Kevin Mitnick: The hacker extraordinaire speaks out on security
OVER THE LAST decade, Kevin Mitnick has worn many identities: cyberspace cult icon,
fugitive on the Federal Bureau of Investigation's Most Wanted list, former federal
prisoner, and now a man trying to reinsert himself into society.
Granted release last January after five years of time served at the Federal
Correctional Institute at Lompoc, Calif., Mitnick must wait at least two more years
before he can legally touch a computer keyboard, check e-mail, or surf the Internet.
That's part of the price Mitnick, one of the world's most legendary hackers, must pay
per his negotiated guilty plea on five felony counts. Mitnick had faced 25 counts on
federal charges that he committed wire fraud and illegally removed computer files from
Nokia and Sun Microsystems.
Turning his computer talents to the written and spoken word these days, Mitnick is
edging himself back into public view through speaking engagements and literary
critiques; he recently reviewed a how-to guide for personal identity theft called
Who Are You: The Encyclopedia of Personal Identification, by Scott French.
Mitnick recently spoke with InfoWorld reporter Brian Fonseca, sharing some
of his thoughts on the modern-day perception of hacking, how the Internet has changed
computing, and the state of online security risks and digital identity theft.
InfoWorld: Do you think that step-by-step instructions found online and in print
detailing methods of hacking or ways to commit identity theft belong in public hands?
Mitnick: I'm a proponent of free speech and the freedom of information, and that
kind of goes into why I got involved with hacking. Not on the freedom of software or
the information being proprietary -- I'm talking about how to do something. I believe
in the right to publish this. However, it's the same issue in the computer security
space with publishing vulnerabilities. The controversy is over publishing
vulnerabilities or not publishing them. They both have their pros and cons. Somebody
could read Scott [French's] book and take it step-by-step and create a new identity and
maybe clone someone's identity for identity theft and steal their money and property
InfoWorld: In Scott's book, he said it's up to the users to safeguard themselves
from computer and personal identification theft. Do you agree?
Mitnick: All my identification information is public record, like my social
security number -- you can probably find it on the Web because somebody put it in the
book. Anybody could pretty much apply for my birth certificate and probably get away
with it because the information is readily available. If they want to do that, that's
fine. They'll probably bite off more than they can chew. With the average person,
usually if somebody has some fraudulent intentions, it's for financial gain. So what
[criminals] are going to want to do is establish credit under [a stolen] name. They can
basically adopt your credit profile. I [also] know a lot of people that haven't been
accused of any criminal activities [because they] were really privacy advocates. They
establish a new identity, not for fraudulent purposes to deceive or steal money or
property, but for the process of protecting one's own property. People have multiple
identities for that reason.
InfoWorld: What's your opinion of the state of privacy and personal identification
Mitnick: I think there's vulnerability there. Authentication these days is
basically based on something you know, like a password or something you have or an
access device or biometrics, and I guess what protects the confidentiality of
information now is cryptography. One of the weaknesses that is easy to take to the
physical space is how does the certificate authority -- when you obtain a certificate --
really know that you are who you say you are?
InfoWorld: What do you think about some of the security breaches that have happened
in the last eight months to a year, such as the "I Love You" virus?
Mitnick: I don't really consider that a security breach. "I Love You" is just
online vandalism in my mind. Hacking in my mind is a skill set. People can take that
skill and use it in any way that their conscience lets them use it. People can use it
to do good things or bad things.
InfoWorld: As you know, there is conflicting public opinion on the state of hacking
today -- are hackers rogues or cavaliers?
Mitnick: I think what's happening is the public [thinks], because of how the media
reports all these bad things, [that] only bad things are being done by hackers and that
it's a bad thing to be labeled as a hacker. But it was honorable back when I
started. When I was hacking myself, it was kind of like an OK thing. And then what
happened was society changed around me, and it became not OK.
InfoWorld: So, in the past, the skill was appreciated rather than seen as malicious?
Mitnick: Right. Now it's only seen as malicious, [although] there are a lot of
different characterizations. Like you characterize a person as a cracker rather than a
hacker -- because that's the one that breaks into a system, and I don't consider them
[a hacker]. I really don't think I ever was the malicious hacker, and by malicious I
mean wanting to cause anybody harm or trying to profit. I broke the law and was
definitely mischievous. ... I don't think it's clear what the definitions are today.
