Only when his probation ended in January was he able to get back on the Internet and start a consulting company, Defensive Thinking LLC, which helps clients to prevent hackers from snagging credit-card numbers, medical records, and trade secrets.
His timing is impeccable. Hacking has reached epidemic proportions because of the explosive growth of the Internet. While Mitnick says he hacked for the sheer thrill of the break-in, never stealing money or destroying property, many of today's computer criminals have far more destructive goals in mind. The recent SQL Slammer "worm" shut down 13,000 Bank of America (BAC ) automated teller machines and slowed worldwide Internet traffic to a crawl. And intelligence experts fear terrorists could use the Net or other computer technology to attack the U.S. The Homeland Security Dept. is concerned that al Qaeda or another group could launch cyber and physical attacks simultaneously, attempting to disable safety systems at nuclear plants or air traffic control systems. "[The prospect of such an attack] is a tremendous threat," says Sallie McDonald, deputy chief of the information and warning division of Homeland Security.
Faced with such threats, companies and government agencies have been pouring cash into their defenses. The amount of money spent on computer security is expected to hit $13.5 billion this year, according to market researcher Forrester Research (FORR ) Inc., twice the total in 2000. The forecast for 2006: $20 billion.
Just spending money on the latest security software isn't enough, though. Corporations and governments are especially vulnerable if they ignore the human side of hacking. In security consultant parlance, it's called "social engineering" -- and it's Mitnick's specialty. Hackers use it to dupe their victims into coughing up passwords and other sensitive information. In nearly all his attacks, Mitnick broke through the toughest network firewalls with persistence, a telephone, and a string of lies. His message to corporations: "There is no patch for stupidity."
His own crimes show that the best key to any locked system is neither a computer nor a modem. It's a gullible human being. Mitnick once pulled a fast one on Motorola (MOT ) Inc. by posing as an employee and calling a Motorola engineer to persuade her to send him the core software for one of the company's new phones.
Mitnick's story is a journey inside the slippery mind of a hacker. It's Catch Me If You Can for the computer realm. A tour of Mitnick's psyche provides a clearer understanding of the dark forces that thrive in the digital world. His criminal career, say experts, is a point-by-point primer on what spawns hackers, how they think and operate, and how difficult it is for them to mend their ways. It's an alert to parents and educators to steer potential "Condors" in the right direction -- before normal teenage rebellion turns into something poisonous. And it's a warning to government and corporate leaders to arm themselves against hackers and cyberterrorists.
These days, operating from the 17th floor of a fashionable West Los Angeles high-rise, the 39-year-old Mitnick strives to present himself as a reformed, mature tech consultant. His Defensive Thinking has attracted nine clients, whom he declines to identify. He has lined up more than 25 speaking gigs at seminars and private companies, each paying $5,000 to $20,000. And he has become something of a celebrity, publishing a book called The Art of Deception and making a cameo on television's Alias as a CIA agent.
Still, many corporations don't trust him. Not only is he a convicted con man but he's also world famous for it. "Do you hire the bank robber to guard your money? I don't think so," says Linda McCarthy, an executive security adviser at antivirus software maker Symantec (SYMC ) Corp. The same fame that Mitnick relies on for marketing collides head-on with his credibility. Unless Mitnick can resolve this conflict, his consulting business may not thrive. And if his speaking engagements peter out once the novelty wears off, he might be tempted to fall back on his old ways. He denies it will happen. "I just won't fall back. It's not an option," he says.
Mitnick is out to prove to the world that he really has changed. He gave BusinessWeek access to his new life through a series of interviews and referrals to his family and friends. And he recounted the long, strange trip of his hacking career, the prison stints, the years on the run, and his attempts to come to terms with himself and society.
As an overweight, nerdy teen in Van Nuys, Calif., Mitnick was desperate for a place to belong and a way to succeed. The hacker's life gave him what he needed. He was the only child of Shelly Jaffe, a waitress who dragged him through four divorces and countless failed romances, mostly with men who gave little thought to keeping her bright but hyperactive son on the straight and narrow path. His father, Alan, a record promoter, was rarely around.
Left to his own devices, Mitnick escaped by learning magic. But card tricks soon bored him, so he sought out the hacker crowd in high school. Their high jinks -- stealing computer passwords and cracking phone lines so they could make free calls -- seemed like magic, but on a grander scale. "It was about the intrigue, the adventure, the pursuit of knowledge," says Mitnick. "I wanted to be in that clique." Recalls Ronen Rahaman, a friend of Mitnick's in high school: "Some guys wanted to do varsity football. Kevin wanted to do varsity hacking."
Mitnick was driven by the need to prove himself. Hackers are typically wallflowers, shunned by the in-crowd, so they look for ways to show off their smarts. "They show their power by screwing over the system," says Dr. Jerrold Post, director of the political psychology program at George Washington University. Mitnick shocked his friends with his audacity. At 16, he phoned a Digital Equipment (HPQ ) Corp. system manager. Pretending to be the lead developer of a new DEC product, he snookered him into handing over a password. Once inside, he didn't steal anything. Breaking in was reward enough.
Computer crime can be addictive, and Mitnick knows it all too well. In his mid-20s, he hacked into DEC again, got arrested, and was convicted of felony computer fraud. He served a year in prison -- including eight months in solitary confinement. Yet after his release, he couldn't resist the draw of the flickering computer screen, the challenge of that next great hack. "It's like being sober and having a guy show up at your place with a line of coke," Mitnick says. "He's enticing you. 'Come on...it's just one time...it won't hurt."'
