Once a Hacker, always a hacker
Date: 6/28/2009 7:27 am
Q&A: Kevin Mitnick, from ham operator to fugitive to consultant
There is no question who the most famous hacker is. One of the first computer hackers prosecuted, Kevin Mitnick was labeled a "computer terrorist" after leading the FBI on a three-year manhunt for breaking into computer networks and stealing software at Sun, Novell, and Motorola.
Known more for social engineering his way into networks than actually hacking them, Mitnick frustrated law enforcement not only by staying one step ahead of them but also with pranks like leaving doughnuts for them to find when they raided his home.
Finally arrested in 1995, Mitnick pleaded guilty to wire and computer fraud charges and was released from prison in 2002. His notoriety has helped him get lucrative speaking engagements and launch a security consultancy, where he gets paid for doing some of the very actions that landed him in jail.
In the first in a three-part Q&A series with hackers, CNET News talked to Mitnick, now 45, about what got him interested in computers in the first place, the differences between hacking today and three decades ago, and whether it's wise to hire a former black hat hacker to do security work.
Q: When did you start hacking?
Mitnick: When I was 16 or 17 years old, when I was in high school--1979 time frame; before it was even illegal.
How did you get into it?
I became very interested in phones. I was a ham operator, an amateur
radio operator, for about three years and in high school I met this
other student whose dad was a ham radio operator and this other student
had a hobby of phone phreaking and he introduced me to this. He was able
to do amazing things with the telephone system. He was able to get
unlisted numbers. If he had my number he could get the name and
address...He could do all these magic tricks with the phone system. I
also had an interest in telephony over ham radio. He introduced me to
phone phreaking and when the phone companies started converting over to
electronic systems from electromechanical systems they used front-end
computers to control it. So the phone company was in the process of
automating their processes. To further my phone phreaking I needed to
become familiar with the phone systems' computers. So that was my foray
into hacking.
So you went from phone phreaking into hacking?
Yes. The phone company had this computer system called COSMOS, which
stood for Computer System for Mainframe Operations. Well, my first
hacking occurred as a student at Monroe High School in Sepulveda,
Calif., in the San Fernando Valley. I met another student who was very
heavy into computers and at this time it was the Commodore VIC-20. They
offered a computer training course for seniors but I wasn't a senior so
he introduced me to the professor. He wasn't going to let me into the
class. So I did all these electronic tricks with the phone system and
the teacher was amazed and he waived the prerequisites and let me in
the class. I think he regrets that decision today.
What could you do with the phones then?
I think I demonstrated calling into comp systems. You could interact with them
with your voice and control them by touch-tone. He gave me his name and
the city he lived in and I was able to get his telephone number. I was
able to interface my ham radio with the telephone system and dial into
computers and access them through the touch-tone pad. At that time it
was pretty advanced because you didn't have voice response systems then
like you do today.
What's the hacking activity you are most proud of?
Ethical or unethical (laughing)? You probably want to hear about when I
was a hacker. I guess my intrusion into Motorola. I was able to call an
employee at Motorola and convince her to send me the code for the
MicroTAC Ultra Lite cell phone...Motorola had their whole campus
protected by SecurID and I was able to use an elaborate
social-engineering scheme by also manipulating the telephone network
and set up call-back numbers within Motorola's campus. So I convinced a
manager in operations to tell one of the employees to read off his RSA
SecurID code any time I needed it so I could access the network
remotely. That's how I was able to access their internal network and
then I was able to use technical means to hack into their development
servers for cell phones...I was able to find the source code to all the
different cell phones.
I was interested in the MicroTAC series because it looked like a Star Trek communicator. I wanted to understand how these phones worked, how the codes controlled the processor. I wasn't interested in selling the source code or doing anything with it. It was more about the challenge of getting it. I had to breach like four layers of security to get in. I'm not really proud of it because it was obviously wrong...I made a stupid and regrettable decision and decided to go after the source code.
When you say it was about the challenge of getting it, can you elaborate?
