>>Eran Feigenbaum: For those of you who know
Kevin, he needs no introduction. For those of you that don't, some have called
him the world's most famous computer hacker. He's had several books written about him,
a movie made about him. He's the author of several books, with a new
one that came out this week which is a tell-all. His story in short is, I'll leave the details
to you, but he basically hacked into several Fortune 500 companies, government agencies,
phone companies and spent three years on the run and then finally got caught and spent
five years behind bars. So with that, a warm welcome to Kevin Mitnick. [applause] >>Kevin Mitnick: Thank you Eran. >>Eran Feigenbaum: So I mean how does one
become the world's most famous computer hacker? >>Kevin Mitnick: Wow, that takes a lot of,
a lot of doing. Actually I started as a 10-year old I was
fascinated with magic and I loved doing magic tricks. And then in high school I was introduced to
a student who could do magic with the telephone system. And he's what they called a phone phreak. And if you, I don't know how many of you read
2600 Magazine. So you've got a few of you in here. So phone phreaking was like the predecessor
to hacking and, and I was just like taken aback with what this kid could do. I, I gave him my mom's name and he was able
to get our unlisted telephone number at home. I, I, he gave me this special number that
you would call, you'd call this secret number and you'd hear like a weird tone, you'd put
in five digits and then you can call anywhere in the world for free. Not that I had to call anyone, but I liked
calling the time in Australia because I thought it was cool. And at the time I thought it was a fluke with
the telephone system, but it actually probably was some poor soul's MCI account and just
all the cool stuff he could do with the phone. So I was a prankster and I loved pulling cool
tricks, so the first thing that I did was I changed a friend's class of service to that
of a pay phone, so whenever he or his parents tried to make a call, it would say, "Please
deposit a dime." [laughter] >>Kevin Mitnick: 'Cause they'd actually get
this recording, I actually have the recording in my iPhone. So you imagine you're, you're at the, you're
at home, you go to make a call, and this is what you hear: [recording starts] The call you have made
requires a ten cent deposit. [laughter] [recording continues] Please hang on momentarily. Listen for dial tone. Deposit ten cents and dial your call again. [recording ends] >>Kevin Mitnick: And so I was really like
into pulling pranks with the telephone system and that was my passion was really just to
learn all about telephony. And, and then when the phone companies started
switching over to electronic switching systems, that's when they had front end computers that
were involved and that's why I became interested in hacking. Actually, I did, I wasn't really, I didn't
even want to go to learn about computers. I had a friend in high school that says, "Hey
you would really love computer class." And, and then I talked to the instructor and
I said, "Hey, I'd like to take a computer class." And he asked me what my prerequisites you
know what, what classes I had done before and I didn't have calculus and I didn't have
some other prerequisites, so he says I couldn't get it. So then I said, then my friend was there and
he goes, "Show him some of the tricks you can do with the telephone." And then ok, we're gonna let you in, we're
gonna waive the prerequisites. And probably that was, probably he's regretting
that today, [audience laughs] 'cause of all the crazy stuff I did. I mean the first thing I used to do was like
dial up to USC so I could play their computer games, because they were, they had better
games than they did in high school, and they had an Olivetti terminal, an acoustic coupler
110 baud modem, so you can imagine 110 baud. Any of you have, have computed at those, dialed
up at those super fast speeds? Well, in any event, I dialed, they had a phone
in the room, so it was restricted, you couldn't dial out. So what I used to do is call the operator
and say, "Hi, this is Mr. Crist. I need you to connect me to this number." And that would be the dial up for SC. So after he figured out what was going on
because all the kids in class were playing computer games on USC's computers because
they actually had a much better gaming library, he brought in a phone lock. And he says, "I found the one thing that's
gonna stop Kevin from dialing up to USC." He proudly places the phone lock in the one,
you know 'cause it's a rotary phone and number one. And I go, "Hey, that's cool, how much did
that cost you?" And he goes, "Oh like five, six, seven bucks." And I said, "Let me show you a cool trick." So of course I asked him for a phone number
and I just simply pulsed out on the switch hook, you know, the number I wanted to dial. His face turns red and he actually threw the
phone across the room. [laughter] >>Eran Feigenbaum: You were quite, quite the
prankster anyhow. I mean most kids you know in their adolescent
days go you know toilet papering houses. >>Kevin Mitnick: Yeah. >>Eran Feigenbaum: You had your other-- >>Kevin Mitnick: Mine was electronics, you
know. >>Eran Feigenbaum: So tell us like the McDonald's
story, I mean. >>Kevin Mitnick: Oh, my God, that's kind of
my favorite hack of all time is taking over the drive-up window at McDonald's. [laughter] >>Kevin Mitnick: So you could imagine the
fun you could have at 16, 17 years old. I used to sit, my friends and I would sit
like across a busy street in Los Angeles, I don't know if you know the area, it's like
Ventura Boulevard, it's like a huge, it's huge, it's like Broadway here. And when customers would drive up, I had a
ham radio that I modified that I can go on, I can go on McDonald's frequencies so I could
actually take over the drive-up window. So the guy with the headset inside, he could
hear what's going on, right, but was powerless to do anything. So people would drive forward, you know, I'd
take their order, you know, they'd ask for a Big Mac, large fry, large coke. I'd say, "Hey, man, we don't serve burgers
here anymore, you have to go down to Taco Bell." [laughter] >>Kevin Mitnick: You know and stuff like that. But the better one is when the cops drove
up. 'Cause I'd see the cops car and I'd go, "Oh,
hide the cocaine, hide the cocaine." [laughter] >>Kevin Mitnick: And then you know 16, 17
you're a little bit immature, so >>Eran Feigenbaum: You think? >>Kevin Mitnick: Just a little, so a customer'd
drive up, place their order. You know "I'm sorry sir, our ice machine's
broken, but in lieu of sodas we're giving out free apple juice and would you like small,
medium or large?" And they'd always say large, right, 'cause
it's free and then we had a recording of what sounded like urinating in a cup. [applause and laughter from the audience] >>Kevin Mitnick: "Would you please drive forward,
sir?" You know and of course the one time it got
too much for the guy, the manager at McDonald's, and he comes, he's out of the store, he's
