Interview: Kevin Mitnick

Kevin Mitnick’s reputation precedes him. Eleanor Dallaway meets the man known as the ‘world’s most famous hacker’ and finds that there’s a lot of smoke and mirrors around Kevin and his mind-blowing journey from villain to legend.

Kevin Mitnick and I meet at the W Hotel in San Francisco. After 12 years writing about information security, meeting the ‘world’s most famous hacker’ is actually a really big deal. I’ve heard so much – some good, some bad – about the man who had the FBI running in circles and who spent a year and a half in solitary confinement, so I am uncharacteristically nervous as I wait for Kevin.

Within a minute of shaking his hand, however, I feel completely at ease. Kevin is warm, friendly and admirably candid. It’s just the two of us, no nervous PR person waiting to tell him to slam on the brakes if he says too much. It’s just Kevin and his hypnotic tales, and me, wide-eyed and captivated by his story.

The first thing I ask him is who is ‘the real’ Kevin Mitnick and interestingly he responds with what he is passionate about rather than what he considers himself to be – perhaps in Kevin’s mind, the two are intrinsically linked. “I’m extremely passionate about technology and I started hacking from my love of magic and doing tricks for friends and family,” he tells me.

Growing up in LA, Kevin recalls days on end of watching the sales guys in the local magic store doing tricks for customers and observing them until he learnt their secrets; a necessity “because I couldn’t afford to buy the tricks,” he explains.

In the 1980s in high school (Kevin was born in 1963) Kevin’s love of magic segued into the hobby of phone phreaking. “I met this kid who could do magic by hacking a phone network with an ordinary phone and I got hooked on understanding how it worked.” It was innocent, he insists, but admits that he later learnt that his antics cost “some poor company somewhere. It was wrong, but I didn’t know,” he says.

Not all of his ‘victims’ were completely accidental, though. “There was a guy who really annoyed me one day, so I reprogrammed his phone remotely so that when he called his saved numbers, he actually got through to Weight Watchers LA, Weight Watchers San Francisco, Weight Watchers New York,” he laughs. It’s the first glimpse I’ve had into Kevin’s exceptional sense of humor and love of mischief.

“I wrote the first phishing program – it tricked users into giving up their password” – Kevin Mitnick

Later in our conversation, he tells me about a McDonald’s prank where he remotely took over the drive-thru windows. “When a customer drove up, rather than getting the guy with the headset ready to take their order, they’d get me, but obviously they wouldn’t know that. I’d say something like ‘As you’re the 100th customer today, your order is free so please drive forward,’” he laughs.

“I’d actually be hiding across the street and would wait for overweight people to put in their order of Big Mac, fries, coke, apple pies…and I’d say ‘based on the make, model and weight of your vehicle and the weight of your occupants, I suggest you change your order to the McSalad.’” He’s laughing, I’m laughing and I’m captivated by his stories.

“Magic, Like Technology, is a Tool”

A friend of Kevin’s suggested he take a computer class in high school, despite his apparent lack of interest, but when he spoke to the computer science instructor he was told he was “below the requisite for the class” as he was lacking credits in physics and calculus as a freshman. The instructor soon changed his mind when Kevin demonstrated that he could fix a problem the tutor was facing: having no phone number in the lab for his wife to call him on. After Kevin got a number for him, he was permitted entry.

The random serendipity of this tale blows my mind. Imagine the paths that Kevin could have taken if that one friend hadn’t persuaded him to inquire about the class, or if the instructor had not accepted the bribe. Having said that, his passion for technology would surely have led him down a certain path at some point.

Kevin started to write code at 16, reading manuals and spending a lot of time at California State University, Northridge “because they had all the manuals for all the computer systems.” At that stage, Kevin wrote code to run on the terminal in the computer lab that simulated the computer. “It was like the first phishing program – it tricked users into giving up their password.”

