Posted by Roblimo on Wed Feb 05, '03 12:15 PM
from the black-hat-turns-white dept.
Kevin Mitnick has been crazy-busy with media tours and book promotion stuff, and apologizes for taking so long to answer your questions. But answer he has, at length and in detail, with a brief intro at the start to correct a story in which he says he was misquoted. He has some other things on which he wants to set the record straight, too. Lots of them. Strong stuff here.
I wish to make a correction to a story that was posted about my interview with Yahoo Internet Life magazine several months ago. The author misquoted a statement of mine that I wish to clarify for the entire Slashdot readership.
I had never recommended that the Federal Government establish a DNA database to track our identities or our locations. I explained to the journalist that I believed the government would use DNA as a means of authentication in the future. Of course, many Slashdot readers flamed me for something I never said, or that was taken out of context by the writer. Consider who I am and what I been through. Do you really believe that I would advocate such a thing? Absolutely not!
1) John Markoff (Score:5, Interesting)
Since 1995, we've been subjected to numerous articles, three books, and (for those who have managed to download a copy) a movie mostly based on information written about you by John Markoff. I've heard you rant about his demonizing writings, the damage they did to your reputation (particularly the '95 NYT article), and your inability to refute his assertions at the time since you were trying to avoid arrest. What are the pieces of misinformation that you'd most like to refute, and how much damage do you think the actions of this one reporter has done to your life?
John Markoff had first libeled me in his book, Cyperpunk, which he co-authored with his former wife, Katie Hafner. In and around 1990, Markoff and Hafner contacted me to request my participation for a book about three hackers, including myself. In considering their request, I asked about their budget to compensate me for my time and/or life story rights. Both Markoff and Hafner were unwilling to compensate me as a source, because it was unethical. I explained that it was unethical for me to give them my story for free. We were at an impasse.
Sometime later, Markoff or Hafner gave me an ultimatum to cooperate, or any statement made by any source would be reported as fact. As it turned out, that's exactly what Markoff and Hafner did. Markoff or Hafner interviewed other phone phreaker or hackers, including my co-conspirator, Steven Rhoades and Lenny Dicicco. One or both of these individuals had falsely claimed that I hacked into NORAD in 1983, coincidentally the year Wargames was released. I never attempted to compromise NORAD or any other military installations. Rather than verify the authenticity of their claims with the alleged victims, Markoff and Hafner just wrote their statements as fact.
When published in the early 90's, the book portrayed me as ultimate "Darkside Hacker." I truly believed that both Markoff and Hafner had acted with malice, because I refused to interview or cooperate unless I was paid. The authors made substantial efforts to cast me in the most unfavorable light, supported by false statements, presumably to get even with me and to increase interest in the "story."
Several months after Markoff's book was published, a movie producer phoned with great news: Hollywood was interested in making a movie about the Darkside Hacker depicted in Cyberpunk. I pointed out that the story was full of inaccuracies and untruths about me, but he was still very excited about the project. I accepted $5,000 for a two-year option, against an additional $45,000 if they were able to get a production deal and move forward. When the option expired, the production company asked for a six-month extension. By this time, I was gainfully employed, and so had little motivation for seeing a movie produced that showed me in such an unfavorable and false light. I refused to go along with the extension. That killed the movie deal for everyone, including Markoff and Hafner, who had probably expected to make a great deal of money from the project. Here was one more reason for John Markoff to be vindictive toward me.
I'd never met Mr. Markoff until February 17, 1995, at my second court appearance in Raleigh, and yet Mr. Markoff has literally become a millionaire by virtue of his libelous and defamatory reporting -- and I use the word "reporting" loosely -- about me in the New York Times and in his 1991 book Cyberpunk.
On July 4th, 1994, an article written by Mr. Markoff was published on the front page of the New York Times, above the fold. Included in that article were numerous un-sourced allegations about me that were stated as fact, which even a minimal process of fact-checking would have revealed as being untrue or unproven.
