Man On The Run
--------------
by Chris Warren

My cell phone is ringing. I pick it up off the table of a busy Los Angeles restaurant and look to see who is calling. Weird. The caller ID flashes my home phone number, but I know for certain that nobody is there.

Across the table from me, Kevin Mitnick is smiling. Once the most notorious computer hacker in the country -- he was the FBI's most-wanted hacker and a fugitive for three years -- Mitnick has more than a passing knowledge about using technology for devious, deceptive purposes. Using his own cell phone, Mitnick takes just a few seconds to demonstrate how he accomplished this telephonic sleight of hand known as caller ID spoofing, a particularly effective trick for identity thieves and con artists. (Think about it: How likely would you be to withhold personal or financial information from someone who your caller ID says is from your bank?) Equally as quickly, Mitnick pulls up George H.W. Bush's driver's license number and then offers to retrieve mine, but I demur.

On the day we meet, Mitnick, 43, certainly doesn't look like much of a threat. Wearing a dark T-shirt and jeans, he is engaging and self-deprecating; he bemoans his latest doctor's visit because his physician was pestering him about losing weight. These days, Mitnick -- who served five years in federal prison for breaking into the computer systems of large companies like Motorola and Nokia and then fleeing from prosecution -- has very much gone legit. Instead of covertly, and illegally, breaking into corporate computer systems, Mitnick -- through his Las Vegas-based company, Mitnick Security Consulting -- uses those same skills to protect companies.

"I get paid to do what they call ethical hacking," he says. "Companies call me mostly to do security assessments, which is when they want someone to evaluate their technical, physical, and human-based security to find out if they have any holes in their infrastructure that bad guys can break through."
The short answer is, yes, there are holes. "There has never been a client who has hired us that we couldn't break," he says. Once Mitnick and his colleagues find security lapses, they work with companies to fix them -- a process called "hardening" -- and train employees to thwart hackers. Mitnick insists that, although it's commonly thought to be largely a technical issue, true company security involves a variety of elements, people being the most important. That's because social engineering, a fancy term for manipulating people to get information, is so effective.

In some of his classes, which are held over two days, Mitnick demonstrates how social engineering works by way of a little ploy the night before the first session. Students in the class will get a call at one a.m. in the hotel where they're staying from someone claiming to be from the front desk. The person on the phone tells the sleepy guest that his credit card didn't go through and that he needs to come down and sort the matter out. Naturally, most people don't want to do that. No problem. The front desk generously offers to send someone right up to get new credit card information and a signature. Just like that, an identity thief has all the information he needs -- a fact that class members are made aware of when they're handed their own signature and credit card info the next day in class.

In Mitnick's view, defending against social engineering -- which takes building both awareness and resistance to all of the common scams -- is every bit as important as installing the very best technology; indeed, if an employee decides to use his own name as a password to get into a company's computer system, or simply writes it down and tapes it to his screen, there's not going to be much protection. "If you have all the best technology in the world but your users are giving out their authentication credentials, all that money is wasted," says Mitnick.

Magical Mischief

It's hardly an exaggeration to say that Mitnick has been preparing his whole life for the work he does now, albeit in a somewhat unusual way. It all started with a fascination with magic. "On weekends, I would just hang out at the magic store because I wanted to learn how to do illusions, and I wanted to learn the secrets about how they worked," says Mitnick, who spent his childhood in various locales around Southern California.

As Mitnick got older, he became interested first in CB radio and later in telephone systems. With telephones, he found a less traditional but certainly effective way to perform magic. By learning how telephone switching systems work, Mitnick pulled off some pretty ingenious pranks: He rigged it so that whenever a friend's family would pick up their home phone, it would ask them to deposit 10 cents; later, he learned how to intercept calls placed to Rhode Island's directory assistance.

Mitnick was first introduced to computers when telephone companies began using them as their front ends. It wasn't long before he became a full-fledged hacker. To hear Mitnick describe it, computer systems at big companies gave him the opportunity to be the ultimate magician. "Houdini was the best at breaking out of jail cells and handcuffs. I wanted to be the best at picking the lock," he says. The reason for his ventures into corporate operating systems, Mitnick insists, was never personal enrichment; it was just to get better at breaking in. "The goal was not to steal the software to develop a competing company or to sell it or to use it for profit. It was more of a cheat sheet for a game, to use it to become better at getting in."

Law enforcement officials didn't see it so benignly, though, and Mitnick was caught in 1988 and sent to prison for a year on a computer-fraud charge.
Prosecutors alleged that Mitnick could somehow start a nuclear war by hacking into the NORAD computer system and whistling into the phone -- a charge Mitnick calls laughable -- so he wasn't allowed to use the prison telephone, and he was placed in solitary confinement.

After he was released, Mitnick learned that the government was planning to charge him with supervised-release violations, so he fled. Mitnick managed to elude his pursuers for three years. He moved across the country -- sometimes under the alias Eric Weiss, a variation on Houdini's real name -- and chose his new homes based on Money's rankings of the best places to live. Eventually, he was caught in North Carolina, where he copped a plea deal and was put back in prison for five years, from 1995 to 2000.

According to the U.S. Department of Justice, Mitnick admitted that he broke into computer systems and stole proprietary software. As part of his scheme, the Department of Justice said in its news release announcing the plea deal, Mitnick acknowledged that he tampered with college computer systems, stole e-mails, monitored computer systems, and tried to obtain software by posing as a company employee. The Department of Justice said the victims of Mitnick's hacking lost millions of dollars in damages from lost licensing fees, marketing delays, lost research and development, and repairs made to compromised computer systems.

Government Payback

After his release from prison, Mitnick had few prospects -- he wasn't allowed to use a computer for three years -- and no real ideas of how he could make an honest living. Out of the blue, Joe Lieberman, the Democratic senator from Connecticut, and Fred Thompson, then a Republican senator from Tennessee, invited him to testify before their committee on how to improve the government's computer security.
Though usually they are very dry, sober affairs, Mitnick made his appearance before the Senate panel entertaining, engaging in friendly and humorous exchanges with the senators. People must have been watching C-SPAN that day. "People saw that and said, 'Hey, I want this guy to speak.' And that's how I started my career, thanks to the U.S. government," he says.

Mitnick began giving lectures all around the world and has since written two books (The Art of Intrusion and The Art of Deception) and become a much-sought-after security consultant. His checkered background doesn't seem to deter employers. "If you think about it, a guy like that has everything to lose. He's already under a microscope, so if he does something stupid, he's done forever," says Connor Haggerty, controller for Food Industry Services, a consortium of Midwestern grocery stores that hired Mitnick to do some security work and give a speech.

Mitnick is looking forward to releasing his memoir in 2007, something he hadn't been able to do before because one of the conditions of his release from prison was that he not be allowed to profit from his life story for seven years.

And in case there's any doubt whether Mitnick has fully joined the ranks of regular folks, there is this: The great hacker himself had his identity stolen a couple of years ago. "The only thing that went through my mind was, 'Why didn't they steal my identity 10 years ago?'" he says. "That would have been poetic."