walking around the parking lot looking to every car, to see who the culprit is. He sees nothing, 'cause we're way across the
street. And we're kind of laughing, we're sitting
there laughing. And then he, he walks up to the drive-up window
speaker and he places his head in the speaker like he's gonna see something. Of course I couldn't resist, I press down
the microphone, "What the fuck you looking at?" [laughter] >>Kevin Mitnick: And this guy, he flew back
like 25 feet, right? So that's actually my favorite hack, is McDonald's,
so. >>Eran Feigenbaum: But earlier on, right,
you got caught even for, for some of those hacks, right? >>Kevin Mitnick: Not for McDonald's, I got,
I got, my first time really in trouble was we went dumpster diving at a Pacific Bell
building and then we, I decided to see if we could social engineer our way inside because
we were very interested in the system at the phone company called Cosmos. And our objective there was just to go in
there and like look at the manuals, try to see if we can get a few passwords. But we went a little overboard. We decided we're gonna take some manuals out,
copy them, and return them, but since it was so late at night >>Eran Feigenbaum: Return them to the dumpster? >>Kevin Mitnick: No, we actually got into
the building and that's what I got in trouble, you know, obviously, you know. And we tried to return them, but then we were
afraid to go back, so ended up getting into hot water for that. >>Eran Feigenbaum: What kind of hot water
did you get into? >>Kevin Mitnick: Oh, well, like arrested. [laughing] Actually because somebody told
on, one of the friends of a friend told on us and ended up, it's all in Ghost in the
Wires. It was like, I mean I remember when the police
pulled me over, I was working at, in the San Fernando Valley, is one of the District Attorney
actually showed up. And actually he's kind of a friend of mine
now, Stephen Cooley, he's now the District Attorney in Los Angeles County and he's yelling
to the guys, "Search the car for a logic bomb, search the car for a logic bomb." Because he thought it was like an explos-,
an IE, you know an explosive device, when they didn't know it was a piece of code. So that was kind of like ok. [laughter] >>Kevin Mitnick: [laughing] So what. >>Eran Feigenbaum: But other than the final
big arrest, you, you've had several run ins with the law. >>Kevin Mitnick: Unfortunately, yes. I mean I was so, I was so passionate with
hacking it came to be like a somewhat of an obsession for me. And it wasn't about stealing money or causing
damage or writing viruses or worms, it was really about the, the thrill of getting in
and this thrill was you know overpowering my, my common sense. And I ended up getting into, into some trouble
like, and then, then I started playing cat and mouse with the government. And at one point I, I knew that the federal
government was investigating me, so what I did is I hacked into the cellular phone company
at the time because back in those times you had wire line and wireless and I found the
cell phones that belonged to the FBI agents that were like watching me, so I decided I
would watch them. So I had real time access to the CDRs to the
call detail records so I can kind of see who they're calling, who's calling them, where
they physically were. And then at one point I, I had this device
that could monitor the cell site in my local area and it would monitor the data channel. And this was on AMPS, this is not an AMPS,
this is not GSM, this is the AMP system. And anytime you pass into a cell site, your
phone registers. Anytime you get a call it does a page and
this is on the old AMP system. So I had all these FBI cell phone numbers
and I put 'em into my computer. Ok, so you had a scanner that's listening
to the control channel, interfaced into this special box to a piece of software, so I can
simply program in the list of phone numbers and if those phone numbers ever register in
that cell site, it alerts me. So one morning I go to work. I was working as a private investigator. I go into work. I put-- >>Eran Feigenbaum: Do we see the irony
there? [laughter] >>Kevin Mitnick: So I go into work, I put
in the code to disable the alarm to the office and I still hear this beeping sound and I
hear beep, beep, beep. And I started walking in the hall towards
my office and it's getting louder. And I go what the hell's going on? Did somebody bug my office? And I'm going to the, and then I finally go
up to the computer and it's actually the alarm, my FBI alarm, that there was an agent in the
area, so I, I realized it was like the main guy that was like hunting for me and I realized
that he actually called a pay phone across the street from the apartment I was at. Now I slept home, I was there at the time,
so I knew, well, they didn't come to arrest me, did they come to follow me? And then I thought, oh, maybe they came to
search. So, you know, of course I cleaned up my apartment
and 'cause I didn't want to leave anything there they'd be interested in and then the
next day I thought to go to Winchell's Donuts. So I got a big box of donuts and I wrote "FBI
Donuts" on it and put it in the refrigerator with a note [laughter] >>Kevin Mitnick: with a note on the refrigerator
that I had donuts for them. So the next day they actually came and searched
and they were pretty unhappy. [laughter] >>Eran Feigenbaum: Did they take any donuts? >>Kevin Mitnick: They didn't eat any donuts
though. I don't know why. Maybe they thought I poisoned them or something. So as a kid I just did these like you know
crazy things, you know. I was mostly interested in hacking telephone
systems, really as a trophy. So I'd like try to compromise switches in
all these different areas just to see if I could do it. It wasn't really and to pull pranks. And then, then I started moving on, I wanted
to learn about how to become a better hacker, so I would get access to source code, like
VMS source code, you know, that DEC had developed, so that I could analyze it for security vulnerabilities,
so I could find holes that would make me more adept at compromising those systems. So it was more like hacking into the companies,
get the source code, leverage the information to become a better hacker. Yeah. >>Eran Feigenbaum: But in reading the book,
earlier on you also took interest in creating false identities, almost like you knew what
was coming on. >>Kevin Mitnick: Well not really, this is
when I was 11 years old. I always liked to know things that you shouldn't
know. And there was this book >>Eran Feigenbaum: Keep an eye on him. >>Kevin Mitnick: Yeah. There was this bookstore in Los Angeles called
the Survival Bookstore and they had books on lock picking, on creating new identities,
I mean just all the secret underground stuff and then they actually sold lock pick sets. And I remember you had to be 18 years or older
to buy a lock pick set, so one of the books that I bought at the Survival Bookstore showed
where you could mail away and get a false I.D. that said you're 18. I'm 12. So I get a false I.D. that I'm 18. I go to the lady at the same store and I go,
