Summary8 min read

Risky Business: How the World Got Owned – Episode 2: The 1990s, Part One

Podcast Date: April 3, 2026
Hosts: Patrick Gray, Amberly Jack
Notable Guests: Jeff Moss, Kevin Mitnick, Chris Wysopal, Aleph1

Overview: The Evolution of Hacking in the 1990s

This episode of Risky Business dives into the explosive decade of the 1990s in the hacking community—a time marked by the rise of iconic hacker gatherings (DEF CON, Black Hat), tighter legal crackdowns, tension around vulnerability disclosure, and stories of early digital pioneers transitioning from playful curiosity to high-stakes crime and eventual reform. Through candid interviews with legendary figures (Jeff Moss, Kevin Mitnick, Aleph1, Chris Wysopal), the podcast explores how a tight-knit, chaotic community laid the foundations for both cybersecurity’s professional culture and “hacker lore,” tracing how the world really did get “owned.”

Key Discussion Points & Insights

1. The 90s: From Innocence to Action

The 80s saw hacking as curious and exploratory; by the 90s, “everything started popping off”: stricter laws, people on the run, communities forming, and infamous events unfolding.
The decade saw major milestones, such as the founding of DEF CON and Black Hat.

“All those laws that weren't laws in the 80s, people were now getting pinged for those and responding by going on the run from the Fed.”
—Amberly Jack (02:29)

2. “The Golden Age” of Hacking

Jeff Moss (founder of DEF CON and Black Hat) describes the 90s as a time when a few skilled individuals could control or understand much of the Internet.
The hacking community felt small, approachable, and united by a sense of “secret knowledge.”

“Anything was possible. Individuals could make huge contributions... Those people had the skills to just basically be the lords of the Internet.”
—Jeff Moss (04:06)

3. Community, Ego, and Camaraderie

Early hacker culture in the Bay Area, especially on BBSes, was equal parts collaborative and competitive, with one-upmanship often masking real camaraderie.
Egocentric clashes were common, but so was the free sharing of manuals, exploits, and ideas.

“There's a lot of egos... people raising each other to do something first or to claim credit... but within that there's also a lot of deep friendship and camaraderie and sharing.”
—Aleph1 (07:02)

4. Media, Myth, and Mainstream Anxiety

Mainstream media and Hollywood seized on hacking in the 90s, often fueling public hysteria and misinformation.
Notable moment: the first ever website defacement targeted the Hackers movie site (1995) with hackers mocking the film’s accuracy.

“There was a whole lot of misinformation, almost like hysteria around some of this stuff... hackers will blow up your television set or can blow up your computer.”
—Jeff Moss (08:12)

Sharing manuals and dumpster diving for information were the real reality—far from Hollywood’s imagined criminal underworld.

“We would go dumpster diving like a couple times a month and different people would just bring their haul back and we would sift through it and we would keep the good stuff.”
—Chris Wysopal (10:23)

5. IRL Cons: Finding Your Tribe

Physical gatherings (HOHO Con, SummerCon, and eventually DEF CON) became essential touchstones for hackers, offering acceptance for outsiders and forging deep connections in a text-based world.

“A lot of people from disadvantaged communities, a lot of people from the LGBTQ community. You know, it was a pretty accepting community for all kinds.”
—Chris Wysopal (11:47)

The scene wasn’t utopian—bullying, slurs, and exclusion happened, especially given the lack of real-world context in early online interactions.

“I don't want to make it sound like it was all like Kumbaya...there was still fights and...people that acted poorly towards each other...”
—Chris Wysopal (12:29) “There was no video, no audio...you didn't know their gender, you didn't know a thing about them.”
—Jeff Moss (13:08)

6. The Birth and Bloat of DEF CON

DEF CON’s origin story was serendipitous: started as a farewell party for a Canadian bulletin board operator, it became a legendary, inclusive event—entry was a $20 bill in an envelope.

“I’d love to take credit for this genius insight to open up the community, but it was me being lazy and kind of pissed off that I was not included.”
—Jeff Moss (16:08)

Early DEF CONs leaned into “Fed paranoia” by inviting authorities and even incorporating “Spot the Fed” as a game.

“The first year or two, everybody got caught because they wore penny loafer shoes. No hacker wears penny loafer shoes or khakis.”
—Jeff Moss (19:51)

The event grew rapidly, eventually outgrowing any one person’s ability to keep tabs on it—ushering the era of hacker “rockstars” and elaborate antics.

“I just count myself being really lucky to have been in the right place at the right time, taking the right risks, meeting the right people that didn’t treat me wrong...”
—Jeff Moss (22:00)

7. Crackdowns: Operation Sun Devil and the Rise of the EFF

Operation Sun Devil (1990): coordinated secret service raids on BBSes, marked both real and overhyped law enforcement intervention.
The fallout led directly to the founding of the Electronic Frontier Foundation (EFF), which championed digital rights and provided legal support for those caught up in the raids.

“The raids and the huge publicity...also led to the formation of the Electronic Frontier Foundation, which was founded by Grateful Dead lyricist John Perry Barlow.”
—Amberly Jack (18:56)

8. Crossing the Line: Money, Crime, and Consequence

The decade saw a shift from curiosity and mischief to hacking as a profitable (and prosecutable) endeavor.
Kevin Paulson’s story exemplifies the era’s complexity: becoming a “hacker for hire” while on the run, rigging radio phone-in contests to win prizes for survival.

“So we got some really cheap office space. We put in a bank of phones...We would let 50, 60 calls go through...they get to the 100th caller and we're on the phone and acting excited. This was my primary source of income...”
—Kevin Mitnick (35:31)

9. Life on the Run and Its Costs

Mitnick spoke of the dual thrill and isolation of living under an alias, the psychological toll, and eventual capture.

“I couldn't see a future for myself, right, because I was hiding out from the feds...I couldn't visualize a future for myself. And that wears on you and it becomes depressing.”
—Kevin Mitnick (36:33)

Getting caught was both “jarring” and, in an odd way, a relief.