In that same defamatory article, Mr. Markoff falsely claimed that I had wiretapped the FBI (I hadn't), that I had broken into the computers at NORAD (which aren't even connected to any network on the outside), and that I was a computer "vandal" despite the fact that I never intentionally damaged any data I've ever accessed. Mr. Markoff even claimed that I foreshadowed the movie, War Games, when a simple call to the screenwriter of that movie would have revealed that he had never heard of me when he wrote his script.
Many of the same rumors were repeated in Markoff's subsequent New York Times stories of my arrest. Among the same false claims made in his 1994 article, Markoff had accused me of planting a false news story claiming that Security Pacific Bank lost millions of dollars when they withdrew a job offer. This claim is also false. Markoff's exaggerations about me were so egregious that one of the alleged victims in this case, the internet service provider The Well, demanded that Mr. Markoff issue a retraction for Mr. Markoff's overstatement of the damages claimed by him to have been caused by me.
I've learned a great many things in the past decade. I've learned that an unethical reporter for the New York Times who had a vendetta against me, had the power to destroy my life, based on his publication of repeated inaccuracies and outright falsehoods. I'll remind the reader that Mr. Markoff has failed to acknowledge a pre-existing relationship with me and with Tsutomu Shimomura since the publication of his false and defamatory article about me on July 4, 1994. Mr. Markoff has been hiding from the truth in this regard for over eight years.
I have stated repeatedly, that the crimes I committed were wrong, and that I deserved to be punished. I served nearly five years in prison as a result. As I said on the day I was released from Lompoc, I offered to plead guilty to the crimes I committed shortly after my arrest. Sadly, Mr. Markoff demonstrates no such sense of responsibility as he continues to insist his lies about me and my life, qualify as "reporting."
I sincerely believe that the Justice Department would not have labeled me a computer terrorist, and treated me as such, if it hadn't been for Markoff's false and defamatory reporting.
2) What were you thinking? (Score:5, Interesting)
During your escapades which eventually landed you in hot water, you used the EFF account at The WELL to hide the files you stole from T. Shimomura. I'm still trying to figure out why the heck you did that. A simple "last" would have shown you that that was an active account, and you could have guessed that the user was probably technically savvy enough to notice the sudden spike in disk usage. Was that just an act of hacker hubris, or were you just not paying attention? Ultimately, it's what led to your downfall (FBI monitoring your keystrokes, live tracing of IPs) so I am well and truly curious.
I wasn't the only person who had access to Mr. Shimomura's computer systems and was storing information on The Well. Interestingly enough, the government never investigated the existence of any co-conspirators, once I was arrested. Kevin Mitnick was the only fish they wanted to fry.
Any accounts that were used by me had been dormant for at least three months. I changed the password to the account and shared it with other hackers. I overlooked checking cron for any scheduled scripts that were looking for disk hogs. We were discovered after a user was notified via a cron process that complained about our excessive disk usage. At the time, we didn't really care because the Well only contained a backup of the information we had stored. The same files were mirrored on several sites in the Netherlands, among others, that Shimomura and the FBI had never found. (No, I don't have any copies.)
While accessing the Well, I was carefree because my location was masked through many other computer systems and the cellular telecommunications network. I could have taken precautions by installing a covert backdoor to avoid the typical UNIX accounting and logging, but I didn't bother.
To avoid any traps and traces, I routinely compromised the local exchange carriers and cellular providers to gain access to their switches. Even if my connection was identified, I routed my data calls in a certain way that was very difficult to track in a reasonable amount of time. In one report, Shimomura had claimed that he and the FBI were unsuccessful at tracing any calls to the point of origin, but were only able to identify the cellular carrier.
As for avoiding detection, I underestimated the speed of the pursuit and that the FBI had been sharing confidential information, such as trap and trace data with Shimomura. Instead of tracing inbound calls, the cellular carrier did a terminating number search in their billing database searching for known Netcom POP dialups. As expected, the carrier identified the cell site and the MIN (mobile identification number) I was presently using. Since I changed my number on at least a daily basis, the cellular engineers monitored the cell site for anyone initiating data calls. Shimomura, Markoff, and the cellular provider's engineers used a Cellscope 2000 to trace the cellular radio signal to its origin (my location.)