"Oh, I'm 18." She looks at it. She laughs. She goes, "Ok, Kevin." [laughing] [laughter] >>Kevin Mitnick: Guess who got a lock pick
set? But, so I learned like at a very young age
of how the system works and the holes in it. There's this book called The Paper Trip by
a guy named Barry Reid that described how to create new identity in America and disappear. So I, I, but I never expected I'd have to
use it later. I just wanted to know how. >>Eran Feigenbaum: So when, when did you start
using that knowledge? >>Kevin Mitnick: Oh, when I, in about 1992,
right after the FBI donuts thing. [laughing] >>Eran Feigenbaum: And one of the first identities
that you picked was Erik Weisz. >>Kevin Mitnick: Yes, Erik Weisz because my,
you know, my idol at the time was a man named Harry Houdini and his real name was Erik Weisz,
so at the time I was living in Denver, Colorado, and I had to get a job, you know, because
I was running from the government at the time and I had to get a job and I needed a legitimate
identity, so I chose Erik Weisz. And I found out later, you know I had a sense
of humor, but much later I found out the FBI had no sense of humor. So this is when I did like one of the, you
know one of the attacks that I discussed in the book was on Motorola. And I [laughter] >>Kevin Mitnick: And I forgot to bring something,
I just remembered, I wish I could've shown you the brochure for this thing called the
MicroTAC Ultra Lite. And this thing was like the iPhone of today. This device, I don't know if you remember,
these like Star Trek type flip phone cell phones and as a hacker I wanted to understand
how it worked. I wanted to know, you know, the internal protocols,
how the, you know, the firmware was put together, so I made a very stupid and regrettable decision,
I decided to go after the source code for the handset. So one afternoon I left the office early in
Denver. I called the toll-free number, you know for
800 directory assistance. And I asked for Motorola. And I was given the number. And I called the number and got a receptionist
and I said, "Hey, I'm looking for the project manager of the MicroTAC Ultra Lite project." And a nice lady told me that all the cellular
development was handled out of Schaumburg, Illinois. So she goes, "Would you like that number?" And I go, "Certainly." She gave me that number. I called the Schaumburg receptionist and I
tell her I'm looking for the project manager of the MicroTAC Ultra Lite project and I'm
transferred around two, three, four, about eight times, I'm talking to different people,
and then I end up talking to the vice president of all of research and development for Motorola
cell phones, all their mobility. And I say, "Hey, I'm looking for the project
manager of the MicroTAC project. This is Rick over in Arlington Heights", because
during the last eight calls I found out they actually had an Arlington Heights facility. And he goes, sure. He gave me her phone number and says, "Well,
can I help you with anything?" I said, "No, no, no, no, I'll just talk to
Pam." Because Pam was the lady that was the project
manager. So I called Pam and I don't get her, I get
her voice mail outgoing greeting saying she just left on a two-week vacation, the date
she was returning and she said on her voice mail, "If you need any help with anything
whatsoever, please call Alicia on extension blah, blah, blah." Who's my next call to, right? I call Alicia. I go, "Hey, Alicia, this is Rick over in Arlington
Heights, I'm looking." I go, "Wait a second. Did Pam leave on vacation yet? Because when I spoke to her you know last
week she said she might be going on vacation. Oh she has? Well before she left she promised to send
me the source code to the MicroTAC Ultra Lite." [laughter] >>Kevin Mitnick: And I was walking, now imagine
I'm already walking home, I live a 20 minute, I live 20 minutes away by walking from the
law firm and it was snowing that day. So as I'm walking through traffic I'm trying
to press the cell phone really tight to my ear so you can't hear all the traffic 'cause
I never expected this to work because it's all extemporaneous. And, and then, and then Alicia goes, "Well,
Rick, what version do you want?" [laughter] >>Kevin Mitnick: And I didn't even know the
version numbers because then again this was all off the cuff and I just go, "How about
the latest and the greatest?" So she's fishing around on the computer, I
could hear her typing. I'm trying to walk out of traffic on to side
streets and she goes, "Rick, I found, I found the latest source code release, it's dock
two, but there's a problem." I go, "What's the problem?" She goes, "Well there's lots of directories
and there's you know tons of files in each directory." And I go, "Do you know how to use tar and
gzip?" [laughter and applause] >>Kevin Mitnick: And she goes, and she goes,
"No, I don't." I said, "Would you like to learn?" [laughter] >>Kevin Mitnick: And she said, "Yes." [laughter] >>Kevin Mitnick: So I became her instructor
for the day and I taught her how to use tar and gzip and at the end of the lesson there
was a three megabyte file, the source code I wanted to look at. So of course my next question was, "Do you
know what FTP is?" [laughter] >>Kevin Mitnick: And she goes, "File Transfer
Program." And I go, "Yes, exactly." And then as I'm walking, I go, 'cause I didn't
prepare for this is I couldn't give her, oh, my host name is hacker@ you know colorado.edu,
right? [laughter] >>Kevin Mitnick: So I actually had to remember,
I remembered an IP address to a server that I had a bunch of accounts on and I gave her
the IP address. She tries connecting two, three, four, five
times, times out each time. Then she goes, "Rick?" I go, "Yeah?" She goes, "I need to talk to my security manager
about what you're asking me to do." I go, "No, no, no" because she's already putting
me on hold, 'cause that's the last person, I didn't want her to talk to someone like
Eran. That'd be bad. [laughter] >>Kevin Mitnick: So I'm walking, I'm walking
and the time is like the seconds feel like minutes and I'm really nervous, they're gonna
like record my call. And so I was very careful when she you know
was gonna return to the line. I was gonna, I was going to be not saying
words, you know, I was just gonna be try to feel it out. So about five minutes later she comes back
on the line and she goes, "Rick?" "Uh huh?" "I, I talked to my security manager about
what you want me to do." I go, "Uh huh." "That IP address you gave me is outside of
Motorola's campus." "Uh huh." You know, notice I'm not talking. She goes, "And we need to use a special proxy
server to send these files." [laughter and applause] >>Kevin Mitnick: "And I don't have an account
on the proxy server. But my security manager was kind enough to
give me his personal user name and password." [laughter] >>Kevin Mitnick: "to send you the file." So within 15-20 minutes I have a source code
to the MicroTAC Ultra Lite. All I really did was look at it, 'cause I
was you know curious how it worked. What I really wanted to do at the time, since
