Ghost in the Wires: My Adventures as the World's Most Wanted Hacker - Kevin Mitnick
TWENTY
Reverse Sting
Wspa wdw gae ypte rj gae dilan lbnsp loeui V tndllrhh gae
awvnh “HZO, hzl jaq M uxla nvu?”
The California Department of Motor Vehicles would turn out to be one of my greatest sources of information and also, later on, the source of one of my narrowest escapes. How I got access to the DMV is a story in itself.
First step: find out what phone number the cops used for official calls to the DMV. I phoned the Orange County sheriff’s station, asked for the Teletype Unit, and told the deputy who answered, “I need the DMV number to find out about a Soundex I requested a couple of days ago.” (In DMV terminology, curiously, when you want a copy of someone’s driver’s license photo, what you ask for is a Soundex.)
“Who are you?” he asked.
“This is Lieutenant Moore,” I said. “I was calling 916 657-8823, but that number doesn’t seem to work anymore.” Three things were pulling in my favor here. First, I had reached the deputy on an internal number that he would presume wasn’t available to anybody outside the Sheriff’s Department. Second, taking a small but reasonable gamble, I had given him a wrong phone number with what I was almost certain was the correct area code and prefix, because at the time (as I noted earlier) the DMV was assigned the entire 657 prefix, making it highly likely that the number used by law enforcement would also be a 916 657-XXXX number. The deputy would notice that I had everything right except the last four digits. And third, I had elevated myself to the rank of lieutenant. People in a police department or a sheriff’s outfit think like people in the military: nobody wants to say no to somebody with bars on his shoulders.
He gave me the correct phone number.
Next I needed to know how many phone lines there were in the office that handled law enforcement calls, and the phone number for each line. I had found out that the State of California used a telephone switch from Northern Telecom, the DMS-100. I called the State of California Telecommunications Department and said I needed to talk to a technician who worked with the DMS-100 switch. The technician I was transferred to accepted my claim that I was with Northern Telecom’s Technical Assistance Support Center, in Dallas, so I launched into my spiel: “In the current release of the software, we have an intermittent issue where calls get routed to the wrong number. We’ve come up with a patch—it’s a small fix, and you won’t have any problems with it. But in our customer support database, I can’t find the dial-up number to your switch.”
Now I was down to the tricky part. I liked to get this piece of it done by using wording that left the other person no opportunity to object. I said, “So what’s the dial-in number, and when’s a good time to apply the patch?”
The tech was glad to give me the dial-in number to the switch so he wouldn’t have to do the update himself.
Even in those days, some telephone switches, like corporate computer systems, were password-protected. The default account name was all too easy to figure out: “NTAS,” the abbreviation for “Northern Telecom Assistance Support.” I dialed the number the technician had given me, entered the account name, and started trying passwords.
“ntas”? Nope.
“update”? Nothing doing.
How about “patch”? No luck.
So I tried one that I had found being used on Northern Telecom switches for other Regional Bell Operating Companies: “helper.”
Jackpot!
Because Northern Telecom had wanted to make things easy for its own support technicians, every switch was accessible using the same support password. How stupid is that?! But great for me.
With the account name and password, I now had full access to the switch, and I had gained control