For Different Reasons, Arrest of Hacking Suspect Elicits Surprise

Many people who know Nicolas Jacobsen said Thursday that they were surprised the 21-year-old had been accused of hacking into a massive cellphone network that guards millions of private messages.

Former neighbors, including some who witnessed his arrest last fall after federal agents arrived at their aging Santa Ana apartment complex, said he was just too bright to do such a thing.

“He could talk about politics. He knows about the law,” said Victor Gonzalez, 60, a retired construction worker. “I couldn’t believe that he got arrested. I thought he was a smarter guy than that.”

Computer security experts who said Jacobsen turned to them for help also expressed surprise, but for a different reason: They weren’t so impressed with his technical skills.

On one occasion during an online conversation with security experts, Jacobsen asked for basic pointers on how to penetrate an IBM mainframe computer, noting that “anything would be helpful.”

Although the case became public only this week, Jacobsen was arrested in October on suspicion of breaking into a national database maintained by T-Mobile USA Inc. He has been charged with two counts of computer intrusion and has been negotiating a plea bargain with federal prosecutors in Los Angeles.

According to Secret Service investigators and T-Mobile, Jacobsen looked at information from 400 customer accounts and offered to give other hackers access to many more among the wireless carrier’s 16 million users. Investigators said he could access voice messages and e-mail of any customer whose cellphone number he knew.

Investigators said that some in Jacobsen’s circle trafficked in credit cards and other personal information used for fraud, though Jacobsen had no access to T-Mobile credit card data.

The Secret Service said Jacobsen even read e-mails from one of its agents. He also reportedly looked at pictures snapped with T-Mobile Sidekick communicators. Jacobsen was betrayed by an informant inside a major fraud ring shut down in October, court records say.

According to a resume posted on the Internet, Jacobsen grew up in Oregon, where he was home-schooled and attended Umpqua Community College. He launched a small business that, according to an old website, offered computer security services to companies.

By 2003, that company was apparently out of business. In June he moved into a $650-a-month studio apartment that he shared with a girlfriend in a large complex in a run-down area near the Santa Ana Freeway. He told managers there that he made $30,000 a year at a computing job with Pfastship Worldwide Logistics Inc., a small company that sells shipping software.

Pfastship executives declined to discuss their former employee’s history. Jacobsen declined to discuss the charges against him. But former neighbors readily recalled him.

“We were bummed when they took him away,” said Marthen Lumingkewas, manager of Saddleback Lodge Apartments. “We were wondering why, why, why. It was the talk for months around here because he was a friendly, joking, brilliant guy.”

After posting bail, Jacobsen’s girlfriend and his mother helped him pack up and move back to Oregon, former neighbors said.

Simply gaining access to the underground world of high-level hackers would require technical skills, experts said. But some of the veteran software workers with whom Jacobsen corresponded said they found it difficult to believe that he masterminded the mammoth hack at T-Mobile.

Computer security expert Harlan Carvey recalled that his online conversations suggested Jacobsen was “trying to speak from a position of authority” without the required know-how.

He could have carried off the intrusion, however, using published techniques to probe for vulnerabilities or by getting a tip from a more experienced hacker.

Two inches shy of 6 feet and weighing 210 pounds, Jacobsen could also be assertive, online and off.

He expressed concern when a security website made it harder to find stored tools for invading computer networks, asking if anyone had made copies. Both malicious hackers and defensive specialists frequent such sites.

On other sites, authorities said, Jacobsen consorted only with the ill-intentioned variety of hackers known as “black hats.” In a posting to www.muzzfuzz.com, the Secret Service said, he offered to look up the voice-mail passwords of T-Mobile users.

Yet Jacobsen may have tried to keep a foot in both camps and may have changed his mind when he failed to successfully launch a computer security firm of his own.

The name of that company: Ethics Design.