Since I had just relocated to Raleigh within the last two weeks prior to my arrest, I was not vigilant in checking the dialup lines I used for caller line identification (trap and trace). Within hours of my arrest, I accessed the DMS switch only to notice that CLI (Caller Line Identification) had been put on the dialup hunt group assigned to Netcom in Research Triangle Park. I immediately started to investigate the extent of the surveillance and the party responsible for initiating the trap request. I found that an unidentified individual had accessed an account I was using at escape.com, from the Well's subnet. As I started to track down any logging of my activity, the U.S. Marshal Service and the FBI knocked on my door.
3) How Do You Plan on Getting Up to Speed? (Score:5, Interesting)
I have read a bit about you, so I know that you were no slouch back in the days prior to your incarceration and release...but if you have actually stuck with the limits of your probation how are you planning to jump into consulting again?
Don't get me wrong, but you can only advise people on social engineering and easy passwords for so long ... what kind of knowledge did you already have on PKI, VPNs, Firewalls, IDSes? There seems to be so much that has changed that just a cursory understanding of the principles behind these technologies does not seem sufficient to serve as a consultant (or at least one I would pay for).
Since so much has changed radically in the last few years, how have you kept up or do you plan to keep up at the moment? I can't see just reading a book on the latest OS specs and administrative tasks and being able to consult on them without hands on experience, and in your case you have quite a few years of language, os, security, and other operational technology advances to get up to speed with, etc.
So basically....what's you game plan to get back to a modern day equivalent of the proficiency you had several years ago?
There's a widespread misconception that I only used social engineering attacks to compromise my targets. Not so. I do admit, however, that social engineering was extremely effective in reaching my goals without resorting to using a technical exploit. I would look for the weakest link in the chain that was the least risk and cost to me. This involves looking at the big picture, rather than focusing on a single access point. For instance, if an attacker can walk into the server room without much chance of detection, that's all she wrote.
You are correct that security technologies have evolved in the last decade. I haven't been living in a vacuum, even though the Bureau of Prisons made efforts to restrict my reading material. I've kept up with the many trends in the industry and have been able to use computers for the last year prior to the expiration of my supervised release, as long as I didn't access the Internet. I have plenty of previous experience working with security technologies such as firewalls, operating systems, configuration and patch management. As far as PKI and IDSes, I've kept up with the technology by reading until the time I was finally permitted to use computers in January, 2002. Of course, I still have a lot to learn since security technologies are evolving rapidly, but I have no doubt that I'll be up to speed in no time.
As you know, security is not a product that can be purchased off the shelf, but consists of policies, people, processes, and technology.
4) Social Engineering (Score:5, Interesting)
I read your book and attended H2K2 last summer (I look forward to seeing you speak at the next one). I meant to ask this question to the Social Engineering panel:
Do you have any stories about Social Engineering gone awry? That is, a situation where the mark saw right through your ruse and you just couldn't pull it off.
If the target was uncooperative, or skeptical, I would backpedal out of the request to avoid generating suspicion, and move on to the next person.
On one occasion, I was challenged by a friend of mine to get his Sprint Foncard number. He said he would buy me dinner if I could get it. I couldn't pass up a good meal so I phoned customer service and pretended to be from the IT department. I asked the rep if she was having any difficulties with her computer. She wasn't. I asked her the name of the system she uses to access customer accounts, to verify I was working with the right service center. She gave it to me. Immediately thereafter, I called back and got a new service rep. I told her my computer was down and I was trying to bring up a customer account. She brought it up on her terminal. I asked her for the customer's Foncard number? She started asking me a million questions? What was your name again? Who do you work for? What address are you at? You get the idea. Since I did not exercise any due diligence in my research, I just made up names and locations. It didn't work. She told me she was going to report my call to security!
Since I had her name, I briefed a friend of mine on the situation and asked him to pose as the "security investigator" so he could take a report. He called back customer service and was transferred to the woman. The "security investigator" said he received a report that unauthorized people were calling to obtain proprietary customer information. After getting the details of the "suspicious" call, the investigator asked what information the caller was after. She said the customer's Foncard number. The "investigator" asked for the number. She gave it to him. Whoops! Case closed!
5) Big question (Score:5, Funny)
What is the password to my PayPal account? I forgot it a while back.
It's guym0nt4g. Hope that helps!
