Hacker who was trapped by his vanity

He plundered the citadels of cyberspace but the computer thief's urge to show off snared him, writes Andrew Brown
For two years, Kevin Mitnick was uncatchable as he roamed the computer networks of the world, on the run from therapy that a court in the United States had ordered to wean him off his addictions to junk food and computers. In the end it was a different urge that betrayed him: the compulsion to show off, and to steal from the most secure and respectable citadels of cyberspace.

His nemesis was a quiet Japanese physicist and computer expert, Tsutomu Shimomura. At nine minutes past two in the afternoon on Christmas Day, Mr Shimomura's network at the supercomputing centre in San Diego, California, was probed by a computer calling itself toad.com. Returning 10 minutes later, this time disguised as a university computer in Chicago, Mitnick jemmied the network open in 16 seconds, using the weakness he had found in his probing attack. By ten to three he had gained access to Mr Shimomura's computer at home, and plundered its security programs.

Then he withdrew, and left two mocking messages on the voice mail system.

All these activities were, unknown to Mitnick, logged automatically. Mr Shimomura was alerted to the break-in as he set off on his annual skiing holiday. He cancelled the trip at once, and set out to trap the hacker.

He watched him for some weeks before discovering his identity. According to some reports, Mr Shimomura was able to monitor Mitnick's progress as he broke into the computer systems of the Apple company and Motorola, one of the world's largest makers of chips.

Most progress, however, was made through publicity. In the curious world of hackers and counter-hackers, publicity is useful to both sides. The hackers demand respect for their feats, while their opponents believe that public discussion of known weaknesses makes systems safer. The crack in the security of the Unix operating system used by Mitnick to get into Mr Shimomura's network had been known since 1985.

Mr Shimomura electronically published details of the attack on his system on 12 January, after a conference on computer security. And the technique of "protocol spoofing" that Mitnick used was explained on 23 January in a bulletin issued by the Computer Emergency Response Team, a group of computer-security experts based in Pittsburgh.

Mitnick's next known attack was on the Well, a commercial bulletin-board system, in Sausalito, outside San Francisco. The Well has a reputation for high-minded élitism and among its more earnest denizens are those who discuss "Computers, Freedom, and Privacy". Mitnick acquired a list of participants in these discussions, and cracked the account of one of them, Bruce Koball, a computer programmer who had not been using the system much. Mitnick started storing his plunder there, like a burglar stashing his loot in the garage of an empty mansion.

Among the files he apparently stored on the Well was a list of 20,000 credit-card numbers belonging to customers of Netcom, a company which offers access to the Internet from all over the United States for the price of a local phone call. There were also copies of the files he stole from Mr Shimomura.

Staff at the Well were puzzled by the sudden huge expansion of Mr Koball's storage space. When they contacted him, he was just as surprised. When he examined the files, and recognised the name of Shimomura from the Computer Emergency Response Team bulletin, he realised that they were probably dealing with a serious hacker.

Mr Shimomura, with a colleague from the Supercomputing Centre in San Diego, set up monitoring computers at the Well's building. With agents from the FBI and the Justice Department, they watched the cyber-burglar as he returned, night after night, to stash his loot.

Soon the monitoring operation moved to Netcom. From phone-company logs they found that Mitnick was using a cellular phone to connect to a modem in North Carolina.

Mr Shimomura flew 2,500 miles and drove around with a car-load of FBI agents until, at 3am on Monday, they found the phone signal coming from a block of flats. After 48 hours' surveillance, the FBI moved in.

Mitnick seems not to have made any profit from his activities. But when he appeared in court yesterday in leg-irons, he was charged with computer fraud and illegal use of a telephone access device, crimes which carry a maximum penalty of 35 years in prison and $500,000 in fines.