Name: Kevin Mitnick
Occupation: Security Consultant
If you were once the world’s most wanted hacker and you’d been put away three times for your crimes, would you want to lay low and hope everyone forgets about you? Or would you put a white hat on your infamy and build a legit security consultancy? Kevin Mitnick chose the later and he’s now making good money telling the corporate world how to cover its arse. Funnily enough, more has been written about how he was busted than about any of his skills or knowledge -- will the release of Mitnick’s second book of security advice change that?
His latest book, The Art of Intrusion – the real stories behind the exploits of hackers, intruders and deceivers
is based on Mitnick’s exclusive interviews with a wide range of criminals -- and the steps we can all take to not fall prey to their tricks. ‘These people have never told their stories before;’ says Mitnick, ‘they only told me because I’ve been busted for hacking myself and refused to inform on others, they respect me and they trusted me to keep their identity secret.’
Atomic: Let’s start with a cheeky accusation: between you and Matthew Broderick you changed the public’s perception of hackers forever -- how do you plead?
Mitnick: Hahaha! Well, I guess I did bring a lot of awareness to the area of phone phreaking and computer hacking through my escapades of many years ago. In fact, coincidentally, a friend of mine knows Matthew Broderick and Matthew said that the next time I’m in New York he could probably hook up with me. That’d be hilarious to have some pictures with him, wouldn’t it?
Atomic: Yes. It is kind of a funny connection. In the movie War Games he was apparently able to start a nuclear war -- and hell, that was something you were accused of being capable of if you’d been allowed access to the prison pay phone…
Mitnick: Unfortunately, one of the journalists who wrote a libellous book about me called Takedown <JOHN Markoff, who wrote the book with Tsutomu Shimomura>basically took that idea from War Games. He said in a story that I hacked into the Pentagon in 1983 and nearly started World War III! So Matthew Broderick as an actor, I guess, had a significant impact on my reputation -- but not through any fault of his own!
Atomic: How about the film about you based on John Markoff & Tsutomu’s book ‘Takedown’? Give us a 10-second review of the acting in that…
Mitnick: Aside from it being not true about me and using my real name but none of the real events… the film was terrible. It was terrible acting -- the only redeeming quality was that Skeet Ulrich played me. I mean, all the other talent was no talent! Maybe it wasn’t as bad as Swordfish. But that would have been a cool scene maybe, you know, that first scene of Swordfish in my movie. I’m kidding…
Atomic: Well… Swordfish had two things going for it…
Mitnick: Yeah and that was about it! But that’s as much truth as some of the journalists have. Unfortunately there’s this ‘myth of Kevin Mitnick’ that was single-handedly created by some journalists who wanted to profit.
Atomic: It seemed Markoff and Shimomura were riding your story to make names for themselves…
Mitnick: Well, I think it was more Markoff than it was Shimomura. Shimomura was more being vigilante and it was Markoff who saw the dollar signs. It was about Good versus Evil – creating a Western in cyberspace, or whatever. And he was the one, I think, who persuaded Shimomura to track me in the first place.
Atomic: Well, given there are these ‘fictions’ out there – the books and film – what are you doing to gain the trust of corporations?
Mitnick: Obviously my transgressions are known to be things of the past and I’m continuing to do successful work, like co-authoring books, doing public lectures around the world and doing private security consulting. I’m getting a lot of clients by referral and by word-of-mouth, and everyone that I work with is satisfied. Of course, I’m sure there are going to be some companies out there that are reluctant to work with me based on the past. You even have companies like Symantec who swear up and down they’d never hire a hacker and yet Kevin Poulsen -- who spent five years in prison -- is their Editorial Director for SecurityFocus, right? Maybe he’s not an employee… maybe he’s a contractor. A lot of the successful security companies today were started by hackers who did illegal things -- like Christopher Klaus who founded ISS (Internet Security Systems) and Mark Mayfray who was raided by the FBI and started at e-Eye. People who were the unethical hackers of years ago have now transformed into the security professionals -- the white hats -- today. And I am one of them.
Atomic: Now, for our younger readers who are interested in getting into security, there’s no way in hell we can recommend they cut their teeth doing illegal activities!
Mitnick: No -- of course! And I wouldn’t suggest that anyone did. That’s just how it happened. Just like with Apple Computer: how they got the money to build the Apple circuit board was that Steve Jobs and Woz sold Blue Boxes on Berkeley campus. Would you encourage your kids to sell Blue Boxes? No. Of course not. It just happened. That’s life.
