The real highlight of the show, though, was the talk by Kevin Mitnick, one of the first documented hackers.
He began with an example of a simple hack-a picture of the front of someone's American Express card, complete with the security code, which he had snapped at dinner the night before.
Next, Mitnick explains how his career as a hacker unfolded.
- At 12, he discovered how the Los Angeles bus system ticket-punching system worked, went Dumpster diving for blank transfer paper, rode the bus for free and gave free rides to people waiting at bus stops.
- In his teens, Mitnick was cracking phone systems-making free calls, looking up unlisted numbers and so on. (Steve Jobs, the founder of Apple, started out the same way.)
- In computer class, Mitnick's first assignment was to write a program to find the first 100 Fibonacci numbers. He instead wrote a program to simulate the login prompt at a teletype, capture the password and log into the system.
- Mitnick ultimately became most known for, and most successful, using social engineering techniques to steal, among other things, the source code for VAX/VMS, for which he eventually went to prison. (He was released in 2000 and forbidden from profiting from books or films based on his criminal activity for seven years.)
Kevin Mitnick tells the story of his exploits (and prison time) in his second book, Ghost in the Wires, published in 2011.
Feature: 10 More Infamous Hacks and Hackers
Social engineering is an alternative to "hard" cracking, which exposes ports and weaknesses in software. Instead, Mitnick simply convinced people that he deserved to have key information-user IDs, passwords and, after his first arrest in 1988, when he was on the run from an outstanding warrant, birth and death certificates in order to create a new identity.
Security Professionals: Trust No One
Mitnick's success with social engineering was one recurring theme of GrrCon. Any hardened, secure, asset can be compromised by a single bad judgment about whom to trust.
The other theme? Trust no one.
At one point, I hear that a company, Southfield, Mich.-based 24x7 Security, is hiring. I ask for a picture and quick interview with the company's representative at GrrCon, reckoning that a mention on CIO.com could help lead to new hires. He assumes I am doing some sort of social engineering attack and won't tell me his name or let me take his picture.