Chapter 1
Kevin's Story
by Kevin Mitnick

From Phone Phreak, to Hacker

My first encounter with what I would eventually learn to call social engineering came about during my high school years, when I met another student who was caught up in a hobby called phone phreaking. Phone phreaking is a type of hacking that allows you to explore the telephone network by exploiting the phone systems and phone company employees. He showed me neat tricks he could do with a telephone, like obtaining any information the phone company had on any customer, and using a secret test number to make long-distances calls for free (actually free only to us--I found out much later that it wasn't a secret test number at all: the calls were in fact being billed to some poor company's MCI account).

That was my introduction to social engineering-my kindergarten, so to speak. He and another phone phreaker I met shortly thereafter let me listen in as they each made pretext calls to the phone company. I heard the things they said that made them sound believable, I learned about different phone company offices, lingo and procedures. But that "training" didn't last long; it didn't have to. Soon I was doing it all on my own, learning as I went, doing it even better than those first teachers.

The course my life would follow for the next fifteen years had been set.

One of my all-time favorite pranks was gaining unauthorized access to the telephone switch and changing the class of service of a fellow phone phreak. When he'd attempt to make a call from home, he'd get a message telling him to deposit a dime, because the telephone company switch received input that indicated he was calling from a pay phone.

I became absorbed in everything about telephones-not only the electronics, switches, and computers; but also the corporate organization, the procedures, and the terminology. After a while, I probably knew more about the phone system than any single employee. And, I had developed my social engineering skills to the point that, at seventeen years old, I was able to talk most Telco employees into almost anything, whether I was speaking with them in person or by telephone.

My hacking career started when I was in high school. Back then we used the term hacker to mean a person who spent a great deal of time tinkering with hardware and software, either to develop more efficient programs or to bypass unnecessary steps and get the job done more quickly. The term has now become a pejorative, carrying the meaning of "malicious criminal." In these pages I use the term the way I have always used it-in its earlier, more benign sense.

In late 1979, a group of fellow hacker types who worked for the Los Angeles Unified School District dared me to try hacking into The Ark, the computer system at Digital Equipment Corporation used for developing their RSTS/E operating system software. I wanted to be accepted by the guys in this hacker group so I could pick their brains to learn more about operating systems.

These new "friends" had managed to get their hands on the dial-up number to the DEC computer system. But they knew the dial-up number wouldn't do me any good: Without an account name and password, I'd never be able to get in.

They were about to find out that when you underestimate others, it can come back to bite you in the butt. It turned out that, for me, even at that young age, hacking into the DEC system was a pushover. Claiming to be Anton Chernoff, one of the project's lead developers, I placed a simple phone call to the system manager. I claimed I couldn't log into one of "my" accounts, and was convincing enough to talk the guy into giving me accessing and allowing me to select a password of my choice.

As an extra level of protection, whenever anyone dialed into the development system, the user also had to provide a dial-up password. The system administrator told me the password. It was "buffoon," which I guess described what he must have felt like later on, when lie found out what had happened.

In less than five minutes, I had gained access to Digital's RSTE/E development system. And I wasn't logged on as just as an ordinary user, but as someone with all the privileges of a system developer.

At first my new, so-called friends refused to believe I had gained access to The Ark. One of them dialed up the system and shoved the keyboard in front of me with a challenging look on his face. His mouth dropped open as I matter-of-factly logged into a privileged account.

I found out later that they went off to another location and, the same day, started downloading source-code components of the DEC operating system.

And then it was my turn to be floored. After they had downloaded all the software they wanted, they called the corporate security department at DEC and told them someone had hacked into the company's corporate network. And they gave my name. My so-called friends first used my access to copy highly sensitive source code, and then turned me in.

There was a lesson here, but not one I managed to learn easily. Through the years to come, I would repeatedly get into trouble because I trusted people who I thought were my friends.

After high school I studied computers at the Computer Learning Center in Los Angeles. Within a few months, the school's computer manager realized I had found a vulnerability in the operating system and gained full administrative privileges on their IBM minicomputer. The best computer experts on their teaching staff couldn't figure out how I had done this. In what may have been one of the earliest examples of "hire the hacker," I was given an offer I couldn't refuse: Do an honors project to enhance the school's computer security, or face suspension for hacking the system. Of course I chose to do the honors project, and ended up graduating Cum Laude with Honors.

Click here to go to the next section.