In Ghost in the Wires, legendary computer hacker Kevin Mitnick recalls life on the lam for the crime of purloining source code.
You went to prison for hacking computer and telecom companies, but you say that you never made money from it. What was the allure?
It was a trophy hunt. Hacking today is about stealing credit cards, but I was interested in the hack itself; it was like the high you get from climbing Mt. Everest. It was also a bit obsessive-compulsive. Hacking was the only entertainment that would occupy my mind—like a huge video game, but with real consequences. I could have evaded the FBI a lot longer if I had been able to control my passion for hacking.
Your book actually made me feel sorry for the phone company. Why were you always picking on them?
I was fascinated with the phone system and how it worked; I became a hacker to get better control over the phone company. There was a practical side to it later—for example, when I was cloning cellphones to avoid getting traced when I made phone calls into computer systems. But it was also intellectually stimulating—the pursuit of knowledge, the thrill of adventure.
You posed as programmers, telephone linemen, bank executives, and even cops to worm information out of people. How important was plain old con artistry to your hacks?
They call it "social engineering" in computer security—using manipulation, deception, or influence to get information. That was a key in a lot of my attacks. In one of them I hacked into the target company's computer network but couldn't find the code I was looking for. So I reverted to social engineering and spoke to an engineer I convinced to put the code up on his workstation so I could copy it—and that was after the FBI had warned them about me.
You currently work in computer security. Are systems any safer now?
There are major brands being hacked nearly every week, so it's still a huge problem. Look at the Albert Gonzalez case; he and his cohorts have stolen hundreds of millions of credit card numbers. I get hired by companies to hack into their systems and break into their physical facilities to find security holes. Our success rate is 100%; we've always found a hole.
I get the feeling reading your book that rule #1 should be to avoid telling anyone anything over the phone.
Sometimes I get a call from my bank, and the first thing they ask is, "Mr. Mitnick, may I get your account number?" And I'll say, "You called me! I'm not giving you my account number!" Unfortunately, 98% of people would give up their Social Security and account numbers instead of saying, "I'm not giving you anything until I verify that you're really [from my] institution"—and criminals know that.