“What I remember is how jarring it was just as an interruption to my day...That was really my first thought was, you know, I'm not going home. Who's going to feed my cat here?”
—Kevin Mitnick (38:11) “It was nice in a way to be able to just be myself again, to use my name and to not be pretending anything anymore. That was a relief.”
—Kevin Mitnick (38:34)

10. The Aftermath: Realization, Reform, and Parallels

Mitnick accepted responsibility, drawing comparisons with other inmates to gain perspective on justice and punishment.

“I learned, like, to stop feeling sorry for myself very quickly...even as much time as I wound up doing it was like nothing compared to what most of these guys were facing now.”
—Kevin Mitnick (41:38)

He later transitioned into journalism, seeing strong parallels between hacking’s and journalism’s lust for exploration and truth.

“Journalism, it kind of scratches a lot of the same itches as hacking...you get interested in something, you get to look into it and you can dive deep.”
—Kevin Mitnick (42:32) “I can talk to a hacker or a criminal of any kind, and they don't get any sense that I think I'm better than them...I've talked to very, very few hackers that have done anything worse than what I used to do.”
—Kevin Mitnick (43:24)

When asked whether he’d be drawn into hacking in today’s era, Mitnick is unsure. The allure was unique to the varied technologies and culture of the telephone network.

“If I was turning 16 right now, I don't actually know if I'd have wound up like in that kind of trouble or drawn into something like that again.”
—Kevin Mitnick (44:45)

Notable Quotes & Memorable Moments

"If you were around them, you could sort of figure out how the whole world worked." —Jeff Moss (00:08)
“The hacking stuff was...fun at that age, right? Being...free, completely unaccountable. Not having a day job, like that was my thing.”
—Kevin Mitnick (35:43)
“It wasn't camp, but...they ended up finding their tribe or their community...I'm proud I didn't F it up.”
—Jeff Moss (20:12)
“I fell behind on the rent for the storage locker. And they cracked it open and they found all this stuff...and then they called the FBI.”
—Kevin Mitnick (32:53)
“I said, well, DEF CON is going to be. You don't need to be invited. All you need to do is get a $20 note, put it in an envelope and mail it to Jeff and you're in.”
—Amberly Jack (15:54)

Timestamps for Key Segments

00:08–04:06 – Reflections on the Golden Age by Jeff Moss
05:50–07:30 – Aleph1 on the early Bay Area scene, egos, and camaraderie
08:12–09:47 – Jeff Moss on media hysteria and the first website defacement
10:23–11:41 – Dumpster diving; in-person cons and community diversity
12:29–13:53 – Chris Wysopal and Jeff Moss on exclusion, bullying, and online anonymity
15:25–17:01 – The founding story of DEF CON and its open, anarchic roots
17:01–19:22 – Operation Sun Devil and the genesis of the EFF
20:06–22:00 – DEF CON’s rapid growth and shifting social dynamics
28:33–36:33 – Kevin Mitnick on entering hacking, phone phreaking, crime, life on the run
38:11–38:34 – The emotional impact of getting caught and the relief afterward
42:32–44:18 – Parallels between hacking and journalism; ethics of reporting

The Takeaways

The 1990s were a transformative era for hacking: curiosity gave way to audacious feats, playful mischief turned to profit, and ostracized loners found family in fledgling tribes. Laws formed, legends were made, and the world’s digital spine became both playground and battlefield. The voices in this episode vividly convey how tightly the personal, the technical, and the political became intertwined—and lay the groundwork for the hackers, defenders, and stories that would shape cybersecurity for decades.