6) What's it like? (Score:5, Interesting)
Slashdot has no shortage of technological "Rock Stars" (Linus, ESR, RMS, Bruce Perins, etc), but most of them didn't attain their fame as a result of being prosecuted to the fullest extent allowable by law ... You are a notable exception. What's it like being a rock star, and how great is it that you'll now be able to fully capitalize on your fame in the financial sense? Would you be in as promising a position today had you not run afoul of the law?
A rock star? That's funny. My senior editor at Wiley had said the same thing when I was at the RSA security conference last year. I don't feel like a rock star, at least my bank account doesn't reflect it. Maybe I should partner up with Eminem?
The truth of the matter is I never was a hacker out for fame or prestige. I have to thank two reporters (John Markoff, New York Times and John Johnson, LA Times) and overzealous Federal prosecutors for over sensationalizing the Mitnick case.
Soon after my arrest in February 1995, my attorney told me that Federal prosecutors were demanding that I participate in a CIA debriefing because of national security interests. I laughed out loud, asking him to repeat the request. He did. After I agreed to the ridiculous demand, they immediately lost interest. It appears that the prosecutors were hoping to try the first hacking-spy case. It must have been extremely disappointing for the Justice Department, once they realized the true facts of the case in comparison with my larger-than-life reputation. Nonetheless, I was treated worse than a person accused of industrial espionage, in large part because of the appearance that I was a "computer terrorist", although the government never pointed to any facts that supported this hypothesis.
On a positive point, my case has received world-wide attention, in large part, because of hyperbole and the total disregard of my constitutional and statutory rights as the accused. More specifically, I was held in solitary confinement for eight months, in order to prevent a possible nuclear strike being initiated by me from a prison payphone, and was held for an unprecedented four and one-half years without a bailing hearing.
I can honestly say that I paid a heavy price for trespassing into global networks and copying source code. I plan to capitalize on my knowledge and talent by helping businesses mitigate their security risks. Of course, having name recognition can help attract potential clients. One of my initial goals is to turn my image around from the most notorious hacker in the world, into a positive one.
7) Question about Trust (Score:5, Interesting)
I realize that you may have put your cracking days behind you but can you really address the question of trust in the computer security industry? How has your move into the security industry been received by the establishment, and how have you been dealing with the obvious question of you being trusted in the very area you manipulated?
My career in the information security profession has been met with much enthusiasm and good wishes. Of course, there are people that believe that hiring reformed hackers is out of the question. I don't agree with that blanket assessment. In fact, many retired or former hackers have legitimate careers in the security professional to assist businesses with risk mitigation.
The issue of trust has been a difficult challenge for me to face. Many people have bought into "The Myth of Kevin Mitnick" that was fueled by John Markoff's reporting in the New York Times. I have been wrongly accused of computer-related crimes that never happened, let alone committed by me. I strongly believe these myths have caused people to form opinions about me that are not based solely in fact.
As described below, I was never accused of abusing a position of trust, profiting from any illegal activity, or intentionally destroying information or computer systems. I illegally hacked into networks to look at, or copy software to advance my goals in finding security vulnerabilities. What I did was wrong, and I regret it. At the same time, I would not place myself into the same category as a convicted industrial spy or embezzler. I believe that actions speak louder than words. Therefore, I've taken my knowledge, experience, and background and used it to assist government and businesses in their efforts to shore up their defenses.
Although I've turned over a new leaf, my critics will surely speak up and discourage others from retaining my services. It's interesting to note that a conflict of interest may affect the judgment of some of my colleagues who work in the same industry. I believe that former non-malicious (no intent to cause harm) hackers can be extremely valuable in helping businesses identify their weaknesses in technologies and procedures.
This question is really a question of balance. Does the prospective employee (former hacker) bring enough knowledge, experience, or skills that outweighs the risks associated with hiring that person? You have to closely examine the background, values, beliefs, goals, and attitude, to gauge the risk to the business. In some cases, the person can be hired to perform a service that is a low risk or even risk free. I firmly believe that once a person has paid their debt to society for past transgressions, that individual should be free to pursue legitimate employment opportunities that benefit society.