the government was chasing me, I wanted to create invisibility. So if I had the firmware I could actually
modify it because how AMPS worked that day is you can control the registration and the
paging processes and I wanted to have better control so I couldn't easily be tracked. But you know like a company like you know
Motorola had you know all the best technology money can buy and it, and it was an extemporaneous
attack that actually worked. I was really surprised, you know. >>Eran Feigenbaum: So let's fast forward to
actually getting caught. >>Kevin Mitnick: Oh. >>Eran Feigenbaum: [laughing] >>Kevin Mitnick: Ok. [laughter] >>Eran Feigenbaum: What was ultimately the
demise that got you caught? >>Kevin Mitnick: Well, actually there was
a guy, Tsutomu Shimomura, that became involved because his, his server was hacked. And this guy, this guy is kind of an arrogant
security expert, if you Google him you'll find out who he was and we wanted to like
to take him a couple notches down, it was more of that type of thing. And then he went on a vigilante mission. And he, he and the FBI actually teamed up
to capture me. And they ended up, you know, in the long run
they ended up actually going out with the radio direction finding gear and tracing the
cellular signal to determine my whereabouts, because I was in a fixed location in Raleigh,
North Carolina, because I just moved there and I underestimated the amount of time that
the government would work, because ordinarily they are quite slow. And, and they were able to trace the rad-,
the signal and then I get a--, and then I was just--, they were able to trace a signal
and then the night this happened, I actually was out. I was actually going to work out at the gym
that night. And I got, I arrived home late, around I don't
know about, I went, then I went to go eat dinner. I arrived home around 11:30 that night, something
like that, 11:30 or 12:00, and by that time the FBI has this whole apartment building
under surveillance because they believed the signal was on the other side of the complex
in North Carolina. So I just parked my car, I have no idea that
it's all full of Feds. I go up to my apartment and the story is in
the book, there's a lot more to this, but I'm just trying to get to the, cut to the
chase. And then I just had a gut feeling that something
was wrong. I just had this sense, nagging gut feeling,
so I opened the door around one in the morning and I peered out into the parking lot and
I just go, "I must be being paranoid." And I shut the door. That, me opening the door and looking out
was how they actually found me. 'Cause they couldn't track the signal because
the signals were bouncing. And then I get a knock on the door and it's
1:30, and to me, I keep hacker's hours, I stay up late and I sleep late. And I guess just my reaction was, "Who is
it?" And it was "FBI, open up." And I go, "Who are you looking for?" They go, "Are you Kevin Mitnick?" I go, "No, go check the mailboxes downstairs,
because you have the wrong apartment." And they left for about ten minutes. [laughter] >>Kevin Mitnick: And at that time, in that
ten minutes I'm looking for, I'm on the second story, I'm looking for a rope to go down the
other side of my patio to get the hell out of there. And I, and I, there was nothing, you know,
I didn't prepare, so I didn't have a rope and I wasn't gonna tie bed sheets together
because I didn't want to you know get shot on the way down. So they, they knocked again and I was already
on the phone with my family and with an attorney. And they're knocking and I go, you know, they
go, "Are you Kevin Mitnick?" "I already told you I'm not. It's 1:30 in the morning, you have the wrong
apartment." You know, and then I finally, he goes, "Well
open up, we wanna talk to you." I crack the door, all these agents pour in,
they start searching and they ask me for a driver's license, I go, "Here I am" because
I had, had, I was under a new name. And, and they started searching and I'm asking
where their search warrant is and they're just ignoring me and eventually it gets to
the point, you know this is going on for a long time, they're searching my apartment,
they really didn't find much. And they finally were asking again, "Are you
Kevin Mitnick?" And I said, "No, I just showed you my driver's
license, I'm not this guy Mitnick." And then they handed me a wanted poster of
myself and said, "Doesn't that look like you?" [laughter] >>Kevin Mitnick: So I take the wanted poster
and I'm looking at it. I study it, and I'm thinking to myself, "Could
I really get out of this?" Right? And I'm looking at it and I finally, I finally
go, "No, that doesn't look anything like me" and I hand it back. [laughter and applause] >>Kevin Mitnick: So eventually this, this
thing is going on for awhile. One of these agents opens a briefcase on my
desk, you know, unlocks a briefcase, and he's about to go through it and I had some very
important papers in there, like blank birth certificates I didn't want him to find. I figured that'd be suspicious. [laughter] >>Kevin Mitnick: So I, I, I went over to the
table because I wasn't under arrest. And I said, "Hey!" And he looks up. I slammed the briefcase down and I lock it
and he goes, and his face turned red of course and he took the briefcase to the kitchen because
he was gonna use a carving knife to actually open it up. And then the other agent stopped him because
it'd be illegal search, right, to open up a container. So then finally the FBI went to go get a search
warrant and, and then during that process they found a wallet and then they found a
paystub in the name of Kevin Mitnick because I had a ski jacket that I had a paystub from
like 1980 something that I inadvertently left in there. And then they finally arrested me. So it was like this whole three and a half
hour ordeal and I was trying to get out of, and at one point before they found it they
said, "Well, you know what, we're not sure if you're Mitnick or not, so we're gonna take
you down to the FBI and fingerprint you and then we're gonna compare the fingerprint records
to rule out that you're, you know to rule out that you're Mitnick." I said, "Why didn't you think of that before? We could've saved all this time. In fact, tell me what time you want me to
show up at your office tomorrow and you can fingerprint me." [laughter] >>Kevin Mitnick: I tried my best. It didn't work. But the craziest thing is I think is the time
that when I was in court and they had told the judge that not only do they have to detain
me, but because I'm a national security threat that they actually have to keep me away from
the phone. And the reason they had to keep me away from
the phone is I could pick up the phone and I could whistle the launch codes to start
a nuclear war. So. [laughter] >>Kevin Mitnick: I'm serious. So I actually laughed in court, right? Because, because I figured the prosecutor's
gonna lose all credibility with the judge. Unfortunately the judge bought it and I ended
up, you know, in solitary confinement for eight and a half years. So during this time in solitary confinement
