[inaudible conversations] >> welcome to c-span2's booktv. ..

computer hacker, kevin mitnick, he spent the three years he hid away from the fbi. he was captured in 1995 served nearly 5 years in prison and is currently a security consultant who has testified before the u.s. senate on information security. this is just over an hour. hacker >> good morning, everyone. and turn blew on, please. just kidding. it's fantastic to be here. ghost in the wires took two years. myself and my co-author, bill simon -- raise your hand, worked

on this. [applause] >> great. use of done it without bill. i mean, we had much -- we had different work schedules because i usually slept into 2:00 pm and worked till 5:00 pm. bill worked 6:00 am to 6 spokes and i put him on spanish time. get ready for the second edition. if you know a little bit about my computer background, i obviously was a computer hacker and ended up in a lot of hot water and for seven years i was actually restricted for writing this book. i was released from custody in 2000, in 2007 after seven years, then i was permitted to go ahead and tell the story. and how i started with computer hacking was for my love of magic. as a young kid, 10 years old i used to ride my bike to the magic store just to learn how the tricks worked because i was

so fascinated with it and when i entered high school and i know you're probably going to read this in the book, is i met this kid who can do magic with the telephone system and he was what you call the phone freak. anyone here read 2600 magazine. okay. a few. he was able to do really incredible stuff. for example, if i call forwarded my phone he was able to break through. if my parents have an unlisted number and he could get it in 15 seconds and he said, hey, kevin i'm going to give you a cool trick, you call this telephone number, you wait for a tone and you put in five digits and then you can call anywhere in the world for free. i go how does it work. well, it must be a fluke with the phone company, later on i learned it was probably some more company's mci code. but he showed me all these cool things he could do. and i just was taken aback with this technology. it was just like, wow, and he

kind of showed me how he can get information from the phone company if he had my parents number he could get the name it was listed to. if he had a friend's name he can get the nonpublished number. it was like the kid had full control over the phone company so i became a phone freak and i loved pranks and i would pull pranks on friends. one of my favorite pranks was to modify my friend's phone service in the phone company switch so whenever he or his parents would make an outgoing call on their phone, it would say please deposit a coin. and i just loved doing this type of stuff. i remember as a kid i was able to intercept directory assistance so anybody intercepting directory assistance operator you got me and you could imagine when you're 16 years old how much fun you could have with that and, of course, i did things like what city, providence, may have the

name please, whatever bill smith and i would say well, that number is 55-3.5 347 and the confused woman. she goes well, how i dial a half. oh, you didn't get our new phones. you have to go down to the phone store. i was fascinated by this stuff and then i got into ham radio and ham radio opened up a whole new world for me. but, again, with my prankster type of persona, i did my favorite hack of all times. and my favorite hack was actually to mcdonald's. and what this hack was -- does this work when i walk around, what this hack was imagine a customer drives up to the mcdonald's drive-thru window and i was sitting across the street. i could overpower the headset and i could be the mcdonald's customer service person and you could imagine what kind of fun. people could up i would hike to

have a hamburger oh, we don't have hamburgers, anymore, we have tacos and i could hear hide the coin, hide the cocaine. and he could hear everything of what's going but couldn't stop it. but we're 16, 17 years old and one of the pranks that's actually in the book is a computer drives forward and can i take your machine our coke machine is broken would you like a apple juice our ice machine is broken would you like small, medium or large and they go, of course, large it's free then we play a recording what like being in a cup. please drive forwarded and after irritating mcdonald's so much, the manager comes out of the store and he's peering into every car in the parking lot trying to find the culprit. we're across the street, across

the major streets. and then he walks over to the speaker on the -- you know on the drive up window and he puts his face close. i go what the heck are you looking at? [laughter] >> and this guy flies back 10, 15 feet stumbling like the mcdonalds windows anyway, i pushed the envelope. after i got involved with, you know, hacking and mainly my hacking was to gain more control over the fun company's systems so i could pull more pranks and then i got involved with, you know, hacking with all the fun company switches, the united states, and i started like really pushing the envelope because as i was doing this, i was having problems with the phone company security department to the point where

when i was 17-year-old they sent a letter to my mom we're removing your photocopy service and my mom was so angry with me that she ground me but, you know, i said, mom, don't worry about it i can get our phone back. [laughter] >> so we lived in a condominium complex and our unit number was 13. and i called a certain department in the phone company and i told them there's a new unit being added to this property. the unit and it's unit 12b to go ahead and provision it and a few days i went to the hardware and i took down 13 and put up 12b for our unit number and called the phone company for unit 12b and i asked for a special number and i asked the telephone company i'd like a number ending in 007 because my favorite shows at the time were james bond she goes no problem and i go jim