Loading summary

Transcript117 lines

[00:08]
Jeff Moss
In that room, those people had the skills to just basically be the lords of the Internet. And if you were around them, you could sort of figure out how the whole world worked.
[00:18]
Kevin Mitnick
I couldn't see a future for myself, right, Because I was. I was hiding out from the feds.
[00:23]
Chris Wysopal
There were slurs and there was other things that happened. And I don't want to make it sound like it was all like, Kumbaya, Rosie, because it wasn't.
[00:32]
Aleph1
There's a lot of egos. Anytime you have, like, folks that are smart, they know they're smart, they think they're smart, that there's also going to be a lot of egos involved.
[00:42]
Patrick Gray
This is how the world got owned. The Risky Business Media documentary series about the history of hacking. I'm Patrick Gray, and this is part one of our second installment in this series, a look at hacking in the 1990s. Of course, we've already published our 1980s episode. If you missed that, you can go back and find it in our feed or on our website at Risky Biz. But yes, today we are looking at the 90s. And joining me now is the presenter, the producer, the interviewer, and the editor of this whole project, Amberly. Jack. Amberly. How's it going, Patrick?
[01:19]
Amberly Jack
G'. Day. I'm doing good, man. I'm. I've emerged from a couple of very deep rabbit holes looking into the 1990s, and I'm excited. This one's going to a good one.
[01:28]
Patrick Gray
Yeah. So basically what happens is Amberly does a whole bunch of interviews and then disappears into a cave where she listens back to all of the audio and then. And then what comes out is, is a documentary. I should mention, too, before we get going, that all of this work is brought to you by Sentinel One, the security company, the cyber security firm. And, you know, Sentinel One is all about the future. They've done their big AI push and off they go into the future. So they have commissioned us to take a look at the past, back on the past of hacking. And we will be hearing from one of the Sentinel Oners a little bit later on in this podcast. But look, Amberly, let's get into this. This is going to be so much fun. Why don't you, why don't you set the scene for us? The 1990s. Because, look, as everyone's going to hear it, like, you know, we talked about the 80s. That was very early days, hacking and whatever. And the 90s was. I mean, you could certainly call it an action decade, right, when it comes to computer security.
[02:30]
Amberly Jack
Yeah. For sure. And as you mentioned, you know, we look back at the 80s and the 80s seemed very kind of innocent and curious and exploratory. And then the 90s came along and it just felt like everything started popping off. All those laws that weren't laws in the 80s, people were now getting pinged for those and responding by going on the run from the Fed. So we've got a couple of those stories coming up. It was also the decade where DEF CON and Black Hat were started as well. So gonna have a chat to Jeff Moss, the founder of both of those. And later on, particularly in the decade, there became, I guess, a real disconnect between vendors and hacking communities. There was a lot of, I guess you could call it animosity around kind of bug disclosure and full disclosure and gray hat hackers. And so gonna have a chat to two people, Elias Levy, who wrote a very famous buff of overflow paper Smashing the Stack for fun and Profit in frack magazine 30 years ago this November, if you want to feel old. And also to Chris Wysopol, who is a member of Loft Hacking Think tank, who famously testified to Congress about weak computer security and government in 98 as well.
[03:41]
Patrick Gray
Yeah, very famous, very famous hearing there with very famous photographs to come out of that as well. But yeah, look, I think, you know, the Jeff Moss stuff is very interesting because his contribution sort of shadows the whole decade as well. Right. Like, which is that it was really about people getting together and learning stuff. So speaking of Jeff Moss, here he is to kick us off getting a little misty eyed about the 90s.
[04:06]
Jeff Moss
I always think of that era for me as sort of the golden age. Anything was possible. Individuals could make huge contributions. I remember we were at this Hohokan once and we're in a room and there's like about four or five guys in that room and no, they could take over the Internet. That guy is like a phone system expert, that guy's a UNIX expert. That's like a Sonos or whatever in that room. Those people had the skills to just basically be the lords of the Internet. Yeah. And nowadays you could have a room with 20, 30 people and they could barely figure out like how to deobfuscate the JavaScript. It's so complicated. Everything is so specialized, but back then it wasn't. And so you could have these people that in their head kind of knew how it all worked and if you were around them, you could sort of figure out how the whole world worked. And then that was part of it. It was approachable, digestible and for somebody young and interested, if you could get to the information, you could sort of feel like you had the secret knowledge where you understood how it worked. And there was no Google, there was no Amazon, there are no bookstores on this, but you knew how the world worked.
[05:16]
Patrick Gray
Now you mentioned you spoke with Aleph1 and you know already in our intro, from what we just heard from Jeff Moss there, it's all about sort of secret knowledge and everybody learning from each other. And you know, straight off the bat, you know, this is, this is, this was a big theme for Aleph1 talking about the 90s.
[05:33]
Amberly Jack
Yeah, definitely. So Aleph1 is kind of chatting here about how he literally stumbled into the hacking scene in the Bay Area in the early 90s.
[05:41]
Patrick Gray
And I'll just let those listening who aren't familiar know that a red box and a blue box, they were used in phone phreaking. Right. So when Aleph1 starts talking about them, that's what he's talking about.
[05:50]
Aleph1
I had the good luck of meeting a couple of folks at a radio shock where I went to buy actually some crystals to make a red box. There were like these two shifted looking guys on the store and when I come out, they're waiting for me. And so they asked me what I'm building and then I tell them, well, I'm building the red box. What are you guys building? And they're like, oh, we're building a blue box. And so one of them gives me the phone number for bbs, which was Lunatic Labs, an old school, pretty famous bbs. And that really sort of opened up the world, if you will, a big scene and people just being friends with each other and sort of sharing information.
[06:38]
Patrick Gray
But you know, it's funny, right, because another theme that emerges in this episode is while everybody was all about connecting and sharing information, like there was a lot of sort of Becky like behavior in the scene. It was a little bit, it was a little bit sort of Mean Girls, you know.
[06:53]
Amberly Jack
Yeah. And I get, I mean you've got a lot of smart people who are kind of the first to do their thing. So you're very clearly going to have a lot of one upmanship here.
[07:03]
Aleph1
I mean, don't get me wrong, there's a lot of egos. Anytime you have folks that are smart, they know they're smart, they think they're smart. There's also going to be a lot of egos involved. I mean, there's definitely disagreements and people raising each other to do something first or to claim credit or things of that sort. But within that there's also a lot of data, friendship and camaraderie and sharing.
[07:31]
Patrick Gray
Now, of course, the backdrop to all of this sort of exploration and ego nerd fights and sharing of knowledge was, I guess, mainstream media kind of cottoning onto all of this, but not in an entirely productive way. Amberly?