People are human, and they make mistakes. We all have to learn to accept this fact and forgive our brothers and sisters.
8) still possible (Score:5, Interesting)
Given the state of technology today, and some of the recent new laws passed, do you think that the path that you took would still be possible today?
I believe you're asking whether I could accomplish the same hacking feats that I did many years ago, in light of the advancement in security technology and the new laws giving law enforcement officials broad surveillance powers.
First of all, I've learned my lesson, so taking the path I did before, is personally out of the question for me. My illegal hacking days are far behind me.
Breaking into systems and networks is much easier today than it was a decade ago. I spent many hours (improperly) acquiring and examining source code to find security vulnerabilities. Once I found a vulnerability, I would code an exploit for it. After a while, it became a very time consuming process.
Back in my hacking days, I compromised CERT, several software manufacturers that developed operating systems I favored, and a selected group of "security researchers" that reported security vulnerabilities. My goal at the time was to have knowledge of all the security holes.
In today's world, anyone with an Internet connection can obtain "security assessment" tools and/or published proof-of-concept exploit code. This information can be used by an attacker to compromise his or her targets without even knowing how the tool works or the bug is exploited.
There is more than one way to skin a cat: systems and networks can be compromised by exploiting other weaknesses other than security bugs. The target may have limited physical security, personnel security, or trusted insiders that can be deceived or bribed to hand over the keys to the kingdom.
Unfortunately, too many organizations are lulled into a false sense of security when they acquire and implement typical security technologies, such as firewalls and antivirus software. Although these technologies are essential in mitigating risk, in my personal experience, I have combined technical attacks with social engineering to compromise my targets. It's a lethal combination. No technology in the world can stop people from being manipulated and deceived. As the site http://www.sqlsecurity.com
posts, "there is no patch for stupidity."
Almost a decade after my arrest, computer systems and networks are still being successfully attacked on a daily basis. The saying, "The more things change, the more things stay the same" comes to mind.
The new laws such as the Patriot Act certainly gives law enforcement officials more surveillance powers, but it won't eliminate computer crime or hacking. The truth of the matter is the hacker mind does not consider the consequences when doing an illegal act, but gauges the risk of getting caught.
New Federal statutes certainly increase the risk (more surveillance without judicial review) of hackers being identified, but the more sophisticated ones will utilize new technologies, such as widespread open wireless networks, to stay under the government's radar.
The new amendment to existing Federal law making certain hacking offenses punishable by life in prison, without the possibility of parole, is ludicrous. More specifically, any person who recklessly or intentional causes serious bodily injury or death using a computer that affects interstate commerce, can be subject to this punishment. I don't understand why using a computer as a tool of the offense is such an aggravating circumstance. Should it matter whether it's a gun, motor vehicle, knife, hammer, or poison? The harm is still the same? Isn't it? If a person recklessly kills or serious injures another while driving, shouldn't that person be locked up for the rest of their life? In California, it's called involuntary manslaughter.
It appears the hyperbole of cyber terrorism has created a sense of fear surrounding using the computer as a tool to commit a crime. Unfortunately, the FUD (Fear, Uncertainty, and Doubt) has, in my opinion, been exploited by the Justice Department to advance their agenda of gaining more power and larger budgets.
9) What do you say? (Score:5, Interesting)
I've heard that you've expressed regret over the actions that landed you in jail and I think I even heard you say that you think you were in the wrong. So how do you respond to the hundreds of wannabes who hacked sites "in your honor" and wore "Free Kevin" shirts at the risk of repelling girls? Do you owe them anything, even a little guidance towards the straight and narrow?
I do regret over my past actions involving my computer hacking activities. What I did was wrong, against the law, and I deserved to be punished.
However, the punishment in my case was extremely harsh and did not fit the crime. I equate my illegal actions not to a person who molests children or burglarizes a house (I heard these specious analogies before), but to a person who illegally copies software.