bond and i'd like the number ending in 007 and she didn't even flinch and then at the end of the conversation, well, maybe you should make the listing to my real first name and i had a number james bond 895-5007 we had the number for three weeks before the phone company got wise and one day the phone just went dead. about six months later they finally gave us phone service back. so at one point in my life i was for hacking to digital equipment corporation and the government at the time really needed -- like set an example for, hey, we have this behavior, this hacking is scaring us. we need to set an example for everyone, you know, in the united states. so i remembered when i was going for a detention hearing, a bail hearing in the case, the federal

prosecutor had told a judge that -- not only do we have to detain mr. mitnick but we have to make sure he doesn't get near a telephone in prison. and the prosecutor said, the reason is, mr. mitnick can pick up a photocopy, dial into norad and whistle the launch code. [laughter] >> and i'm in court. i actually laughed 'cause i thought that was incredibly stupid of the guy and i figured he was going to lose all credibility and wouldn't you understand the judge bought line and sinker so i was in solitary confinement for a year. can you imagine putting somebody like me in solitary confinement. i had a wife as you can imagine i was allowed to call my attorney, my mom, my father, my aunt and what they would do -- i was in the hole. i was in high security before

they -- before you could -- when you are moved from outside your cell they actually handcuff you and they shackle your legs. and then they move you to a phone room which has three pay phones on the wall and then a guard with me would look in a book, mitnick, who do you want to call today, i want to call mom. he would dial mom 0 plus the phone number and hand me the phone and back 3 to 4 feet and sit in a chair and he wouldn't take his eyes off me, right. and i was thinking how can i defeat this. since a handset chord was long and i would walk back and forth. i would be scratching my back and rubbing my back on the phone and i got the guard used to this behavior and then he actually put my hand behind my back and i could feel the hook and i thought one day and i was in a conversation and i just ended the call and i kept on talking

as if the call didn't end and i leaned down the switch hook and you have 18 cents before the phone is going to go beep, beep, beep. i know this from my own freaking experience. 5 seconds later i go to scratch my back and i dial plus another phone number and then the next thing that's -- the next thing that is going to happen an operator is going to come on and say who's the collect call from so i just said, yeah, tell uncle harry kevin says hello. that's when the operator goes and she said who's the operator, who are you calling from and on a court ordered phone restriction. that last only a few weeks then one day my cell door opens. it's the executive of the prison. they shackle me up. they put me in this attorney/client conference room and they sit me down and the captain says how are you doing it, mitnick. how are you doing it. you're redialing the phone.

our officer is watching you and somehow you're redialing the phone. i said, hey, guys, i'm not david copper field i don't know what's going on with your monitoring system i don't know what you're talking about. of course, i'm in custody, why would i admit anything? so two days later i hear some commotion outside of the door of my cell. and it's pacific telephone installing a jack. and i go maybe you guys are going to install a phone in my room so they don't have to bother with me anymore and i learned what happened the next day is when i had to make a phone call the guard brings the phone and brings in the jack and they have a 26-foot ham cord and kevin couldn't touch the touch-tone pad so it kind of reminded me silence of the lamb and hannibal lecter, right. i'll tell you one of my favorite hacks of all time not because i'm proud of it but it

illustrates i have throughout the book with social engineering and that's where you use deception and influence to get someone to do something they wouldn't ordinarily do. hackers will ask for passwords or usually get someone to do something that lets the hacker in. today in how it works they have a thing called spear fishing where an attacker will do some research, find somebody that works within the company they want to compromise, try to find out who that person deals with, vendors, suppliers, customers, other facilities of the same company and then what they'll do they'll manufacture an email and send a booby trapped pdf and it's booby trap and it exploits it and the hacker is on the desktop that is connected to their internal network. that's kind of an example of using social engineering to get

somebody to do something that will give the attacker some sort of benefit. let's go back to 1993. i'm living in denver, colorado, at the time i wasn't living under kevin mitnick because there were certain federal law enforcement that wanted to talk me and i didn't want to talk to them. in fact, i was using the name eric weiss. that's harry houdini. i thought i had a sense humor i found out the fbi have no sense of humor but that's a story for another day. so my colleague at the law firm handed me this brochure for the mytrotech ultra light cell phone and this cell phone is kind of like the iphone is today. if you're a trekkie fan it reminds you of the "star trek" communication phone. as a hacker i wanted to understand how this worked because i was the type of

