Kevin Mitnick redflagged

Bob Arno and Kevin Mitnick.

At the Atlanta airport last week, a limo driver stood holding a sign marked “Bob Arno.” Next to him stood another driver holding a sign marked “Kevin Mitnick.” You remember Kevin Mitnick, the young hacker imprisoned for five years, released in early 2000. Remember the “Free Kevin” campaign? The guy who popularized the term “social engineering”? Kevin calls himself a non-profit hacker, since he hacked into computer systems for the fun and challenge, and gained nothing of significance.

We knew Kevin would be in Atlanta—we were all there to present at ASIS, the huge security industry conference. But Kevin was flying in straight from a job in Colombia, so we didn’t expect to arrive in sync.

First we social-engineered his driver to learn where Kevin would be staying. Same hotel as us. Then the chatty driver said that Kevin had been due in two hours ago. Huh. We left a note with the driver inviting Kevin to dinner later and left.

The airport parking attendant held us hostage. Our driver had given him the parking ticket, but he wouldn’t raise the barrier to let us pass. Something was wrong with his computer, he said. We waited. After five minutes, we requested our ticket be returned so we could go to one of the other booths, which were all empty. No car was behind us, either. The attendant refused. Bob got out of the car and demanded the ticket back, fed up with our driver’s polite style of dealing with this ticket moron. No luck. The man kept his head down in his glass booth, impervious. Neither logic nor threats worked, and it was twelve minutes before we were allowed to exit the airport parking.

We caught up with Kevin several hours later, and he told a hold-up tale that made thoughts of our little delay evaporate completely. U.S. Customs had detained him and questioned him about his many trips to Colombia.

“I have a girlfriend there,” Kevin said.

“Have you ever been arrested?”

“Yes.” Kevin couldn’t lie to federal agents.

“What for?”

“Hacking.”

“Were you hacking in Colombia?”

“Yes, but that’s my job. I was hacking for a company that hired me, to see if their system is secure.”

As Customs officers began examining Kevin’s luggage, his cell phone rang. It was his girlfriend in Bogota, hysterical. Meanwhile, an officer lifted Kevin’s laptop. Kevin wasn’t concerned about it. He routinely wipes his hard drive before crossing borders, shipping an external drive containing his data to his destination. Everyone in the field of information security knows the Department of Homeland Security’s new policy:

Federal agents may take a traveler’s laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies…

“FedEx called,” the girlfriend said in her poor English, “they found cocaine in the hard drive!”

Kevin’s face went white and was instantly drenched in sweat. He wondered who could have put cocaine in his hard drive: his girlfriend? the packing/shipping storefront where he dropped it off? He assumed, understandably, that the hard drive seizure somehow prompted this Customs search.

“What are you doing here in Atlanta?” the Customs officer demanded.

“Speaking at the ASIS conference, moderating a panel on internet abuses. Here, I’ll show you.” He took the laptop and launched Firefox, intending to open the ASIS keynote web page. First, he hit “clear private data” and glanced at the officer, who instantly realized his own stupidity. The officer snatched back the computer.

HID card spoofer.

Other officers pulled suspicious items from Kevin’s bags. Out came another laptop, which they started up, thinking they’d found gold, unaware that they’d need a password and dongle to access the real guts of that machine. Then they pulled out a large, silvery, antistatic bag and extracted its weird contents.

“They thought they found the mother-lode,” Kevin told us, able to smile in retrospect. And we could imagine why, looking at the thing.

“What’s this, huh?” the agent smirked. Like, how are you going to explain this one away? We gottcha now!

“It’s an HID key spoofer,” Kevin explained to a blank face. “Like your ID card there. You just wave your card at the door to go through, right? I just need to get close to your card and press a little button here. Then I can go through, too. This thing becomes a copy of your card key.”

“Why do you have it?” the officer demanded accusingly.

“Because I demonstrate it at security conferences like ASIS.”

Somehow, Kevin kept his cool throughout four hours of grilling. When he was finally allowed to use a phone, he called an FBI agent who was to be on the panel he’d be moderating, and the FBI agent cleared him.

Having lost so much time, Kevin declined our dinner invitation, since he needed to prepare for his presentation. After listening to his long tale, Bob and I headed out to dinner alone. We found the French American Brasserie (http://www.fabatlanta.com/), quite worth raving about. Although we both ordered moules marinière, hardly a test for a brasserie, we enjoyed the meal thoroughly, along with the decor, ambiance, and service.

Kevin had been red-flagged, of course. He found out later that Customs knew nothing of the cocaine in his hard drive. He also found out that there wasn’t any cocaine in his drive. There may have been a few grains on the outside of the package, but it came from Colombia, right? Still, the drive had to be ripped open to determine that it was drug-free, and it wasn’t clear whether or not the disk itself had been damaged.