Contents
* * *
Title Page
Contents
Copyright
Dedication
Epigraph
Author’s Note
The Hacker Next Door
Course 19
Inside Out
The Coffeehouse Club
Earth to Alien
A Death in the Family
In Security
Up All Night
I Spy
Wild Wild Web
A Hackable Heart Transplant
Agents and Jedis
Capture the Flag
Check, Please
Up in the Air
Europe on Five Hacks a Day
Owner’s Manual
The Bartender
The Best Around
Phoning Home
Fast Forward
Acknowledgments
About the Author
Connect with HMH
Copyright © 2019 by Jeremy N. Smith
All rights reserved
For information about permission to reproduce selections from this book, write to [email protected] or to Permissions, Houghton Mifflin Harcourt Publishing Company, 3 Park Avenue, 19th Floor, New York, New York 10016.
hmhbooks.com
Library of Congress Cataloging-in-Publication Data
Names: Smith, Jeremy N., author.
Title: Breaking and entering : the extraordinary story of a hacker called “Alien” / Jeremy N. Smith.
Description: Boston : Houghton Mifflin Harcourt, 2019. | “An Eamon Dolan Book.”
Identifiers: LCCN 2018024873 (print) | LCCN 2018035206 (ebook) | ISBN 9780544911222 (ebook) | ISBN 9780544903210 | ISBN 97805449032109 (hardcover)
Subjects: LCSH: Alien (Hacker) | Hackers—United States—Biography. | Computer security—United States. | Computer crimes—United States. | LCGFT: Biographies.
Classification: LCC HV6772.A5 (ebook) | LCC HV6772.A5 S55 2019 (print) |
DDC 005.8092 [B] —dc23
LC record available at https://lccn.loc.gov/2018024873
Cover design by Albert Tang
Cover photograph © Shutterstock
Author photograph © Sepp Jannotta
v1.1218
“Song to the Earl of the River” from The Pocket Tao Reader by Eva Wong, © 1999 by Eva Wong. Reprinted by arrangement with The Permissions Company, Inc., on behalf of Shambhala Publications Inc., Boulder, Colorado, www.shambhala.com.
To my guides on this journey,
who led me to new worlds
&
To Carl Smith and Crissie McMullan,
who helped me get home
Things are not always as they appear. This is true of locks, doors, walls, and people.
—Keshlam the Seer, “Hacking Tips”
Author’s Note / /
Names and other identifying characteristics have been altered to protect people’s privacy. For the same reason, in a limited number of instances I have changed dates or combined individuals.
Preface / /
The Hacker Next Door
Tall and tan and young and lovely . . .
It’s Saturday night at Bally’s Las Vegas and I follow a woman in black leather—jacket, skirt, boots—down the center of the casino floor. Her hair—also black—is twisted atop her head and held in place with chopsticks. She has on red lipstick and knee-high red polka-dot socks. A portable speaker clipped to her purse plays “The Girl from Ipanema.”
The woman—thirty-three years old? thirty-four?—passes tables for blackjack, three-card poker, and craps. Players turn from their chips to the source of the music. Several smile, entreating her to join them, but she continues through a thicket of ringing, whirring slot machines, emerging again in front of the casino elevators.
There’s a long line here, perhaps two hundred people, stretching to the end of the hallway and around a corner. Almost everyone is trying to get to the pool party a floor below or to the dozen other parties in Bally’s Skyview rooms twenty-five floors above. Making sure no one cuts are two huge bouncers with crossed arms and dark red badges that say GOON.
The woman does not join the line. She smiles at the bouncers. The bouncers do not smile at her. They do recognize her, however.
The woman is a hacker. The bouncers are also hackers. And so are the two hundred people in line, and the several thousand already partying above or below.
In fact, there are close to twenty thousand hackers in Vegas this weekend.
“Access approved,” the bouncers say to the woman. They part—special treatment—and the woman passes between them: first in line.
The next elevator is hers alone.
Or ours. “I’m with her,” I tell the bouncers, and squeeze through before they can stop me.
A door opens and the woman and I step in together. “This is crazy,” I say. “Is it always this crowded?”
The woman rolls her eyes, seemingly put off that of all the questions I could ask right now, I choose this one.
As it turns out, for the next year my life will largely become a series of such strange questions and the even stranger answers she provides.
Of all the ways I might have expected to start hanging out with a hacker, perhaps the last was an impromptu playdate for my daughter.
Alien recognized me first. We had met briefly, fifteen years earlier, when I was a senior at Harvard and she was a sophomore at MIT. By chance, we ran into each other again one fall afternoon. Each of us was out with our preschool-age daughter. Amazing—great to see you again! And the girls liked each other. Can we play together? they asked. Please?
We agreed. Our daughters cheered—and then ran off to a set of swings. We chatted casually for a few minutes. Then I asked Alien—not that this was the name I knew her by—what she was working on these days.
“Well . . . ,” she said. “Tomorrow morning, I have to break into a bank.”