hacker -- my number 1 driver was pursuit of knowledge. i wanted to know how things worked. i had curiosity. and i liked, you know, doing things i wasn't supposed to do for the fun of it. it wasn't about destroying stuff or stealing money but i wanted to get access to know phone ware. and motorola -- you can't call motorola and say i would like your phone ware because the source code is proprietary. you remember the original julius, it's the same kind of concept. while in desk working on this phony left the office and called up directory assistance, you know, for 1-800-numbers and got the number for motorola. and i asked the operator, you know -- you know, i was given an 1-800-number and i called did number, and i said hey, listen, i'm looking for the project

manager of mytrotech lonnic and this was an 1-800-number and the nice receptionist told me all the cellular development is out of schaumberg, illinois and asked me if i would like that number. of course, i want the number. i'm looking for the project number of the mytrotech ultra light project. i'm transferred two, three, eight times and now i'm talking to the vice president of research and development for all of motorola all their mobility devices. and i say, hey, this is rickover in arlington heights and i heard they had an r & d in arlington and i'm looking for the project manager and he said hey that's pam. the extension is such and such and he said can i help you with anything. i said no, i'll just dole with pam thank you very much and then the call ends and then i call pam. and instead of getting pam i get her outgoing reading on her voicemail and she told her

callers that she just left on a two week vacation and if you need any help to please call alia on blah, blah, blah and pretty much that was the voicemail. and she was returning from vacation so on and so forth. who was my next call, no-brainer, alicia. hey, alicia, this is rickover -- hi, alicia this is rick with ar & d in arlington heights. did pam leave on vacation oh, she said she was supposed to send send me the source code for the moycrotech light. and this was -- by this time i'm walking down -- what was it broadway in downtown denver. it was snowing. horns were honking and i was trying to press the cell phone i was using really tight to my ear so she couldn't hear the traffic because i was never expecting this to bork paws it was all

extemporaneous. she said rick, what version do you want? and i'm thinking i don't even know their version number. i didn't even check. how about the latest and the greatest. and she's typing on her computer and i could hear the key clicks going. and she goes, rick, i found the latest release of doc 2. that's what they called it. and there's a problem. what's the problem? she goes there are hundreds of directories and within each director there are hundreds of files. and i asked her do you know how to use tar, that's like wind zhip and i said would you like to learn and she said you'd love to learn new things. so i became her instructor for the day and at the end of that day's lesson we had a 3 mega file that contained the phone source code so i could understand how it worked. my next question was, do you know how to use ftp and she goes

file transfer program. precisely. and then after i'm walking down oh, my god i didn't prepare for this she's actually going to send the code and i couldn't give her my host name hacker@colorado.edu but i have a great knack for remembering ip addresses so i remembered an ip address to a system where i had amon news addresses and when she would try to connect it would time out, two, three, four times and then she goes, rick, yeah, i'm disappointed how am i going to get the file. she goes, i'm going to have to talk to my security manager about what you're asking me to do because i think this is a security issue. and i go, no, no. wait, wait, wait. and i'm on hold. and i'm going oh, my god, the gig is up. and, you know, when you're waiting for somebody to return to the phone and seconds feel like minutes. i'm walking down the street on the way home.

i'm almost to my apartment. and it's like five minutes already. i assume that motorola is already hooking up the tape-recorder because that's going to be exhibit a for a court case later. she comes back on the line and then i'm careful i don't actually talk and she goes rick and i talked to my security manager about what you're asking me to do, that ip address you gave us is outside of motorola's campus. notice i'm not talking and i'm going uh-huh. and she said well, my security manager told me that we have to use a special proxy server to send files outside of motorola. i go uh-huh. i don't have an account on that proxy server. i guess i'm sorry for moving back and forth here. i don't have an account on the proxy server but my security manager was kind enough to give me his personal name and phone word so i can send you the nile by the time i put the key in my apartment in denver, colorado, i

have the source code to the microtech and you think about motorola. they're a great company. they have the best security money can buy, firewall, intrusion detection systems the problem is they didn't train their people well enough to fall for a gag like this and i ended getting prosecuted for it but it was so damn easy to do. right? so easy. so eventually i became a fugitive and a lot of the book covers my cat and mouse with the fbi. the fbi had sent an informant to help them nab me and then i was able to figure out that this guy was truly an informant who was working against me. and then i wanted -- i was curious about what was going on. i just had to know if i hacked into the local cell phone provider kind of like at&t or t-mobile but this was actually a