I perfected how I could whistle the launch codes and I want to share that with all of
you today. [laughter] >>Kevin Mitnick: Ok? I, I, I, you know now I need a phone because
if I'm gonna connect to NORAD I need some connectivity, so I'm gonna connect to the
phone here. So give me a second, and what we're gonna
do here now, you might have to take cover, [Mission Impossible whistling sound] [laughter] [sirens] [laughter] [sirens continue] >>Kevin Mitnick: I'm sorry, New York's gone. But I mean the timing was wrong in that, but
I thought that would be funny, but. [laughter] >>Kevin Mitnick: Yeah, so, back then when
I was involved in hacking I mean it was all mysterious. The internet wasn't really so popular as it is
today. You know, they looked at you like as a dark,
like as a witch, like a dark you know magician or warlock and they had such fear that they
would actually that people actually believed you could whistle the launch codes. So. >>Eran Feigenbaum: That wasn't the only myth
that was made about you, right? I mean you have several. >>Kevin Mitnick: Oh, yeah. I mean there's just so many, I mean. [chuckles] Oh yeah, that I you know hacked
into NORAD and nearly started world war III, that actually was stated as fact in the New
York Times, and that was actually from a movie called War Games in 1983. [laughter] >>Kevin Mitnick: Yeah. But I was under this severe, you know I was,
I was in high security in federal prison during this you know, when I was detained and I was
in what they call "the hole." And this was a solitary confinement, so if
you are like the Mexican mafia, if you're, you know, Al Capone, if you kill a prison
guard, they put you in this place that you're just under 23/24 hour lockdown. And I had a special phone restriction that
I was only allowed to call like five people, my mom, my grandmother, my aunt, my attorney. And so I figured, you know, I'm kind of at
the bottom of the bucket here in solitary confinement in a federal detention center,
but you know that didn't stop me from phone hacking. [laughter] >>Kevin Mitnick: Not at all. >>Eran Feigenbaum: So you were hacking from
prison? >>Kevin Mitnick: Hacking from prison. Let me tell you how, is [laughter] >>Kevin Mitnick: Is whenever I had to make
a phone call, they would actually shackle my arms, shackle my legs, they'd walk me like
30 feet to this room that had a bank of pay phones and the guard would look at you know
the numbers I can call. He'd say, "Which number do you want, Mitnick?" And he would dial zero plus the number to
get, 'cause it was a collect call obviously. And he'd place his chair four feet away from
the payphones. So he'd just sit there and his eyes would
never move from what I'm doing. And I'd, and the handset cord on the payphone
was a little bit longer than it is like on the street, I guess they're longer in federal
prison, who knows. So I'd walk back and forth when I was talking
and I would constantly be scratching my back, you know, switching phone, just getting him
used to this behavior, scratching my back, and actually rub my back against the payphone. And then I figured when I ended the call,
I acted like I was still talking to the person that he dialed and I just, you know, keep
talking and I'd be rubbing my back and then behind my back I would just hang up, you know,
hang you know push down the switch hook. And then I'd move my hand to the front because
I knew that I had 18 seconds before the phone went into reorder, meaning beep, beep, beep,
beep, so I had 18 seconds to do this. So I'd just continue to scratch and then I'd
put my hand behind again and dial zero plus the number I wanted, 'cause I was able to
dial the touch tone behind my back, touch tone pad, I was able to dial the phone number
behind my back. And then I'd have to continue in the conversation
because I knew within a, you know, 30 seconds the operator was gonna come on the phone,
you know come on the line and ask who the collect call was from, so I'd have to say,
"Well, you know, tell Uncle Harry that Kevin says hi." And when I said Kevin that's when the operator
was asking who the collect call was from. So this is how I was able to call anyone I
wanted, you know, even though the guard, even though I was in plain sight of this you know
this officer. [laughter] >>Kevin Mitnick: And this was working for
like three weeks. [laughter] >>Kevin Mitnick: And then early one morning
my door opens and it was like the executives of the prison, they put me in handcuffs, they
take me to this like attorney-client visiting room and they sit me down and the captain
of the prison goes, "Mitnick! How you doing it? How're you redialing the phone?" [laughter] >>Kevin Mitnick: I go, "What are you talking
about?" [laughter] >>Kevin Mitnick: "Our officer is watching
every move you make and somehow you're redialing the phone." [laughter] >>Kevin Mitnick: I said, "Hey, guys, I'm not
David Copperfield." [laughter] >>Kevin Mitnick: 'Cause I wasn't gonna admit
to anything. Then they say, "Well, we're monitoring everything
you do downstairs." Which I knew they were. And I just said, "Maybe there's a failure
in your monitoring system." You know, 'cause I still, you know, I'm not
gonna admit anything because then they could use it against you. So, so a couple days later I hear some commotion
outside the door and I peek out and it's Pacific Bell and they're installing a phone jack across
the corridor from where my, where my room was. And I'm thinking, are these guys actually
gonna install a phone in my room and then try to restrict who I can call? That's gonna be fun, you know. And I found out what happened afterwards. They actually, the next time I had to make
a call, the guard brings a phone, he plugs it in, he dials the number I want, then he
puts the hand cord through this like trap door in the door. So I only have the handset, I can't touch
the touch tone pad, it's beyond the locked door. And then I'm having a flashback to Hannibal
Lecter in Silence of the Lambs. [laughter] >>Kevin Mitnick: So that was crazy. They were so embarrassed by this they never
told the court, so the court never found out that I was calling anybody that I wanted to,
'cause they would look like fools, so. [laughter] >>Eran Feigenbaum: Let's talk a little bit
about, you know, finally getting out, the Free Kevin Movement. >>Kevin Mitnick: Oh, yeah, well, I mean a
lot of stuff was happening in my case, like I was detained for four and a half years without
trial and I, you know, and a lot of civil liberties issues so then 2600 Magazine actually
started this Free Kevin Movement to kind of you know like why is this guy denied the ability
to help his lawyer look at the evidence? Why has he been held for so many years, you
know, in custody without a trial? So they started this whole Free Kevin Movement
and it was, and, and I, I couldn't believe this one day I was in my room in, in detention
and I looked out this like, they have this slitted window, and I look out and I heard
they were having Free Kevin protests that day and I look and I see an airplane flying,
