
Why Kevin Mitnick Is Still Breaking into Computers - janvdberg
http://recode.net/2015/03/26/why-kevin-mitnick-the-worlds-most-notorious-hacker-is-still-breaking-into-computers/
======
softdev12
I really enjoyed Ghost in the Wires (basically Mitnick's bio). I had first
read Takedown by Tsutomo Shimomura which told of Mitnick's pursuit by the guy
who ended up help to catch him. "Wires" was the other side - what Mitnick did
when he was on the run - and his side of how he was finally caught. Really
interesting stuff. It was like the Rashomon effect[1].

[http://www.amazon.com/Ghost-Wires-Adventures-Worlds-
Wanted/d...](http://www.amazon.com/Ghost-Wires-Adventures-Worlds-
Wanted/dp/1441793755)

[http://www.amazon.com/Takedown-Pursuit-Capture-Americas-
Comp...](http://www.amazon.com/Takedown-Pursuit-Capture-Americas-
Computer/dp/0786889136)

[1]
[http://en.wikipedia.org/wiki/Rashomon_effect](http://en.wikipedia.org/wiki/Rashomon_effect)

~~~
simplexion
Someone gave me Takedown to read because they knew I worked in IT. That book
made me dislike Tsutomu Shimomura immensely.

~~~
tzs
> That book made me dislike Tsutomu Shimomura immensely.

Why?

~~~
simplexion
The book made him seem very arrogant. Even though I knew how it ended I was
still barracking for Mitnick because Shimomura was so annoying.

~~~
Haven_Monahan
Kevin's side of the story has been told by him, by Littman in 'The Fugitive
Game' and by Eric Corley. Any reasonably broad-minded person who wants to see
the law deal evenhandedly with the accused can find places in these accounts
to sympathize with Kevin.

'Takedown' is AFAICT the extent of what TS wants to say about the matter. We
can presume he comes off in it the way he wanted to come off.

Though I do wonder about the tone of the book, and if John Markoff had more
than a little influence on how the story was told, and what details were kept
in or left out, and how the persons at the focus of the true-crime narrative
being presented were portrayed.

I felt while reading Takedown that maybe, for some reason, there were details
being elided that readers interested in a careful piece of investigative
journalism might appreciate-especially if they had a deeper understanding of
the technology than the mass NYT audience. Maybe someday someone will take
that up.

~~~
simplexion
I also wondered how much John Markoff influenced the tone of the book. I have
a feeling it would have been more enjoyable in TSs own words.

------
downandout
_“The most effective way to carry out an attack is to get the client — a
person — to do something stupid,” he said. "_

I created a startup and a significant patented technology in the multifactor
authentication space (now owned by Equifax). The main goal at the time of its
creation wasn't to prevent dangerously stupid/naive human actions - that
turned out to be impossible - but rather to nullify the potential consequences
of them. As engineers we have a responsibility to design systems in ways that
minimize the effects of human error.

It seems that Kevin has made a career out of pointing out systems that don't
embrace this design principle. I suspect he will be very busy for a long time.

~~~
jsprogrammer
How do you reconcile patenting (effectively closing off a solution to everyone
else) with your goal of minimizing human error?

~~~
downandout
You're obviously anti-patent, but the answer to your question is that I was
trying to build a business. If you ever sit down with potential investors or
acquirers, two of the most common questions you will hear are these: "What
barriers to entry are there for your competitors?" and "What assets do you
have?". A patent is both of these things.

Whatever your feelings on the subject, as the system stands today, patents are
valuable and necessary for many technology businesses. Google, Apple, Samsung,
etc. all have thousands of patents.

~~~
bediger4000
I don't think the question asked makes the asker anti-patent.

In your comment, you wrote: _As engineers we have a responsibility to design
systems in ways that minimize the effects of human error._

That's more than a little didactic and preachy. It looks to me like you're
trying to tell everyone that they have a moral duty to design systems in
particular ways. That's well and good, another design principle for all of us
to observe. But you also write that you got a patent on an idea or method of
how to actually implement that design principle. It makes it seem like you've
got a profit motive for prescribing the design principle: you've got a patent
on the way to implement that principle. We've got a moral obligation to
implement that principle, hence we should pay you (or your assignee) for the
idea.