The difference in my case is the software was proprietary. I was not an industrial spy, nor did I ever attempt to profit or damage any systems or information that I had illegally accessed. The government falsely claimed I had caused millions of dollars of loss, in an effort to demonize me in the press and the court. The truth of the matter is I regretfully did cause losses, but nowhere near a million dollars. The theory the government used to reach those numbers was to use the same formula for traditional theft or fraud cases. When a person steals money or property, the Federal Sentencing Guidelines use the value of the property lost, damaged, or destroyed as the loss amount. This formula works well with tangible property, but when the property at issue is information, or in my case source code, does the same formula reflect the true intended or actual loss? The government requested that my victims provide their research and development costs as the value of the information I either copied, or reviewed online (source code). Federal prosecutors simply added up all the R&D costs associated with the source code I had accessed, and used that number (approx $300 million) as the loss, even though it was never alleged that I intended to use or disclosed any source code. Interestingly enough, none of my victims had reported any losses attributable to my activities to their shareholders, as required by securities laws. Unfortunately, due to media hyperbole, the unknowing public believes I had caused these tremendous losses.
To this day, I believe this "formula" was used to further the government's agenda to turn me into the poster boy for computer hacking. Although I had committed socially unacceptable acts through my hacking, I've been turned into this mythological Lex Luthor type character that can destroy the world. As I write these words, I think back to the publicity campaign for libelous book Takedown: He could have crippled the world. Only one man could stop him: Shimomura. Oh Please!
First and foremost, I really can't start a nuclear war from a prison payphone, as prosecutors alleged, which resulted in my being placed in solitary confinement for eight months.
I served over four and one-half years in a Federal detention center prior to trial or settling the charges against me.
I'm the only person in United States history that was held without an initial bail hearing.
My residence was searched with a blank search warrant at the time of my arrest in Raleigh.
A government informant, Ron Austin, was working at my attorney's office at the same time he was representing me.
The Free Kevin campaign was initiated by a group of people who realized that Federal prosecutors and the Federal judiciary had turned a blind eye to my constitutional rights and statutory law that protects any person accused of a crime. To my amazement, some people believe my treatment was justified. With that in mind, I must remind you that our forefathers have fought and died in wars to preserve our freedoms and inalienable rights that we hold dear to our hearts. These inalienable rights also include constitutional and procedural due process that every person accused of a crime. Would my detractors have a change of heart if they or their family and friends were treated in the same fashion? I would assume so. I spent over four and one-half years in prison as a presumed innocent man, because Federal prosecutors were very adept at manipulating the technically-challenged judge who presided over the case. For instance, one prosecutor argued that my attorney should not be able to review the electronic evidence with me on a laptop computer, because I could somehow break into the Bureau of Prisons computers and release myself from custody, or write a virus/worm that would somehow leak out from the computer and wreak havoc upon the free world. I was astonished that the judge bought into these scenarios, even when my attorney pointed out the laptop did not have modem or network capability.
As to the question, I never advocated or condoned anyone hacking or damaging any computer system or network, in an effort to bring attention to my cause. I released a similar statement at the time of the major hacks into Yahoo and the New York Times.
I don't encourage, and in fact, discourage anyone from doing any illegal activity that affects other's property rights. However, I do advocate hacking in the sense that it does not amount to illegal or unethical behavior. Since the cost of computing is significantly lower nowadays, one activity may involve setting up a LAN with different computing platforms and attacking those systems in order to find vulnerabilities. Furthermore, a group of people sharing similar interests may participate in finding vulnerabilities on each other's systems to invoke a challenge, without violating anyone's property rights.
As a young teenager in high school, my family could not afford to purchase any computer-related equipment to learn on. I'd hang out at Radio Shack and local universities, spending hours and hours learning on their computer systems. Perhaps I would have gone down a different path if I had legitimate access to technology as young people have today.
10) How about.... (Score:5, Interesting)
What is the first thing that you have done with access to the internet?
I've been spending a lot of time emailing people that have written me in the past couple of weeks. I have to admit, it was a lot easier to have family and friends helping me with email, because it's unmanageable at the moment. I intend to use the Internet as a means to help grow Defensive Thinking into a prominent security services company. The Internet, of course, is a powerful tool to communicate messages to potential clients.
At the same time, I plan to explore the new features of the Internet that did not exist in 1995. As we all know, the Net is a new medium for communication, association, and research. I intend to use the Net to its full potential to advance my professional and personal agendas.