California Computer Security Expert Helps Agents Track Fugitive Hacker
By David Bank, San Jose Mercury News, Calif.
Knight-Ridder/Tribune Business News
SAN JOSE, Calif.--Feb. 17--Tsutomu Shimomura took the Christmas Day attack on his computer system personally.
It wasn't simply that a hacker had penetrated the electronic defenses that the 30-year-old security expert - one of the world's best - had installed on his computers at the San Diego Supercomputer Center. That was, perhaps, inevitable in the escalating combat between those who protect computer data on the Internet and those who steal it.
This attack was becoming a major affront.
For starters, it began almost under his nose. Shimomura was visiting a friend in San Francisco when the intruder remotely commandeered a workstation housed in the same apartment and used it to send the first electronic probes to Shimomura's home computer near San Diego.
Second, the intruder made off with a huge cache of files, including high-powered software tools developed by Shimomura that were used in subsequent break-ins during an eight-week cyberspace crime spree that rattled the computer network establishment.
Third, the hacker left a series of taunting messages on Shimomura's voice-mail.
And finally, Shimomura's relentless tracking of the perpetrator kept him away from the backcountry ski trails around Lake Tahoe during one of the best ski seasons in years.
Shimomura's efforts led to Wednesday's capture of Kevin Mitnick, the country's most notorious hacker. Mitnick, known as "Condor," had been a fugitive from justice for more than two years. With Shimomura's help, federal agents arrested Mitnick at an apartment in Raleigh, N.C.
"Kevin was a pain in the ass," Shimomura said by telephone Thursday. "He cost a lot of people a lot of time and effort. I'd rather go ski."
The savvy and software skills demonstrated during weeks of tracking Mitnick across the Internet have made Shimomura a celebrity in the normally shadowy world of computer network security.
"You've got to paint him as the knight in shining armor," said Jim Settle, former head of the FBI's computer crimes squad and now a private computer security consultant. "He had all the smarts needed to know how to solve it."
Brilliant and intense, Shimomura keeps a foot in both the world of the computer security establishment and the loose-knit fraternity of hackers. He's a regular at the annual Hackers' Convention but unlike many of his friends also undertakes research projects for government agencies such as the Air Force and the National Security Agency.
Though Shimomura is on the side of the law, friends say he has broken into computers around the country to demonstrate weaknesses in the systems' security. He has insisted on publicizing the Internet's security flaws, even when others feared such disclosures could lead to additional break-ins.
Shimomura has long lived by his own rules. As a high school student in New Jersey, Shimomura skipped school and attended classes at Princeton instead. Without even a high school diploma, he was given a position at the Los Alamos National Laboratory in New Mexico. Since 1992, he has been a senior research fellow at the supercomputer center, which is affiliated with the University of California.
Appearing before a congressional committee last year, Shimomura demonstrated the ease with which a conventional cellular phone could be turned into a scanner - and then proved the point by tuning in to calls being made around the Capitol.
Though the software tools he has developed are among the most sophisticated in the field, Shimomura prefers to spend his time cross-country skiing and roller-blading. Shimomura, trained in physics and computational theory, first became interested in computer network security as an interesting sidelight.
"He's a sculptor. He's a design theorist," said John Gage, chief of the science office at Sun Microsystems Inc. in Mountain View. "He thinks about how things work in computers constantly. It's his total focus. "He tries to model how computers work as a physicist would. Then he can see the holes that are implied by the structure of that computer. Then he can see how to use those holes, or how to plug those holes." Those skills made him a prime target for hackers. In the wrong hands, the same software tools he developed to bolster network security could be potent weapons for attacking computer systems. Among the programs taken from his computer in the Christmas Day attack was a network monitoring tool that Shimomura modified under a grant from the National Security Agency, according to an affidavit filed by an FBI agent in the case. The tool is unique because it can be installed in a computer operating system without needing to shut down the machine. "Tsutomu's tools were designed to be invisible," Gage said. "Of course, that gives people the power for good and evil." Shimomura put the same tools to use to catch Mitnick. The hacker had tried to cover his tracks, but Shimomura was able to reconstruct the sequence of the attack from traces left behind. He described his forensic methods to a group of high-level corporate security experts in Palm Springs earlier this month. "It was quite impressive to those around the room, and it was quite a group of people to be impressed," said Larry Smarr, director of the National Center for Supercomputing Applications, who was at the conference. "It wasn't just the techniques, the software tools. It was the smarts. People said, 'Gee, it never would have occurred to me to use the sequence he did.'" Shimomura, in weeks of tracking Mitnick's activities, used sophisticated network "sniffers" to monitor the flow of data packets over the Internet. At times, Shimomura's team wrote new software on the spot. Mitnick was outmatched. 
"None of those sophisticated tools that he's got could prevent us from finding him," Shimomura said. "Perhaps we can't stop him from breaking in. But I can't think of a lot he can do to stop us from finding him." Finally, when Shimomura and his associates tracked Mitnick to Raleigh, he used a radio signal meter to locate the building. Federal agents took it from there. Shimomura said the capture of Mitnick would not stop the growing number of attacks on computer networks, which are a result of weaknesses inherent in computer operating systems and protocols. "The real problem is still there," he said. "He was just exploiting it." Shimomura said he hoped Mitnick's capture sent a message: "This is not acceptable behavior. It will not be tolerated." The ability to enforce that message makes Shimomura a valuable asset to the private companies and government agencies seeking to make the Internet and other computer networks safe for electronic commerce. Shimomura's associates say he is considering a move from the academic world to the private sector, but Shimomura has not disclosed his plans. "I'm going to go back and ski," he said.