like a puddle jumper, and it was pulling a Free Kevin banner on an airplane and I could
see this from my prison cell. So it was like kind of like, wow!, you know,
like I never expected this. And anyway, they were trying to get the word
out to, it wasn't like the Free Kevin Movement was saying hey, this guy shouldn't be punished
for his hacking, but it was more like you know why is he held for, detained for so long,
you know why, why is the judge not allowing his lawyers to look at the evidence? So it was kind of to get the word out. And they did a good job of it, you know. And ultimately did it help my case? No. 'Cause the government doesn't care, really
about, you know, protests, but eventually I made a deal with the government after, well
the reason I made the deal is I found this case. Since I was hacking for more curiosity, I
wanted to look at source code to become a better hacker. It wasn't about selling the source code, it
wasn't about, you know, doing anything with it but using it to leverage it to hack in. And I found this case called Rich, this case,
this IRS agent called Richard, his name is Richard Czubinski and he was doing the same
thing. He was working for the IRS but actually looking
up people's tax returns because he was curious. You know he wanted to know how much money
they made and all this sort of thing. And he was prosecuted for the same charge,
you know crimes that I was. And he actually appealed his case, and this
was a federal case, saying well he did it out of curiosity. He didn't sell the information, he didn't
disclose it to anybody, it was a case of curiosity. And the, and the federal appellate court said,
well if it's, if you didn't use or disclose the information, it's not a federal crime. So I actually wanted to go to trial, say hey,
I did all this hacking, you're right, you know I admit everything, but I did it for
this purpose, you know, it was more my curiosity and learning, it wasn't about using or disclosing
it for monetary gain. And my lawyer told me that the federal prosecutor
at the time said, told him, warned him, that if your client doesn't take a deal, we're
just gonna, we're gonna try him here, let's say we, we lose, we're just gonna move him
to this jurisdiction and try him there. We don't care if we win or lose, because we'll
keep your client in custody so long that it won't matter anyway. >>Eran Feigenbaum: 'Cause you hacked in many
jurisdictions? >>Kevin Mitnick: Right, well, when you're
doing, you know when you're hacking over dial up, I mean this was dial up in these days
over the internet, you're going through so many jurisdictions, they could just put you
on the bus for this ever ending, you know, series of trials, so I just figured, hey,
you know I, I wanted to settle it on the best terms possible and one big negotiating point
is they didn't want me to tell my story for life. In fact another hacker named Kevin Poulsen
recently wrote a great book called Kingpin, he's a editorial, I think he's the editorial
director of Wired.com and his deal is he can't write his story for life, right? And so, we, my attorney negotiated and it
was a seven years. For seven years I was pretty much blacked
out from being able to tell my story and that expired in 2007, then I teamed up with this
awesome co-author, his name is Bill Simon, and he's actually here today in this audience
with his girlfriend. He's right over here. Bill, why don't you come up here and say hi
to everybody? [applause] >>Kevin Mitnick: Ok. He doesn't want to do, he doesn't want to,
he doesn't want to come up to stage, but this book would have not been possible without
Bill. I mean Bill put up with my hacker's hours
for two years. I mean Bill's the type of guy that rises at
6:00, has breakfast at 7:00 and he's hard at work at 8:00. I'm going to bed at 8:00. [laughing] So, so, but we finally got it done
and I, I thank Bill because without him the book Ghost in the Wires would not be here
for all of you to read, and so thank you Bill. I appreciate your hard work. [applause] >>Eran Feigenbaum: Not only not being able
to tell your story for seven years, you also had some other restrictions as part of your
release. >>Kevin Mitnick: Oh yeah, I couldn't, I couldn't
touch a transistor. Anything with a transistor in it was restricted. I, the federal government was so, I don't
know if they were scared or if they were trying to punish me or what the reason was, but anything
with electronics I wasn't allowed to touch without their permission. So even to use a fax machine. And then after two years, it was really interesting
because I was commissioned to write Art of Deception, again with Bill, which was my first
book on social engineering. And what had happened is I called the probation
department, saying, hey, I was researching word processors that have no way to connect
to a modem, no way to connect to the internet, just like stand alone and I spent like a couple
weeks researching the stuff and then I presented the case to the probation department, hey,
I could use this word processor so I could, you know, work on this book with my co-author,
and my, and the probation officer said, "Hey, you know Kevin, we're gonna let you get a
laptop." "What?" Yeah, they're gonna let me get a lap, they,
they allowed me to get a laptop under two conditions. One, is I don't tell the media. That was the biggest condition. Two, is I don't connect to the internet. So then I was able finally to write you know
Art of Deception with Bill. I mean there are just so many stories to tell
I don't know where you, I mean there just, it's just crazy, so. >>Eran Feigenbaum: One last one and then >>Kevin Mitnick: Ok. >>Eran Feigenbaum: we'll open up to questions. Through the book it it's pretty obvious that
you have an addiction to hacking. >>Kevin Mitnick: I would call it an extreme
passion. [laughter] >>Kevin Mitnick: [laughing] I mean, that's
what drove me. I mean I remember when I was in my younger
years when I, this is how I guess passionate I was is when I was young my parents couldn't
afford a computer. Oh and let me remind you how I started off
on this path is when I went to my first programming assignment in high school was to write a Fortran
program to find the first 100 Fibonacci numbers. And I thought that was a boring assignment. So I thought it would be cooler to write a
program to steal everyone's password. [laughter] >>Kevin Mitnick: Just for the fun of it. And what we had at school was an Olivetti
110 baud terminals, acoustic coupler modems and we had a PDP 11, I think it was like an
11/34 running RSTS/E, in downtown Los Angeles. So all the students used VT100 terminals to
connect to the school's computer. So I wrote a program that would be a log-in
simulator, kind of like a phishing tool, so people would think they were logged out, they
would type in "Hello", we'd ask them to put in their user name and password, it would
log them in. This was my first program. The first one that I ever wrote. It wasn't Hello World, it was I'm Gonna Steal