packtell cellular and i was able to identify the telephone of the fbi agents that were chasing me and i was actually able to do traffic analysis on the phone so i could see who's calling them, who are they calling. who are those people calling. and i was also able to get the location information so i was basically watching the feds trying to capture me and playing this cat and mouse game. eventually, i was able to set up a device at my office -- i was working as a p.i. in los angeles. i was able to set up a device so if any of the fbi phones came within one or two miles of me, it would send me an alert. part of my fbi early warning system. so one day on september 28th, 1992, i'm walking into the office early, which is kind of unlike me and i put in the code to get into the office and i kept -- i keep hearing this beep, beep, beep, i'm going what

do they do, change the code? as i'm walking to my office, the beeping is getting louder and i hear that it's actually coming from my office and i start getting concerned did somebody put some type of tracking device in my office. i go up to my computer and it's actually a detective and fbi cell phone like in the area like two hours ago so after looking into this i figured out the fbi did not come to arrest me. they actually came to search my apartment. so what i did -- you know, i wanted to help them out and i went over to winchell's donuts and i wrote fbi donuts on the box, stuck them in the refrigerator and a couple days they came to search and they were kind of irritated when they found the fox and i was in this like insane cat and mouse game with the federal government. eventually, as always the fbi always gets their man. i was arrested in 1995.

they threw the book at me. i was in solitary again for a while. i went through a long process with dealing with the federal government. we finally settled the case. three months after i got out of custody, who's calling? senator fred thompson and joseph lieberman. they want me to come to washington so i could advise them on how to protect any computer systems that are owned and operated by the federal government and i thought that was quite an honor. i was actually flattered. here i'm walking out of custody after being this bad hacker and now the government is now asking me for my help. so i went and i testified and i offered them all the advice i could. and then i basically from that point became what we call an ethical hacker. because now i hack into systems all the time. in fact, a couple days i broke into a server. the only difference is, is now i have authorization that the company now allows me to hack in so i could find their security holes so they could fix them

before the real bad guys break in and cause some damage. so that's a little bit about my story. i have some cool demos to show you because when i do speaking engagements around the world, nothing makes the audience happier than doing some hacking demos. are you all interested in taking a look. >> great. >> about six months ago i had an assignment to break physically into -- into my client's building in san diego, california. and have you ever seen a lot of -- at least a lot of access devices that are physical using hid cards? these are hid cards. what -- i didn't build it. i simply bought it but it's available. it's called a proxmart3. if i can get close enough to

somebody that's wearing the card, i could steal the access credentials and then replay them into the device. now, imagine if you're wearing a suit, this is -- i kind of like -- you know, you put this in the pocket. you put this device and you run this up the sleeve and you tape it hey, hi, tap somebody on the shoulder and it will be close enough to capture the credentials. i'll show you how it works. it's kind of cool. i have three demos to show you that i think are kind of neat. so if you take -- this is like a h.i.d. reader, all right? kind of pay attention to the screen if you pass the card -- hold on a second. let me restart this. of course murphy's law, right? where's my mouse.

my machine froze. one second. i don't even see the mouse. there it is. all right. all right. all right. who's hacking into my machine? [laughter] >> all right. okay. so this is like a card id 6403. and the site id1103. and you've probably seen this around doors probably around new york city. imagine i'm the bad guys. i'll lay at this way and i want to steal the credentials of this charred so all i have to do is, you know, set this up. i have this little battery pack. you're obviously not going to carry a computer to do it. the battery pack is hidden, kind of like a magician. this is the antenna where you want to steal the credentials so basically how it works is if you

press down this button, it basically goes into a mode where this is -- one led is lit. so if you pass it in front of the device there shouldn't be anything there. can you hold that up for me. i forgot my -- since nothing is there because there's nothing to replay and then what i do is i press down here. and you'll see another led and now it's in listen mode and i'll wait for the card mode and take a look at the light and you'll touch the card and you'll see the light goes off. it's installed in the credentials. now, i toll them. now i want to go use them and all you have to do is go press the button again and now it's in play mode. can you set that up for me, please? as i pass the card and now it spells the credentials, right? this is called an hid card

spoofer and pat it around your back they might just -- they might be, you know, not really a good friend of yours. they might be trying to steal your credentials and i use in security assessments. i find restaurant, starbucks where the employees are and usually a lot of them are wearing it on their hip rather than around their neck. it takes a second just to brush by them and steal their card credentials and now i'm there. that's one impact. kind of cool, uh-huh? all right. so let me show you another cool one. this is called my spy bridge. everyone has heard of phisching, right. have you ever gotten an email from citibank, paypal say there's a problem with your account and click this hyper page and they send you to a link that's not paypal or anything. it's a scammer trying to steal the credentials but now as the