When the FBI started investigating his renewed hacking, he fled -- leading to two wild years on the lam. As he ran from city to city, he took on phony identities and supported his hacking habit by working odd jobs -- from systems administrator for a law firm to help desk analyst in Seattle. He was so convincing as Mr. Ordinary that his co-workers never suspected that after hours he was breaking into some of the best-protected computer systems in the world. He dodged the cops by monitoring police scanners to spy on the very people who were tracking him.
Even while on the run, Mitnick kept hacking obsessively. How wily was he? Shawn Nunley remembers Mitnick's incursions well. In February, 1994, Nunley was a systems administrator at software maker Novell (NOVL ) Inc. Late one night, he got a phone call at home from Mitnick, who introduced himself as a Novell employee named Gabe Nault. He said he was on vacation and needed to connect to the network to work on a project. Having never met Nault, Nunley called Nault's voice mail to make sure the voice on it matched the one that had woken him in the middle of the night.
Mitnick was a step ahead of Nunley. The hacker had called a Novell network techie and convinced him to reset Nault's voice mail password. Then Mitnick left his own voice on the recording. "It seemed plausible. I gave him an account," says Nunley, now director of technology development at NetScaler Inc. in Santa Clara, Calif. Mitnick proceeded to steal a copy of the secret code for Novell's most important software product, NetWare. He just looked at the code, never using it for anything else.
Finally, though, Mitnick screwed up. On Christmas Eve, 1994, he hacked into the computer of Tsutomu Shimomura, a highly respected security expert at the San Diego Supercomputer Center. Bad move. Shimomura was incensed. He teamed up with the FBI and tracked Mitnick for two months, until they ran him to ground, surprising him in a Raleigh (N.C.) apartment, surrounded by telephone gear and fake driver's licenses.
It was during his second jail stay that Mitnick says he decided to mend his ways. He was denied access to anything his guards thought he might be able to use to hack from his cell -- even a portable radio. "I was treated like Hannibal Lecter," he says. "It was absolutely the worst." So he channeled his energy into helping his lawyer fight his case. "Kevin's desire to hack came from a need to be successful at something," says his aunt, Chickie Leventhal, a bail bondswoman. "He just redirected that to his defense." He had been charged with 48 counts of computer, wire, and cell-phone fraud in 1995. By the time he pleaded guilty to seven of the charges in 1999, he had already served most of his five-year sentence.
Mitnick spent his probation trying to craft a normal, law-abiding life. He wrote the book. And even though he was not allowed to go on the Internet, he looked over other people's shoulders when they surfed the Net -- like a modern-day Rip Van Winkle, fascinated with how much the cyberworld had changed during his long absence. He also has forged family bonds. He now lives in suburban Thousand Oaks, Calif., with his girlfriend, Darci Wood, and her 7-year-old daughter.
In his office in West Los Angeles, he's the picture of meticulous organization. He carries his BlackBerry handheld organizer wherever he goes, so he's sure to be on time for every appointment. "He's learning to channel his obsessiveness into something other than being obnoxious," says Don Wilson, a former boyfriend of Mitnick's mother and one of Mitnick's closest friends. "There's a sense of urgency to turn his life around."
The cops doubt that Mitnick is truly reformed, though. FBI agent Kenneth G. McGuire III, his relentless pursuer for years, worries that Mitnick is simply putting on an act -- and that he won't be able to resist getting into trouble again. "He showed no remorse," says McGuire, whose office building is visible from the lobby of Mitnick's office. "He was laughing as he took the keys to the kingdom. He has no history to make him trustworthy."
Indeed, Mitnick is still furious at those who convicted him. When asked how people will be persuaded to trust him now, he launches into a fiery diatribe, raising his voice and slapping a conference room table in his office. He angrily denies prosecutors' assertions that he caused $5 million to $10 million in damage, and he insists he didn't deserve to be thrown in prison for five years. "The judge bought into the myth of Kevin Mitnick, as if I was the Osama bin Mitnick of the Internet," he says. "They wanted to create a cyberbogeyman." He rages on for 40 minutes, listing all of the computer crimes ascribed to him that he didn't commit and attacking the government, the press, and the prison system for treating him unfairly.
Then he abruptly calms down, becomes sheepish. It's like the transformation of Mr. Hyde back into Dr. Jekyll. After he left prison and met some of his victims, he says, he realized the gravity of what he had done. He has apologized to several of them. "What I did was absolutely wrong. Unfortunately, I can't go back in time and fix it," he says. "There's nothing I can do but just live my life differently."
Mitnick acknowledges that it's a struggle to resist the urge to hack. One day, he says, he signed on to AOL Instant Messenger and was bombarded by greetings from teenage fans who had heard him reveal his screen name on a radio program. One, with the screen name Spikey 551, confessed that, at 14, he tried to hack into America Online and steal passwords. "I got caught in the first 10 minutes," Spikey lamented. Mitnick says he dashed out a quick reply. "Stay out of trouble," he advised. "You don't want to end up like me."
And corporations don't want to end up like Mitnick's victims. They are well advised to heed his warnings and plug the holes in their security systems caused by employees' gullibility. While he claims he has traded in his black hat for a white one, a whole new generation of con men is out there in cyberspace trying to one-up the master.
By Arlene Weintraub in Los Angeles, with Jim Kerstetter in San Francisco