[07:46]
Amberly Jack
Yeah, well, when you've got a lot of mainstream media, Pat, reporting on hacking, that at the time, it probably doesn't really understand to an audience that most likely largely doesn't understand it. And then you throw in Hollywood blockbuster into the mix as well, you're going to get some scared people. And here's Jeff on that 1990s media interest in the scene, the very first
[08:12]
Jeff Moss
website ever was defaced, which was the movie Hackers. And so this is when, in the early 90s, this first part, this is when all of a sudden there's all these portrayals about hackers. Now all of a sudden they're starting to pop up in movies, they're starting to be interesting plot devices and TV shows or whatever. And you can see it really, really start to take off, capturing the public's imagination. And this is also the period where people fear what they don't understand. And they clearly didn't understand hacking. Your parents didn't, nobody did. And so there was a whole lot of misinformation, almost like hysteria around some of this stuff. There is one, you know, like hackers will blow up your television set or can blow up your computer. And, and so on one hand you're feeling like you have this great view of how the world operates. And on the other hand you feel like the disaffected youths where nobody can understand my secret group and they're making up stuff and it's all bull.
[09:11]
Amberly Jack
So just jumping back, you heard at the beginning there that Jeff mentioned, in 1995, the first recorded website was vandalized. And I said to you, Pat, that I'd been down a few rabbit holes and tangents with this. So looked it up and these guys took over the website and I just wanna read you what they wrote. Cause it did make me laugh. Hackers, the new action adventure movie from those idiots in Hollywood, takes you inside a world where there is no plot or creative thought. There's only boring, rehashed ideas. And then they helpfully added a link to the Sandra Bullock film the Net and suggested that people go and see that instead. So there you go. The first website to be vandalized by hackers. It's the Hackers film.
[09:48]
Patrick Gray
Well, what's really funny too, right? Is that, you know, the portrayal in one sense was all very interesting and, you know, suspenseful and whatever. Right. And, you know, we just heard Jeff saying, oh, you know, but it was bad because like they're, they're, you know, portraying us in a way that isn't accurate when really, like as you're about to hear from Chris Wysopol, or World Pond, as he is known in some circles, a lot of what these guys were doing was getting together so that they could swap manuals on computers, which, I don't know, I don't think Hollywood would have really been able to do much with that if they were going to stick to the reality.
[10:24]
Chris Wysopal
You know, back then you actually had to have the physical manual for some of these systems. So if it was a system like a mini computer, you're either getting it out of a corporate closet because someone worked there and they were throwing it away, or you got it out of a dumpster. It wasn't something like you could just order. And even then it was super expensive. So, you know, the shared resources is, was huge back then. Like we would go dumpster diving like a couple times a month and different people would just bring their haul back and we would sift through it and we would keep the good stuff.
[11:04]
Patrick Gray
Cons, and this is going to keep coming up through this episode is 1990s. If we, if we had to say, like it was the decade of what it was. Cons, it was like everybody getting together like irl, right? Like in real life, people actually meeting up.
[11:18]
Amberly Jack
Yeah, definitely. And we'll hear from Jeff Moss very shortly as well, who started DEF con. But even before DEF con, there were a few HOHO Con, which was held at Christmas time, and summer Con, which was held in the summer. And here's Chris Weissopel sort of talking about meeting people in real life and how the community kind of accepted a whole lot of people kind of on the fringe of society.
[11:42]
Patrick Gray
Weirdos were welcome, I think is what you're trying to say.
[11:45]
Amberly Jack
Widows were welcome here.
[11:47]
Chris Wysopal
And so when you would go to these early cons, you're like, hey, I'm meeting all these people that I only know from a handle on irc. I think it did attract a bit more of the, the people that were more on the fringe of, of, of society in certain ways. A lot of people are self taught, a lot of people from disadvantaged communities, a lot of people from the LGBTQ community. You know, it was a pretty accepting community for all kinds.
[12:19]
Patrick Gray
Now that said, you know, it wasn't all smiles and sunshine, right?
[12:23]
Amberly Jack
I mean, you've got young people and young people are horrible. Let's go with horrible. Young people can be horrible.
[12:30]
Chris Wysopal
Pat we were very crude and, you know, there were slurs and there was other things that happened and you know, so like it's a young group of people. I, I don't want to make it sound like it was all like Kumbaya, Rosie, because it, because it wasn't. So I think you can have people from all kinds of diverse areas coming in and feeling accepted by at least the majority. And, but there was still, there was still fights and there was still people that act acted poorly towards each other and all that. And you know, it's just, just part of the territory.
[13:06]
Patrick Gray
Here's Jeff Moss on that.
[13:08]
Jeff Moss
In those bulletin board days, there was no, there's no video, there's no audio, there's no way to judge a person. You know, you didn't know their gender, you didn't know a thing about them.
[13:20]
Patrick Gray
Amberly when you think about it, this dynamic kind of makes sense given the technology at the time and given the way people were interacting. It was all very much text based. Like the hacker community was kind of ahead of the curve on this whole, you know, texting thing.
[13:37]
Amberly Jack
Yeah, definitely. I mean, it's not, you know, there was no sort of top friends or favorite songs or profile photos or anything. It was literally, as Jeff's talking about here, you had to judge people based on what they typed and how they typed. That was your only option back then,
[13:53]
Jeff Moss
you know, 300 baud, 1200 baud, 2400 baht. It took sometimes a while for messages to load. And so people were pretty brutal. If you wasted a lot of their time and their bandwidth downloading messages that were useless, people would get kind of bitter. I remember everybody at that day. Some people had their own personality. So like there would be like a Robin Hood type character and you'd always kind of have ye olde Englishy type posts because he was sort of living this Persona. So the handles, the Personas were much bigger.
[14:24]
Patrick Gray
Now, of course, Jeff Moss's big contribution to the hacking scene was founding defcon and the origin story. Like any awesome thing that sort of just comes along, it's not like he sat down and really thought about it. It just kind of happened, right?
[14:42]
Amberly Jack
It really didn't. This was never intended to be a conference, let alone a conference that would be one of the biggest hacking conferences of the last 30 odd years. So the first DEFCON was held in June 1993 in Vegas. And Jeff was telling me the story about how this came about. And he ran a network of bulletin boards and one of those included the kind of US hub for Canada network, PlatinumNet. Now the owner of PlatinumNet hit up Jeff and said, hey, my dad's taking a job, he's gotta move away. And so I'm not going to be around to do this. We need to have a going away party. But because everyone's in the U.S. we need to have the going away party in the US And Jeff, can you organize it?