industry has pushed down on that bubble of fraud, on phisching, what it does it just pops up somewhere else. and now phischingers are using voice response systems to scam people. >> have you ever call your bank and you hear -- you never get a person anymore. what happens you get an automated system. and they want you to put in your credentials, your password and then if it's correct they eventually transfer you to somebody. so imagine if i could send you an email, make it looks like it's coming from your financial institution. but instead of asking you to click on a link because you're told not to do that because everyone in this room is smarter than that and you're not going to fill out a form but it says we found a problem with your account please call us within the next 24 hours or your account will be terminated. what are the chances you just simply call the bank? let me show you what happens -- what happens if i send you the email and you go ahead and call your bank. so i want you to watch the screen. and then try to put this on

speakerphone. does this actually work so everybody could hear it because i don't have a phone here. what we're going to do during the call chase -- let me -- does anyone have a chase card here? [laughter] >> i don't know why nobody volunteers. i have one. so imagine you get an email and it says to call chase. i'm going to call the number on the back. whoops. i'm going to put this on speakerphone so you'll hear it. and then i want you to watch my computer as this happens. and this is the real bank. can you hear that? >> your credit card account number. >> it's asking for my credit card account number.

that's weird. >> we're sorry the number you entered was not recognized, please enter your full 16 digit credit card number. people enter the 16 number and it's capturing the number in real time. >> please enter your zip code. >> and it's having me authenticate with my zip code. 89094. >> please press 0 at any this time your current balance is 11,000 -- >> it's a big balance. probably these expensive hotels in new york. anyway, how this actually works is i did a man in the middle account. when the victim calls it, they're calling a number that i have control of.

it connects to a system running open source asterisk and my system calls out to the bank. so i'm the man in the middle so you could do all the transactions, talk to the customer service rep and i get all your credentials. and there's no way to detect this. the only way to detect it is to be worried if someone sends you an email to actually check that that phone number actually belongs to the bank. so this is -- so hackers were doing it before and i thought of it as a better system. they set up open source asterisk which is an open -- open source pbx. what they would do is they would call banks and credit card companies and they would record all the prompts and what they do they would set up their own number so it sounds like the bank and feels like the bank but if you put in your real credentials it doesn't work because it's a fake and what they do they'll basically say, well, we're sorry. there's been a problem with your account and then please talk to our customer service rep and we'll transfer you to music on

hold forever. so this is a better way and one last demo i thought it would be cool to show of is about getting information on people. so i said a volunteer. what i'm going to try to do -- i'm going to try to get your address, your phone number, your date of birth and social security number within about 60 seconds. so if i could do it, many of you know that the identity thieves could do it too and this is kind of a wakeup call to show you how easily somebody can get your information on the internet. so i'm looking for somebody that doesn't have a name like bill smith. somebody, you know, that has established credit. not somebody that's not right in high school. you have to allow me to display all your stuff in this room. [laughter] >> come on down. you have to give me your real time. i know you're not donald trump.

[laughter] >> all right. you live in new york. >> yes. >> all right. so here's a database that anybody could describe for. let me make the window a little bit different here. so what we're going to do -- i'll just go name and state. so what's your name. [inaudible] >> that's good. that's not going to be a bill smith or a terry jones, is it. [laughter] >> let's see what we've been in new york. how long have you been in new york? >> 23 years. >> for like a 1.50, let me show you what identity thieves can do. it's kind of scary. is that you?

[inaudible] >> you're younger, 22. so this is how easy identity thieves could use databases to get your social, your date of birth, to get driver's license information that's easy as well. [inaudible] >> what? [inaudible] >> it doesn't matter. it doesn't matter. in fact, people think their mother's maiden names are secret. i'll show you another cool -- in fact, what's your mother's maiden name? [inaudible] >> hold on a second.

