Ghost in the Wires: My Adventures as the World's Most Wanted Hacker - Kevin Mitnick
Around the summer of 2001, I got a phone call from a man named Eddie Muñoz, who knew of my past hacking exploits and wanted to hire me to fix a rather unusual problem. His highly successful service in providing “dancers” available on call in Las Vegas had dropped off very significantly. Eddie felt certain that the Mafia had hacked Sprint’s phone switch and reprogrammed it so that most of the calls to Eddie’s service would be diverted to other call-girl services run by the Mob.
Muñoz had filed a complaint with the Public Utilities Commission (PUC) against Sprint, claiming that his business was suffering because the company had not secured its infrastructure properly against hackers. He wanted to hire me as an expert witness for the commission hearing. Initially I was skeptical that Sprint was at fault for Eddie’s declining revenue, but I agreed to testify about the company’s vulnerabilities.
During the hearing, I described how I had been hacking into phone companies for years, including Sprint. I explained that the CALRS system Sprint used for testing was similar to Pacific Bell’s SAS, but with what I thought was even better security: anyone trying to access the remote CALRS test units in each central office had to give the correct response to a challenge in order to get access. The system was programmed with a hundred different challenges—double digits from 00 to 99, each of which had its own response of four hex characters such as b7a6 or dd8c. Hard to crack… except through wiretapping or social engineering.
The way I’d gotten around it, I told the commission, was by calling the manufacturer of the system, Northern Telecom, claiming to be with Sprint’s Engineering Department, and saying I was building a custom testing tool that needed to communicate with the CALRS test units in each central office. The technician faxed me the “Seed List” of all one hundred challenges and responses.
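As an added illustration (not from the book; the table values and all function and class names are constructed for this example), the sketch below models a fixed 100-entry challenge/response table like the one described. It shows why both caveats above hold: a recorded login stays valid forever, and one disclosed list answers every challenge. The keyed, nonce-based verifier shown for contrast is an assumed hardened design, not the mechanism CALRS used.

```python
import hashlib
import hmac
import random
import secrets

def make_seed_list(rng):
    """Constructed stand-in table: challenges "00".."99", 4-hex responses."""
    return {f"{c:02d}": f"{rng.getrandbits(16):04x}" for c in range(100)}

def static_verify(seed_list, challenge, response):
    return hmac.compare_digest(seed_list[challenge], response)

def sessions_until_full_coverage(seed_list, rng):
    """Logins a passive listener records before holding every pair."""
    challenges = sorted(seed_list)
    seen, sessions = {}, 0
    while len(seen) < len(seed_list):
        ch = rng.choice(challenges)      # unit picks a challenge
        seen[ch] = seed_list[ch]         # the answer never changes
        sessions += 1
    return sessions, seen

def keyed_response(key, nonce):
    """Hardened form (assumption): HMAC over a fresh nonce with a per-unit key."""
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()

class KeyedVerifier:
    def __init__(self, key):
        self.key = key
        self.outstanding = set()

    def issue(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self.outstanding:    # unknown or already used
            return False
        self.outstanding.discard(nonce)
        return hmac.compare_digest(keyed_response(self.key, nonce), response)

if __name__ == "__main__":
    rng = random.Random(2001)
    table = make_seed_list(rng)
    n, recorded = sessions_until_full_coverage(table, rng)
    print(f"listener holds all {len(recorded)} pairs after {n} observed logins")
```

The keyed scheme removes the replay problem but not the disclosure problem: a key handed out by a vendor over the phone is as fatal as a faxed list, so per-unit keys and a verified release procedure are what limit the damage.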
One of Sprint’s attorneys challenged my testimony: “Mr. Mitnick is a social engineer, lying was part of his stock-in-trade, and you can’t believe anything he says.” Not only did he absolutely deny that Sprint had been hacked or could be hacked in the future, but he pointed out that I’d literally written “the book on lying”: The Art of Deception (about which, more in a moment).
One of the PUC staffers confronted me, saying, “You have offered all these claims but haven’t offered a shred of evidence. Do you have any way of proving Sprint can be hacked?”
It was a long shot, but there was just a chance I might be able to prove it. During the lunch break, I went to a storage locker I had opened while in Las Vegas just before going on the run. It was crammed with cell phones, chips, printouts, floppy disks, and more—stuff I couldn’t take with me but didn’t want to lose and couldn’t risk leaving at my mom’s or Gram’s, where the Feds might show up with a search warrant and find it all.
Incredibly, in that big pileup of old goods, I found what I was looking for: a sheet of paper, by now tattered, dog-eared, and dusty, containing the CALRS Seed List. On my way back to the hearing room, I stopped at a Kinko’s and had enough copies made for the commissioner, lawyers, clerk, and staff.
Kevin Poulsen, who by this time had become a highly respected technology reporter, had flown to Las Vegas to cover the hearing as a journalist. Here is what he wrote about my return to the witness stand:
“If the system is still in place, and they haven’t changed the seed list, you could use this to get access to CALRS,” Mitnick testified. “The system would allow you to wiretap a line, or seize dial tone.”
Mitnick’s return to the hearing room with the list generated a flurry of activity at Sprint’s table; Ann Pongracz, the company’s general counsel, and another Sprint