[15:25]
Jeff Moss
I said, that'd be great. Yeah, let's do that. But if you're going to do it in America, we got to do it in Vegas. He's like, okay, it sounds like a great, great idea. And then he disappears. So I don't know what happened. I don't know if his dad took the job early. I don't know if his dad ripped out the phone line. And I keep telling this story in hopes that one day he'll reach out to me. I can't remember his name for the life of me to this day, you
[15:47]
Patrick Gray
know, and some of the aspects of DEF CON that people might think was part of some grand strategy, like actually, no, yeah, definitely.
[15:54]
Amberly Jack
And one of the ones right off the bat was Jeff was kind of bitter that he wasn't getting invited to these conferences. He was like, well, DEFCON is going to be. You don't need to be invited. All you need to do is get a $20 note, put in an envelope and mail it to Jeff and you're in.
[16:09]
Jeff Moss
And I'd love to take credit for this genius insight to open up the community, but it wasn't, it was me being lazy and kind of pissed off that I was not included. I think part of the energy was nobody knew what to expect. Now there's some people that have been feuding online. You know, I want to see you at defcon. We're going to settle our scores. And, but largely when you get to DEF CON and you see the guy that you've been chatting with is like a 50 year old dude or a, you know, 30 year old lady, like cool, I guess.
[16:39]
Patrick Gray
Now of course, 20 bucks in an envelope and anybody can come in.
[16:43]
Amberly Jack
That meant fed paranoia, definitely fed paranoia. And here's Jeff kind of talking about that. Not only the Fed paranoia, but how he decided, I'm actually going to lean into this, I'm not going to try and hide for them, we're going to include them in the conference as well.
[17:02]
Jeff Moss
So there was a bit of this Fed hysteria. I mean, looking back, it's really quaint, but really, in those days, if you were going to get busted, it was really three people in the whole fricking country that were going to bust you. It was Pat Sisson from MCI that was going to be for toll fraud. Then if you're hacking government systems, you feared Jim Christie and his OSI investigators. And it was going to be Secret Service for fraud, for credit card fraud, for all the hackers or not hackers, the Carters. And. And so the early DEFCON days, the very first one, we invited a prosecutor, Gail Thackeray, who prosecuted Operation Sun Devil, which was the first case against, I think, organized pirate bulletin boards. And so she was famous and she had this experience, so we invited her crazy because she was up there and one of the people she was prosecuting was in the room, had been swept up in it. But because, you know, they're out of the state and whatever, they got along.
[18:03]
Patrick Gray
Jeff mentioned Operation Sun Devil there. Amberly. What is that? I've got no idea.
[18:07]
Amberly Jack
Yes, Operation Sun Devil. So this was, and it turned into quite a big thing. It was a Secret service operation in 1990. It went over three days, May 7th to 9th, where there was a whole lot of raids of bulletin boards over 14 cities in the U.S. there were 150 agents, local police, 42 computers seized, 23,000 floppy disks, and three arrests.
[18:33]
Patrick Gray
What were the arrests for? Was it like software piracy or something stupid like that?
[18:36]
Amberly Jack
I've actually gone digging and read many articles about this, and I can't find exactly what the guys were arrested for. But a couple of stories do mention that they were arrested for things that weren't even computer crimes. So like, you know, possession of a firearm or something like.
[18:50]
Patrick Gray
Yeah, so they just, like, kick down the door because they're doing naughty computer things. Oh, unlicensed gun, easy. They. You just made our job pretty much.
[18:56]
Amberly Jack
And so there was a big idea that this was just a massive publicity stunt. But the raids and the huge publicity from the raids also led to the formation of the Electronic Frontier foundation, which was founded by Grateful Dead lyricist John Perry Barlow. And it's kind of a organization that sort of fights for freedom of digital rights for America. And it's still active today. And these guys kind of put some money towards legal fees for anyone that was caught up in this.
[19:23]
Patrick Gray
Oh, we know the EFF Amberly, the E. Hippies of the Internet. We know them well. Now, of course, you know, Jeff Moss decides, instead of excluding the Feds, yeah, invite them. But then Also play spot the Fed for anyone who's turning up, who's undeclared and feds being feds who all eye on their underwear didn't, didn't exactly make it hard the first couple of times because they would all turn up in like the same, like, you know, government approved footwear.
[19:51]
Jeff Moss
The first year or two, everybody got caught because they wore penny loafer shoes. You know, it's like no hacker wears penny loafer shoes or khakis. You know, come on guys, try.
[20:02]
Patrick Gray
But in amongst all of this, Amberly, a true community was formed.
[20:07]
Amberly Jack
And here's Geoff sort of talking about that community of defcon.
[20:12]
Jeff Moss
It wasn't camp, but it was like you said earlier, they ended up finding their tribe or their community. And later on people would say, you know, I showed up. And I immediately knew in the first hour that these are my people. And I never quite had that experience because I never, I was, I always felt ostracized in high school because there weren't any people really like me. But I never felt like this moment where I realized it because I think maybe I was too close to it for so long. I'm proud I didn't F it up. If I had treated DEFCON like a business and tried to maximize returns, I don't think it wouldn't have worked. And so we still, to this day, we do a lot of things for the community that don't make any financial sense, except it's really cool. I really like what DEFCON is and I want to see it continue. I'm not beholden to vc. I don't have to achieve some metrics. And so for me, I think that's probably the thing I'm most proud of, is managing to maintain my independence and not be forced into a corner.
[21:19]
Patrick Gray
Now, your brother Barnaby Jack became quite a sort of famous, you know, computer security researcher back when we had Rockstar computer security researchers. When was his first defcon?
[21:28]
Amberly Jack
I think I found his badge and I think it was 98. Yeah, I distinctly remember because Mum cosigned a credit card for him for emergencies and he maxed it out when he was.
[21:40]
Patrick Gray
Now it started small, but it wasn't too long before DEF CON just kind of, I mean, it ran away from Jeff a little bit. Like, let's be honest, I said to
[21:48]
Amberly Jack
Jeff, do you still love it? And he came back and he said, I don't love it like I did, but I still really like it. And this is him kind of talking about how DEF CON just kind of grew bigger than him.
[22:00]
Jeff Moss