hopefully my account still works here. and this is kind of scary -- i was surprised. in case you're looking for my password it's kevin123. so mother's maiden name. who played catch me if you can. who played abegnale, dicaprio, let's find his mother's maiden name. we'll do a search. there we go. so we found leonardo dicapio, his mother's name is indeber. you live in a database nation so basically crooks can get your mother's maiden name your driver's license number your social security number your date of birth and your phone number

but never use those as a password. i remember calling my bank five years ago and you go, you know, having to authenticate me as my last social i kind of want to use a password, no, no, your social is secure. nobody can get it. can i get your name i want to show you cool. oh, no, sure. i can't do that. so i wasn't show the bank employee that the social is kind of like an open book. so i'm here to sign books or we could open it up for q & a. i have a gift for all of you that have shown up tonight. and the gift is, my business card. so what's cool about this business card? what's cool is if you get locked out of your house, this is a lock pick set. so every time i go through the airport at tsa because i'm carrying a lot of them, you know, they get -- i get a bag check and then they look at it that's kind of cool that's a circuit board. no, it's not a circuit board. and then explain it's a lock

set. cool, can i have one. so i make friends with everyone at tsa as i travel. after my talk i have a card for all of you. as kind of a gift. [applause] >> so you could ask me anything you want. except my password. [laughter] >> well, i'll be happy to, you know -- i guess do some book signings or whatever. >> if everybody would please wait for the mic so everybody can hear, just a second, please. >> now that you've revealed -- i know your name. >> now that you revealed everything and i hockey conceal it and keep it private in the future. >> as scott mcnealy says you have no privacy. get over it. i mean, that's the proper be. that's why there's such a problem with identity theft in america. it's just so easy to steal the

information. it's just simple. and that's the problem. the system is broken. because you authenticate on your social security number or your mother's maiden name which is not the thing to do nowadays. >> do you agree with your friend -- with your friend adrian lammo. do you agree with his decision to go with the authorities? >> i don't agree why he went to the authorities. he's the guy who turned in bradley manning who was the i think the private in the u.s. army who stole the documents and turned them over to wikileaks. and what i know adrian's background and i know the only reason he did it was for the media attention he didn't do it because he was a patriot or that he was afraid to be a coconspirator so i think he did it for the wrong reasons. to basically inform on somebody for his own personal benefit. so for that reason that he did it, i don't agree with it.

if on the other hand he did it because he wanted to protect the country or he did it because he was afraid of being prosecuted as a coconspirator, then 100% he should have done it. so there's my answer. >> thanks. >> you're welcome. you want to wait for the mic? >> hi. >> hi. >> i wondered -- when people use a service like reputation.com or get themselves out of removed out of a lot of databases, whether that actually works. >> you get removed out of some but the information is already out there and it's bought and sold so there's no -- the only way to get yourself out of databases is do what i did. create new identities but i wouldn't suggest it. that's the only way, unfortunately. yeah. yes, sir. you have the mic? thank you. >> hi, my name is steve. first i wanted to thank you for the radio interview this morning. that's how i learned about this. >> ah great.

>> now, i've been involved in education, and i teach a lot of stuff with teachers and robotics. now a number of years ago i personally got into this thing with a company that was developing software basically that was encrypting your own personal email, your own personal messages. one of the companies was using an algorithm called blow fish. >> yeah. >> exactly. that was his company. and after that i've seen ppg. i've seen other things like this. do you have any idea why in the present society people are so open with these communications and they send stuff basically through the internet and through the air and through everywhere without encrypting it or do you feel that encryption is something that just can be hacked and broken into and it's meaningless to use? >> well, i mean, when i was a fugitive the fbi used encrypted

radio transmissions. and i really wanted to know what they were saying in case they were close to me so ensure they're not talking about me so i can get the hell out of there. rather than trying to crack the kryptowhich was developed by motorola or try to get the key which would have been impossible. the attack i did was what we call a denial of service attacks is when one side of the fbi was communicating with the other. i would jam the signal. and i did this for like three or four times and then the agents thought their radios were malfunctioning and they went into the clear so i could hear the whole conversation and that was a way cracking government kryptowithout breaking the key. >> i wasn't talking about government. i was talking me sending you an email so that i know only you you would be getting it. in fact, i'm so terrified of this email business -- >> you can use krypto -- >> most of my communications with the outside world i seriously use u.s. mail for

almost everything -- >> but if i wanted to get your communications i wouldn't be worried about intercepting it in real time. i'd basically break into your system using some sort of exploit and plant malware so i could just intercept your key strokes. >> 'cause i've had problems -- >> just because you use encrypted email doesn't mean you're secure. >> you're saying the epgripped email is really hackable even if -- >> it depends on the end point. you have a sender. alice or bomb's computer, you can get the unencrypted communication without bothering by cracking the -- you know, the key. >> 'cause i've been a victim of two banks. this is why i get to be so fearful of this. where a municipal bond was being transferred from one bank as the other as paying agent and between the two banks, it was literally robbed spoke never ware. it took them three years to try to trace it because i had a sales receipt for the bond.

at this point i do robotics and programming and i'm very much into public domain and i'm terrified of email and i think you can understand. >> i understand. thank you for coming. you want to pass the mic to the gentlemen over here. >> how did you get started with the free kevin movement? >> i actually didn't get started with it. it was 2600 magazine. and what had happened is -- because of the unusual things that said in my case that i was held for 4.5 years without a trial and there was a lot of -- they wouldn't give us access to the discovery. there was a lot of issues in the case and then emanuel goldstein -- after about three years of this happening started the free kevin movement to get out the word about what was happening in my case. >> how did you hear about it originally? >> basically by family, by people sending me snail mail when i was in custody. that's how i found out -- through telephone calls that i had with family and friends.