Your Password. [laughter and applause] >>Kevin Mitnick: So I worked really hard on
it because I had to like do sys calls, interact with the operating system, it wasn't as easy
as finding the first 100 Fibonacci numbers and, and because I spent so much time on this
assignment, I wasn't able to finish or even do, start the Fibonacci assignment, so it
was due. So when the teacher goes, "Kevin, where's
your assignment? I let you into class. I waived your prerequisite, and you're not,
you're not even, you know, holding your weight here." I said, "Well, I was busy working on this
other program, let me show you how it works." [laughter] >>Kevin Mitnick: So I showed him the program
of stealing passwords. And he goes, "That's awesome." [laughter] >>Kevin Mitnick: And he gave, and he gave
me an A. [laughter] >>Kevin Mitnick: [laughing] That's awesome. He actually showed it to everyone else in
class. "Look what Kevin did." And like all these atta boys so the ethics
taught when I was in high school [laughter] >>Kevin Mitnick: that hacking is cool. And it wasn't even illegal. It was 1979, they didn't have the first computer
crime law until 1984. So I started in an era where it was encouraged
to do this stuff because it was like no harm, no foul, you know. I wasn't stealing passwords 'cause I wanted
to get in their accounts, it was more like just for doing it. So it was kind of like a cool thing. The teacher liked it, you know, so. [laughter] >>Eran Feigenbaum: So do you still have this
deep passion today? >>Kevin Mitnick: I hack every day. But I do, there's only one difference. I have authorization. So companies that hire me to break into their
systems give me a jail, get out of jail free card and as long as I have that card in my
pocket I feel really comfortable and I still get to do the same thing I was doing 20 years
ago today. And all, and the techniques still work, like
social engineering. I mean the technical exploits change, you
know as we build more complex systems it creates more vulnerabilities as you know, so we, you
have the technical side, which you know now you could download Metasploit you have commercial
products like Canvas and Core. Metasploit is awesome if you're into, I don't
know how many of you know Metasploit here in the audience, but these tools weren't available
when I was hacking. It was like you had to do it on your own. There was, there was, you know there was no
you know frameworks, not where you can go and Google, you know Google didn't exist by
the way. I couldn't, I couldn't Google you know exploits,
you know it was all on your own and today, I mean, what kids can do, which I didn't have
this option, was you know, they could, you know, have, you know, open source Linux boxes,
you know, for, you know, next to nothing. They could get access to frameworks like Metasploit,
so they could experiment and have fun hacking you know legitimately, and I didn't have this
option when I was a kid, it just didn't exist. So what I chose to do was go to universities,
all the Cal state universities in Los Angeles and I would, until I wore out my welcome,
right, and all the Radio Shacks in Los Angeles, yeah. >>Eran Feigenbaum: Great. Let's, we have a couple of microphones if
you could just raise your hand a microphone will come to you. [pause] >>male #1: I had [inaudible] [laughter] >>Kevin Mitnick: Somebody hacked your mic. >>male #1: I don't need a mic, I'm loud enough. I had a free [inaudible] >>Kevin Mitnick: [laughing] >>male #1: So did you ever use the name Nussbaum? >>Kevin Mitnick: No. That was a myth. >>male #1: Because a friend of mine got arrested
at [inaudible] >>Kevin Mitnick: Yeah, I heard about that. They thought he was me and they arrested him
when I was a fugitive, unfortunately, and then I guess they thought I was using his
name, I never used it. The names I used was Erik Weisz, Brian Merrill,
they're all in my book, the names I used. It was a handful, but never his name, never
even talked, I never even knew the guy. So that again was another myth. >>male #1: [inaudible] [laughter] >>Kevin Mitnick: Tell him, tell him it wasn't
me. >>male #1: That's why I asked. >>Kevin Mitnick: Yeah, they also arrested
another guy who they thought was the informant on my case, a guy named Eric Heinz, his real
name is Justin Petersen and, and they actually were almost gonna arrest I think Robert Steele,
who was an ex-CIA agent who does a lot of talks at conferences. The agents actually asked him to pick up his
pants on one leg because the real Justin had a you know had a prosthetic leg. And they were almost gonna arrest him. 'Cause they're just going crazy. They wanted to arrest somebody, but they kept
getting the wrong people. [pause] Any other questions? Yes? [pause] >>male #2: With the, is it on? >>Kevin Mitnick: No. >>male #2: Alright. [pause] >>male #1: Just speak loud. >>unknown: Right. >>male #2: With everybody getting so connected,
I mean that's kind of what we do here, making sure that everybody's connected, that everything's
accessible to everybody as much as possible, is security intractable for regular people? I mean I know that social engineering always
worked and probably always will work, but you can get so much further with it now because
you can you know send out >>Kevin Mitnick: Spear phishing. >>male #2: Yeah. You can try and scam ten million people at
a clip. Is this an intractable problem that we're
just gonna be in this situation forever? >>Kevin Mitnick: No, I don't really know. I mean the, I look at the solutions to social
engineering as using technology whenever possible to take the decision making out of the you
know human actor's, you know, hand so to speak. And then training and ed-, you know a lot
of training and education. A lot of the, you know don't forget the, the
social engineering usually re, also relies on some technical vulnerability like an older
version of Adobe Acrobat, you know, that the person's using, so I mean by keeping the technology
up to date I think you mitigate the social engineering because if you look most of the
attack vectors today are client side. So you're looking to exploit the browser,
you're looking to exploit Adobe Acrobat, Flash, Java, the Media Players, the Instant Messaging
tools, so I find that a lot of my clients, they're not keeping that stuff up to date
and that's how I'm able to exploit them. You know I just had a client, a multimillion
dollar client, and they were running like version I think 9.1 of Adobe. And how I found, what I did was I used social
networking to find, to create my target list on LinkedIn and so, you know it's easy, you
could even use Google of course, but you know you find, you try to look for network administrators
and engineers and people that are likely have domain admin rights and you target those people
first, right? So I was able, so I found out who this administrator
works with at one of the companies that supports one of their IT functions and e-mailed him
a PDF that had an exploit in it. He opened it up and I was able to get into
his box. He had domain admin rights and the game was