The question isn't anti-patent, it just gets at the motive for prescribing
such a design principle.

------
omgitstom
This article is interesting. He isn't world famous because of his skill, he
was world famous because he was caught. Being famous does not make you a good
hacker, the best hackers will never be known.

I would be surprised if any pen testing group didn't have a 100% success rate.
When you hire a pen tester or contract it out, the amount of information you
get is absurd (but prioritized by severity).

Has a pen tester ever found a system that didn't have a vulnerability?

~~~
eyeareque
Kevin is well known for his skills, mostly as a social engineer. I'd argue
that he's one of if not the best at it.

He became famous when he was on the run from the FBI for a few years. This was
one of my favorite stories: [http://news.softpedia.com/news/Watch-Kevin-
Mitnick-Explainin...](http://news.softpedia.com/news/Watch-Kevin-Mitnick-
Explaining-How-He-Used-to-Troll-the-FBI-401959.shtml)

A lot of people don't know the history around him because it happened years
ago. If you were following him at the time or if you've read his "ghost in the
wires" book you'd see why he he's rightfully famous.

~~~
wyclif
For some reason the video is missing from that post.

~~~
eyeareque
Here is it:
[https://www.youtube.com/watch?v=Nn3O8XD1z0w](https://www.youtube.com/watch?v=Nn3O8XD1z0w)

------
darrelld
Doing social engineering / penetration testing for a living sounds like a
great gig. I've been day dreaming about working for or starting a company like
that. Didn't realize it was a booming industry for companies that also do
physical penetration which is normally going to be the weakest link.

~~~
babuskov
Depends on your definition of "great". If you are really good at it there are
a lot of things that might give you prolonged periods of stress. I'd pick a
comparatively more boring career any time.

Things that can happen:

\- you manage to break some stuff during pen test that nobody expects and
learn things that make you become a liability for that company

\- you might learn some things about company whose stock price can drasticaly
change and you will need to answer questions to SEC (or a similar
institiution)

\- if you are really good, it's quite possible that government agencies will
try to recruit you, and if you say YES, it's a one way street.

\- you may learn some things about world you wish you never learned about, and
you wouldn't be able to watch the world with the same eyes ever again - even
if you wish you could

~~~
sporkenfang
> if you are really good, it's quite possible that government agencies will
> try to recruit you, and if you say YES, it's a one way street.

This is the most terrifying item on your list. Saying no, however, is
generally the best way to avoid such a one-way street ;)

~~~
bitexploder
It really isn't a one way street. People of people come from TLA and go on to
work in the private industry as information security consultants. I have many
friends that have taken this path.

~~~
sporkenfang
Yup. In fact, that's more or less what I have done. I think by one-way street
OP meant _foreign_ governments as opposed to U.S. governments, though.

------
rudolf0
This article doesn't seem to mention that penetration testing in general is a
booming business, and there are many firms out there with the same success
rate. Neither Mitnick nor his company are special in any way.

~~~
david_shaw
As someone who runs a security consultancy, I can agree. Strangely, the
article seems to frame even Mitnick's admission that he's nothing special in a
mysterious light:

 _> And here’s probably the most interesting fact: Mitnick and his constantly
changing team of speciality hackers have a 100 percent success rate. That’s no
legend. “It’s not even bragging,” he said. “It’s just a fact.”_

Yes, me too. Same with almost every attack crew worth their salt. It's
possible to be protected from known vulnerabilities and misconfigurations, and
it's even possible to train your employees to never perform dangerous actions
or disclose sensitive information... but it's very, very difficult.

The best defense, really, is just making your attack surface as small as
possible.

~~~
kriro
I've always been curious how one applies as a social engineer or hybrid SE and
tech guy for a security consultancy. It seems like something that I'd really
enjoy doing (having never done it and also not having particular great people
skills). I don't know how the business works at all but I'd love to be a plant
at some company (or a fake customer) to test their security from the inside.

It's not something you can easily learn on your own (I'd guess).

Since I worked in ERP I'd also be pretty interested in security testing
business software. I can see a myriad of issues both technically but also on a
human and for lack of a better word "process exploitation" level.

If anyone has suggestions on writing a job application without any actual
security testing skills I'd be interested in hearing them. Basically all I can
think of is "I know some technology and can program, I have some business
background (specifically ERP), I think I'm a quick learner and I'd probably
work for very little assuming increased salary as I get more
valuable"...sounds like something I'd instantly put in the trash if it hit my
desk though :P

~~~
6stringmerc
Same here, as in being interested in the field.