>> now i just thought it was interesting story of you putting the sticker up to the window and everything in prison -- >> oh, yeah, when i was in custody they sent me some free kevin bumper stickers on my 35th birthday some people from 2600 magazine came out to the prison and i knew they were down there and i said wait until 1:30 i can get past the law library and while i was in custody in federal detention i was able to put the free kevin before you were sticker and they were able to snap a photo. that's on the box of freedom downsize. >> thank you very much >> i think you're in next. you go ahead since the mic's next to you. i can't hear you. >> did being a -- >> the microscope. >> is being a white hat hacker did you have enough thrill -- >> oh, yeah, my drivers for

hacking was intellectual curiosity, pursuit of knowledge. seduction of adventure. it was never stealing money or writing malware so i did get a huge endorphin rush when i was able to crash a system because it was like a video game that bypasses the security obstacles so i get the same endorphins today. like when i get into a client's system, you know, i really of the good about it and it's still a little bit like thrill-seeking. i get paid for what i did illegal years ago which is pretty good. you know, it's like take something that was a criminal activity and make it illegal. >> so when i call you on the hid intercept my immediate thought was nfs cell phone payments where they basically want to have, you know -- just so everybody knows it's an rfit kind of attack. is that easily breakable as well. >> i haven't worked with rfid.

there's a guy named chris pageant, which is a defcon and they intercept rfid cards at a pretty substantial distance and i happened to research -- again, the hid technology is the only hid that i had looked at because of doing physical pin testing. i haven't really looked at rfid stuf stuff. >> hi. >> hey. >> so obviously, you've experienced the problems of the system. >> just a bit. >> and what type of advocacy do you do today in order to fix some of the these things? i know you've testified before congress and stuff like that. but is there any more underground stuff going on? >> really i haven't advocated anything because i feel i'm powerless to change the system. the world has changed.

you know, my case was prior to 9/11 and everything has completely changed. now we have the patriot act and we have a lot of laws that are passed to protect us from terrorism. but then the government still want to, you know, keep those laws on the books, you know, even after, you know, threats dissolve because it gives them more power. so -- i mean, it's actually gotten worse than it was back in the mid-'90s. and, unfortunately, we have to live with it, you know? yes. >> a question for you, my intrigue started as a young age of computers. much inspired but you. >> oh, thank you >> what was your first experience with a computer system that caught your intrigue? >> high school. i was a senior in high school and i tried to actually get into a computer class and the instructor refused because i didn't meet the prerequisites of having calculus and all these other prerequisites under belt

and i started showing him the tricks with the phone company and he said, okay, you can come in the class. of course, the teacher probably regrets that decision today 'cause i kind of drove him crazy. one of the first competing -- one of the first programming assignments in four tran was to write a program that would find the first 100 numbers and i thought that was kind of boring. i thought a cooler program would be a program that would steal everybody's passwords. so that's kind of cool so the students would be at their terminals and they would log in but i actually wrote what we call a log-in simulator so when they're logging in, they're actually talking to my program not to the computer's operating system. so, unfortunately, i didn't have enough time to finish the assignment but then i turned in my password stealer program and the teacher was actually impressed and gave me an a. [laughter] >> and a lot of atta boys hey, kevin wrote this cool program and showed it to the class. today, if you did it in school,

you'd probably be arrested. you know, so back in my day, hacking was not illegal. and you were actually encouraged by teachers in high schools that it was a cool thing to do. and because probably of he's ethics is kind of what led me on the path write started out, you know, hacking and i got so passionate with it that i just didn't stop. any other questions we got a question over there. >> i got it right here. >> okay, i'm sorry. >> when you were doing all of your hacking and when you were on the lam, did you think that you were going to get caught and, you know, was it worth it at the end of the day? >> no, actually when i was running from the government, i was so adept at creating new identities that i thought it would be really difficult. i always thought in the back of my mind i could keep doing the same thing 'cause i continued the hacking and i felt if i made

