Ghost in the Wires: My Adventures as the World's Most Wanted Hacker - Kevin Mitnick
I immediately searched Mark’s file system for “*oki*” (an asterisk is a wild card that in this case means “look for any filenames that have the character string ‘oki’ in them”). An examination of the files turned up by this search revealed that Mark didn’t have the source code for the OKI 900 but was indeed reverse-engineering it—and that he was getting help from another hacker.
And who was helping Lottor with this project? Surprise: of all people, it was Tsutomu Shimomura, that computer security expert with a big reputation and a bigger ego, who worked at the San Diego Supercomputer Center. Odd: at the time, Lottor was under Federal indictment in the Kevin Poulsen case, and yet here he was, getting help from a computer security expert who did contract work for the government. What was that about?
I had encountered Shimomura once before, something he never found out. The previous year, in September 1993, after getting into Sun’s network, I had discovered that he had been finding and reporting security bugs he uncovered in SunOS, one of Sun’s flagship operating systems. I wanted the information, so I targeted his server. By hacking into a host called “euler” at the University of California, San Diego (UCSD), I was able to get root and install a network sniffer.
The stars must have been lined up in my favor. Within several hours, I intercepted a user, “david,” logging into “ariel,” one of Shimomura’s servers. By capturing david’s password using my network wiretap, I accessed Shimomura’s system and was into it for several days before I was noticed and booted off. Shimomura eventually realized that david had been hacked, and tried tracking me but hit a dead end. In hindsight, he was probably monitoring his own network traffic and saw what was going on.
Before getting booted, I was able to grab a lot of files. Most of the interesting stuff had eluded me, but I knew I would return at some point. Now my interest in doing that had been stirred up, thanks to Lottor.
As I was probing Lottor’s system, I discovered a file that listed the instructions for changing an ESN from the keypad of an OKI phone.
to set the esn, enter debug mode.
the command is #49 NN SSSSSSSS
NN is 01 or 02
SSSSSSSS is new ESN# in hex
set security code to 000000 for easier access!
It appeared that Lottor and Shimomura had reverse-engineered and built a special version of the firmware that allowed the phone user to easily change the ESN from the keypad. There could be only one purpose for doing this: to clone to another cell phone number. I had to smile and shake my head. Here was an even bigger puzzle: Why would the federally indicted hacker and the security expert want to clone cell phones? It was something I never did figure out.
In any case, I had come up empty-handed on my real objective: finding source code from the manufacturer, OKI.
In looking through Lottor’s files, I discovered that Shimomura had written an 8051 “disassembler” program that Lottor was using for reverse-engineering the firmware. I also read numerous emails between Lottor and Shimomura discussing their OKI reverse-engineering project. In one interesting email, Lottor sent Shimomura a console application named “modesn.exe.”
OKI ESN Modifier. Copyright (C) 1994 Network Wizards.
The name said it all: the program was designed to modify the ESN on the OKI cell phone. Very interesting. Again, I could think of only one potential purpose: fraud.
I archived and compressed all the files related to cell phones, including his email communications with Shimomura. But the process took too long. During the file transfer, my connection was suddenly dropped. Lottor must have come home and noticed that something was going on. Apparently he had pulled the network cable, stopping