On the other hand though, I've had something like 10+ customer service jobs,
along with formal education, a tried-and-true love of technology...and a
deviant / mischevious streak wider than the Gulf of Mexico. Oh, also acting
lessons...People are kind of my specialty...

To me, working customer service is very much a social engineering training
ground. How? Little to no actual authority, frequently hostile / challenging
engagements, and limited tools and techniques by which a solution or
conclusion can be reached. There's a significant advantage to out-thinking one
or more customers, staying just ahead of them thought process wise, which
seems to align with turning the coin around.

One of the other things I learned through both customer service and in my
white collar career(s) is how to dress for success. Self-presentation is one
of the most important parts to get people to let down their defenses.
Technicians look tech-y, consultants look business-y, security people project
a certain firmness...well, anyway, that's been my experience as both service
provider and dealing with people in power. I've always used my learned
perspectives for good.

At the end of the day, it's absolutely amazing the results that one can get
with a pleasant, persistent attitude, good appearance, and some patience.

------
kstenerud
“I still had access to their network so I left a copy of the report on his
PC’s desktop,” Mitnick said. “It was more secure to do it that way than email
it. He thought that was a nice touch.”

And that, folks, is what we call class.

------
danbmil99
Kevin Mitnick still owes me $500.

------
cubano
Why indeed...my off-the-cuff guess for why is for obscene piles of cash and
some minor ego gratification?

After reading the interesting article, I commend him for the creativity and
sheer audacity of his social and sometimes-technical exploits.

He is, obviously, a very smart and talented individual...my hat's off to him
for not allowing a prison stint to wreck a very lucrative career.

That was perhaps his best hack of all.

[edits]

------
sporkenfang
Honestly, without Kevin Mitnick and the like, I wouldn't be a computer
scientist nor a specialist in computer security. He (and other hackers covered
by the media of the '90s) brought awareness to the common American of this
field right when I was at an impressionable age.

------
gcb0
1\. hire a tv celebrity that all the hacking he ever did was write checks with
fake signatures.

2\. pay him a large sum to test your flawed security

3\. ???

4\. CTO get's a huge bonus for impenetrable security. 90's celebrity get's a
fat check (with his name on it, for a change)

------
jquast
How about an article on why real hackers are still breaking into Kevin
Mitnick's personal computers?

~~~
johnchristopher
You could submit such articles.

------
ourmandave
From wikipedia:

"In 1999, Mitnick pleaded guilty to four counts of wire fraud, two counts of
computer fraud and one count of illegally intercepting a wire
communication,...

He was sentenced to 46 months in prison plus 22 months for violating the terms
of his 1989 supervised release sentence for computer fraud."

I would have SERIOUS trust issues with a company run by a convicted hacker.

~~~
joshuapants
Seems like that would be a good credential for a computer security consultant
to have

~~~
ourmandave
By that line of thinking, I can't wait for Bernie Madoff to get out and start
another hedge fund. o_O

~~~
beernutz
Or to start a company to help people AVOID scams maybe?

------
henvic
This is bullshit.

Linus Torvalds is a more well-known hacker, for instance.

Hacking is not only about criminal social engineering practices. Mostly, it's
not about that.

~~~
001spartan
More well-known to whom? Most non-technical people I know have never heard of
Linus Torvalds, or Linux. Kevin Mitnick is a name that has been in the media
in much more prominent positions. As far as the "hacking" vs "cracking"
debate, that fight has been lost for many years.

~~~
Retra
You really think non-technical people actually know the name Kevin Mitnick?
I'm a 'technical person' and this is the first I've ever heard of him.

~~~
001spartan
Again, anecdotal evidence on my part suggests that he's more widely known than
Linus Torvalds. I have no solid data to back that up.

