Slashdot Mirror


Ask Kevin Mitnick

The hacker with perhaps the most famous first name around, Kevin Mitnick, has gone from computer hacking of the sort that gets one on the FBI's Most Wanted list (and into years of solitary confinement) to respected security consultant and author, helping people minimize the sort of security holes he once exploited for fun. His new book is called Ghost in the Wires: My Adventures as the World's Most Wanted Hacker; it's his first since the expiration of an agreement that he could not profit from books written about his criminal activity. Kevin's agreed to answer your questions; we'll pass the best ones on to him, and print his answers when they're ready. Note: Kevin also answered Slashdot questions most of a decade ago; that's a good place to start. Please observe the Slashdot interview guidelines: ask as many questions as you want, but please keep them to one per comment.

43 of 285 comments

  1. What has changed by Superken7 · · Score: 2

    What and how much has changed nowadays? In other words, how would a (hacker) Kevin Mitnick getting started in 2011 hack and exploit?

    1. Re:What has changed by Anonymous Coward · · Score: 2, Insightful

      You still don't know Microsoft. With more than two decades of history behind them, you'd think people like you would learn.

      The fact that you still think it's normal for an operating system to need an anti-virus program on top of it just shows how bad it is.

    2. Re:What has changed by retardpicnic · · Score: 3, Interesting

      You are a pinhead, with no knowledge of either history or computer science. Observe:
      - What made Kevin great: up to this point, most errors that were exploited were what were known as fencepost errors, tedious to find and with unpredictable behavior once exploited. Kevin was a pioneer in looking for how to leverage the functionality that made computers worthwhile against them. The man-in-the-middle attack that exploits the three-way handshake is elegant and sophisticated because it puts the defending system in a position of lessened value (in order to defend against it, the computer would be unable to complete a three-way handshake). Coupled with the ability to social engineer, this mindset is what is dangerous, this level of clanking balls and imagination.
      Your question is asinine. This man hacked networks and systems. You want to know if he can compromise a fucking home PC?
      Can a brain surgeon remove a fucking wart? Kevin didn't teach people how to hack, he taught people how to think like hackers.
      http://www.pogostick.net/~pnh/ntpasswd/
      or just go to fucking bugtraq

      --
      sig loading.......
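
The three-way-handshake attack the reply above alludes to works because the attacker can predict the initial sequence number (ISN) the server will put in a SYN/ACK it never sees, and so can complete a handshake blind while claiming a trusted source address. The simulation below is an added example, my own code and not from the page or from anyone quoted on it: nothing is sent on a network, the "hosts" and "server" are in-memory objects, the fixed-step ISN generator is a toy model of the old BSD behaviour, and all addresses are constructed documentation values. It shows why predictable ISNs make the blind ACK succeed every time and random ISNs make it fail.

```python
"""Toy simulation of blind TCP handshake spoofing against predictable
initial sequence numbers (ISNs).

Added example, not code from the page or from anyone quoted on it. No
packets are sent: the 'server' and 'hosts' are in-memory objects, and
the addresses are constructed documentation values.
"""
import random

ISN_MOD = 2 ** 32


class PredictableIsnHost:
    """Old-BSD-style generator (toy model): the ISN counter advances by a
    fixed step per connection, so observing two ISNs reveals the next one."""

    def __init__(self, seed=1_000_000, step=64_000):
        self.counter = seed
        self.step = step

    def next_isn(self):
        isn = self.counter % ISN_MOD
        self.counter += self.step
        return isn


class RandomIsnHost:
    """Generator that draws each ISN from the OS CSPRNG, i.e. the modern
    fix of making ISNs unpredictable to an off-path attacker."""

    def next_isn(self):
        return random.SystemRandom().randrange(ISN_MOD)


class Server:
    """Completes a handshake only if the final ACK acknowledges server_isn + 1."""

    def __init__(self, isn_host):
        self.isn_host = isn_host
        self.pending = {}       # (src_ip, src_port) -> ISN sent in our SYN/ACK
        self.established = []

    def on_syn(self, src, client_isn):
        server_isn = self.isn_host.next_isn()
        self.pending[src] = server_isn
        # The SYN/ACK carrying server_isn is routed to src. For a spoofed
        # src the attacker never receives it; for the attacker's own src it does.
        return server_isn

    def on_ack(self, src, ack_num):
        server_isn = self.pending.pop(src, None)
        if server_isn is None or ack_num != (server_isn + 1) % ISN_MOD:
            return False
        self.established.append(src)
        return True


def blind_spoof_attempt(server, trusted_ip="192.0.2.10"):
    """One attack: probe twice from the attacker's own address, derive the
    ISN step, then impersonate trusted_ip and ACK the unseen SYN/ACK blind."""
    attacker_ip = "198.51.100.7"
    # Probing connections: these SYN/ACKs really reach the attacker, so both ISNs are seen.
    isn_a = server.on_syn((attacker_ip, 40000), client_isn=0)
    server.on_ack((attacker_ip, 40000), (isn_a + 1) % ISN_MOD)
    isn_b = server.on_syn((attacker_ip, 40001), client_isn=0)
    server.on_ack((attacker_ip, 40001), (isn_b + 1) % ISN_MOD)
    step = (isn_b - isn_a) % ISN_MOD
    predicted = (isn_b + step) % ISN_MOD
    # Spoofed SYN "from" the trusted host. In the real attack the trusted
    # host is kept busy so it cannot RST a connection it never opened; that
    # part is not modelled here.
    spoofed_src = (trusted_ip, 1023)
    server.on_syn(spoofed_src, client_isn=0)
    # The attacker never saw this SYN/ACK; the ACK number is a pure guess.
    return server.on_ack(spoofed_src, (predicted + 1) % ISN_MOD)


def success_rate(host_factory, trials=50):
    """Fraction of blind attempts that establish a session against a fresh server."""
    wins = sum(blind_spoof_attempt(Server(host_factory())) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("predictable ISN:", success_rate(PredictableIsnHost))   # 1.0
    print("random ISN:     ", success_rate(RandomIsnHost))        # ~0.0
```

The point the reply makes about "lessened value" is visible in the model: the server cannot tell a blind but correct ACK from a legitimate one, so the only defence that does not break the handshake itself is to make the ISN unguessable.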
  2. Do you own a Guy Fawkes Mask? by blair1q · · Score: 3, Interesting

    Do you own a Guy Fawkes mask, or have an opinion of Anonymous' activities?

  3. Is it cool any more? by Hazel+Bergeron · · Score: 4, Interesting

    You have gone from hacker/cracker to security consultant via quite a difficult route. If you just wanted the money, there would have been far easier ways.

    Today, the most well-known kiddies tend to do something high profile but requiring little technical brilliance and move quickly to "legitimate" jobs. The majority of "security consultants" don't really have much technical knowledge at all, being more public relations/ass-covering types.

    With this in mind, what advice do you have to people who like to study security for its own sake? Should they keep quiet about what they do, developing an academic career so they can research to their heart's content without commercial pressures?

    Or does everyone clever sell out in the end?

  4. What if they had not caught you? by Superken7 · · Score: 5, Interesting

    What do you think would have happened in a scenario where you managed to escape the FBI and the hackers that helped them?

  5. As a professional white hat... by Dino · · Score: 3, Interesting

    What would you recommend to organizations to curtail the sort of social engineering break-ins for gaining unauthorized entry?

    --
    That's not what I meant.
    1. Re:As a professional white hat... by jhoegl · · Score: 2

      Training....

    2. Re:As a professional white hat... by Abstrackt · · Score: 3, Interesting

      Training....

      ... And strict enforcement of visitor policies.

      You can train people all you like but if they're too scared or jaded to challenge visitors that training isn't going to count for much. Everyone at every level, especially upper management, needs to learn to understand and accept that yes, they might be called on their credentials and that this is actually a good thing.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  6. Colbert Report by Warlord88 · · Score: 3, Informative

    Kevin Mitnick was recently on Colbert Report to promote his book. Here is the link if anyone's interested.

    1. Re:Colbert Report by vlm · · Score: 5, Interesting

      Kevin Mitnick was recently on Colbert Report to promote his book. Here is the link if anyone's interested.

      Yeah, thats the "7 digit UID new school /."

      The old school 5 digit UID and below /. crowd would have reported that Kevin was on 2600 / off the hook "recently" to promote the book. Which show was it? I donno, probably one of these:

      http://www.2600.com/offthehook/2011/0811.html

      I listened; it was a fairly interesting interview.

      Somewhere in between old school and new school, he was on some TWIT network show recently too, apparently this one:

      http://www.twit.tv/show/triangulation/21

      The twit network is generally a little too non-technical / mass market for me, although they certainly easily are more interesting than TV. I think it would be hilarious if Leo purchased the "tech tv" trademark from whoever owns it using his apparently voluminous petty cash fund (if you've seen his new studio, you'd know what I mean)

      Now someone else chime in with his Dr. Phil episode for that / newbie tone. thats what the 8 digit UIDs watch, or so I hear.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Colbert Report by interkin3tic · · Score: 3, Funny

      Yeah well MY UID is 2 digits. It's just cold in here. Plus my penis is 21 feet long, so I think we know who wins THIS discussion. (/thread)

  7. Responsible Disclosure? by gcnaddict · · Score: 4, Interesting

    Should you find a security vulnerability (either in an open source project, a commercial product, or a company's hosted systems), what procedure would you consider "responsible disclosure" to the parties who are considered owners of the product? I recognize that each of the three cases listed above could vary significantly.

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  8. cybersecurity by Anonymous Coward · · Score: 4, Interesting

    What cybersecurity threats do you see as the most dangerous to the Internet now?

  9. In the end... by NabisOne · · Score: 4, Interesting

    Was it worth it? Is there an upside to your experiences the last ten years?

  10. Re:Remember, kids... by somersault · · Score: 2

    Huh? If they're dead, what's the problem? It would be much more evil to steal the identities of living people. If he killed the infants to steal their identities, then I think you'd have a point.

    (Note: I don't actually know anything about this guy or what he did)

    --
    which is totally what she said
  11. Security-Convenience tradeoff by Superken7 · · Score: 4, Interesting

    Would you agree that mostly there exists a tradeoff between security and convenience? If so, how much security (or convenience) do you think is worth sacrificing for the other?

  12. How did you choose your targets? by Rizimar · · Score: 2

    When you were hacking and breaking into systems, how did you decide which ones to break into? Was it because of the difficulty/ease of doing it with different security setups? Or was it because of the actual people/corporations/entities behind the servers and what they stood for?

  13. Anon & Lulzsec by zero0ne · · Score: 5, Interesting

    What are your opinions on the actions of groups like Lulzsec & Anon? Do you feel that they will, in the end, expand freedom on the net or just help government tighten the noose on internet restrictions?

  14. Hi, Kevin. I'm one of your victims. by Remus+Shepherd · · Score: 4, Interesting

    Hi, Kevin. I was told that my credit card information was among the thousands you stole from Netcom, way back in the day.

    I won't ask you what you did with the credit card info you stole, that might cause problems with self-incrimination. I wouldn't want that, oh no.

    So let me ask this: How does it feel to be a 'respected' member of the security community now, after having frightened and hurt so many people back then? How does it feel to have the hacker community regard you as a hero when you've done some of the most amoral and harmful acts in modern computing history? I guess what I'm really asking is, how well do you sleep at night? Honestly.

    --
    Genocide Man -- Life is funny. Death is funnier. Mass murder can be hilarious.
  15. Computer Setup by Anonymous Coward · · Score: 5, Interesting

    What is your computer setup? I mean hardware, OS, software you use to work.

  16. SSA by Anonymous Coward · · Score: 5, Funny

    Has the gal from the Social Security Administration claimed her kiss? if so, was she hot?

  17. A question & follow-up by Pollux · · Score: 3, Interesting

    What is the primary purpose of hacking? Has this purpose remained constant over the decades, or has it changed from your rise as a hacker up to today?

  18. Why wait? by jeffmeden · · Score: 5, Interesting

    TFA asserts that "Mitnick has agreed that any profits he makes on films or books that are based on his criminal activity will be assigned to the victims of his crimes for a period of seven years following his release from prison." The summary asserts that this is the reason you chose to wait before arranging for the publishing of a personal autobiography.

    Given you had the opportunity to publish a copyrighted work and sell it for a profit prior to the release of your "official autobiography" under the pretense that the profits would be sent to the victims of your crimes (a number of which included theft of trade secrets and violation of copyright), why have you chosen to wait until the end of the agreement so that you could personally profit from this? And in a related question (unless you have answered it in the first), do you believe all of your crimes were victimless, some were, or perhaps none were?

    1. Re:Why wait? by FrangoAssado · · Score: 2

      Well, given how much he already suffered for his crimes (e.g., eight months in solitary confinement) and how much scumbaggery there was against him during his prosecution, I don't think he feels much sympathy for his victims. For example, from his previous answers to /.:

      Federal prosecutors simply added up all the R&D costs associated with the source code I had accessed, and used that number (approx $300 million) as the loss, even though it was never alleged that I intended to use or disclosed any source code. Interestingly enough, none of my victims had reported any losses attributable to my activities to their shareholders, as required by securities laws.

      Still, if the money from this book had any chance to repair any real damage he did in any meaningful way, I'd agree that it would be decent to publish earlier. I don't think it would, though, and I think it's pretty clear that neither does he.

  19. Re:Remember, kids... by surgen · · Score: 2

    Mitnick made his way by stealing the personal identification of *dead infants*. He's a sociopath.

    Maybe if he stole them for shits and giggles, but the identities of dead infants have two significant properties: They're real identities and they're not in use. If there was another class of people with the same or better potential for clean identity theft, he probably would have stolen their identities too.

  20. Re:anonymous from home? by gshegosh · · Score: 2

    For you, after posting this question - it's not possible ;-)

  21. Re:Cybersecurity Companies by frank_adrian314159 · · Score: 4, Insightful

    I've worked for two of the major AV companies. In both cases, there were enough controls in place that, if it was financially happening, it would have become known. Even if you could have hidden the financials, if there was any sort of "collusion", someone would have leaked hard evidence by now, if only for the notoriety. Your paranoid imagination is just that.

    The bottom line is that malware writers don't need the help. Think of it as information pollution. A manufacturer "saving" a few thousands per years in dump fees can cause a mess that costs millions to clean up. The malware writers' desires to get their botnets up and running to provide themselves collectively with a few million dollars per year are all of the incentive needed to produce the mess that requires billions in prevention and cleanup.

    --
    That is all.
  22. Re:Will the authorities ever understand by Tubal-Cain · · Score: 3, Informative

    It isn't. The crime is the digital equivalents of Breaking & Entering, Trespassing, Vandalism, Industrial Espionage/Sabotage...

  23. Have you ever... by sdguero · · Score: 3, Funny

    hacked your way into a girl's panties?

  24. Why did you never go after Microsoft? by lednik · · Score: 2

    I read the book and absolutely loved it. Best non-fiction I've read in a looong time. As I read it I kept wondering when you'd get to the part where you got into Microsoft's network and snagged the source code to NT or Excel. But you never did. Why not?

  25. Re:anonymous from home? by hvm2hvm · · Score: 2

    everyone was posting as AC and I wanted to be special :D

    --
    ics
  26. Re:Hi, Kevin. I'm one of your victims. by Remus+Shepherd · · Score: 4, Interesting

    As soon as I was told about it I canceled the card. Which was a hardship for me, considering I had just gone through a divorce and I was in bad financial straits at the time. He didn't hurt me much, but he frightened me plenty. There are others who were hurt far worse.

    It frosts my chaps that this guy is treated as a hero by the hacking community. But I suppose people get the heroes they deserve. I was just wondering how Kevin feels about that.

    --
    Genocide Man -- Life is funny. Death is funnier. Mass murder can be hilarious.
  27. Re:Will the authorities ever understand by gnick · · Score: 2

    Right - "I wasn't in her house to rob her, I just wanted to see what was in her fridge and see what kind of undies she liked."

    --
    He's getting rather old, but he's a good mouse.
  28. Re:Hi, Kevin. I'm one of your victims. by icebraining · · Score: 4, Insightful

    The people who shouldn't sleep well at night is whoever thought credit cards were a good idea. Mitnick was responsible for 'stealing' 20k cards - they're responsible for all.

    Seriously, a system where you have to give all the authorization info necessary to charge money to the company/person you're paying, and where there's only one single set of numbers, making it impossible to revoke access without canceling the whole card?
    Who can trust it?

    I don't know about yours, but here we have accounts where we can set up 'direct debits', which not only can have limits, but can be revoked on an individual basis without affecting the account. This is the minimum for a decent payment system.
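
The design point in the comment above (one bearer secret handed to every payee, versus per-payee authorizations with limits that can be revoked one at a time) can be shown in a few dozen lines. The code below is an added example, my own and not the commenter's; balances, payee names, limits and the test card number are all constructed values. It runs the same breach scenario against both models: a number or token leaks from one payee, and we look at what the attacker can do and what the account holder has to give up to stop it.

```python
"""Two toy payment-authorization models, added as an example (not code
from the page or from the commenter). Account balances, payee names and
limits are constructed values.

CardAccount: one bearer secret (the card number) shared with every payee.
MandateAccount: each payee gets its own capped, individually revocable token.
"""
import secrets
from dataclasses import dataclass, field


class CardAccount:
    """Single bearer secret: anyone holding the number can charge any amount
    until the whole card is cancelled."""

    def __init__(self, balance):
        self.balance = balance
        # Constructed test number; not a real card.
        self.pan = "4111" + "".join(str(secrets.randbelow(10)) for _ in range(12))
        self.cancelled = False

    def charge(self, presented_pan, amount):
        if self.cancelled or presented_pan != self.pan or amount > self.balance:
            return False
        self.balance -= amount
        return True

    def cancel(self):
        """The only revocation this model offers: it cuts off every payee at once."""
        self.cancelled = True


@dataclass
class Mandate:
    payee: str
    per_charge_limit: int
    token: str = field(default_factory=lambda: secrets.token_hex(16))
    active: bool = True


class MandateAccount:
    """Per-payee authorizations: a leaked token is bound to one payee, capped,
    and can be revoked without touching the others."""

    def __init__(self, balance):
        self.balance = balance
        self.mandates = {}      # token -> Mandate

    def grant(self, payee, per_charge_limit):
        m = Mandate(payee, per_charge_limit)
        self.mandates[m.token] = m
        return m.token

    def revoke(self, token):
        if token in self.mandates:
            self.mandates[token].active = False

    def charge(self, token, payee, amount):
        m = self.mandates.get(token)
        if m is None or not m.active or m.payee != payee:
            return False
        if amount > m.per_charge_limit or amount > self.balance:
            return False
        self.balance -= amount
        return True


def compare_models():
    """Run the same breach scenario against both models and report outcomes."""
    card = CardAccount(1000)
    leaked_pan = card.pan                                   # taken from a breached payee's file
    card_fraud = card.charge(leaked_pan, 500)               # True: nothing marks the attacker
    card.cancel()                                           # the holder's only remedy
    card_honest_after = card.charge(card.pan, 10)           # False: honest payees cut off too

    acct = MandateAccount(1000)
    gym_token = acct.grant("gym", per_charge_limit=50)
    isp_token = acct.grant("isp", per_charge_limit=80)
    leaked_token = gym_token                                # same breach, mandate model
    fraud_other_payee = acct.charge(leaked_token, "attacker-shop", 40)   # False: payee mismatch
    fraud_over_limit = acct.charge(leaked_token, "gym", 500)             # False: over the cap
    acct.revoke(gym_token)                                  # revoke only the compromised mandate
    gym_after = acct.charge(gym_token, "gym", 40)           # False: revoked
    isp_after = acct.charge(isp_token, "isp", 60)           # True: unaffected
    return {
        "card_fraud": card_fraud,
        "card_honest_after_cancel": card_honest_after,
        "mandate_fraud_other_payee": fraud_other_payee,
        "mandate_fraud_over_limit": fraud_over_limit,
        "mandate_revoked_payee": gym_after,
        "mandate_other_payee_still_works": isp_after,
        "mandate_balance": acct.balance,
    }


if __name__ == "__main__":
    for name, outcome in compare_models().items():
        print(f"{name}: {outcome}")
```

The mandate model is a least-privilege design: each payee holds only the authority it needs, and compromise of one authorization is contained to that payee and that limit. Real card networks have since added tokenization and virtual card numbers that approximate this, but the comment's complaint about the underlying bearer-secret model stands.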

  29. Re:Hi, Kevin. I'm one of your victims. by Hatta · · Score: 3, Insightful

    The reason was something akin to the fact that because the DA told the judge that Mitnick had the ability to call up NORAD and whistle in the phone and cause all sorts of havoc on our defense system, part of his sentencing stipulated that he be kept away from telephones.

    This is the reason prosecutors should not have immunity. Solitary confinement is torture. DA tortured Mitnick based on a completely implausible rumor. Both the DA and the judge that signed off on it belong in jail.

    --
    Give me Classic Slashdot or give me death!
  30. Re:Hi, Kevin. I'm one of your victims. by inkscapee · · Score: 2

    The people who shouldn't sleep well at night is whoever thought credit cards were a good idea.

    Good, blame the victim. Mitnick was a thief and con man. I suppose you believe that people should only do the right things when they're forced to.

  31. Re:Hi, Kevin. I'm one of your victims. by Anonymous Coward · · Score: 2, Informative

    Hi, Kevin. I was told that my credit card information was among the thousands you stole from Netcom, way back in the day.

    You moron.

    He didn't 'steal' anything. That file with credit card numbers had been floating around for MONTHS. He was only guilty of having a copy, not for being the one who 'stole' it.

    http://blockyourid.com/~gbpprorg/2600/the_world.txt
    "With regards to the credit card numbers, this is far more misleading. For one thing, only one computer system (Netcom) had its credit card numbers accessed, not "computer systems around the nation." And this compromise was not even news; the Autumn, 1994, issue of 2600 reported it nearly half a year ago. Apparently, Netcom did nothing to secure the credit card numbers of its subscribers and, despite multiple warnings and basic common sense, kept this sensitive information online."

    "Little mention is made of the fact that not one of the 20,000 credit card numbers lying around on Netcom was ever used by Mitnick, nor was he ever suspected of benefiting financially or causing any damage."
    [emphasis mine]

  32. Re:Hi, Kevin. I'm one of your victims. by Nyder · · Score: 3, Funny

    Hi, Kevin. I was told that my credit card information was among the thousands you stole from Netcom, way back in the day.

    I won't ask you what you did with the credit card info you stole, that might cause problems with self-incrimination. I wouldn't want that, oh no.

    So let me ask this: How does it feel to be a 'respected' member of the security community now, after having frightened and hurt so many people back then? How does it feel to have the hacker community regard you as a hero when you've done some of the most amoral and harmful acts in modern computing history? I guess what I'm really asking is, how well do you sleep at night? Honestly.

    Seriously, put the kool-aid down.

    First, when did Kevin Mitnick get into credit card stealing? Granted it's been a while, I don't recall that being in any of the charges against him. And if he was stealing credit card info, I would imagine that would be part of the charges against him.

    Second, Netcom isn't even listed in the targets he hit.

    I'm going to guess, netcom fucked up, and to save face, they blamed Kevin Mitnick, and sent everyone info saying it was him, so you'd be pissed (which you still are) at him, when he wasn't the one responsible.

    So, how does it feel to be played? Twice even? Seems like Netcom screwed ya twice. Hope you got a reach around with that.

    --
    Be seeing you...
  33. Re:Hi, Kevin. I'm one of your victims. by Nyder · · Score: 2, Insightful

    As soon as I was told about it I canceled the card. Which was a hardship for me, considering I had just gone through a divorce and I was in bad financial straits at the time. He didn't hurt me much, but he frightened me plenty. There are others who were hurt far worse.

    It frosts my chaps that this guy is treated as a hero by the hacking community. But I suppose people get the heroes they deserve. I was just wondering how Kevin feels about that.

    The more you post, the more you seem like a complete idiot.

    Of course, your too stupid to understand, but whatever.

    All Kevin ever did was show that people are stupid everywhere, and your post confirms this.

    Please, I need some proof that he hacked Netcom and stole credit card info, because all I've found is some "alleged that Kevin broke into Netcom and stole credit card info"; of course, it goes on to say that credit card info was commonplace on the net.

    So, like I said in my other post to you, you got played by Netcom.

    Netcom security sucked dog shit, and they got broken into. They then decided to blame Kevin Mitnick, because he was hacker public enemy #1.

    That is not unlike how we blame terrorist for everything today.

    You sir, not only need to turn your geek card in, you need to stop posting.

    Where did you buy your low UID from? Because it's apparent you haven't been on here that long and still be so clueless.

    --
    Be seeing you...
  34. Hi, Kevin. I'm a troll. by Mr.+Firewall · · Score: 3, Funny

    How does it feel to be blamed for other people's stupidity? I mean, when someone is too stupid, or lazy, to secure their systems and allows my personal information to get stolen, how does it feel when I blame you instead of the idiot that didn't take security seriously?

    I guess what I'm really asking is, when someone hides their housekey under the doormat and some thief uses it to walk into their house and take stuff, how do you sleep at night?

    Honestly.

    --
    In times of universal deceit, telling the truth gets you modded -1 Troll
  35. Re:Hi, Kevin. I'm one of your victims. by amicusNYCL · · Score: 2

    Of course, your too stupid to understand, but whatever.

    That line simply screams "Brilliant!"
    But whatever.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  36. Re:Hi, Kevin. I'm one of your victims. by Phil+Urich · · Score: 2, Interesting

    So I assume that your credit card info getting into Kevin's hands caused you grievous financial harm? Oh, it didn't? Well then.

    I've yet to hear about any truly harmful acts Kevin Mitnick ever "perpetrated". Maybe I just never heard about something truly terrible and destructive, but I have my doubts.

    --
    I remember sigs. Oh, a simpler time!