What I encourage people to do if they want to learn about computer security is set up a network with friends. If you want to learn about vulnerabilities by hacking into your friends’ computers you can do it legally and still experience the same pursuit of knowledge. Of course, you don’t get the same thrill of being sneaky… but encouraging people not to trespass into innocent peoples’ computers is important.
Atomic: How much of what you used to do was about that thrill of doing something sneaky?
Mitnick: That was part of the components: it was an intellectual challenge, it was pursuit of knowledge, being somewhere I shouldn’t be… The thrill seeking was kind of like going into the Star Trek sitcom: ‘going where no hacker has been before’. My first attraction was telephones and that’s why I went after all the cellular phone companies when I was hacker: to get the source code for the cellphones so that I could see the brains inside these things. But that regrettable decision -- that stupid decision on my part -- landed me in a whole lot of hot water. Obviously.
Atomic: What are you thoughts on the Paris Hilton phone hack? How would you…?
Mitnick: Well… I was chuckling when I found out that Fred Durst got hacked too!
Atomic: Oh man, you didn’t watch that video did you? It’s…anyway, how would you…?
Mitnick: What was funny was that you’d have to be a complete moron to have your sex vids with your girlfriend on your Sidekick. I mean… like… why? What’s he going to do? Sit at the bar having drinkies by himself one night and go and have a look at the sex vid? What’s possessed this guy? With Hilton, I guess they thought she’d have some… you know, naked shots or bare breasts… you know the girl. I believe that social engineering could have played a part in getting her password, because with Caller ID spoofing it would have been relatively trivial to go onto T-Mobile’s website and do a password reset and it SMSes it to the phone.
[They] can, with Caller ID spoofing, call her phone and it says ‘T-Mobile Customer Service calling’ and she’d have no reason to believe that it wasn’t T-Mobile Customer Service, and you’d ask her to read off the SMS. And then they’d just log onto her T-Mobile account online and they’d access her Address Book and everything. Or… she could have just chosen a simple password, like her dog’s name. Who knows?
Atomic: Maybe the second one’s as likely as the first…but why target her?
Mitnick: Because she’s a celebrity. And because of her other … issues… that came up in the past. I thought it was quite amazing when I saw the phone book released on the Drudge Report with the private numbers of people like Eminem. I just chuckled! I mean, I was chuckling more about the Fred Durst thing, but with everything I was just going ‘My god, T-Mobile is really going to be embarrassed here!’
Atomic: One of the things the Atomic community is into is pulling something apart and modding it…Is that something you’re still into -- the hardware hacking side?
Mitnick: I’ve just bought a Zaurus <SHARP’S PDA>and I’m thinking about taking that thing apart. But I’m afraid of taking it apart because I want to make sure I can get the damn thing back together. I bought the Zaurus because it runs Linux on the PDA platform. I’m doing a talk on wireless security, so I have to use it for 802.11 stuff, Ethereal stuff.
Atomic: Some of the people interviewed in Art of Intrusion seemed very willing to share their stories with you. How does that trust happen? Is there such a thing as ‘honour among thieves’?
Mitnick: We changed the names of a couple of people in there to protect their identity. But two of the security professionals we interviewed had actually authored security books and I couldn’t believe it, because they were still doing some crafty things.
Atomic: How do you feel about some of the tech community’s response to your books and work, for example, in places such as Slashdot…
Mitnick: …I don’t even read Slashdot... they’re a bunch of… well, a lot of the people on there are trollers!
Atomic: So you don’t care about their reaction?
Mitnick: Most of them are trollers. Someone sent me something that said ‘Ooh… Is he out yet?’ I mean… stupid… trollers. OK, not all of them, but a lot them.
Atomic: Well, some might say that your security business, your lecture tours, and your books are among your greatest achievements in social engineering…
Mitnick: No I wouldn’t call it social engineering, because that means it’s a deceptive practice…
Atomic: Well that’s basically what you’ve been accused of…
Mitnick: Right. That’s because they’re jealous.
Atomic: Maybe that’s also what motivates script kiddies and others to attack others’ systems -- because they’re jealous?
Mitnick: I have no idea what their motives are.
Atomic: Ah. To understand a hacker’s motives, does someone tracking them down have to have been a hacker too or at least know how they think? In the same way TV/film detectives say they need to think like a serial killer to hunt one?
Mitnick: I wouldn’t analogise it to a serial killer… but they have to understand the technology and how it works. How connections are made. And it could be that the attacker is easy to detect because they’re doing a direct IP connection from home. Or they could be very clever, sitting on a mountain top or a boat here pointing a wireless antenna at a wireless access point and it would be extremely difficult.