a mistake i probably wouldn't get caught but i wasn't thinking when i was on the run that i'm going to get caught. i actually thought i was going to outsmart the fbi which, obviously, was a ridiculous notion but then it was, you know, many, many years ago. it became a cat and mouse game between me and the government and i looked at it as a video game. when i was running i didn't look over my shoulder and i wasn't ever afraid of every cop card that went by because i had a bona fide id. i was working in a law firm in denver. i was working at a hospital in seattle. and i set up early warning systems at the law firm. one of my responsibility was supporting the law firm's telephone system which was kind of cool. i couldn't have written this job description better myself because now i was able to insert code into the photocopy system so if anybody in the law firm called the u.s. attorney's office or the fbi it would immediately send me a page with a four digit code that was 6565

which happened to be the last four digits of the number that was the fbi system. if anybody would be able to hit the trip wire i would be able to get out fast enough. >> i want to know -- it seems like, obviously, you were animated to do all of this for the thrill of it. >> right. >> is there anything out there that kind of scares you that people are doing things -- >> it's all changed. the trend for hacking has changed. it's all about organized crime, leveraging hacking skills or recruiting hackers to steal credit card accounts, identity theft, bank fraud. now it's become a real huge problem because back in my days, the people i associated with, like myself, again, it wasn't about the money. it was about the thrill and exploration. and it's all changed. you still have groups of people

of lusec which is more to send a message. but most of the trends has gone towards profit. that i've seen. >> so i have kind of a funny question. i've heard a couple of different versions of the day you got actually arrested. >> yes. >> so what of the versions has you coming to the door and the fbi say you're kevin and you kind of denied it and i said you want me to show up tomorrow and they threw you for a loop. >> it's actually detailed in the book. >> oh, excellent. >> but, yeah, the full details of what had happened is i actually had the fbi -- they weren't sure that i was kevin mitnick for about 3.5 years because i guess i was a good actor that day. and i remember at one point when they were searching my apartment, they actually handed me a wanted poster wanted for

supervised release and they handed it to me and they said doesn't that look like you and i studied it for a moment thinking maybe i could really get out of this. [laughter] >> i go, no, it doesn't. what am i going to say, right? [laughter] >> so i have them going for 3.5 games they don't play games and they knew i was mitnick and they arrest me and take me down. they want have time to joke around so -- i was really hoping -- and at up with point i was really hoping i could get out of that situation. one of the case agents says, well, we're going to have to take you down to the fbi office and fingerprint you to try to -- to see if you're really mitnick or not. and i said why didn't you think of that idea earlier and then we wouldn't have wasted all this time. in fact, tell me what time to show up tomorrow morning and i'll be at your office. i tried. [laughter] >> i had nothing to lose, right? i did my best, of course, it didn't work and, of course, i

did my best. >> my question was actually about -- i think, in essence, your book is a lot -- your hacking is social engineering -- >> it's both actually. >> but like -- do you consider yourselves more analogous to frank abegnale, jr. like a stereotypical understanding of what we have in what we see in movies in hackers and sneakers is that more what you do as opposed to what frank was doing? >> when i was doing attacks it was a hybrid of social engineering and technical attacks and then, for example, let's say i use a technical exploit to get into a large company and i was looking for a piece of code and if i could get access to that code i could break into that system and i could do social engineering to figure out what server the code i was interested in was on.

because it would be much faster than me sitting on the network looking for it. i basically used social engineering and i've used technical exploitation but in the book we focused more on the social engineering side because we thought that was more interesting. and frank actually reviewed the book and he liked it. he called me a master social engineer i don't know what that means in his category but i guess it's a compliment. i was happy at the time because he never reviews book and it was great honor to have him review my book. any other questions? john markoff, oh, you follow me on twitter. [inaudible] >> well, obviously, john marroff and i haven't done -- john markoff is a "new york times" reporter who wrote about me in the 1990s and in his reporting he actually had stated things as

facts that weren't true. that i hacked into norad in 1983 and nearly started a nuclear war but that was right out of war games. amongst other ridiculous accusations as fact and what it did it elevated the interests the government had in the kevin mitnick case and his agenda -- i think his agenda was actually he wanted to write a book and do a movie so if you have the "new york times" at your disposal imagine the interest you can create -- you can cash in. on twitter the other day as far as -- i'm a naturally born smart ass and i twittered the new york timing did a book review and i twittered, i don't understand this. "new york times" did a book review but the last three times they wrote about me i was on the front page and i'm not on the front page this time so markoff, who this wasn't directed towards actually responded one or two days later well, maybe that's because it wasn't written well. kind of like a dig. and so