At the time I was actually a fugitive in Denver, Colo., and one of my
colleagues handed me a brochure of this phone and I thought it was
ultra cool, like the iPhone of today. I really wanted to understand what are
the protocols used, how
does the phone talk to the communications network, how does the whole
thing operate? And I thought maybe I could modify the firmware for the
code in my phone and make it more difficult for the government to track
me. For example, there are certain methodologies the government uses,
like any time your phone is on, it is communicating with the mobile
telephone company. I wanted to be able to toggle that off and on, so
basically take my phone offline and do extra things to it. At the time
I had that idea, but I never went through with it because I was so busy
hacking...It was pretty much the trophy. Once I got the source code,
that Motorola phone intrigued me. I looked at it, read through it, and
tried to understand what I could understand.
After that I went after other different cell phone companies and it really was about the trophy. It was the challenge of getting in and getting the code, storing it at USC in Los Angeles, and moving onto the next one. That's how I got caught. The USC administrators noticed that a lot of their disk space was being used and that their systems were breached and they called the FBI. The companies themselves didn't realize they were hacked. It was USC that discovered it...I didn't spend any time trying to hide it (source code). That was my downfall.
Did you know what you were doing was illegal?
I started hacking back in the '70s and there were basically no laws
against it, against phreaking or hacking. In school, my parents and
other people actually encouraged it. There were no ethics taught. If
you could hack into the school's computer you were considered a whiz
kid. Today if you do it you get expelled or they call the cops. It was
like a reward of intellect back when I got started. Then they
criminalized it later. I was so hooked into the adventure of the
hacking game, doing it for a number of years even though it became
illegal. It was thrilling, adventurous. It was all about solving the
puzzle, using intellect to get around obstacles. It was like a huge
game.
What would you do differently if you could go back in time?
In hindsight, I wouldn't do what I did because now I'm much smarter and
wiser, and I caused a lot of network and systems administrators a lot
of headaches undeservedly. It was the wrong thing to do. But at the
time there was no such thing as penetration testing and no school
curriculum on security. You had to be self-taught. That's how I learned
about security and systems--through hacking. I took the wrong road in
doing it. I wouldn't repeat it. Today there are degrees, pen testing,
books on the subject. At the time, a lot of companies and universities
didn't give much thought to security.
When I was 17 years old, the phone company was so livid with me for hacking their systems--and not hacking through a computer but through social engineering and calling and controlling touch phones or calling employees. There were no laws against it. They actually yanked out the phones in our house, and I was living with my mom at the time. I was in high school. They wouldn't let us have a phone and cited California Public Utilities Commission rules that if there's fraud or abuse the phone company can yank the phone.
Rather than stop my activities I figured I would one-up them. We were living in a condo. The condo had unit numbers and we were unit 13. I went to the hardware store and got the numbers 1, 2, and a B for unit 12B. I called the phone company and told them the builder had built another unit in the condo complex. Then the phone company came out and installed a phone for a new subscriber in 12B under my name or my mother's. Then we had a phone for two weeks and one day it just went dead. The phone company was livid because I had done this elaborate thing to trick them. After about six months we got the phone service back but we could only make outgoing calls.
Let me ask about your time in jail. How much time did you serve and what was that like?
I served five years, and I ended up in solitary confinement for a year
because a federal prosecutor told the judge that if I got to a phone I
could connect to NORAD (North American Aerospace Command) and somehow
launch an ICBM (Intercontinental Ballistic Missile). So the judge,
reflecting on the movie War Games, put me in solitary confinement.
I think it was a strategy they used to
get me to plead out or cooperate. I was held for four and a half years
without a trial. I spent a lot of time focused on the defense and
reading cases and serving as assistant to my attorney. At the end of
the day I realized justice is economic; unless you have enough money to
properly mount an effective defense you always lose.