My old acquaintance, I learned, was a professional hacker—or, as she put it to corporate clients, “a penetration tester and digital forensics specialist.” When institutions or individuals needed to test their security, either physical or virtual, she and her team were guns for hire. And if you’d already been breached, they’d identify what had been stolen, how, and by whom—plus recover any lost information and try to ensure that the problem wouldn’t happen again.
Even with frequent media coverage, hacking is actually dramatically underreported, Alien told me. Only a small fraction of discovered hacks are disclosed to the public. And most hacks are never discovered in the first place.
She knew because, time and again, she or her close associates had either done the hacking or cleaned up after someone else had.
I liked talking to Alien and she liked talking to me. Further conversations (and playdates) led to increasingly revealing accounts, including, at my request, stories about her personal and professional experiences with hospitals and law firms, airlines and art museums, police departments and the Pentagon. She also talked about finding community, fighting assholes, falling in love, and forming a mature adult life within the larger hacker world—topics completely missing in most accounts of hacker culture.
Some hackers have a well-deserved reputation for bragging, exaggeration, obfuscation, and outright lies. Alien, however, seemed modest by nature—earnest, soft-spoken, and reserved. (I had yet to encounter her as the leather-clad woman who parted the Red Sea of bouncers in Vegas.) Before becoming a writer, I’d logged time as a computer programmer, and I had enough early hacking experiences of my own to follow the outlines of her radically more sophisticated—and perilous—exploits. Every detail I could verify checked out.
One Sunday afternoon, when I was in t
own again where she lived, I asked Alien if I could meet her at her office. “Pretend I’m a potential client,” I said. “Give me the big picture.”
Alien agreed. “Here’s what you probably know,” she told me from across a conference table. “Hackers can break into your computer and cell phones, your company network or the network of anyone you do business with. They can read your email and texts, steal your business plans and credit card numbers, or take over your online identity in order to hack someone else.”
I nodded, shifted uncomfortably in my seat, and turned off my phone.
“Here’s what you probably don’t know,” she continued. “Only about thirty percent of hacks target a specific individual or institution. Some seventy percent are opportunistic—hackers trying to break into anything they can, and pursuing opportunities behind any open door. If your information is valuable to you, it’s valuable to someone else. No one is too ‘boring’ to be hacked, and everything has a price on the hacker black market.”
I tried to seem savvy and unfazed. In reality, I wanted to go home and turn off everything.
Not so fast. “Physical access is almost as easy,” Alien said. Someone with skills like hers could enter my home or my hotel room, my office or my safe. She could copy ID cards, impersonate customers or employees, tap directly into phone lines or data centers, and uncover surprising secrets from my trash.
I’m moving to a farm, I told myself. I’m going off grid. I’m bringing my family. And I’m buying a shredder.
At this point the formal presentation started. For an hour, Alien walked me through examples of hack after hack. The health insurer Anthem. Retailers Target and Home Depot. Even security companies like encryption pioneer RSA and defense stalwart Lockheed Martin. The more I learned, the more I was surprised—and alarmed—by how pervasive hacking was and how diverse its forms and targets could be.
It was a story I wanted to share with others.
“Hacking today is a profession,” Alien concluded. “There are well-organized cybercriminals, loose confederations of defenders, and governments and businesses often more motivated to maintain the status quo than to safeguard individuals.”
“Who are you?” I asked. “A good guy or a bad guy?”
Alien shrugged. “That depends on who you are.” At this very moment, she was willing to wager, there were hackers just like her, sitting in a room a lot like this one, only in China or Russia, Israel or Nigeria, England or elsewhere in the United States. “They’re the bad guys to me. I’m the bad guy to them.”
I closed my eyes and tried to remember the quiet eighteen-year-old woman I’d met half a lifetime ago. How did she become this . . . badass? And, given that her career spans the entire twenty-first-century history of hacking, what could she teach me about the evolution of a tiny subculture to an ever more powerful industry, both illicit and legitimate, touching all of us today?
I asked Alien to turn off the PowerPoint. “I want to buy you a drink,” I said. “And I want you to tell me your story. But this time, I want you to start at the beginning.”
// Part I:
Course 19
01 / /
Inside Out
Cambridge, Massachusetts. August 1998.
It was a beautiful seventy-degree night in late August. At two a.m., a young woman wearing one red sneaker, one orange sneaker, jeans, and a big, baggy button-down shirt stood in front of the public computer terminal in the empty lobby of her temporary dorm. She squinted, studying the screen. “Choose your username,” it said.
Her first day at MIT—and already a test.
The default was “ETessman”—her first initial and last name. Boring, the woman thought. Like something her parents would have picked. Mom spent her days running the one-room restaurant supply store in Hoboken that the woman’s great-grandfather, a Russian Jewish immigrant, had founded in 1915. Dad had his own small accounting firm. When she was growing up, they had been so protective that they barred her and her younger sister from crossing the street alone. Once, when she double-pierced her ears without permission, they grounded her for six months. Now, at long last, she felt free to choose her own identity.
But what?