When the teacher logged into his computer, he actually logged into Kevin’s program. “I took his password, logged in, and just had a huge smile on my face that it worked.” That same week, Kevin ran out of time to do the official class assignment but when the teacher threatened to kick him out of the class, he said “I actually wrote a better program to steal your program.” Kevin proudly recalls how the teacher beamed, declared it “cool” and patted him on the back. That program, Kevin considers, was “how it all started.”

From that very first phishing attack that he engineered, Kevin insists that he never, ever had ambitions of financial gain or causing harm. He categorizes himself as a “funster,” motivated entirely by ‘trophy hunting’.

“It was my playground and it’s what I did instead of playing basketball. I wanted to conquer the Mount Everest of hacking – I wanted to have access to all phone company computers throughout the United States and I decided to go after the NSA from the computer lab in high school.”

You’d be forgiven for questioning whether hacking the National Security Agency could ever be truly considered the behavior of a “funster,” but sitting across from Kevin, there’s something about his openness, his candid words and his wide eyes that make me believe that he at least totally believes what he tells me.

“Magic Lies in Challenging What Seems Impossible”

It may have been the hacker’s equivalent of climbing Everest but Kevin, at the age of 17, successfully wiretapped the NSA. “I compromised the phone switch to allow me to listen in to their conversations, which I did for about 10 seconds.

“It wasn’t about listening,” Kevin insists, “I couldn’t care less what they were saying, it was just about capability. I was setting myself seemingly impossible goals but managing to carry them out.” Back then, Kevin recalls, there was no law against computer crimes. It’s therefore unsurprising that the first time Kevin “got into trouble” was not for a computer crime, but for burglary, in the form of a social engineering attack carried out by him and a friend who gained entry to a phone company building to access their computer systems manuals.

Years later, Kevin’s attorney told him that his earlier antics were used to convince Congress to pass a law to criminalize computer crime. “It surprised me because I never viewed myself as a criminal, just a prankster, but as they started to criminalize this stuff, I just thumbed my nose; I was hooked so I decided to continue.” A decision he now considers “both stupid and incredible” and that landed him “in a whole boat load of trouble.

“It was a vicious cycle. I got busted, did it again, got busted, did it again. In a way, I still do it today…but now I just get permission from my clients and get paid.” I ask him whether he was addicted, whether the hacking was a result of an addictive personality. He considers this and eventually settles on a response: “I couldn’t stop because I was totally hooked.” In my book, that’s an addiction.

He was first prosecuted as a juvenile, but recollects how the press didn’t go as easy on him as the law. “They played me up to be a dark magician of cyberspace that could literally take over the world.” He tells me how USA Today superimposed his photo onto Darth Vader on its front cover, something that clearly and justifiably hurt him.

“I had made a very bad decision to hack into telephone company manufacturers that made phones like Nokia and Motorola at the time. I wanted to get access to the firmware, go after the source code and get the secret recipe on the chip.” He insists this was not an espionage attack, but merely a case of curiosity. He then uses a line which he repeats multiple times during the interview: “I just wanted to understand how it worked.”

It was his 10 years of snooping in the Digital Equipment Corporation (DEC) network that eventually led to Kevin being caught by law enforcement. A decade after he first gained access, the computer manufacturing company released a new operating system called VMS. “One of my hacking friends and I wanted to get the VMS source code to analyze, find flaws and become better hackers.”

DEC engineers realized they had a hacker when Kevin and his friend transferred the VMS system source codes to USC in California. “This started a war – their tech engineers versus me. They thought I was a team from Russia, they’d keep knocking me off their network and I kept breaking us back in.”

Things went sour when Kevin had a falling out with his hacking friend who decided to turn them in to DEC. “He was an idiot because he got himself convicted of a felony. He didn’t go to jail but basically that’s how they got me.”

“A Little Magic Can Take You a Long Way”

This desire to understand how things work landed him in very serious trouble with the law.

“I started compromising all the Bell operating companies in the USA. That’s when I wanted to gain control of the entire United States just for the challenge and the trophy.