over. I mean it was just that easy. If he had a, had an updated version of Adobe
at the time, because the problem was patched, you know, maybe the social engineering side
would have worked, but it wouldn't have gotten me anywhere, right? >>Eran Feigenbaum: Switch your clients to
Chrome OS or Chrome? [laughter] >>Kevin Mitnick: I use Chrome. I shouldn't tell you this because now maybe
I could be a target. [laughing] [laughter] >>Eran Feigenbaum: One last question. Let's give somebody a, oh, go ahead. >>male #3: So you mentioned writing a Hello
World program. >>Kevin Mitnick: Right. >>male #3: And you mentioned how your teacher
kind of encouraged you to, you know it was encouraged to, to hack and it was cool. >>Kevin Mitnick: Well, it was after I wrote
the first program because I didn't tell the teacher what I was doing the first, during
the first, during that development. >>male #3: So I'm curious if you feel that
education for developers has changed in any regard. 'Cause I still find that when we're trying
to get people into computers and development, we still kind of go, "Look how easy this is! Print Hello World. Great, you wrote your first program. It's real easy." >>Kevin Mitnick: Well >>male #3: We don't build on a stronger foundation
of oh, well, here's the building blocks and security. >>Kevin Mitnick: Well absolutely, I mean most,
most of the, most of the time we're methodology, well, most of the time when we're able to
get into a client's infrastructure is easy by exploiting a web app, usually with something
like SQL injection. I mean it's, I mean, and so if the developers
of those applications, you know, you know sanitize their input, we wouldn't be able
to get in you know at that point, so I find that there's a lot of low-hanging fruit out
there. There's lots of web applications, interfacing
web applications that are insecure and easy to exploit. I mean case in point is you have like LulzSec
right? They're out exploiting everybody in the world,
you know, they're doing some stupid attacks with DDoS attacks, but a lot of, all the other
victims are you know simple SQL injection. Look at Sony, they were hacked 12 times, and
I think like 10 of those hacks were SQL injection hacks, alright so the developers are obviously,
they either bought the code from somebody else, bought the application from a third
party who obviously didn't have secured coding practices you know in their development cycle,
and, or they did it in house and it was a shoddy security and got, got hacked. >>male #3: So I guess the question is then,
why hasn't education changed for developers or -- >>Kevin Mitnick: Well they have it available,
it's just the question of companies actually using it in the development cycle. >>male #3: Well companies and schools, right? Why are -- >>Kevin Mitnick: Oh, schools. >>male #4: Liability laws, Eric. The liabilities are in the wrong place. I mean credit cards used to be if you. The thing that enabled, the problem is that
the liability laws are in the wrong place. When credit cards first came out, there was
a question of who gets, who has to pay for the fraud. >>Kevin Mitnick: Right. >>male #4: And the answer was the user has
to pay for the fraud and so users didn't want it. And then when the law said the bank has to
pay for the fraud, there's 50, you know the >>Kevin Mitnick: Right. >>male #4: both the user or it was either
the user or the merchant, but somebody you know if the user has to pay for the fraud,
the users don't want it. So they say, well, let's make the merchants
pay for the fraud. Then the merchants don't want it. So they made the bank pay for the fraud. All of a sudden the liability and the incentives
are in the right place. And the banks fought against it, they said,
oh no, you can't make us pay for the fraud, it's not our fault, you know, then and you
know the law just said, well, pay for it anyway. Which then the banks said oh, all right. At which point credit cards had this amazing
round, you know, round of growth. Because the banks said, ok, well we'll cut
down the fraud to a level that we are willing to, that people are willing to pay for in
the interest rate. And so it's really just liability. >>Kevin Mitnick: Right. I mean and I think today it's on the merchant
actually, is the fraud. I mean unless you know Visa and MasterCard,
you know, if you go through secure code, they have, if you what is the product called, MasterCard
Secure Code and Visa Verified. If you go through those mechanisms then the
bank takes the risk. But I think today it's the merchant still
takes, still takes the risk on transactions, right. >>Eran Feigenbaum: Hey, Kevin, I think we're
gonna broadcast this, so maybe just parting thoughts >>Kevin Mitnick: Oh, yeah, we're recorded. >>Eran Feigenbaum: It's been inspiring hackers
or security researchers, for somebody that's been there, done that, been behind bars. >>Kevin Mitnick: [laughing] I mean, I just
love what I do. I mean I, my primary reason for getting involved
in the hacking was the intellectual curiosity, the challenge and most importantly the learning. And I wanted to learn everything that I possibly
could and I still have those drivers today. When I'm testing my client's security, I still
get that endorphin rush when I'm able to find a security hole. So I really enjoy what I do, it's almost like
you know it's almost like not working, but I mean my recommendations is if you're developing
applications is you do use secure coding practices so people like me can't get in. You can make our pentests harder. Yeah. And I, I, I guess unless you have any other
questions I don't know what else to say. >>Eran Feigenbaum: Check out the book. >>Kevin Mitnick: Oh, yeah, book. Why am I here? Ghost in the Wires, I mean you get a lot more
detail about what had happened, why I did it, how I did things, that's in the book. Again it was a two year, a two-year project. I told Bill what I wanted this book to be
was like a catch me if you can thriller, so we were able to take my, my story because
of all the crazy stuff I did as a kid and I thought we actually met the goal. And I'd love to hear your feedback. You'll have my e-mail address on my card. If you like the book, dislike it, find an
error, let me know. I definitely would appreciate it and I love
Google. You guys are, you guys, Google is my home
page on my browser and I do use Google Chrome and I loved touring your campus in Mountain
View, it was awesome, it was like a little city. So I think you guys are working for an awe-,
a great company. So thank you for being here and I have business
cards for everybody. I didn't run out, I just wanted to get, kill
some time until Eran came and was ready to interview, so. >>Eran Feigenbaum: Thank you. >>Kevin Mitnick: Thank you so much. Thank you. [applause]
Impressed Google let him in the building - surely he could use the iron fillings in his teeth, combined with the electronics in the microphone, to remote access their servers, and use their hardware to start WW3? /s
I'm actually reading a chapter or two of that biography every evening, pretty interesting.