I guess in the early days you could know everything that was happening at DEF con. You were present, it was just small. You saw everything that happened. You heard every story. You felt like this was your crew, you knew them all. And then around three or four, it's just too big. And people would come up to you and tell you stories. Oh my God, did you see so and so do the thing like, I didn't know so and so was here and what the hell's the thing? You know, and so all of a sudden you start feeling like, oh, you're missing out. You know, I did all this work, I took all these risks, and I don't even know what's going on at my own thing. And that lasted for a couple of years. And then you're like, you know what? I don't care. It's awesome that stuff's happening. I don't know what it is. And more of that should happen because that means you're being successful, right? And, and I'm not doing this for my, for, for me to learn every story. You know, it's just a, it's a growth of kind of that original bulletin board thing. Like you don't know what's happening on every bulletin board, but you still want to participate. And, you know, there was a bit of like one upsmanship in those early years where people really felt like, you know, like Dan Kaminsky would just up his game every year, right? There are like certain hackers who just like fx, always brought the goods. Like certain people just, they couldn't help themselves, right? Maybe it was showmanship and they were ultra smart and they loved a stage to perform on. And so it turned out like we're, we're providing a stage cult of the Dead cow with their, you know, throwing meat at people and launching the Back Office 2K. It became a bit of a spectacle. So I just count myself being really lucky to sort of have been in the right place at the right time, taking the right risks, meeting the right people that didn't, you know, treat me wrong and making the right friends that to this day, you know, I still have.
[23:54]
Patrick Gray
It's time for a quick break now and we're going to hear from the sponsor of this entire documentary series, Sentinel One. Now, Sentinel One commissioned this series because they've done a big push into the future. And when we're screaming headlong into the future at the speed of light, sometimes it's good to turn around and, you know, occasionally take a look at where we've come from. Hence this documentary series. But what does it mean when I say Sentinel One has done a big push into the future? Well, they've embraced AI and we're one of the earliest security platform companies to do that. They know that cybersecurity is going to be AI enabled both on the attacker side and the defender side. Drea London leads the Global Incident Response team@sentinel1. And she says after a slow start, adversary use of AI to get things done has really kicked off in earnest.
[24:46]
Drea London
We have seen a very large shift in AI generating malicious binaries, malicious code and fates which are really hitting like the lower hanging fruit. You know, we're seeing prolific amounts of sophistication, but the lower hanging fruit is, is really creating a breadth of scope. So we're seeing more and more and more. It's a lot more volume of effective trending than we've seen before.
[25:13]
Patrick Gray
Now the good news, according to Dreher, is that sentinel1 and others are accelerating their responses also with AI.
[25:20]
Drea London
Being able to use AI to model behavior has made us so much more effective and efficient. And I mean, this has been happening with incident response for the last few years. We're seeing less and less of this, like boots on the ground type of incident response and much more really target and focused amount of breach response through technology, whether it's the use of more sophisticated EDR telemetry, which we've all been benefiting from for a few years now, but now also the AI technology. So we're really able to get a pretty good idea of what a threat actor is doing, how they've likely come to be in an environment, all of these things. It's in the same amount of time that 20 years ago I was booking an airplane ticket and flying somewhere.
[26:11]
Patrick Gray
So there you have it, a bit of a glimpse into how the world will keep getting owned and how companies like Sentinel One will keep working to stop it. Big thanks to Sentinel1 for being the sponsor for this documentary series, how the World Got Owned. Now, you know, there we are, like a lot of kumbaya in that first part of the podcast, right, of people getting together, teaching each other about computers, how to hack them, how to do stuff. And look, I'm sure a lot of those people right, at early defcons and stuff were doing, you know, what were at the time criminal acts, but sort of criminal acts that we would look back on today with our 20, 26 eyes and go, oh, how quaint.
[26:52]
Amberly Jack
Quite, quite, yes, very quaint.
[26:55]
Patrick Gray
But you know, there was, I guess the 90s is where stuff started to kind of evolve into, oh, you can make money doing this sort of stuff. Right. And one very interesting character through the 90s. Well, there were the two Kevin's. Right. There was Kevin Mitnick, who's sadly no longer with us. And also Kevin Paulson, who these days is known as a, you know, a very well respected journalist in the United States. I actually did some work for him when he was the editor of Security Focus back in, I think, what, like the early 2000s? Kevin's a great guy. He's somewhat mild mannered, as you would discover, which is why it's funny that he's got this really crazy criminal past. Right. Because Kevin actually wound up spending a bunch of time in prison for doing hacking for profit. And this was because he'd been doing freaking and hacking and then wound up being investigated. And the feds were trying to put an espionage case on him. So he basically went on the run from the feds for quite a while and needed to find a way to put a roof over his head. That wasn't a square job. Right. So he did it with Hacken. And, you know, Kevin's whole arc sort of explains how we went from, you know, curiosity exploring technically illegal, but not really that bad, into like, oh, okay, there's like some potential for real criminality here.
[28:21]
Amberly Jack
Yeah. And here's Kevin sort of remembering getting his first computer. He was 16 at the time. And how that kind of led him from phone fricking into the hacking world.
[28:33]
Kevin Mitnick
It was a TRS 80 color computer, which is a fine machine, don't let anyone tell you otherwise. So I got into that. That actually drew me away from phones for a while. Then I got a modem and I started dialing up into things and dialed into bulletin board systems. And eventually kind of crossed over into phone hacking again. But this time I started hacking phone company systems. So that was kind of my first foray into what we would now call hacking, like breaking into phone company systems, looking around sometimes doing things, giving myself free custom calling features, stuff like that.
[29:09]
Amberly Jack
So Kevin almost did have a chance to take a bit of a straight path there. He got a job at SRI Stanford Research Institute, which was a defense think tank contractor. And as much as they loved the job, that job almost got him kind of sucked in a little bit to the dark side. As well as he talks about here,
[29:28]
Kevin Mitnick
my boss, though, he turned out to be a former phone freak himself. And it was kind of like two recovering alcoholics, I guess, hanging out your old drinking buddies who were also recovering hanging alcoholics, hanging out like we, we got to talking about the old days. He actually, since he never got busted, he actually had like some old phone company manuals and stuff. And he brought them into work and showed them to me, and it kind of got the juices flowing. And so, like, together we wound up kind of first dipping a toe back in this stuff. I've always had a problem, like dipping a toe into anything and not just like plunging wholeheartedly into it a couple minutes later. So at that point, I kind of left him behind and I was just like, all in.
[30:13]
Patrick Gray
Now, Kevin's crimes didn't just stay in the cyber realm. Like he was doing B and E into phone company buildings to swipe manuals and get access to stuff. I mean, it's funny, right? Because like, as I say, Kevin's like a tremendous, you know, he's a real professional in the media industry. He's very mild mannered. And I remember once, something like 20 years ago, having a beer with him in San Francisco and we were walking, you know, down the street afterwards or whatever. He's like, you know, I broke into that building once and it's just so crazy coming out of a guy like Kevin because, yeah, you just don't pick him as the type. You know what I mean, right?
