Taking a brief break from actual studying to take in some Kevin Mitnick. Kevin was an important figure in my younger days. I was associating with hackers and phone phreaks as early as high school. I was naturally curious, and very interested in technology and computers. Two exploits stand out in my mind.
In one, I social-engineered someone into sharing his Compuserve password with me, then logged in, changed the password and stayed online for two days straight, downing pitchers of powdered iced tea and eating peanut m&ms in bulk.
The other was far more serious. It’s probably a bad combination to have an interest in, and knowledge of, phone phreaking, and land a job at a telephone answering service. Somebody I knew knew somebody, and somehow I ended up working at a small answering service in the Wheaton, Maryland area. At first, everything was fine, I was excited to have a job and get paid.
Gradually, I let my guard down and began to take advantage of the situation. First, since I worked alone on weekends, I’d have my girlfriend over and get a little carried away in between calls. Second, I realized that the newer equipment, which did not have dialers or touch-tone buttons, nevertheless had a dialtone. I used the click method of pulse dialing and was able to get calls to go through. At my young age, I was naive enough to think that if it was an incoming-calls only line, then any outgoing calls made on them fell somehow outside the system and would never be noticed, tracked, or more importantly, billed. I was wrong, oh so wrong. After making a number of calls to recorded information lines, some of them international, just because I could, I was brought into the office to discuss the matter. It turns out that since it was an incoming calls only line, that did NOT mean that calls didn’t count. It meant that the customer did not choose a long distance service. I mean, why would they? And do you know what happened when a customer did not choose a long distance service? It happened to default on a very expensive service. So the answering service got a very expensive bill, and invited me to explain what I did, why I did it, and most importantly, how I did it.
Apparently, they had worked out some sort of arrangement with my parents and the local military recruiter, and agreed that if I would talk to the recruiter, they would not press charges. I talked to the recruiter, who told me I could be anything but a truck driver. I was close, perilously close, to joining, when I realized that they COULDN’T force me to join; that there was no relationship between their threats and reality, or between law enforcement and the recruiter; and that by entertaining the recruiter, I had fulfilled my side of the bargain. I walked, and was never charged.
I kept a much lower profile after that, plus I found other interests to keep me out of the hacking and phreaking world for a while (girls, punk rock, girls, etc.). But when the Mitnick thing happened, I was both aware and understanding. What happened to Kevin was very similar to what happened to a friend of mine. With my friend, he got arrested for LSD possession. When uninformed or aggressively corrupt agencies make drug busts, things can go wrong. He was charged with the entire weight of the LSD PLUS the medium on which it was delivered, which made it look like WAY more LSD than it actually was. Similar to Kevin, accused of information theft in the many millions of dollars range, as though by merely looking at source code he can invalidate all of the R&D money that went into creating it. I stand by my analogy.
I also went to at least one 2600 meeting in the general time period as the big bust happened at Pentagon City Mall — that notorious event which appears to have been orchestrated by the Secret Service where a bunch of hackers’ personal gear was confiscated. Though I wasn’t at that meeting, thank goodness. And I don’t think I was really close with any serious hackers. I read the magazines, I learned the tricks, but I had other things going on that prevented me from being a full-on lifestyle hacker.
Fast forward to now, when I’ve been in an infosec position for over nine years now, and performing infosec roles for significantly longer than that. And this weekend, I finally got around to watching the 2600 film Freedom Downtime, a documentary about the Free Kevin movement, and about the terrible ordeal that Kevin had to endure, unfairly and unconstitutionally, because of the hype that a few people built up around him. There’s an extended interview with him as well from 2003, after things had cleared up for him.
I’m also reading his books. The Art of Intrusion has some great stories of exploits.
A few years back, I picked up one of his business cards somewhere. It’s a metal business card with an actual lockpick set cut out and ready to break off and use. Genius.
Once I finish this book, it’s back to the studying grind for me. I just wanted to share, because reading and watching films about Kevin brought up memories of my own youthful hacker experiences.