I wanted to admit that I was hacking, but the intention and the purpose of it wasn't fraud because to commit a fraud you have to convert property to your own use and benefit, to profit. In my case that was lacking. I was doing it for the trophy. I was cloning my cell phone to random subscribers and dialing into computers from the cell phone. The purpose wasn't to make free calls; it was to make it more difficult for the government to track me. They claimed all my hacking into those companies was a huge elaborate fraud and that I caused $300 million of damage. They said the value of property I copied, the R&D development cost, was $300 million. The government tried to use the old (definition of) loss for tangible property. If I copied that code and they no longer had use of it, it would be a $300 million loss or whatever.
They told my attorney that if I didn't cooperate and plead out, not only would they take me to trial in Los Angeles, but they would put me in a revolving door of trials and put me on a bus and take me from federal jurisdiction to federal jurisdiction. So I signed the deal and admitted causing between a $5 million and $10 million loss. I signed it not believing it. I signed it to get out. I really don't believe to this day that my actions caused that amount of loss, because none of the victim companies lost use of their code, they never claimed any losses due to my activities. Sure there were losses, maybe in the thousands of dollars, for their time to investigate who hacked into their systems and to secure them. Those are the real losses. But I was the example for the federal government, so they needed to put me away for a long time. That's why I was very angry and bitter against the government at the time, because I wasn't being punished for what I did. I was being punished for what I represented at the time. I have no qualms about being punished for what I did. The punishment should fit the crime.
So, if someone were to ask you what lessons you've learned, what would you say?
Don't break the law. Don't intrude on other people's property. It's
just the wrong thing to do. It's unethical and immoral. And now of
course it's illegal. It's trespassing. You're violating somebody's
property rights. And they have the right to control and keep their
property confidential. What I attribute my change of heart to is
growing up. Back then I was young and immature, and never damaged
anything intentionally.
Do you feel that your hacking has led to positive change in some way?
Yes. It led to my career. Today I speak around the world, I do pen testing
all the time--and deep penetration testing, where I go after the most
sensitive credentials at a company to see if I can get to the crown
jewels. I see what I can do as an ethical hacker. I really enjoy this
work because when is it that you can take a criminal activity,
legitimize it, and get paid for it? Ethical hacking. It's not like you
can be a drug dealer and go work for Walgreens...A lot of pen testers
today have done unethical things in their past during their learning
process, especially the older ones because there was no opportunity to
learn about security. Back in the '70s and '80s, it was all
self-taught. So a lot of the old-school hackers really learned on other
people's systems. And at the time, I couldn't even afford my own
computer. A dumb terminal was like $2,000. A 1,200-baud modem was like
$1,200. The cost of this technology was out of my range as a high
school student so I used to go to local universities and use their
system, albeit without their knowledge, to learn.
Any advice for young hackers?
Yeah, don't follow in my footsteps. There are definitely other roads or
other opportunities and ways that people can learn and educate
themselves about hacking, security, and pen testing. Today it's a huge
market. It's become a huge issue within the federal government with
critical infrastructure.
Some people say companies shouldn't hire former black hat hackers. What are your thoughts on that?
I'm hired all the time. So far it has not really been an impediment.
You have to evaluate the person's skill set, their maturity, and what
they did before as a hacker. Were they getting credit card numbers and
buying merchandise on the Internet? Or were they hacking systems for
their own intellectual curiosity? You can't just lump black hat hackers
into one category. You have to look at what they did in the past, what
they've done since then, and what credentials they have to get the job
done. People who have operated on the other side of the law, like Frank
Abagnale, he is a prime example. He reformed himself and now is the
leading authority on counterfeit money and checks. Look at Steve
Wozniak. He even started out as a phone phreak (and sold blue boxes on
UC Berkeley campus). But he took a whole different direction. He's done
a lot of good for the community. That's another factor--what good has
that person done for the community and industry since the
transgression?
What are you doing now?
Consulting, author, public speaker. I go around the world speaking.
That's my primary activity--ethical hacking, pen testing, system
hardening, training, education. And I'm working on my autobiography.
It's due out in spring 2010.
Corrected at 9:10 a.m. PDT: This post was updated to correct the spelling of MicroTAC Ultra Light, SecurID, the acronym COSMOS and clarify that Mitnick was at home when his apartment was raided.