“What really pissed the FBI off is that when they traced the calls I was making, I had them routed to some random business; they’d serve a search warrant, but of course, they’d find nothing and they’d then have a lot of egg on their face because I was playing with them.” He reflects on this as “a lot of fun” and considers that “it was like injecting myself into a TV show. I was playing cat and mouse with the government and I didn’t realize that what I was doing was crazy.”

As the cat and mouse game intensified, Kevin left Vegas for the Rocky Mountains with only one suitcase filled with $5000. He officially became a fugitive.

Landing in Denver, Colorado, Kevin looked at job advertisements and tailored his resume 95% to match his applications. “Through my ability to control the phone network, I set up phone numbers to various pay phones so I could give myself references.” The name he gave himself was Eric Weiss, the real name of Harry Houdini and a nod to his passion for magic and his mischievous nature. Under this cover, Kevin got a job at a law firm in Denver as a system operator.

Kevin knew the government were monitoring his family, so used his ability to control the phone network to maintain communication with his mum and his grandmother when he was on the run. “We got pagers, we had a list of 20 casinos in Las Vegas and we had a code to say ‘emergency’ or ‘call when you can’. There was no way in hell they would be able to trace the call because I knew exactly how long it would take to trace.”

Being apart from his family was the hardest thing about his fugitive years and the thing that he later tells me is his biggest regret.

“The way I was able to psychologically deal with being a fugitive was to pretend I was an undercover operative on an assignment, I adopted a cover identity, I became an actor,” he admits.

“Disbelief in Magic Can Force a Poor Soul into Believing in Government and Business”

After a well-publicized pursuit, the FBI arrested Kevin in 1995 at his apartment in North Carolina, on federal offenses related to a 30-month period of computer hacking, which included computer and wire fraud.

Kevin served five years in prison, including over a year in solitary confinement in 1989. When writing about his past shenanigans in one of his four books, Ghost in the Wires, he says “putting it all onto paper, I’m actually surprised I only got five years!” He explains to me that he has always separated his various hacking incidents in his mind, but when he looks at the past 20 years as a whole, “I think ‘oh my god, no wonder I was public enemy number one.’”

He says that without doubt, solitary is the hardest thing he has ever done. “I was in a high security prison with killers. They’d let me out – in handcuffs – for an hour a day. It was a very scary time and I spent every day thinking there’s no light at the end of the tunnel.”

I’m curious as to how a hacking case resulted in solitary. All these years later, Kevin seems equally as bemused. “I thought I’d get out on bail,” he remembers. After all, it was a hacking case that involved no money. “I ended up in federal court. The prosecutor said not only do we have to hold Mr Mitnick without bail because he’s such a great danger to national security, we also have to make sure he can’t get access to a phone.”

The judge, who Kevin recalls was in his seventies and had probably never used a computer, believed the prosecutor’s insistence that Kevin, with access to a phone in jail, “could call up NORAD, whistle into the phone and launch nuclear weapons.” As a defendant, Kevin committed the ultimate mistake – he laughed at the judge in court. “He got really pissed at me laughing, but this claim was ridiculous. How could a grown man say something so stupid?”

The prosecutor, insisting that Kevin had the capability to start World War III, ordered that he be held in solitary without access to a phone. “I was in solitary for a year based on this myth that I could whistle the launch codes.” Kevin is adamant they had no genuine belief that this was true, “They just did it because they were annoyed I’d made a fool out of them.”

“Magic Becomes Art When it Has Nothing to Hide”

Kevin says he hugely regrets the trouble he got into for two reasons. “Firstly for causing a bunch of hassle for all my victims, and secondly for the hardship I caused my family in dealing with my antics for all those years.”

He’s emotional when he talks about his family. “My mother and grandmother were so supportive of me no matter what happened and what I did. My grandmother passed suddenly and my mum was fighting lung cancer for five years.” Luckily Kevin was out of prison when she passed away, “but I still feel awful because of all the time I lost as a fugitive. I wish I could go back in time.”

