Ghost of the Machine
This is an archived article that was published on sltrib.com in 2005, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.

In hackers' lore, Kevin Mitnick was the Jesse James, Scarlet Pimpernel and the Shadow of the digital underground rolled into one, a charming genius always a step ahead of pursuing authorities.

FBI agents, who chased the identity-swapping "Condor" for three years before catching him in a Raleigh, N.C. apartment in February 1995, saw a much more sinister figure. So feared was he that Mitnick was held without bail, and for eight months was in solitary confinement. Authorities forbade him use of telephones, convinced he could compromise national security by whistling and dialing in tones and codes that would start World War III.

Now a popular speaker and full-time computer security consultant, the 41-year-old Mitnick says both the cops and his adoring hacking progeny were wrong about him.

"At first, I was just a prankster. I used my PC to pull tricks on my friends and family," he says. "What got me in trouble was when I went after telephone codes."

That was in 1981, when the 17-year-old was arrested for stealing manuals for Pacific Bell's Los Angeles switching center. As a juvenile, he got probation. But a year later, Mitnick was legally an adult when caught breaking into University of Southern California computers; a six-month jail term followed. In 1988, more hacking resulted in a one-year prison term; in 1992, he was on the run after violating parole.

During his two-plus years on the lam, Mitnick was blamed for a series of ensuing computer break-ins. But his fatal error allegedly came when he hacked into files belonging to Tsutomu Shimomura at the federally-funded San Diego Supercomputer Center. His victim turned avenger, helping the FBI track the hacker down two months later.

Mitnick was jailed for nearly four years awaiting a trial that never came. He eventually pleaded guilty to five of the original 25 counts of wire and computer fraud. Credited with time served, he walked out of the Lompoc, Calif., prison in September 2000.

The court banned Mitnick from computers for three more years, but it may not have been necessary. The years in custody had been reflective ones, and Mitnick insists that when he finally tasted freedom again, he was determined to go straight.

At first, he admits, it wasn't easy. When potential computer security clients learned the arch-hacker was claiming an ethical rebirth and offering his services to thwart his one-time colleagues, they were uneasy. In 2003, Symantec security adviser Linda McCarthy's comment to BusinessWeek was: "Do you hire the bank robber to guard your money? I don't think so."

Opinions, apparently, have changed. When asked for fresh comment for this article, Symantec declines.

Indeed, Mitnick Security and its founder are thriving in what has become the $20 billion-a-year computer security industry. Since his release, Mitnick has published two hacking-related books - The Art of Deception (2002) and this year's The Art of Intrusion - and is planning an autobiography next year. Meantime, he has showcased his reformation in dozens of speech venues nationwide.

"Between the speaking circuit and consulting, I am continually busy," he says during an interview from his home in Henderson, Nev. "I guess time heals everything. I'm getting more trust in the community as they look at what I've been doing - legitimate and socially helpful things."

A former victim, Gabe Nault, and a reporter Mitnick still considers his arch-nemesis, John Markoff of the New York Times, both hope the record of reform holds up.

"He basically used my name to gain access to internal programs [in February 1994]," says Nault, a computer engineer then employed by Novell Inc. "I have no feelings about it today, and if he's turned around, that's great."

Mitnick's use of Nault's identity was also a prime example of the hacker's social engineering skills. As Nault, Mitnick called Shawn Nunley, a Novell systems administrator, at home late one night. Mitnick/Nault claimed he was on vacation, but needed access to a network. As a precaution, Nunley - unfamiliar with Nault - called the employee's voice mail to match the recorded greeting with the voice of the caller.

A savvy move, but Mitnick had thought of it first. Earlier, he had schmoozed a Novell technician into resetting Nault's voice mail password, and then recorded a new greeting. Hearing the same voice, Nunley gave the hacker access. Mitnick stole software code, but found no use for it.

Markoff covered Mitnick's pursuit and co-wrote, with Shimomura, Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw - By the Man Who Did It. Neither endeavor won the favor of Mitnick, who still claims the book and Markoff's reporting contained inaccuracies and fallacies - particularly a claim of a 1983 invasion of the North American Air Defense Command (NORAD) computer network.

"I became the target of the 'Free Kevin Movement,'" says Markoff, now working out of the Times' San Francisco office. "There was a break-in at the Times [computer system] that was reasonably harmless, graffiti against me. [But] there also were some death threats."

Markoff, while standing firm on his reporting, says he harbors no ill will toward Mitnick or his supporters.

"I don't track Kevin," he says. "My feeling is if he is doing something legitimate and can make a living at it, that's just fine with me."

Reformation aside, Mitnick remains a hacking cult hero, the inspiration for a new - some say much more malevolent - generation of hackers and their cyber-cousins who author the myriad worms which regularly test and occasionally defeat computer security worldwide.

"That's not a badge of honor I enjoy," Mitnick says, arguing that while he certainly broke laws in his previous hacking career, "I never had malicious intent. I was never trying to hurt anyone or damage anything."

Today, he is happy to be a "white hat," in the nomenclature of hacking, having abandoned the world of illegal, or "black hat" activities.

Still, Mitnick admits it is a kick to digitally explore data realms that network security designers have done their best to make off-limits to intruders.

"I know that is ironic," he laughs. "All those same skills I used to put into unethical activities I can now use legitimately, and in an ethical way.

"It's still basically just solving a puzzle," Mitnick adds. "Years ago, with poor judgment, I was intrigued to break through security on computer systems. Now I do it with the client's permission, for socially acceptable reasons."

It is the sort of challenge he expects to fill the rest of his life. Along with increasingly sophisticated virus and worm attacks, Mitnick sees computer security threatened by thumb-sized, high-capacity flash memory drives capable of draining large chunks of data from a plug-in port within seconds. The advent of wireless Internet, too, is a growing danger due to inadequate security measures.

"It's a continual game of cat-and-mouse," Mitnick says.

Having been the hunted, he much prefers being the one with the claws.

bmims@sltrib.com

About cybercrime

In 2004, computer and Internet-related crime cost $400 billion in damages and mitigation expenses. The number of virus and worm threats topped 2,000 - almost a seven-fold increase since 2002.

Fully 85 percent of attacks borne by malicious software are unleashed to make a profit. Cybergangs threaten to attack sites to extort payoffs. Counterfeit e-mails misdirect the innocent to bogus corporate financial sites. And spyware steals credit card and other financial information.

Distributed denial of service (DDoS) attacks are increasing, with PCs infected with malicious code up from 3,000 at the end of March to 13,000 by mid-year.

Kevin Mitnick was a shadow. Just a step ahead of the authorities for years, now he's joined them