Criminal Exploits of Super Hacker Described as More Myth Than Fact

The hero was Tsutomu Shimomura, a cool, brilliant scientist who brought an evil hacker to justice as a matter of honor, and whose good looks and flowing mane had women scouring the Internet for his e-mail address.

The villain was Kevin David Mitnick, a dangerous, antisocial computer wizard, a thief who stole 20,000 credit card numbers, who legend has it broke into the North American Air Defense Command computers as a teenager and later wreaked millions of dollars in damage on corporate computer networks.

The day after his arrest in connection with a daring and mysterious Christmas Day 1994 break-in on Shimomura’s computer, Mitnick’s bloated, sullen face peered out from newspapers across the country--the uber-hacker in custody.

What unfolded was a tale of derring-do that seemed too good to be true--and much of it was.

After the fanfare over his arrest, prosecutors dropped 22 federal counts against Mitnick in exchange for his agreement to plead guilty to a single count of possessing the cellular phone numbers that he was using illegally to make free calls.

And despite some hyperbolic jacket promos--”He was the world’s most notorious computer outlaw. Invisible. Incorrigible. Unstoppable. Until he crossed the wrong man. . . .”--three books due out this month knock down the widely circulated proposition that Mitnick was sophisticated and nefarious enough to single-handedly topple the Internet.

The first whisper of Kevin Mitnick’s latest exploits came in a January 1995 front-page New York Times story that outlined the infiltration of Shimomura’s computer in San Diego--an extremely sophisticated maneuver based on obscure security flaws in the very fabric of the Internet.

What added to the stakes considerably was that Shimomura was a top computer security expert, employed by the San Diego Supercomputer Center.

It was this break-in that started Shimomura on the chase, first by painstakingly reconstructing the perpetrator’s original attack. The trail led to Raleigh, N.C., where, after days in the back of a roving van spent tracing Mitnick’s late-night cellular phone calls, Shimomura found him on Feb. 15.

The only trouble with the story is that everyone now acknowledges that Mitnick didn’t have the technical expertise to pull off the attack alone.

“It’s highly probable, in fact darn near a sure thing, that Kevin Mitnick was not the one who broke into [Shimomura’s] machine,” said Jeff Goodell, the author of one of the three books, “The Cyberthief and the Samurai.”

“The sophistication of the attack virtually precludes Kevin from having done it without some help,” Goodell said.

All three books acknowledge that Mitnick must have had help, though the only possible suspect is given as a shadowy Israeli hacker. But in the script that unfolded in news reports, Mitnick was a lone, master hacker, capable of doing almost anything with a computer or even just a phone.

In reality, Mitnick’s technical skills were only fair. Where he excelled was in the area known to hackers as “social engineering”--talking people into giving out information by pretending to be a supervisor or befuddled new employee.

“He piggybacks off other people’s knowledge,” said Katie Hafner, a Newsweek senior editor who profiled Mitnick in a 1991 book co-authored with the New York Times’ John Markoff, who broke the news of Mitnick’s arrest and is accused by some of hyping the story. Markoff and Shimomura, longtime friends, also have a book out this month, “Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw--By the Man Who Did It.”

Mitnick, dubbed by the Times as “the FBI’s most wanted hacker,” has broken the law numerous times. Only 32, he has been arrested six times and served jail sentences for his computer crimes--his first arrest coming at 17 when he brazenly walked into a Pacific Bell office and took a handful of computer manuals and codes to digital door locks.

Mitnick was reared in the Los Angeles suburb of Panorama City by his mother, who divorced his father when he was 3. An overweight, lonely teenager, he dropped out of high school and found friends only when he stumbled into the world of “phone phreaks”--teenagers who used stolen phone codes to make free long-distance calls.

Phones led to computers, and Mitnick showed himself to be a persistent, if not stellar, hacker. Enthralled by the possibility of using computers to gain power and control, rather than riches, Mitnick had no use for legal standards of privacy or intellectual property. From his teens on, he broke into voice mail and computer systems, rifled through private files and taunted those who crossed him.

Another side of Mitnick becomes clear in his many hours of conversations with investigative journalist Jonathan Littman during his year on the run, some reprinted verbatim in the author’s new “The Fugitive Game: Online with Kevin Mitnick.” At times friendly, at times clearly troubled, Mitnick seems less a global threat than a fearful, disturbed young man, more annoying than vindictive.

Under closer examination, many of the stories told to illustrate the danger that Mitnick posed fail to pan out. For example, in all her research, Hafner said she could find no evidence that the NORAD story was anything but a myth.

“Kevin really takes the rap for a lot of stuff he didn’t do,” she said.

Some people have earmarked $4 million as the damage figure stemming from Mitnick’s 1988 hacking into the computers of the Digital Equipment Co., a crime for which he served a year in jail. But the Los Angeles Times later estimated the true cost probably was closer to $160,000, including lost computer time and human labor.

And though a computer file containing 20,000 credit card numbers copied from the Internet service provider Netcom was found on Mitnick’s computer after a 1994 arrest, there is no evidence that he ever used any of the accounts.

“The fascinating thing about this case is that his past and current crimes have been exaggerated,” Littman said of Mitnick, who is being held in Los Angeles’ Metropolitan Detention Center.

“He has committed crimes--but he should be charged and sentenced on what he really did, not the hysteria of the last year.”