Rock music blared in an adjacent courtyard—a party put on by one of the fraternities to recruit her fellow first-years. Finish this little login ritual and she could run out and join them. After seventeen years in stifling conformist suburbia, she could finally play.
With seven stabs of the Delete key, the woman erased all but the first two letters of the suggested name. “ET,” it said now. Much cooler. She hit Enter.
“Too short.” The grayish-blue dialogue box rejected her. “Try again.”
She thought. This should be easy. Creativity was her strong suit. Harvard was just a mile and a half away, but MIT was arguably the better school—the best private research institution in the world, by many rankings. A serious place for uniquely brilliant people. Yet she had received a D in math her freshman year in high school. And because she was consistently late to school, she had a long list of unexcused absences from first-period physics. Unlike the typical MIT entrant, she wasn’t an expert or genius or prodigy in anything. Especially not anything technical.
Her admissions application essay had gotten her into this place when her grades alone couldn’t. In the essay—two thousand words when the limit was supposed to be five hundred—the young woman had described an abduction by well-meaning aliens. At the end, the aliens offered to make all human beings think and act exactly alike so there would be peace on Earth. To their surprise, the woman refused, preferring individual choice and variety, whatever the consequences. The essay was a thinly veiled plea: Get me out of suburban New Jersey. And so MIT—either by mistake or out of a wicked sense of amusement—had.
Aliens. The woman smiled. Like E.T., but even better.
Without another thought, she typed a-l-i-e-n and hit Enter.
The initial dialogue box disappeared, replaced by a second prompt to create a password.
Okay, Alien, she told herself. Welcome to MIT.
Tie-dyeing and stilt-walking, deep-frying and drilling. Balloon animals. Tire swings. Mud-wrestling matches. DIY cannons, catapults, and trebuchets. All-you-can-watch cartoons or Star Trek episodes. All-you-can-eat burgers, Pop Tarts, or ramen. This was Rush at MIT.
Rush was the right word for it. Ten days before classes started, one thousand freshmen arrived at randomly assigned dorms on campus. Everyone knew not to get too comfortable. In a week, all but a handful would move out again, choosing different permanent housing from among MIT’s fifty-plus student-led living groups. You arrived, you chose, you moved. It was crazy, but that was MIT. Sink or swim.
Alien explored the scene all afternoon and well into the evening. The living groups competed fiercely for recruits, often via spectacular combinations of architecture, engineering, and pyrotechnics. One living group built a spinning amusement park ride from scratch in their courtyard, for example. Another made an LED dance floor. A third set off fireworks. A fourth boasted a steer roast. A fifth offered rapid passage from the top floor to the ground level of their residence via a fire pole instead of the “hassle” of an elevator or stairs.
“Want your hair dyed?” a woman at one of the student living group booths asked her.
Alien nodded emphatically.
“What color?”
“Red and blue.”
Several other freshmen picked red or blue, but not both. Over the next few hours, whenever one of them passed Alien, he or she nodded approvingly, and Alien nodded back.
Soon it was midnight. This was two hours past curfew at home, but Alien, a born night owl, had finally found her natural habitat. If she could help it, she didn’t intend to be asleep before four a.m. the entire semester. What to do now?
She took off her backpack in the student center and consulted the stack of handouts and fliers various living groups had pushed on her from their recruiting booths. There was another frat party, but t
hat was too far. A water polo contest, but that was too cold. A “cruft”-smashing activity—“cruft” being an MIT term for old electronics—but she didn’t quite see the point.
Finally her attention turned to a slip of bright orange paper half the size of an index card, crumpled under everything else in the bottom of her bag. When Alien smoothed out the slip to read it, she found a shorter—and surely more mysterious—invitation than that in any other handout:
“Meet in the East Campus courtyard tonight at midnight for a real tour of MIT.”
It was already at least ten minutes after midnight. If she wanted to know who or what was behind this invitation, she’d have to hurry.
Outside the student center, it was completely dark. Alien retreated briefly back indoors to find her bearings and chart a path to the East Campus courtyard on a campus map. When she pushed the door open again, gusts of wind blew up dust.
Save for a single speeding taxi, Massachusetts Avenue—the wide thoroughfare splitting the campus in half—was empty. Still, Alien looked both ways before crossing the street to the grand stairway and soaring columns of Building 7, the main entrance to MIT. Inside, she entered a lofty windowed vestibule—Lobby 7, naturally—and the start of the Infinite Corridor: a chute-like 825-foot-long hallway leading through five separate buildings.
Alien ran through it, ignoring a handful of other students she passed en route, late-night workers illuminated by weak light inside classrooms and laboratories, and the various signs and posters promoting different majors and upcoming events. Still, by the time she was outside again, it had to be closer to twelve thirty than to midnight.
Cutting hurriedly across courtyards, Alien finally found herself out of breath before the East Campus courtyard’s red metal picnic tables. It was quiet here—and seemingly empty. She was alone. Alien sat down and caught her breath, unsure whether to be disappointed or relieved. She stared past tree branches rocking in the wind to the crescent moon.
Breaking and Entering Page 1
