

ATT dumps Kevin Mitnick - trader
http://www.theregister.co.uk/2009/08/19/att_dumps_kevin_mitnick/

======
pmorici
"In recent years, he's committed the password to memory and has deliberately
not shared it with anyone or kept it stored on a computer."

Isn't that what everyone is supposed to do with their passwords?

------
Tichy
Wouldn't such a customer be worth gold? A single user that constantly gets
attacked by hackers would provide a great opportunity to detect and fix
security holes. If a hacker gets through, it is just one person's account
compromised. But each detected attack could prevent attacks on other accounts.

I think some other telco should pay Mitnick to become their customer. How else
could you attract so many hacker brains and make them work on finding security
flaws in your system?

~~~
wmf
_A single user that constantly gets attacked by hackers would provide a great
opportunity to detect and fix security holes._

Assuming that they want to fix the holes, which AT&T probably doesn't. They
may be using the "infinite bugs" model, in which fixing one bug does not
improve security because there are always other bugs the attackers can find.

~~~
Tichy
Brilliant - an infinite number of bugs might confuse hackers so much that they
don't know where to start and just give up.

------
tlrobinson
So AT&T is basically admitting their approach to security is "security through
obscurity"?

As long as you're not a high profile celebrity you _should_ be ok because no
one wants to own you...

~~~
three14
Security through obscurity gets a bad rap. You rely on the "obscurity" of your
password.

The main issue is relying on false obscurity, both in systems (your program
rot-13s your password) and in passwords (you pick an easy to guess password).

There's no real security failing if you rely on obscurity that isn't exactly a
password, so long as you can accurately assess the real obscurity, e.g. port
knocking. If, let's say (and this is probably false) AT&T has a billing system
where sending 100 specific, not-easily-guessable bytes allows you to get
private data, that's no worse than a password, even if the reason that it
works is a bug - unless the source code is available to the attacker.

Of course, AT&T's problem here isn't obscurity, it's that they don't want to
invest enough for real security at all. Which could be reasonable from a
business perspective.

~~~
Locke1689
"You rely on the "obscurity" of your password."

Not really. Your password may be obscure (although it should probably be as
random as you can get), but the key exchange protocols and encryption
algorithms should be wide open. There's a reason why secret keys are called
"secret" -- they should be the only thing you have to keep secret. If his
hosting provider and wireless company can't keep his accounts secure, that's
their problem, not his.

~~~
three14
Reading my comment over, I realize that I wasn't so clear.

There are two almost unrelated issues:

AT&T has poor security - agreed.

Security through obscurity is a universal evil - not so fast. Quick example -
you have ciphertext where you don't know the key vs. the same ciphertext where
you don't know the key AND you don't know the algorithm. The latter is more
secure, because it's harder to brute force.

The reason security through obscurity is usually bad is because it causes
people to make poor assumptions - "He'll never guess I encrypted it with
rot-15 instead of rot-13," but for a given _secure_ system, adding obscurity
will make it harder to break. But it's the poor assumptions that do you in,
not an inherent flaw in adding obscurity.

The reason you use widely published encryption algorithms is because they've
been vetted for poor assumptions. They need to be open to be vetted, not to be
secure, and we've found that's always been a good tradeoff.

~~~
Locke1689
"The reason you use widely published encryption algorithms is because they've
been vetted for poor assumptions. They need to be open to be vetted, not to be
secure, and we've found that's always been a good tradeoff."

True. Most people (including Schneier, Ferguson, Rivest, etc) agree that the
NSA is secure. This is because they have a veritable army of cryptographers at
their disposal. Peer review is the most important part of cryptographic
development. The key part of this is that there is probably no other entity in
the United States that can satisfy these requirements. AT&T certainly does not
have an impressive cryptographic department and they shouldn't pretend like
they do.

"The reason security through obscurity is usually bad is because it causes
people to make poor assumptions - "He'll never guess I encrypted it with
rot-15 instead of rot-13," but for a given secure system, adding obscurity
will make it harder to break. But it's the poor assumptions that do you in,
not an inherent flaw in adding obscurity."

I don't think anyone would argue that the obscurity in the algorithm is the
weakness. However, obscurity can _never_ make a secure algorithm more secure.
If your algorithm and key space are sufficient to prevent decipherment before
the heat death of the universe, the two months it takes to reverse engineer
the protocol are as close to zero as makes no difference.

~~~
three14
"However, obscurity can never make a secure algorithm more secure."

If you're talking about the security of the algorithm, fine. But you're
talking about the security of the system, and the algorithm is seldom the
problem. If it takes two months to find the problem with the key management,
then your obscurity that added two months just doubled the time to break in.

I still say you should use publicly vetted systems - but the community is in
denial over the value (second rate, but still value) of security through
obscurity.

Case in point: when Slashdot first released their source code, they didn't
escape quotes in passwords, so it was possible to log in as an admin using an
appropriately modified SQL statement. Sure, you could have figured what the
command needed to be via trial and error before the code was released, but I
was lazy. Releasing the code meant that I could now break into something I
wouldn't try to break into before. The obscurity protected them _from a
certain threat model._ It was still much better when they fixed the bug, of
course.
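The Slashdot bug described above (user input spliced into a login query without escaping quotes) next to its parameterized fix, as an added example that is not Slashdot's code or part of the original thread; the users table, account names and passwords are constructed placeholders.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample users table; every credential here is a placeholder."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "placeholder-admin-pw", 1),
         ("alice", "wonderland", 0),
         ("bob", "o'neil", 0)],   # a legitimate password containing a quote
    )
    return conn


def login_unquoted(conn: sqlite3.Connection, name: str, password: str):
    """Vulnerable form: the password is pasted into the SQL text unescaped.

    A quote in the password ends the string literal, so the rest of the
    input is parsed as SQL. Depending on the input this either changes the
    WHERE clause or simply makes the query a syntax error.
    """
    sql = (f"SELECT name, is_admin FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, name: str, password: str):
    """Hardened form: the driver binds the values, so a quote stays data."""
    sql = "SELECT name, is_admin FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def unquoted_breaks_on_legit_password(conn: sqlite3.Connection) -> bool:
    """Defender's smoke test: a real password with a quote must not crash login.

    The unescaped version throws on bob's password, which is the same defect
    that lets crafted input rewrite the query; the parameterized version
    handles it correctly.
    """
    try:
        login_unquoted(conn, "bob", "o'neil")
    except sqlite3.OperationalError:
        return True
    return False
```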

------
peoplerock
A service provider whose top priority was security _could_ have taken another
approach to KM... using him like the canary in a mine shaft, an indicator of
problems with their security system (allowing all-numerals passwords would be
just one example of such a problem that ought to be fixed).

------
travisjeffery
An 8 digit, all numerals password? Really, Mitnick?

Also, it wasn't just AT&T that is refusing service to him, his webhost
HostedHere.net did the same thing.

And if this has been happening over and over again for 9 years why didn't he
just want to go to another service provider?

~~~
ErrantX
Indeed. Other providers host and maintain the security of as-high-profile
"targets".

More importantly you have to question how much of the security problem Mitnick
poses in this? If he is part of the cause I think AT&T & HostedHere probably
are reasonable to want to get rid of him.

(btw I suspect the 8 numeral password is a PIN number: similar to the ones
handed out by banks for online logins. Could still be his fault it is out in
the wild though)

~~~
fauigerzigerk
How is it reasonable for AT&T to admit blatant incompetence? Couldn't they
have worked with Mitnick to secure his account and even use his case to
attract more celebrity customers?

~~~
dundun
It's probably just a business decision. (assumption) They can provide cell
phone service for 1000 people for the same cost as Mitnick since he is a
target.

It's the same thing Sprint did a couple years ago when they dumped people that
called customer service too much.

~~~
alex_c
I'm sure it is, but it doesn't seem like a bright business decision. He claims
he spends up to $20K a year - sure, maybe this still isn't worth it to AT&T.
But more importantly, you'd think they would see this as an opportunity to
make their system more robust for all their clients, save money that way (more
than $20K/year? likely), AND turn it into a good PR piece.

~~~
ErrantX
_Hi, we're AT&T. The company that is SO secure we can even protect legendary
hacker Kevin Mitnick!!_

Cue mass attempts to break into AT&T from every angle (which is sure to end
badly) :)

------
radu_floricica
20k per year? He's doing something wrong...

~~~
hedgehog
It's easy to run up long bills if you roam internationally; $3/minute adds up
fast.

~~~
irinotecan
That's why you get an unlocked phone and buy an international SIM chip that
you swap in overseas. $20K/year is ridiculous, and probably an exaggeration or
lie on his part to try to make himself look like a desirable customer.

~~~
pmjordan
Except you also incur roaming charges for receiving calls, and expecting
people to call an overseas number (let alone keep them up to date on your
whereabouts) really is pushing it.

------
jacquesm
I find Kevin Mitnick going to the authorities for protection a little bit
weird. If your claim to fame is that you are the 'world's baddest hacker' you
take the script kiddies as going with the territory. It's like Billy the Kid
complaining about the wanna-bes that want to meet him at noon on main street.

"The move by AT&T came this week after Mitnick hired a lawyer to complain that
his privacy was being invaded by people posting Mitnick's account information
in public hacking forums"

You need a lawyer to complain these days?

Most other 'celebrities' have these issues but being a high profile hacker
makes you a great target.

The best defence against this is don't get caught hacking... that way your
privacy stays yours.

What Mitnick should do is give tit for tat, expose the identities of his
attackers. For such a hotshot security consultant (all digits?) that should be
a piece of cake, really.

That said, AT&T has no business cutting him off, rather the opposite, they
should secure their systems and use the publicity surrounding this to brand
themselves as the provider that is good enough to secure even Kevin Mitnick's
account.

~~~
jacquesm
Dear downmodders, if you disagree speak your mind. Feel free to downmod away
but at least let me know which bit you disagree with and why.

~~~
Locke1689
_I think it's ok to use the up and down arrows to express agreement. Obviously
the uparrows aren't only for applauding politeness, so it seems reasonable
that the downarrows aren't only for booing rudeness._

--pg

It seems many people have responded to you though.

