Kevin Mitnick Answers
Last week, you asked Kevin Mitnick questions about his past, his thoughts on ethics and disclosure, and his computer set-up. He's graciously responded; read on for his answers. (No dice on the computer set-up, though.) Thanks, Kevin.
Do you own a Guy Fawkes Mask?
by blair1q
Do you own a Guy Fawkes mask, or have an opinion of Anonymous' activities?
Anon & Lulzsec
by zero0ne
What are your opinions on the actions of groups like Lulzsec & Anon? Do you feel that they will, in the end, expand freedom on the net or just help government tighten the noose on Internet restrictions?
Kevin Mitnick: Sorry, I do not own a Guy Fawkes mask.
I don't think you can look at Anonymous as a single collective group. There appears to be many factions of it. Some are out there performing hacktivist activities that are being pursued with the true desire of keeping information free and holding our leaders accountable for their actions. Performing civil disobedience through illegal activities is probably not the preferred method, but I can understand what motivates these individuals.
As far as Lulzsec and other groups under the Anonymous banner that are just doing it for the "lulz," it reminds me of the prankster activities that many hackers have been involved in the past. This is part of the culture. Many of the attacks performed by these groups were going after the low-hanging fruit, and those vulnerabilities should have never been open to compromise. We trust these companies with our personal information. It is their responsibility to secure that data to the best of their ability. However, every time a major hack occurs, we are so focused on the attackers and never on the company that left your private information available to be taken. The media feeds this notion.
I don't think that the actions of groups like Anonymous will have much effect on expanding freedom on the net. Though some of their causes may be worthwhile, when you have groups like Lulzsec that just do it for the "lulz," the government has never understood these types of motivations and moves harder to prosecute to make an example. So, the answer to your question is no. I would expect law enforcement would just make it a higher priority to curtail the actions of these kinds of groups.
Do as I do?
by wiedzmin
Do you lead by example, as in encourage hackers to do what you did, so that they can end up as famous and well-paid security consultants? Or are you more of a "do as I say, not as I do" type of role model?
KM: My hacking was always for personal pursuits. I never did it to make money. Naturally, I would try to dissuade anyone involved in legally questionable activities. There are so many opportunities these days to satisfy the challenge of breaking into systems and/or networks without breaking the law.
Though the fact that I am able to work as a professional security consultant and public speaker today is a blessing, the price I had to pay for it was pretty high.
How did you choose your targets?
by Rizimar
When you were hacking and breaking into systems, how did you decide which ones to break into? Was it because of the difficulty/ease of doing it with different security setups? Or was it because of the actual people/corporations/entities behind the servers and what they stood for?
KM: Usually, there was something of personal interest to me. I hacked into companies that developed operating systems to look at the source code. The reason I wanted to look at the source code was to discover security vulnerabilities in the operating system(s) that I could exploit. My goal was to become the best at hacking into any system I desired. To me it was like playing the ultimate video game, but with real world danger and consequences.
Later when I became a fugitive, I compromised cellular phone handset manufacturers to gain access to the handset source code for two reasons: (1) to create invisibility by modifying the firmware in my cellular phone; and (2) for the trophy; the harder the target, the more challenging it was to me.
Hi, Kevin. I'm one of your victims.
by Remus Shepherd
Hi, Kevin. I was told that my credit card information was among the thousands you stole from Netcom, way back in the day. I won't ask you what you did with the credit card info you stole, that might cause problems with self-incrimination. I wouldn't want that, oh no.
So let me ask this: How does it feel to be a 'respected' member of the security community now, after having frightened and hurt so many people back then? How does it feel to have the hacker community regard you as a hero when you've done some of the most amoral and harmful acts in modern computing history? I guess what I'm really asking is, how well do you sleep at night? Honestly.
KM: I did take a copy of the entire Netcom database, which also included the subscriber's credit card information, depending on the subscriber's payment method. I was never interested in the credit card information itself, only the user information associated with it that would allow me to reset passwords of Netcom users. The fact is, I was not the only one with these credit card numbers. That database had been circulating on the Internet for months. I was merely one of many that had access to this information. This entire story is detailed in my new book — Ghost in the Wires — and once you read it, my objective for this hack will become clearer.
Was your identity ever compromised? Was your personal data ever leaked? If so, it wasn't me! That's because I never profited from my hacking activities, and there was never any disclosure of what I had come across or any of the source code materials that I obtained.
You stated: "You've done some of the most amoral and harmful acts in modern computing history?" You really need to get your facts straight. You sound like the government prosecutor who once claimed I could dial into NORAD and whistle into the phone to launch a nuclear missile. Or like the prosecutors who argued I caused 300 million dollars worth of loss by reading proprietary source code. It was a ridiculous argument.
According to the Securities and Exchange Commission rules, if any of the victim companies in my case suffered a material loss, they are required to report it to their shareholders. Did Motorola, Nokia, Fujitsu, NEC, Sun, Digital, and other public companies report any losses attributable to my conduct to their shareholders? Not at all. So did all the above companies defraud their shareholders by failing to report a loss, or did the Federal prosecutors lie in order to get me a harsh sentence? You work it out.
I paid a heavy price for my activities. I sleep like a baby!
Is it cool any more?
by Hazel Bergeron
You have gone from hacker/cracker to security consultant via quite a difficult route. If you just wanted the money, there would have been far easier ways.
Today, the most well-known kiddies tend to do something high profile but requiring little technical brilliance and move quickly to "legitimate" jobs. The majority of "security consultants" don't really have much technical knowledge at all, being more public relations/ass-covering types.
With this in mind, what advice do you have to people who like to study security for its own sake? Should they keep quiet about what they do, developing an academic career so they can research to their heart's content without commercial pressures?
Or does everyone clever sell out in the end?
KM: First of all, I disagree with your assessment that the majority of security consultants don't really have much technical knowledge. I have working relationships with numerous security people that have substantial technical skills. I encourage others to pursue their passion in security in either the commercial world or in academia depending on their goals. Even in an academic career, your pursuits will be limited, as there will always be a line. For many security professionals, they continue to research security, even on their own time, to keep up with new developments and techniques.
Cybersecurity Companies?
by bigredradio
Kevin, do you suspect any collusion on the part of cybersecurity companies such as Kaspersky Labs or Avast! and virus creators? If there were not so many exploits in the wild, would there be a billion-dollar anti-virus industry?
KM: I don't know about Kaspersky but I think it's ludicrous to assert that any anti-virus company would be involved with malware creators. These are large companies and the risk of being involved in this type of unethical behavior is too great.
Responsible Disclosure?
by gcnaddict
Should you find a security vulnerability (either in an open source project, a commercial product, or a company's hosted systems), what procedure would you consider "responsible disclosure" to the parties who are considered owners of the product? I recognize that each of the three cases listed above could vary significantly.
KM: I think you have to notify the developer of the product, so that they may create a solution for the vulnerability. They should be given a reasonable amount of time to correct the situation, and then it should be made public.
NOTE — Kevin clarified with this addition: Note too, I believe the software vendor ought to pay for the vulnerability information as security researchers should be paid for their time.
cybersecurity
by Anonymous
What cybersecurity threats do you see as the most dangerous to the Internet now?
Re:cybersecurity
by zero0ne
What threat do you see as the most dangerous in 2, 5 and 10 years?
KM: Malware is probably the most substantial threat. Not only because it is so prevalent and being crafted better to avoid detection, but also because a large majority of internet users are oblivious to the dangers involved with clicking unknown links, authorizing Java Applets, opening attachments from people they don't know, and are easily fooled by average phishing attacks. People are still the weak link, and even intelligent ones make poor decisions. Case in point, the recent spear-phishing attacks on Google and RSA, which proved highly effective.
Looking into the future is difficult as technology progresses so rapidly. In the next few years, as more and more corporations move towards cloud computing, these servers loaded with information are going to be the new playground for hackers. Layers of security need to be applied in any cloud-computing environment to minimize the risk.
With the recent hacks on Certificate Authorities, I would count on SSL becoming obsolete in the future and being replaced with a new, more robust secure standard, since the "web of trust" is no longer a feasible model.
With the proliferation of consumer devices coming onto the market that are internet-ready, I would expect to see more attacks at the heart of these new technologies. New devices, especially those branded by names like Apple, Microsoft, and Google, always tend to draw the attention of hackers from all over the world.
Cyberwar?
by mewsenews
The minor political movement surrounding your incarceration would likely not happen today. Hacking has become a state-sponsored activity, with China attacking Google and America/Israel attacking Iran. Do you think your life would be a lot different if you were born 10 years later?
KM: If you were asking if the circumstances would have been different had my hacking occurred ten years later, then I would say yes. The prosecutors would not have been able to convince the Court that I was a serious National Security threat, which resulted in me being held in solitary confinement for nearly a year, based on the ridiculous claim that I could launch a nuclear weapon by whistling into a phone. Also, they would not have been able to claim the damages were the total R&D costs associated with the development of source code, which I merely looked at, without distributing it. I think my sentencing and treatment in the justice system would have been much different, as they would not have been able to exaggerate the harm like the Government did in my case.
Computer Setup?
by Anonymous
What is your computer setup? I mean hardware, OS, software you use to work.
KM: You send me yours along with the IP address, and I'll tell you mine. Good try at information reconnaissance.
SSA
by Anonymous
Has the gal from the Social Security Administration claimed her kiss? If so, was she hot?
KM: No, I don't know if she was hot and she has yet to contact me.
Ham radio license?
by vlm
Are you going to fight to get back your ham radio license or is that all water under the bridge now?
KM: I did fight the FCC and still have my ham radio license. The FCC allowed me to retain my license because they deemed me fully rehabilitated after a long administrative court proceeding.
"Justice ... "
by capnkr
Having experienced "justice" of a rather harsh sort (IMO, & possibly yours, too :) ) given that what you did was relatively inconsequential despite the claims otherwise, do you now do any work towards helping keep the sort of experience you had from happening again to other hackers (note: *not* 'crackers')?
KM: I have, and I do. I don't want to see someone's curiosity or desire to learn how to break into systems land him or her into prison. I remember supporting Dmitry Sklyarov when he was arrested at Defcon for exposing a bug in Adobe's e-books. I remember joining a group of people that were protesting his arrest for alleged DMCA violations in Santa Monica, California a while back.
In the end...
by NabisOne
Was it worth it? Is there an upside to your experiences the last ten years?
KM: I have no regrets in regards to my hacking experiences. I have always had a passion for learning, solving difficult challenges, and satisfying my own curiosity.
However, I do regret the effects that my activities had on my family and the companies that were damaged by my actions. I can't undo the past, and can just move forward to try and help others keep themselves safe from those trying to do them harm.
My recent experiences of the last 10 years have been nothing short of a miracle. One word has changed that for me: authorization! I now get authorization from my clients to test their security controls.
The CA setup using SSL has never relied on the /web of trust/ model (where you can say how much you trust your neighbours); it has always relied on the /chain of trust/ model (where all trust is inherited).
However, I agree that our CA setup should be clearly moribund now.
Also FatPhil on SoylentNews, id 863
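The distinction FatPhil draws above (trust inherited down a chain from a root, rather than weighted trust in neighbours) is easiest to see in code. The following is an added example, not code from the page or from any commenter: a toy chain-of-trust validator modelled loosely on X.509 path validation. Everything here is constructed; the "signature" is an HMAC keyed with the issuer's key so the example runs with the Python standard library alone, standing in for a real asymmetric signature (in a real PKI the verifier holds only the issuer's public key). The CA names, keys and hostname are invented.

```python
"""Toy chain-of-trust validation (added example; constructed data throughout)."""
import hashlib
import hmac
import json


def _tbs_bytes(cert):
    """Canonical bytes of the to-be-signed fields (everything except 'sig')."""
    tbs = {k: v for k, v in cert.items() if k != "sig"}
    return json.dumps(tbs, sort_keys=True).encode()


def issue(issuer, issuer_key, subject, is_ca):
    """`issuer` signs a certificate for `subject`; `is_ca` mirrors basicConstraints.
    HMAC stands in for a real signature here (assumption for a stdlib-only demo)."""
    cert = {"subject": subject, "issuer": issuer, "ca": is_ca}
    cert["sig"] = hmac.new(issuer_key, _tbs_bytes(cert), hashlib.sha256).hexdigest()
    return cert


def sig_ok(cert, issuer_key):
    expected = hmac.new(issuer_key, _tbs_bytes(cert), hashlib.sha256).hexdigest()
    return hmac.compare_digest(cert["sig"], expected)


def verify_chain(chain, trust_anchors, keys, hostname, pins=None):
    """Chain of trust: leaf first, each cert signed by the next, last one signed by an anchor.

    trust_anchors: root names the client trusts unconditionally (its trust store).
    keys: name -> verification key for every CA (public keys in a real PKI).
    pins: optional set of CA names allowed to vouch for this hostname.
    Returns (accepted, reason).
    """
    if not chain or chain[0]["subject"] != hostname:
        return False, "leaf does not name the host"
    for i, cert in enumerate(chain):
        issuer = cert["issuer"]
        if issuer not in keys or not sig_ok(cert, keys[issuer]):
            return False, f"bad signature on {cert['subject']}"
        if i + 1 < len(chain):
            parent = chain[i + 1]
            if parent["subject"] != issuer or not parent["ca"]:
                return False, f"{issuer} may not vouch for {cert['subject']}"
        elif issuer not in trust_anchors:
            return False, f"chain ends at untrusted root {issuer}"
    # Trust is inherited: nothing above asks whether *this* root should be vouching
    # for *this* host. Pinning is the client-side check that adds that question.
    if pins is not None and not pins & {c["issuer"] for c in chain}:
        return False, "chain does not pass through a pinned CA"
    return True, "ok"


# Constructed test fixture: two trusted roots, one untrusted, one intermediate.
KEYS = {"Root-A": b"k-root-a", "Root-B": b"k-root-b", "Root-C": b"k-root-c",
        "Inter-A": b"k-inter-a"}
TRUST_STORE = {"Root-A", "Root-B"}
HOST = "mail.example.test"

inter_a = issue("Root-A", KEYS["Root-A"], "Inter-A", is_ca=True)
leaf = issue("Inter-A", KEYS["Inter-A"], HOST, is_ca=False)
GOOD_CHAIN = [leaf, inter_a]

# Same name vouched for by a *different* trusted root: what a compromised CA makes
# possible, and exactly what the inherited-trust model accepts without complaint.
OTHER_ROOT_CHAIN = [issue("Root-B", KEYS["Root-B"], HOST, is_ca=False)]

# Intermediate that was issued without the CA bit: must not be allowed to vouch.
inter_not_ca = issue("Root-A", KEYS["Root-A"], "Inter-A", is_ca=False)
NON_CA_CHAIN = [leaf, inter_not_ca]

# Chain rooted outside the trust store.
inter_c = issue("Root-C", KEYS["Root-C"], "Inter-A", is_ca=True)
UNTRUSTED_ROOT_CHAIN = [leaf, inter_c]


def demo():
    """Return accept/reject outcomes for each constructed scenario."""
    return {
        "good": verify_chain(GOOD_CHAIN, TRUST_STORE, KEYS, HOST),
        "other_root_no_pin": verify_chain(OTHER_ROOT_CHAIN, TRUST_STORE, KEYS, HOST),
        "other_root_pinned": verify_chain(OTHER_ROOT_CHAIN, TRUST_STORE, KEYS, HOST, {"Root-A"}),
        "good_pinned": verify_chain(GOOD_CHAIN, TRUST_STORE, KEYS, HOST, {"Root-A"}),
        "non_ca_issuer": verify_chain(NON_CA_CHAIN, TRUST_STORE, KEYS, HOST),
        "untrusted_root": verify_chain(UNTRUSTED_ROOT_CHAIN, TRUST_STORE, KEYS, HOST),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT':6} {why}")
```

The `other_root_no_pin` case is the point of the comment: any anchor in the store can vouch for any name, so one compromised or careless CA undermines every site, which is why the interview answer above expects the model to be replaced. The `pins` parameter shows the usual client-side mitigation in miniature: restricting which CAs may vouch for a given host turns an inherited-trust decision back into a local one.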
If you were asking if the circumstances would have been different had my hacking occurred ten years later, then I would say yes. The prosecutors would not have been able to convince the Court that I was a serious National Security threat, which resulted in me being held in solitary confinement for nearly a year, based on ridiculous claim that I could launch a nuclear weapon by whistling into a phone. Also, they would not have been able to claim the damages were the total R&D costs associated with the development of source code, which I merely looked at, without distributing it. I think my sentencing and treatment in the justice system would have been much different, as they would not have been able to exaggerate the harm like the Government did in my case.
They might have used it as an excuse to label him a terrorist though. At least back then they had to work around the law to pull off such shady stuff...
Come on, we're all adults here. So let's cut the bullshit and call a spade a spade. Government doesn't "tighten the noose" on human rights (including freedom of speech), nor do they "crack down" or cause "erosion". All of those terms imply that there was something immoral or unjust about what the victims were doing in the first place, and government (the criminal) is merely getting around to dealing with it, business as usual. As if government had more important things to worry about, but now the time has come to "crack down" on what they "should have" cracked down on long ago.
This couldn't be further from the truth, and almost sounds like it came straight out of a propaganda committee. The correct term for what government is doing is oppression. Human rights can NOT be "eroded" or "tightened"; they can be either respected or oppressed. Period.
Anyone not living free in Mommy's basement is a sellout. There is nothing wrong with paying the bills.
Surely he'll milk his fame for all it's worth. Endorsed mice, keyboards, perhaps a Kevin MitNIC Extr3m3 Networking Card?
Last night Kevin slept like a baby. He woke up three times, wet himself twice and cried himself back to sleep each time. /rimshot
It is hard to tell if what Kevin Mitnick did in the past was harmless pranks or not. In his case from these replies he seems to have paid the price and is now acting like a responsible person. I do not think anybody needs to give him a hard time about the past anymore.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Huh. I wasn't expecting my question to actually be chosen.
In any event, Kevin shows no remorse for being a criminal, which means he essentially still is one. Time served and a stamp of approval by the white hats doesn't matter; what matters is that a person grows from their experiences and becomes better. I see no evidence that Kevin is a better man than he was.
The people defending him should take note that their hero is a crook. And he always will be in my eyes, until I see some contrition and some remorse for what he's done.
Genocide Man -- Life is funny. Death is funnier. Mass murder can be hilarious.
I really enjoyed his book, but it's clear that if you ask him, he hardly ever hurt anyone. It's hard to believe a lot of what he says, since it comes from someone who achieved most of his goals by nonstop lying.
The Daddy casts sleep on the Baby. The Baby resists!
"If so, it wasn't me! That's because I never profited from my hacking activities, and there was never any disclosure of what I had come across or any of the source code materials that I obtained."
If anyone was expecting honest gritty answers they were nuts.
Honestly, he answered everything exactly the way I expected. Nothing at ALL that will be incriminating in any way, nothing revealing, PC and clean. Toe the line of "I was simply a curious kid that got into trouble! Help your local law enforcement!" response. And honestly, after the legal and physical ass-raping they gave him, I also would respond the same way.
The United States government gave him a loud and clear message: "The constitution is a ruse we have in place to pacify the masses. If we get our hands on you we can do to you anything we want and your lawyers can't do shit about what we do to you." Want an example? Let's trot out the ridiculous "whistle launch codes" stunt...
The Government pulled that on him as a clear sample of "we own you and can do what we want to you, so do what we tell you."
Of course all his answers are very PC and very clean. What I want to read is the autobiography he has hidden somewhere to be released upon his death that covers what REALLY happened and names names. I really hope he is writing a detailed and 100% honest book that exposes everything that he is afraid to talk about.
Do not look at laser with remaining good eye.
You send me yours along with the IP address, and I'll tell you mine. Good try at information reconnaissance.
What's the risk in saying I use an AMD based PC/ATX with 4GiB of RAM running Ubuntu? Or that I use Wireshark to diagnose network issues? Or is he buying into obscurity now?
What is your computer setup? I mean hardware, OS, software you use to work.
KM: You send me yours along with the IP address, and I'll tell you mine. Good try at information reconnaissance.
I have to imagine this would be a good deal, provided you could make yourself reasonably secure and reasonably trust his rehabilitation. I mean, no one cares what my hardware, OS, and software I use to work are, whereas "Hey, Kevin Mitnick uses _____" would probably be of interest to a lot of people.
Don't thank God, thank a doctor!
I expected something similar to this AMA but about hacking: http://www.reddit.com/r/IAmA/comments/aca82/i_am_a_former_reverse_engineervirus_writer_amaa/. Waste of time this story.
I saw him on Montel Williams shilling for Lifelock "identity theft insurance". I know, opiate of the masses, but I just happened to be near an idiot box that was tuned to the show, and Montel's been good for a chuckle since the "MOUNTAIN! GET OUT OF MY WAY!" days.
Montel hypes him up as the big bogeyman hacker, then the Lifelock guy comes out and says, "Don't worry! I'll protect you! Sign up now and we'll send you a free shredder so Kevin Mitnick can't come and dig your bank info out of your trash can!"
It reminds me of bear-baiting, except this particular bear never seemed to have any real teeth or claws to begin with.
Okay, let me break into your home, read your personal diary and e-mails on your computer, look through private photos and family albums, browse through your secret box in the closet and sniff your underwear, then leave and say I didn't do anything wrong because I didn't take anything.
Oh please. The poor fanboy just wanted to have the same setup you are using. From your visit to Atlanta in 2008:
(Source: Kevin Mitnick Detained in Atlanta for having computer equipment on flight)
He's said he's sorry. He's assured you that he personally didn't directly cause you financial harm. What else do you want him to do?
As other have noted, this "most amoral and harmful acts" thing is lunacy. Were you frightened? Yeah, probably so. But causing you angst isn't the most amoral and harmful act in modern computing history. Draining your bank account and sending you and your family compelling death threats--now that would probably rank on up there. If he really could whistle into a phone and launch a nuclear missile and actually did it, yeah, that would rank on up there.
As it is, though, you come off as needlessly engaging in hyperbole because, as someone else pointed out, you have a personal ax to grind with the guy. I'm not saying that you weren't hurt by this, but certainly not to the level that you're trying to escalate it.
By the way, one thing I see notably absent from your question and your posts is anger at the company and/or companies that stored your information in a manner in which it was vulnerable to Kevin's attacks. While Kevin bears the lion's share of responsibility for the attacks, the companies certainly aren't blameless. This information--names, credit card info, etc.--is information that is foreseeably valuable to hackers, and they should have taken better precautions to secure it. Have you expressed your outrage to Netcom as well, or are you under the impression that they were merely innocent victims like you, helpless against the mean and evil hackers?
KM doesn't want other "hackers" who are out to "learn" from getting into trouble. I see it as them trespassing on my property.
Here in Texas, trespassers can be shot.
KM is so full of himself, his ego is worse than Steve Jobs'.
You can see he's old-school when he wanted to see the source code to find bugs. Modern reverse-engineering techniques and tools make source code mostly irrelevant, even for embedded devices.
I used to hack (dark side) at the same time but in a more restricted manner than Mitnick (I was never on the run). People accuse him of selling out, of being fake, or exaggerated. To some extent, he has sold out - sold up, and made the best of his situation. He paid dearly for his misdeeds, and had prosecutors lie in order for him to wind up with incarceration a lot longer than he deserved. Don't you think he's entitled to a bit of slack? Shouldn't he be able to make a little money on the side? I haven't bought any of his books, though I have been tempted to. I understand why they bother people, but you have to put them and Mitnick's life in perspective: He spent his youth as a hacker, and then years as a prisoner, then was released and not allowed to touch computers (for a while) - what else did he have to do to support himself? He did the best he could. What else could he do, sink into obscurity and desperation (a la Bill Landreth)? It's not like he could just casually take a job as a SysOp somewhere; his name is too widely known.
How good of a hacker was he, during his heyday? I'd say he was pretty good, from what I could tell. He wasn't as social as many of the others, but he did trade information with other hackers (including myself). He wasn't as reckless as some others who also had great talent (Mark Tabas), even though he was eventually caught, so he must have made some mistakes. He wasn't a destructive bastard, a gangster, a spy, or any other of a myriad nasties. But, when someone has skills which make them a good black-hat, this influences their attainment of other skills. I've never seen any evidence to suggest that he is more than an averagely competent programmer (and I do not claim to be any better). He has a broad knowledge of systems and methods, but these systems are often twenty to thirty years old. Who knows what MIZAR is these days? I am in the same basket - lots of old knowledge, much of the technical stuff is irrelevant these days. There are other skills, hunches, and an intuition brought by years of experience which make Grand Old Hackers surprising in the ways they go about things, and difficult to predict.
Kevin is doing what he does best, as a media figure and security consultant. I doubt any of you naysayers could do much better than if you were in his shoes, post-prison.
Maybe a couple of you might recognize my handle. But I am not famous. I paid for my crimes, but luckily did not have to pay nearly as high a price as Kevin Mitnick did.
Back when Kevin was at the height of his illegal activities I was working at one of the companies he was targeting. His dismissive "all I did was look at the source code" does not begin to cover the havoc his illegal activities caused. The productivity lost trying to find out what he was doing and how he was doing it was huge. The loss of confidence from our customers was impossible to measure.
Is there any way to know for sure he didn't manage to add back doors into the source? Certainly neither he nor any of the target companies are going to readily admit that.
He runs a hacked version of CP/M on a DEC PDP-11 (on an upgraded Fonz-11 chipset) and a 300 baud modem for internet access. After being locked up for so long, he's had a hard time adjusting to all the newfangled gear running around.
Rumor has it the news of his setup emerged when he brought a fried Qbus board into a local Radio Shack looking for some replacement ICs. Since it wasn't an RC car or a cell phone, he had to explain what the board was and what it did. Alas, they had no ICs in stock.
Join the Slashcott! Feb 10 thru Feb 17!
Name someone that got hurt? I'd have to agree with the second part of what you say though.
His goal now is to make money - witness the plug for his new book in the answers. Why else would he even do a slashdot interview now?
I think I just realized who you are. Minor Threat just recently (relatively, anyway) got his computer ban lifted.
Suddenly, I feel old.
I feel ya.
Got out of the game back when phf still meant something.
Sometimes I miss it.
On the upside, our home network is quite nice.
I'm surprised Mr Mitnick has not been diagnosed as a psychopath or as having antisocial personality disorder:
The Diagnostic and Statistical Manual of Mental Disorders, fourth edition (DSM IV-TR), defines antisocial personality disorder (in Axis II Cluster B) as:[1]
A) There is a pervasive pattern of disregard for and violation of the rights of others occurring since age 15 years, as indicated by three or more of the following:
1. failure to conform to social norms with respect to lawful behaviors as indicated by repeatedly performing acts that are grounds for arrest;
2. deception, as indicated by repeatedly lying, use of aliases, or conning others for personal profit or pleasure;
3. impulsiveness or failure to plan ahead;
4. irritability and aggressiveness, as indicated by repeated physical fights or assaults;
5. reckless disregard for safety of self or others;
6. consistent irresponsibility, as indicated by repeated failure to sustain consistent work behavior or honor financial obligations;
7. lack of remorse, as indicated by being indifferent to or rationalizing having hurt, mistreated, or stolen from another;
B) The individual is at least age 18 years.
C) There is evidence of conduct disorder with onset before age 15 years.
D) The occurrence of antisocial behavior is not exclusively during the course of schizophrenia or a manic episode.
He doesn't once apologize or say he feels bad for his victims. He does make a mention of:
However, I do regret the effects that my activities had on my family and the companies that were damaged by my actions. I can't undo the past, and can just move forward to try and help others keep themselves safe from those trying to do them harm.
But I suspect this is more a combination of what he has been coached to say, and the entities that have an impact on him (i.e. his family is probably pissed off at him, and companies are pissed off at him and did pursue him legally).
Minor Threat? Hmm. I wonder how Mucho Mas is doing...
We already trust DNS to decide who can say where something is, why not include the ability to declare that you made it to the right place?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
"Computer Setup?
by Anonymous
What is your computer setup? I mean hardware, OS, software you use to work.
KM: You send me yours along with the IP address, and I'll tell you mine. Good try at information reconnaissance."
Oh come on! That was a general question that he should have answered! I would have liked to know what processor, speed, memory, and OS he was running. Not exactly enough detail to hang anybody or trade secrets. I would expect him to be secret about which applications he modified to break security though.
http://slashdot.org/comments.pl?sid=2403266&cid=37262912
http://slashdot.org/comments.pl?sid=2403266&cid=37247822
http://slashdot.org/comments.pl?sid=2403266&cid=37247744
http://slashdot.org/comments.pl?sid=2403266&cid=37247664
Or in short, I told you so.
Be seeing you...