The return of the super-hacker

It's eight years since Kevin Mitnick, dubbed the world's most-wanted computer hacker, was jailed for a litany of cyber-crimes…

It's eight years since Kevin Mitnick, dubbed the world's most-wanted computer hacker, was jailed for a litany of cyber-crimes against some of the US's most powerful organisations. Next week, his parole ends and he'll be back on the Internet again. Should we be afraid, asks Oliver Burkeman

When an earnest, slightly nerdy 29-year-old called Eric Weiss applied for a job in 1994 as an administrative assistant at the law firm of Holme, Roberts and Owen in Denver, there was no reason to turn him away. He was presentable, articulate, easy to get on with; his computer skills, usefully, were second-to-none. If anybody there knew that Eric Weiss was also Houdini's real name, they saw no reason to bring it up. Certainly, nobody knew that Eric Weiss, legal assistant, was really Kevin Mitnick, fugitive computer hacker, target of a year-long FBI manhunt, or that there were intelligent people in American law enforcement who believed he had the ability to launch nuclear missiles by whistling into a telephone.

That kind of rumour was typical of the legend that had grown up around Mitnick, who vanished in 1992 after violating the terms of his probation for a hacking conviction. For years, he had been electronically breaking and entering - first the phone exchanges of his native California, then, finally, the world's biggest computer firms and branches of the US government. He wrought no damage - he just studied confidential information, then vanished. He was frequently in a position to steal millions of dollars. He never did.

But the Internet was young, the fears it evoked still nebulous and, worst of all, Mitnick was making the FBI look stupid. So when they finally caught up with him in 1995, knocking on the door of his North Carolina apartment at 1.30 a.m. on a rainy night, after a nerve-jangling cat-and-mouse game between Mitnick and a rival hacker - who turned out to be working with the police - they made sure that prosecutors spared no effort.

READ MORE

Mitnick got five years in jail - unprecedented for hacking - four of those prior to his trial, including eight months in solitary confinement. When he was released, in early 2000, they added a stringent term of probation, forbidding him from using a phone or computer or connecting to the Internet for three years.

Which is why, on January 23rd, Mitnick will send his first e-mail in eight years. "Mark your calendar," he says sardonically. "I'll be having a party." He is 37 now, smartly groomed, no longer the stick-thin figure that emerged from jail, and not now - if he ever was - the antisocial Mitnick of media legend, all pallid skin, greasy hair and questionable personal hygiene. He has switched sides, and his new book, The Art of Deception, presents itself as a manual to help companies defeat hackers. Above all, it is about the hacker's most lethal weapon, "social engineering", or using the gift of the gab to get people to give you information they shouldn't: passwords, and other people's credit-card numbers, for example.

But there is still the legend to contend with - the aura of malevolent power that has always followed him. According to the thousands of Internet users who campaigned for his release, the justice system swallowed the myth whole, imposing a punishment out of all proportion to his crimes.

Mitnick blames this almost entirely on one man, New York Times journalist John Markoff, who adopted Mitnick's story as his personal specialism. And the myth won't go away. "People at my own publisher's IT department were afraid of me coming into the building. There's this fear that I can destroy people's credit, or find anything out about you," he says. "Or launch nuclear missiles."

It all started because he wanted free bus rides. "I was a bored kid," he says. Growing up in Los Angeles - too young to drive, his father long since vanished, his mother at work - he would study the patterns of holes the bus drivers punched in tickets to validate them for future journeys. "Then I went over to the bus station and looked in the garbage can, and found that they would discard all these blank tickets.

"I talked to a bus driver - 'Where do you get those punches? I'd like to get one for school' - and I bought one and travelled the bus system for free. I don't feel sorry for it. My mom knew. She never said don't do it. The bus drivers knew. Maybe if I'd been condemned for it, I'd have thought, 'Hey, this stuff is wrong'. But I just thought it was cool."

It was a bus driver who got him into CB radio, and a fellow ham who introduced him to phone phreaking - what hackers did before personal computers were widespread. Using numbers supposedly only known to phone company technicians, they ran wild on the network for free.

Then, in the early 1980s, came the first personal computers that could be linked to phone networks, and around the same time, Mitnick's first taste of trouble: his arrest, age 17, for stealing technical manuals from a phone company. He violated the terms of his non-custodial sentence and ended up spending several months in juvenile detention. But by then it was too late: he was deeply involved with a group of hackers who met in an LA pizzeria called Shakey's.

"I wasn't a hacker for the money, and it wasn't to cause damage," he says, when asked about his motives. "It was all about getting the information, learning more. It was all about the intoxication for the technology."

And it was easy. "When you combine technical attacks with attacks against people's common sense," Mitnick says today, "it's a lethal substance. Like, for example, where you set up a website that purports to offer a prize.

"Somebody sends out 5,000 e-mails to a company. Say 10 per cent of the employees visit the website, then they have to register with their e-mail address and a password. Let's say 10 per cent of those people pick a password they use at work. That's 50 ways in. It's that simple."