Even given the luxury of time travel, however, complete redemption seems unlikely. Kevin, whether willing to use the word ‘addiction’ or not, was unquestionably hooked on hacking and striving to become the absolute best.

His website calls him “the world’s most famous hacker” and I ask him whether this is true. After considering Julian Assange and Snowden, he eventually settles on himself for that title. “I guess it fits,” he grins. I ask him whether he considers himself a black, white or grey hat and after giving it extensive thought he says “I guess I fit all three.”

Today, Kevin runs a penetration testing and red team consultancy, and he does a lot of the work himself – again due to his perfectionist nature. “If a client hires me for a week and I don’t get in, I’ll spend an extra week at my own expense because I never ever give up.”

Kevin is also a 50% partner in KnowBe4, a security awareness training company. Through a chance encounter with KnowBe4 founder Stu Sjouwerman, Kevin learnt about the company and was keen to accept Stu’s offer of a partnership. Now with series A and series B investment, KnowBe4 is going from strength to strength. “My whole life I have never been unsuccessful at compromising a target, so I liked Stu’s idea.”

At the time, Kevin had been working on an idea for security awareness videos with actor Kevin Spacey. Wide-eyed, I ask him to expand. “He actually got in contact with me because he wanted to make a movie about my life, so we went to lunch a couple of times but I told him I couldn’t do the movie because I was under a restriction with the federal government for seven years. He actually tried to get me to do it anyway, holding the money secretly to give to me later, but I didn’t trust him, so I said no.”

“The Real Secret of Magic Lies in the Performance”

Kevin doesn’t take being the world’s most famous hacker lightly, investing a lot of time into continuing his hacker education. “I’m a public speaker so to keep up-to-date with the trade craft I take week-long classes to beef up my skill set,” he explains.

“After a keynote I gave, all these people queued to take photos and have autographs like I was a rock star,” he recalls fondly, remembering that one ‘fan’ was an FBI agent who flashed his credentials in the photo. “That was surreal,” laughs Kevin, clearly very aware of the irony. Almost as ironic as the fact that both the FBI and NSA have hired Kevin to speak at events.

His public speaking takes him around the world – despite his fear of flying – and rarely gives him time at either of his LA or Vegas homes, which is why he takes his girlfriend wherever he goes.

“Always being on the move” is one of the positives he takes from his fugitive days. “I really like the lifestyle of just moving around,” he explains.

Public speaking is something he loves doing and Kevin draws parallels with his dream of being a magician. “When I’m on stage, I’m demonstrating exploits and how the bad guys practice their trade craft. I’m a performer of hacker magic.” When I ask him what the future holds for him, he tells me that he plans to build out his public speaking business even further because he adores performing.

All of his friends, he says, are magicians. “Like David Copperfield,” he casually adds, “oh and Teller from Penn and Teller. I know him really well, he calls me for advice on hacking.” I tell Kevin that I too love magic. “Want to see a trick?” he grins at me. His trick is actually very impressive and we spend some time talking about what it is about magic that captures us.

His other passions include travel, going to the movies, jet skiing or wave running and reading, but mainly books about computer research and information security.

“You Have to Make the Magic Happen”

I want to end our time together not by focusing on Kevin’s misdemeanors, his regrets or his darker days, but instead on what he looks back on with warmth and pride.

“I started off in this world as a hacker and got myself into a lot of trouble, so being able to turn that around to being a respected security expert, a successful business man and a New York Times best-selling author, makes me very proud,” he says.

He compares his story to that of Frank Abagnale of Catch Me if You Can. Again, his obsession with illusion, with magic, with pretending to be someone he’s not is apparent. It’s fascinating, but resisting the urge to psychoanalyze, I am pleased that Kevin seems legitimately happy and largely at peace with his past and regrets.

It was magic that led Kevin to become the world’s most famous hacker, and all these years later, he is still utterly hooked on the magic of magic. I wonder where it will lead him next.

It took me 12 years as an information security journalist to meet Kevin, and it was very much worth the wait. 