Mitnick Testifies on Telco's Security

← Back to Stories (view on slashdot.org)

Mitnick Testifies on Telco's Security

Posted by michael on Monday June 24, 2002 @11:57PM from the what-me-worry dept.

Woefdram writes "Our favourite computer criminal (?) Kevin Mitnick testified in a case against Telco Sprint that their security was like Swiss cheese: full of holes. The story on SecurityFocus quotes Mitnick, saying, 'I had access to most, if not all, of the switches in Las Vegas,' and tells how he came up with a list of 100 challenge-response codes." We've written about this case before.

7 of 206 comments (clear)

Min score:

Reason:

Sort:

Re:Publicity grubbing... by CodeMonky · 2002-06-25 00:12 · Score: 4, Insightful

You left something out, Mitnicks response to the question.

Mitnick suggested calmly that Sprint try the list out, or check it with Nortel. Nortel could not be reached for comment after hours Monday Perhaps he knew that spring/nortel couldn't be reached. But you should still at least include the response if you're gonna quote something like that.

--
--"Karma is justice without the satisfaction"
Re:Publicity grubbing... by Your_Mom · 2002-06-25 00:44 · Score: 3, Insightful

Let's face it, there have been thousands of better crackers...
I have to say that Mitnick is one of the better crackers in recent memory, sure he gets the spotlight a lot, but I think thats because he got thrust into the public spotlight back during the Shimomura episode. I mean, how many crackers made the front page of newsweek?

Yes, there are other deserving people out there, but I don't mind Kevin cashing in on his "fame". Who wouldn't?

--
Objects in the blog are closer then they ap
from a former Nortel employee... by deander2 · 2002-06-25 01:08 · Score: 4, Insightful

I worked for a year and a 1/2 on a project designed to replace the DMS-100 provisioning and configuration systems. I can tell you that those systems are complex in the extreme to set up correctly. I knew people who had worked with them for 20 years and still had questions about how they worked. It's not through Sprint's stupidity that they were hackable, it is a by-product of overly complex system engineering.

This is a common problem in this industry. Having complex systems when you're the defacto standard makes a great revenue stream in your consulting and training systems, but kills the reliability of said systems. Nortel/Cisco/IBM never take the fall for it however, because they can just say "well, you didn't configure it right" and Sprint/etc can't even argue - it would take 2 years and 10 consultants to even find out.

--
http://kered.org
1. Re:from a former Nortel employee... by WolfWithoutAClause · 2002-06-25 01:15 · Score: 3, Insightful
  
  To be fair to Nortel, these particular systems were hacked 7 years ago, at a time where encryption on the internet was a rarity, and orginally designed well over a decade ago. Security features weren't much of an issue with customers at that time, clearly security is becoming much more of an issue now.
  However, very few systems are proof against social engineering, encryption or not.
  
  --
  -WolfWithoutAClause
  "Gravity is only a theory, not a fact!"
2. Re:from a former Nortel employee... by JUSTONEMORELATTE · 2002-06-25 01:35 · Score: 5, Insightful
  
  To be REALLY fair to nortel, while the web was young seven years ago, (the net was old, even then) that has absolutely nothing to do with this crack job.
  The DMS-100s were broken the good old fashioned way -- use a war dialer to find the dialup number, then call the switch directly. Once connected, try the obvious passwords first (either admin/admin or admin/NORTEL_DEFAULT_PASSWORD, which Mitnick had learned from Nortel docs)
  
  Deander2 got it right -- Nortel designed an absurdly complex product, and was unmotivated to clean house because they were able to rake in the consulting bucks. WHEN (not if) this comes back to bite a client in the butt (like it did with Sprint) Nortel takes no heat for it, and in fact most likely gets even MORE consulting dollars for a hasty clean-up effort.
What's the '?' for... by nochops · 2002-06-25 01:54 · Score: 3, Insightful

Why use a '?' in the post?

Is there any doubt that Mitnick is a criminal?

Since is when is cell phone cloning, carding, and cracking legal?

Since when is running from the law (he was a fugitive) legal?

I think there's no question as to the legality of Mitnick's actions. Weather or not the legal system handled the case correctly is another story, but he is definitely guilty of those crimes.

--
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
Re:Publicity grubbing... by Your_Mom · 2002-06-25 03:25 · Score: 3, Insightful

I'll say it again: He's the computer equivalent to the shaking junkie who sticks a gun in the face of a 7-Eleven clerk to get money for a fix...

No disagreement there, I think hes been quoted along the lines of not being able to stop despite knowing that he will eventually get caught.(Link anyone? I could be wrong)

He left a trail a mile wide...

I have to disagree here. There were no real ties between him and the Shimomura attacks. I think he was the target that first popped up on their radar screen after the attacks and was lassoed. There are a lot of weird bits in the "official" version of the story (unsigned warrants, etc) and instead of detailing them I will say:
I strongly recommend reading both The Fugitive Game By John Littman and, to get the other side Takedown by John Markoff, I find Littman a much better read and does much more research into the story then Markoff. Littman presents the story from a impartial 3rd person, and scrutinizes both accounds (Mitnick, who he interviewed via phone while on the lamb, and Markoff's story from his book, NYT stories, and interviews.) I've lent Littman out to techie and non-techie friends and it always recieves high marks, and I think the "Something was Fishy with the govt's case" viewpoint usually results.

--
Objects in the blog are closer then they ap