Exactly why Mitnick came to the attention of the police again is a matter of dispute - he denies Markoff's claim that he broke into the US army's high-security Norad network - but two more convictions followed, the second ending in imprisonment. His lawyer brokered his release on the then-unprecedented grounds that he was suffering from a "computer addiction", and needed treatment, not prison.

"Was it an addiction? I know people who come home from work and stay on the Internet until four in the morning. Is that addiction?" He considers the question. "Certainly, I was a little obsessive." Of course, the "treatment" - in a real Californian halfway-house for addicts - didn't work. When he started hacking again, and the FBI took note, Mitnick feared he could be looking at another long sentence. So he vanished - and Eric Weiss was born.

"Being on the run wasn't fun, but it was something I had to do," Mitnick says, matter-of-factly. He wasn't always Eric Weiss: sometimes he was Brian Merrill, a hospital assistant. "I was actually working in legitimate jobs. I wasn't living on people's credit cards. I was living like a character out of a movie ... It was performance art." This was the philosophy that governed Mitnick's hacking, and that defined a whole generation of hackers: they weren't grifters, looking to steal money, they told themselves, nor "script kiddies", using pre-written codes to cause havoc. They were in it for the intellectual challenge. Mitnick simply applied the approach to the rest of his life, too. Choosing Houdini's old name, he says, "was a kind of joke to the FBI".

"But," he sighs, "they didn't think it was funny." Markoff's story appeared on the front page of the New York Times on the 4th of July, 1994, under the headline: "Cyberspace's Most Wanted: Hacker Eludes FBI Pursuit." From this, Mitnick claims, followed everything else. His argument smacksof bitterness, but, then again, it's hard to overstate that newspaper's influence on American public life.

"My argument is not that I shouldn't have been punished, but that the punishment didn't fit the crime," he says. "I wouldn't have sat in prison for five years, I wouldn't have been held without trial for four-and-a-half years, if it wasn't for Markoff creating this fear. When you write a story and it ends up on the front page of the New York Times, the department of justice is reading that. The director of the FBI is reading that, the director of the CIA is reading that. The government needs to send a message that they can't just have some desperado hacker on the loose who could start a nuclear war."

Markoff says that Mitnick's argument that "he was in some way given a harsher sentence is both absurd and pathetic. This is a guy who didn't learn the lesson over two decades ... So he claims parts of my reporting are inaccurate. I'd just ask you to think about the title of his book - this is a guy who's written a book called The Art of Deception. Caveat emptor, that's all I have to say."

But the FBI, if they were newly alert, got no better at catching him. Mitnick, calling himself Glen Case, moved to the city of Raleigh, in North Carolina. Alone on Christmas Day 1994, he found himself with little to do but hack. He chose to target the networks of a renowned security expert, who styled himself a "good samaritan hacker" named Tsutomu Shimomura. Shimomura alerted the FBI, and over several weeks they traced Mitnick as he ranged across the phone networks, leaving taunting messages on Shimomura's answering machine. Then Mitnick made a mistake.

"Every city I went to, I'd compromise their telecommunications infrastructure, so I could keep track of them trying to track me," he says. "I had control over the switches in Raleigh, but I got lazy. I used to check it every day to see if they had set a trap. I just stopped looking for a week. Just my luck: that's when they started ... "

The details of the criminal charges deeply offended his intellectual hacker's pride. "Sun Microsystems," he splutters. "I looked at their source code and moved a copy of it over to a university computer so I could look at it. The government said I'd caused them over $80 million of loss, because they'd spent $80 million making the operating system - and it had been rendered useless by Kevin Mitnick looking at it."

Prison was "boring. Totally boring," he says. He has little more to say on the matter; certainly, incarceration seems not to have prompted a transformative repentance. He admits to "exercising extremely bad judgment", but says he only feels bad for the mobile phone customers who would have ended up getting billed for his exploits. (And even they wouldn't have had to pay once they had complained to the phone company, he reckons.) It is hard to find in Mitnick a trace of real regret.

"If I had it to do all over again, would I do it? No. But do I feel sad, emotionally sad, for doing it? No. Do I regret it? In a sense, for the trouble I caused people. But not for looking at stuff that I shouldn't have looked at." He stops. Then, after a pause, sums it up this way: "You want to know why I did it? Fun. I know it sounds crazy to you, but that's why."

It hasn't escaped my notice that Mitnick has spent our conversation periodically checking a mobile phone.

"According to the parole terms, I'm not allowed to use or possess any type of technology," he says cheerfully. "Like this cellphone here. Or like the computer I have upstairs that I used for writing the book."

Yes, the terms are stringent, he says, and he still isn't allowed to connect to the Internet. But he didn't get where he is today without developing an expertise at ferreting out pieces of information people don't want him to know. And what most people don't know is that probation rules, in the United States, are all at the discretion of the probation service. So Kevin had a few words - and cracked the system.