[30:46]
Amberly Jack
Yeah, I know exactly what you mean, Pat. You're talking way to Kevin. He is, as you said, super mild mannered, softly spoken, super nice guy who just happens to be casually recounting his criminal history.
[30:58]
Patrick Gray
So here he is talking about the adrenaline rush of his break and enter sprees. Back in the day, what I came
[31:04]
Kevin Mitnick
to learn about myself is that I needed things to stay interesting. I was kind of an adrenaline junkie and a nerd. And if you combine those two things, you wind up like being a hacker. So whenever something got comfortable, I got very comfortable in phone company computers. I was all over their system statewide. And so then it starts to get, or threatens to get boring. So I have to find something else to keep it exciting. So one day, my boss and I were passing by a phone company central office. It was the phone network's version of like a server room. And we, we started looking for a way in. It was the middle of the night. We knew that they were usually unmanned at night. I climbed up a phone pole onto the roof of the central office. It was in Palo Alto, and found an open door and went into the door and down the stairwell and let in my friend. And we kind of wandered around this central office together, looking at the equipment and exploring. So it was like Hacking, except now it's physical. And it had a lot more adrenaline, it was a lot more of a rush, and it was totally immersive in a way that looking at a computer screen never is. So once again, you know, not able to just dip a toe in it, I had to go all in. And that turned into like a crime spree of breaking and entering over the course of a couple of years, almost every week.
[32:32]
Patrick Gray
But like a lot of crime sprees, it kind of came crashing down, right?
[32:39]
Amberly Jack
It did. And when you hear all the stories about the break ins and the crime spree and everything else, how it came crashing down just feels a little bit sad. He had a storage locker in California and just got behind on rent.
[32:53]
Kevin Mitnick
I fell behind on the rent for the storage locker. And they cracked it open and they found all this stuff. And they called the phone company, the phone company came out and looked at it, and then they called the FBI.
[33:03]
Patrick Gray
And this investigation got heavy real quick.
[33:07]
Kevin Mitnick
There were agents working this case that genuinely thought I might be working for the kgb, gaining access to critical telecommunications infrastructure, holding a security clearance for defense contractor during the day. Like, to them, this all just spelled espionage. So they started building an espionage case against me.
[33:27]
Patrick Gray
So Kevin goes on the run, and he needs cash. So what is he to do, Amberly?
[33:32]
Amberly Jack
So now it's 1990, Kevin's on the run, he needs money, as you said. And a California radio station, KISS fm, was giving these massive giveaways. You know the ones. Win a Porsche, win a trip to Hawaii, win $20,000 cash or something. And so Kevin explained to me how in 1990 they managed to rig the the phone system so that Kevin, under the name Michael B. Peters, could win himself a Porsche.
[34:00]
Kevin Mitnick
We came upon, like, these massive radio station giveaways that were particularly huge in la, where I was hiding out. And it all came down to being the right numbered caller after they say something in particular on the air or play a particular sequence of songs.
[34:16]
Patrick Gray
Now, this wasn't just something he was doing out of an apartment like this. He turned this into like a pro operation, right?
[34:22]
Amberly Jack
He treated this like a real job and rented himself an office.
[34:26]
Patrick Gray
I mean, to me, this has got like organized crime vibes. I love it.
[34:31]
Kevin Mitnick
So that turned out to be like Hollywood, like the seediest part of Hollywood. So we got some really cheap office space. We put in a bank of phones, Radio Shack phones, chosen for their liberal return policy. We would let 50, 60 calls go through, we would press a button, the calls would stop. And at that moment we start hitting our bank of eight phones and just hitting the switch hook over and over again to keep the phones ringing so they could chalk up the other 50 calls. They get to the. To the 100th caller and we're on the phone and acting excited. This was my primary source of income during the couple of years that I was living under an assumed identity in LA and trying to evade capture by the FBI.
[35:20]
Patrick Gray
Now, another thing that I find funny about Kevin is when he reminisces about the stuff he did, the illegal. All the illegal stuff he did in his youth. Like, he's obviously having fond memories, right?
[35:32]
Amberly Jack
Yeah, definitely. I actually. Because I. Because I asked him when he was on the run, just how. Whether it was exhausting. And he said, well, the things that most people would find exhausting were just fun.
[35:44]
Kevin Mitnick
The hacking stuff was. It was fun at that age, right? Being. Being free, completely unaccountable. Not having a day job, like that was my thing. I was still breaking into phone company building. So I would get to the point where I was in night mode, where I was sleeping during the day, and I would. Two in the morning, three in the morning, felt like noon to me. And I would be, you know, in some phone company switching center making Xerox copies of some manual and brewing coffee. And it was almost like a job, except it was, you know, it was fun.
[36:17]
Patrick Gray
There were some lows to go with the highs though, as well, right?
[36:21]
Amberly Jack
Yeah, definitely. And for Kevin, the downsides largely came down to the things that you kind of take for granted when you're not on the run from the feds, like using your real name or catching up with people that you love.
[36:34]
Kevin Mitnick
I couldn't see a future for myself, right, because I was hiding out from the feds. And when I started living under an alias, it was an investigation. Then that investigation became an indictment, potentially carried serious prison time. And all I was doing to handle it was not handle. And I was just hiding out and doing more crimes, like, so there's just no way forward. I couldn't visualize a future for myself. And that wears on you and it becomes depressing. And I couldn't see my family. I lived in la, they lived in la still, for obvious reasons, like it couldn't pop by and say hello. All in all, it was deeply unsettling and unpleasant experience, punctuated by, like, occasional highs like the radio station contests.
[37:26]
Patrick Gray
The FBI is searching for an electronics whiz kid who allegedly used his talents to break into classified government computer networks, obtain military secrets and wiretap private phones. An innocuous Case of computer. Computer hacking or a breach of national security. So it's funny, right? Like, yeah, like, living on the run, not so much fun. Crime. Crime is awesome. Crime's heaps, heaps of fun.
[37:47]
Amberly Jack
Crime's great fun.
[37:49]
Patrick Gray
You know what else is not fun? Getting caught. Getting caught and thrown in prison. Not, not, not fun.
[37:55]
Amberly Jack
Amberly getting caught, not so much fun. So this was, this was April 1991, and Kevin got, eventually got caught at his local grocery store in California. And I asked him if he remembered kind of exactly what went through his head at that moment when he knew the gig was up.
[38:12]
Kevin Mitnick
