Great Rivalries in Cybersecurity: Tsutomu Shimomura vs. Kevin Mitnick

Although many cyber-rivalries are intense, not many of them are packed with enough drama to fuel a full-length feature film. But the 1995 showdown between hacker Kevin Mitnick and security consultant Tsutomu Shimomura did just that, spawning first the non-fiction book and then the straight-to-DVD movie release “Takedown” … hey, nobody said it was a good film.

The confrontation between the two had the dramatic ingredients it took to pique the interest of B-movie Hollywood producers, but by today’s standards, it would look almost quaint, a slapstick version of the darker and more serious hacking attacks we’re now accustomed to hearing about. Although the conventional wisdom at the time was that the good guy won and the bad guy went to jail, developments since have cast this binary storyline into question.

New York Times technology correspondent John Markoff chronicled the game of cat and mouse between Shimomura and Mitnick as it unfolded, and in those more innocent times, it captured the attention of the nation.

Curious Minds, Converging Interests

In the 1980s and early 1990s, hacking was not yet seen as necessarily nefarious, and the term didn’t necessarily denote a bad actor. Having a mind that was bent toward solving puzzles and deconstructing systems to see how they worked was something that existed outside the moral or legal framework that later split the hacking community into black-hat and white-hat camps.

It didn’t even necessarily start with information technology. Like many of the early generations of information security researchers, Shimomura had leaned toward harder sciences initially. He studied physics under Nobel laureate Richard Feynman and worked at Los Alamos National Laboratory. In 1989, he took a position at the San Diego Supercomputer Center, researching computational physics.

Working with the big iron computers and networks used in advanced physics simulations also gave Shimomura some real programming street cred, and his work gradually leaned heavily into computer security. Shimomura became known as a hacker of no small repute, albeit one who occasionally consulted with the NSA and used his knowledge to assist system administrators and programmers in securing their systems.

Like many hackers, he had an interest in telecommunications systems, and by the mid-90s, he was known to be one of the leading researchers looking at the security issues endemic to the growing cellular phone network at that time.

Kevin Mitnick was already well-known and once convicted by that time. An inveterate hacker, he’d been circumventing control systems since he was thirteen, when he had used social engineering and some clever dumpster diving to bust open the L.A. bus system and give himself free trips anywhere in the city. His curiosity eventually led him to information technology, and he brought his habit of poking at the cracks in systems right along with him. Caught stealing software from DEC systems, he was convicted of the crime in 1988.

He served a year in prison and was at the tail end of a three-year probationary period when the bug bit him again, and he cracked into Pacific Bell’s system. Caught again, and facing more jail time, Mitnick went on the lam.

Hacking The Hackers

Knowing that hacking from a fixed landline would quickly get him caught again, Mitnick turned his attention to cellular phones for mobile network access. Needing specialized software to hack the cell phones but not being a particularly accomplished coder, he naturally went looking for someone to steal the code from.

Which was how he found Shimomura.

Although Mitnick was not known for his technical skills, he employed an elegant and elementary technique on Christmas Day in 1994, taking advantage of the fact that Shimomura would be out of town to attack his home. The TCP/IP protocols underlying the Internet were never designed to provide security, and the versions in use at the time had a number of flaws built into them. Mitnick used techniques called source address spoofing and TCP sequence prediction to impersonate another, trusted computer to connect to Shimomura’s home server and gain root access.
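Why sequence prediction worked against stacks of that era, and why the later keyed-hash design in RFC 6528 closes the gap, shown as an added example that is not part of the original article. The addresses, ports, counter values and the choice of HMAC-SHA256 as the hash are assumptions made for illustration.

```python
import hashlib
import hmac

MOD = 2 ** 32  # TCP sequence numbers are 32-bit


class LegacyISN:
    """Assumed model of an old stack: one global counter, fixed step per connection."""

    def __init__(self, start, step):
        self.counter, self.step = start, step

    def next_isn(self, four_tuple, clock):
        # The peer's identity and the clock play no part in the result.
        self.counter = (self.counter + self.step) % MOD
        return self.counter


class KeyedISN:
    """RFC 6528 shape: ISN = M + F(4-tuple, secret). F is HMAC-SHA256 here (assumption)."""

    def __init__(self, secret):
        self.secret = secret

    def next_isn(self, four_tuple, clock):
        digest = hmac.new(self.secret, repr(four_tuple).encode(), hashlib.sha256).digest()
        return (clock + int.from_bytes(digest[:4], "big")) % MOD


def extrapolate(samples):
    """Naive audit guess: last observed ISN plus the last observed delta."""
    return (samples[-1] + (samples[-1] - samples[-2])) % MOD


def audit(generator, probes=4):
    """True if ISNs handed to one peer reveal the ISN handed to a different peer."""
    # Constructed sample connections: (remote ip, remote port, local ip, local port).
    observer = [("10.0.0.9", 40000 + i, "10.0.0.1", 8080) for i in range(probes)]
    other_peer = ("10.0.0.2", 1023, "10.0.0.1", 8080)
    seen = [generator.next_isn(t, clock=1000 * i) for i, t in enumerate(observer)]
    actual = generator.next_isn(other_peer, clock=1000 * probes)
    return extrapolate(seen) == actual


if __name__ == "__main__":
    print("legacy counter predictable:", audit(LegacyISN(start=1000, step=64000)))
    print("keyed hash predictable:   ", audit(KeyedISN(b"constructed-secret")))
```

With the global counter, any host that can open its own connections learns the value the server will hand to a different peer, which is what makes address-based trust unsafe; the keyed hash gives each connection tuple its own unpredictable offset.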

He downloaded the software he wanted and the game was on.

Shimomura, naturally, took the affront personally. A series of creepy phone calls purporting to be from the hacker alleging that “My kung fu is superior” didn’t help (although these later proved to have been left by an unrelated third party). When a copy of his stolen software turned up on a server at the San Francisco-area service The Well in January, Shimomura jumped on the evidence logged there and began stalking the attacker’s trail back through a dozen systems, eventually identifying him and narrowing his location down to somewhere in Raleigh, North Carolina.

But somewhere in Raleigh was as close as he could get—Mitnick was using cellular connections to obscure his true position. Shimomura, with the assistance of the cellular company (and, by this time, the FBI, which became involved when the attacker was identified as Mitnick, still wanted for other crimes) could narrow the connection down to a single cellular site, but that left hundreds of residences within range.

Mitnick, however, was not as safe as he assumed. In February 1995, Shimomura met an FBI radio surveillance team in Raleigh and, again with the cooperation of the cellular company, tracked down the exact apartment Mitnick was operating out of using radio direction finding. When the federal agents captured him, he was found with more than 100 cloned cellular phone codes, false ID, and cloned phone hardware. Mitnick was eventually sentenced to six years in prison, most of it in solitary confinement because the judge was afraid he would hack the payphone that was available to prisoners in the general population.

In the End, Mitnick Emerges as a Respected Cybersecurity Professional

Despite being on the losing end of the exchange, Mitnick has in many ways become the better known and more respected cybersecurity professional today. Mitnick’s hacks had rarely been damaging and his sentence was seen as excessive by many, leading to a certain rehabilitation of his reputation even while he was still serving time.

“Takedown,” while it popularized the confrontation, was later criticized as portraying a rather inaccurate, one-sided perspective. The film, starring Tom Berenger, wasn’t exactly a box office success in the United States, considering it skipped the box office altogether and went straight to DVD.

Since his release from prison in 2000, Mitnick has operated on the other side of the law, working as a paid security consultant, popular lecturer, and best-selling author. He is particularly well-known for helping businesses harden their systems against the same kind of social engineering attacks he was notorious for conducting.

Shimomura, on the other hand, moved out of cybersecurity work and into semiconductor development, founding Neofocal, a startup creating smart LED networks. Having prevailed over the most legendary hacker in the world, perhaps there were simply no more cybersecurity worlds left to conquer.