But I can tell you that whether it's the "I Love You" worm or breaking into Microsoft
or snooping in your girlfriend's e-mail account, it's all going to be considered
hacking by the mainstream media. Therefore, it becomes a problem.
InfoWorld: Does a hacker really have the opportunity to explain his or her
intentions, or is it perceived as a black-and-white issue?
Mitnick: Yes, in magazines and stories. I was labeled on the front page of The
New York Times as breaking into NORAD and wiring the FBI, and I never did those
things. I was never accused by the government or prosecuted or convicted on any of
those things. Yet The New York Times claimed it as fact, and that is probably
one of the biggest reasons why I sat in prison for four and a half years without a
trial. I became the poster boy, and a lot of it was because of the image. People wanted
to make money off of my coattails. You know my argument is yes, I broke the law and I
deserved to be punished, but my case was really taken to the extreme. When I was in
prison, they put me in solitary confinement at one point because they said I could
launch missiles by whistling into a telephone. They told that to a judge. And then, the
other time, they put me in solitary confinement for a week because they thought I could
take my AM/FM Walkman that you can buy in the prison commissary and turn it into a bug
and break out of jail and bug the warden's office or something. They actually thought I
was going to make a transmitter out of it. I don't know where they got the idea --
maybe one of the prison officials watched MacGyver. But that's how ridiculous it
was, and I'm kind of bitter over that experience because of the stupidity.
InfoWorld: How have things changed since the initial arrest and your incarceration?
Mitnick: The explosion of the Internet for one. Since I was incarcerated, the
Internet wasn't like it is today. With all the research the government and
universities use now, [the Net] is just a conduit for doing business. Now people can
get a global market share and at the same time reduce their costs. With business
partners and customers and suppliers and all this sort of thing, now security has moved
to the top of the list of importance.
InfoWorld: You did the time for the crime that you admitted. What has the
experience taught you?
Mitnick: Don't trust the federal government. It doesn't go over very well. That's
the lesson I learned. They have power and they can do anything they want, and the best
thing to do is to stay out of their hair. Other than that, with respect to hacking, I
encourage it, but only to the point where you don't affect anybody else because there's
a price on systems nowadays. If you can, go buy a desktop computer for probably 500
bucks and run [a program] on it or one of these open-source operating systems, and you
can have the challenge of breaking into a system. The only thing it doesn't give you is
the thrill of being somewhere where you really shouldn't be. Some people will want the
thrill of doing something they shouldn't, and they take the risk. But I wouldn't
encourage this because you can at least get the intellectual challenge portion met by
experimenting on your own systems or even networking your systems with a group of
people. The stakes are much higher [today] because there are so many connected systems,
and one glitch or one hack in one spot can really cause a ton of damage.
InfoWorld: So what are you up to these days? A radio gig?
Mitnick: Yes, with KFI Talk Radio. I'm going to be probably starting that in
January and then also making my living by speaking engagements, but I'm restricted [as
to] where I can travel, so they are far and few between. I'm doing interviews and also
writing articles. I critique computer magazines. I'm learning to be a writer as well.
It's hard to do without a computer. I'm not allowed to use a computer.
InfoWorld: Is that part of the terms of your parole?
Mitnick: I'm on supervised release. It's not parole. It's probation.
InfoWorld: How long does that last?
Mitnick: For another two years.
InfoWorld: So in two more years you're free of all restrictions?
Mitnick: Yes, on January 20th, 2003. Now, the probation department has full
control. They could allow me to do anything. All my conditions are under discretion,
but I have no degree of trust. You know it's easier for them to say no, that way they
cover their ass and they don't have to take risks.
InfoWorld: If you can't use a computer to write, what do you use?
Mitnick: I use an electronic typewriter, and I hire people to help me, and I work
with them over the telephone. My dad has a computer at the office and sometimes he has
his secretary [help] or he will type in things for me.
InfoWorld: When can we expect the autobiography?
Mitnick: I just was propositioned to do a book on social engineering by Wiley and
Sons, so I'm excited about that.