What I remember is how jarring it was just as an interruption to my day. When you leave your house to, like, go grocery shopping or run some errand, you never think, this is the last time I'm going to be here. That was really my first thought was, you know, I'm not going home. Who's going to feed my cat here?
[38:30]
Patrick Gray
He reflects, though, that, like, it being over was kind of a relief.
[38:35]
Kevin Mitnick
It was nice in a way to be able to just be myself again, to use my name and to not be pretending anything anymore. That was a relief.
[38:49]
Patrick Gray
Then it came time to actually put this thing through the courts and figure out what on earth he'd actually done that was illegal and if he was a spy or not. And, you know, here's Kevin on that.
[39:00]
Kevin Mitnick
So the second indictment became. Is a lot more accurate in most ways. But they also went all out and charged me under the Espionage act, not with spying, but with unlawful retention of classified material. So it came down to the, the espionage charge. Like everything, everything that I did, they had me called for. There was no, there was no point in doing anything except pleading. But this espionage charge, I refused to plead to that even when they offered me time served, because it was wrong. It was something that I didn't do and wouldn't have done. So we got very close to trial when I had a private investigator on the case, and he wound up basically getting the evidence that exonerated me. It was. He got the right interviews with the right people and they were candid and it all came together. The feds were kind of watching what he was doing. So as we neared our trial, they knew that this case had become a loser for them. So they finally agreed to drop that charge. I pleaded guilty to the stuff that I was guilty of at that point. I had served five years in pre trial custody. So as part of my plea deal, I agreed to an upward departure where basically I accepted extra time, like more than what the sentencing guidelines called for for my crimes, just to absorb the time that I had already spent in pre trial detention. Because if I hadn't done that, like, I'd have. They'd have owed me a free felony when I got out.
[40:39]
Patrick Gray
The way he reflects on that whole experience, though, I mean, I do think it's admirable in a lot of ways that Kevin looks back on that whole experience is just like, well, it's an unusual experience, isn't it? You know what I mean? And I got to live that. Like, I don't think he views it as a positive, but I, you know, I just think there's a lot to be said for the way he looks back on it all.
[40:56]
Amberly Jack
Yeah, definitely. And he's, he's sort of talking, like you said, just very kind of pragmatically looking at it like this thing happened. And it was interesting and I got
[41:04]
Kevin Mitnick
to observe it in a lot of ways. It was a really interesting experience. It went on a bit longer than I'd have liked, but I met a lot of people with very interesting stories.
[41:14]
Patrick Gray
Another thing I find admirable as well is that Kevin took a look around at his fellow inmates and said, well, compared to them, I kind of actually do deserve to be here. Right. So he took his licks.
[41:26]
Amberly Jack
Yeah, he did. And here he is talking about the kind of people that he met in jail and that kind of realization that, you know, he probably deserved to be there more than they did.
[41:38]
Kevin Mitnick
Like, all the drug, all the drug cases were just crazy. Like they, these people were being handed decades like it was candy. So that part of it was sobering. But all in all, it was, it was an experience that I think I got a lot of value out of. And I learned, like, to stop feeling sorry for myself very quickly, like, because even as much time as I wound up doing it was like nothing compared to what most of these guys were facing now.
[42:10]
Patrick Gray
You know, I've mentioned it a couple of times, but Kevin is a serious business journalist these days in the United States. I mean, he worked for Security Focus, and I did a bunch of work for him there. He worked at Wired as well, and then it was the Wall Street Journal.
[42:25]
Amberly Jack
Yeah. And I spoke to Kevin about his career path, and as he's talking about here, when you get to the crux of it, journalism and hacking, not really
[42:32]
Kevin Mitnick
that different journalism, it kind of scratches a lot of the same itches as hacking. Like, a lot of what I was doing as a criminal was looking into stuff that interested me. Like, that was 90% of it. Most radio station contests like that, that gets all the attention. And yeah, I got a Porsche and woohoo. But almost everything I did was completely pointless and served no purpose, except it satisfied some curiosity and gave me a little rush of adrenaline at the same time. And that's what journalism does, right? Like you, you get interested in something, you get to look into it and you can dive deep.
[43:09]
Amberly Jack
I asked Kevin about his, his journalism, and he is in a really unique situation where having been reported on so many times when he was younger, really gave him an idea of what not to do as a journalist.
[43:24]
Kevin Mitnick
Being a subject of a lot of reporting when I was a hacker made me sensitive to what doesn't work and what I should avoid, what mistakes not to make, like how to be scrupulously honest and get the information right and portray people in a way that's true to them as well as being factually accurate and how important that is to the subjects that you're writing about. Something else I think I've brought to the table is I'm not judgmental under any circumstances. Like, I, I can talk to a hacker or a criminal of any kind, and they don't get any sense that I think I'm better than them. Like, I, they get no judgment from me whatsoever because I, I've talked to very, very few hackers that have done anything worse than what I used to do.
[44:18]
Amberly Jack
Now, as I was wrapping up my conversation with Kevin, I asked him, look, if you were a teenager today, with technology as it is today, do you think that hacking would have had the same draw that it had for you when you were a teen in the 80s and 90s. And he sort of said, look, I've, I've actually wondered about this a few times myself. And, and largely the big draw for him, the siren song for him was the phone systems at the time.
[44:45]
Kevin Mitnick
And there was so much about it that was unique to it. It's not the Internet, it's not homogenous, it's not built off Cisco routers. Like, there were parts of the phone network that were 100 years old and still operating, and down the hall there would be a fairly modern computer that was doing the same thing. There's just so many little things about this vast network that was running on so much, so many different types of technology from different eras that drew me in. And I, if I, if I, if I was turning 16 right now, I don't actually know if I, if I'd have wound up like in that kind of trouble or drawn into something like that again.
[45:32]
Patrick Gray
And that concludes part one of the second installment of how the World Got Owned the 1990s. Part two will be hitting the feeds soon, and if you want to get the full part 2 of this installment of how the World Got Owned, please do subscribe to our new RSS feed. Our new podcast feed Risky Business Stories. So just search for Risky Business Stories in your podcatcher and you'll be able to find it that way. Or you can always head over to our website at Risky Biz to find the subscription links for that feed. Our thanks again to Sentinel One. This whole project is only possible because they commissioned it. Interviews for this podcast were done by Amberly Jack. This podcast was edited and produced by Amberly Jack with a little bit of help from me, Patrick Gray and the how the World Got Owned musical theme was composed by Noel Sanger and yours truly in Noel's studio. Thanks mate. That's all for now. Bye bye SA.