I Was A Hacker For The FBI

The government sprung Justin Petersen for his hacking skills. Was it the right move?
_________________________________________________________________

By Joseph C. Panettieri

Conventional wisdom says it takes a thief to catch a thief. Just how that old saw relates to the world of information technology wasn't immediately apparent--until now.

"I worked for the FBI," says Justin Tanner Petersen, an admitted computer hacker. Not only that, the FBI got him out of jail to do it.

Petersen, an affable, 34-year-old cyberpunk, now awaits sentencing in a Los Angeles County detention center for crimes to which he's pled guilty. His court hearing for several computer-related crimes--including crimes committed while working for the FBI--is set for March 27. He faces a possible sentence of 10 years for conspiracy, computer fraud, and other crimes.

Court papers filed in Los Angeles in connection with the case show that in 1991, FBI agents working for the U.S. Attorney in Los Angeles bargained to have Petersen released from jail in Texas "to investigate [certain] individuals." The FBI maintained a relationship with Petersen for two years, before revoking his bond. Petersen fled possible prosecution in relation to crimes committed while he was out on bond. He was captured last summer.

No one from the FBI or the Justice Department would comment on or clarify just why the FBI was working with Petersen. But several sources speculate that Petersen was tracking computer superhacker Kevin Mitnick.

"The Feds turned Petersen against Mitnick," says a computer security consultant who requested anonymity. "Petersen essentially became a bounty hunter for the FBI."

"It was pretty much suspected in the hacker community that Petersen was working for the FBI," says Eric Gorley, editor of the notorious hacker quarterly 2600. "He showed up at a couple of hacker conventions trying to track down [Mitnick] and other people."

Suspicious Minds

According to court documents, Petersen was arrested in July 1991, in Dallas for possession of a stolen car. Police searched his apartment and found more than a dozen stolen or fraudulent credit cards, telephone calling cards, bank cards, five modems, a computer, and some 200 diskettes. He was charged by the federal government in eight counts with breaking into the TRW computer system, among other crimes.

In September 1991, while in jail, Petersen was approached by Secret Service and FBI agents, according to court documents. As part of a deal to get himself out of jail, Petersen pled guilty to the crimes he committed in Texas and to computer-related crimes for which he was under indictment in California. His case was transferred to California.

Through a series of delayed sentencings, Petersen remained out of jail under FBI supervision from September 1991 to October 1993. During that time he was in repeated contact with members of the hacker community, according to sources.

Petersen says that for those two years the FBI gave him an apartment and two computers. His work with the FBI included educating agents about the art of hacking and aiding in the investigations of about a dozen hackers, including Mitnick, he says.

At the time of Petersen's alleged surveillance of him, Mitnick was on probation after being convicted of hacking Digital Equipment Corp.'s private network and stealing the source code for several Digital products, including VMS Version 5, and a security inspection tool called XSafe.

Petersen, working as an informant, says he learned of additional crimes committed by Mitnick while Mitnick was on probation. When FBI agents moved in to make an arrest in 1992, Mitnick fled. After a lengthy search, the FBI finally apprehended Mitnick in February in Raleigh, N.C.

"All of the Mitnick coverage fails to mention that I was the one responsible for his becoming a fugitive," says Petersen.

Mitnick, while still a fugitive, sought revenge against Petersen by harassing him electronically, Petersen says.

What's The Greater Risk?

The FBI worked with an outside computer expert, Tsutomu Shimomura, a researcher with the University of California at San Diego's supercomputer center, to help capture Mitnick.

The fear of illegal break-ins has also led some companies to hire outside expertise, even their own hackers, to do undercover work as well as test the security of corporate systems (IW, June 21, 1993, p. 48). That practice, however, is one that security experts strongly question.

"The risks involved with hiring a hacker are simply too great," says Dan White, national director of information security at Ernst & Young in Chicago. "There's no assurance that a hacker will leave systems well enough alone after his work is done."

Petersen admits he committed crimes during his time with the FBI, specifically illegally obtaining electronic monitoring equipment. Petersen recently pled guilty to those crimes.

At least one technology manager wonders why the FBI would work with Petersen at a time when corporate networks have never been more susceptible to security breaches. "[Using Petersen] is about as dangerous a thing as the FBI could do," says M. Lewis Temares, CIO and Dean of College Engineering at the University of Miami. "He who strikes first will strike second, especially if he only gets a slap on the wrist."

Ultimately, Petersen would become a fugitive himself. In October 1993, the FBI learned that he was committing crimes. At a meeting between himself, his attorney, and Assistant U.S. Attorney David Schindler, Petersen ducked out for a drink of water and fled, according to court documents.

"The FBI raided my house and found radio detection equipment and other access equipment that I acquired illegally to trace Mitnick," says Petersen. "I panicked and ran." He remained at large until he was arrested last August in Los Angeles.

Right now, Petersen is apologetic. "It's true, I worked for the FBI as part of a plea agreement," admits Petersen. "But I stepped over the line."

The 10-year sentence Petersen is facing has him remorseful. Says Petersen: "I take responsibility for [those crimes]. I clearly deserve to be [in jail.] The question is: for how long?"

The U.S. Attorney says he will talk about the case after Petersen is sentenced. Then the full details about the FBI's hacker will come out.