February 21, 2002, 1:50 PM PT
A decade ago Kevin Mitnick tricked a Novell employee into giving him access to sensitive corporate data. This week the legendary hacker and his unsuspecting target met for the first time.
"This is ironic," Mitnick said as he and Shawn Nunley shook hands and greeted each other like old pals at the RSA Conference on computer security. The two laughed and swapped stories about the days when they were antagonists.
Labeled a "computer terrorist" by the FBI, Mitnick kept frustrated authorities on the hunt for three years as he hacked into the networks of Novell, Sun Microsystems and Motorola, among others, in the early 1990s.
Mitnick, who is now 38 and lives in the Los Angeles suburb of Thousand Oaks, Calif., was finally arrested in February 1995. Held without bail for nearly five years, he served eight months of it in solitary confinement.
"I was the only person in U.S. history ever held without a bail hearing," he said in an interview Wednesday.
Fearing he wouldn't get a fair trial, he pleaded guilty in March 1999 to wire fraud, computer fraud and intercepting communications. He was released but is required to get government approval before traveling or using any technology until his probation is up in January of 2003.
Although permitted to carry a cell phone, Mitnick still can't use e-mail or surf the Web, and now authorities are trying to cut him off from the hobby he's had for 25 years: ham radio.
Mitnick and Nunley's paths first crossed in 1992 when Nunley worked for Novell. At the time, Mitnick was interested in getting access to operating-system source code to see how computer users were authenticated.
"I was interested in log-in programs, to find out where I could place back doors," Mitnick said.
Impersonating an employee who was on vacation, Mitnick called Novell's wide-area networking department asking for an account so he could dial into the company's network as any legitimate employee using a laptop would be able to do.
The engineer on duty referred Mitnick to Nunley, who was the only employee at the time authorized to create dial-in accounts. So Mitnick called Nunley at home.
Nunley agreed to do it, but only if Mitnick first left a message on his voice mail at work as proof of the request in case his boss questioned it later. That voice mail was the evidence authorities eventually used to nail Mitnick.
Knowing that Nunley would call the impersonated employee's voice mail to verify his identity, Mitnick had already re-recorded that employee's voice mail in his own voice, after convincing someone in Novell's telecommunications department to surrender the password.
Mitnick also had earlier persuaded another engineer to move a compressed copy of a file containing source code for the company's operating-system software to a different server in the network.
Nunley, satisfied with the voice mail verification, created the account, and within minutes Mitnick went to work transferring the source code to a computer outside the company.
Nunley, who now works as director of technology development at NetScaler in Santa Clara, Calif., says he quickly realized his mistake after seeing Mitnick traverse the network, but it was too late.
"At Novell, we felt violated and we wanted justice done," said Nunley. "We spent a lot of manpower cleaning up the mess he left."
But then Nunley came to believe that prosecutors were exaggerating the damage estimates and trying to "make an example out of" Mitnick. "I went from being happy about Kevin being punished" to being angry about it, Nunley said.
So he called Mitnick's lawyer to offer his help. The two men have been in telephone contact since.
Of the conference, Mitnick said he was struck by experts' statements regarding just how insecure wireless networks are.
"It's like the old days of war dialing," Mitnick said, referring to a practice in which hackers would use a program to dial through blocks of phone numbers looking for a company's dial-up modem lines.
"Now you just sniff," or eavesdrop, Mitnick said. "The new wireless vulnerabilities are even worse than the old methods."
Much has changed since Mitnick was hacking and phone phreaking, or breaking into telephone networks, as a teenager.
"It's a different world out there," Mitnick said. "When I started there weren't even laws against it."
While he is prohibited from consulting on security, Mitnick is allowed to give speeches. His talk-radio show about the Internet was canceled recently, but he's hoping to get another one going soon that will be syndicated.
He got a gig playing a CIA agent in the ABC TV show "Alias," but was turned down for the part of a computer hacker for a TV commercial for Internet Security Systems.
Mitnick is barred from profiting from telling his story until 2010, but he can write about security if it's not a memoir. So he's writing a book tentatively titled "The Art of Deception."
It's about a common hacker technique he was notorious for: social engineering, in which a hacker dupes people into giving out information rather than obtaining it by technical means, which Mitnick said is much harder.
"A lot of businesses overlook social-engineering attacks," Mitnick said. "Out of this whole conference there's not one session that talks about it."
Nunley, who saw Mitnick's skills as a trickster firsthand, said, "It's a performance art."