Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Books Crime

Ask Kevin Mitnick 285

The hacker with perhaps the most famous first name around, Kevin Mitnick, has gone from computer hacking of the sort that gets one on the FBI's Most Wanted list (and into years of solitary confinement) to respected security consultant and author, helping people minimize the sort of security holes he once exploited for fun. His new book is called Ghost in the Wires: My Adventures as the World's Most Wanted Hacker; it's his first since the expiration of an agreement that he could not profit from books written about his criminal activity. Kevin's agreed to answer your questions; we'll pass the best ones on to him, and print his answers when they're ready. Note: Kevin also answered Slashdot questions most of a decade ago; that's a good place to start. Please observe the Slashdot interview guidelines: ask as many questions as you want, but please keep them to one per comment.
This discussion has been archived. No new comments can be posted.

Ask Kevin Mitnick

Comments Filter:
  • by Superken7 ( 893292 ) on Monday August 29, 2011 @01:32PM (#37244624) Journal

    What and how much has changed nowadays? In other words, how would a (hacker) Kevin Mitnick getting started in 2011 hack and exploit?

    • He would start by putting in an application for the CIA, NSA, FBI and Facebook.
    • by Nyder ( 754090 )

      What and how much has changed nowadays? In other words, how would a (hacker) Kevin Mitnick getting started in 2011 hack and exploit?

      Probably the same way he started back when, but using social means to get what he wanted.

      Sure, he was a hacker and i'm sure he knew a thing or 2 about computers, but he used Social Engineering to get access to most systems. So is he really a hacker, or just a smooth talker?

      That being said, his life was made hellish for it, though of course, he choose to run from the law, so he is a bit responsible for what happened to him.

      Guilty or not, running from the law makes you guilty in their eyes. In fact, that

  • by blair1q ( 305137 ) on Monday August 29, 2011 @01:35PM (#37244662) Journal

    Do you own a Guy Fawkes mask, or have an opinion of Anonymous' activities?

  • Is it cool any more? (Score:5, Interesting)

    by Hazel Bergeron ( 2015538 ) on Monday August 29, 2011 @01:35PM (#37244666) Journal

    You have gone from hacker/cracker to security consultant via quite a difficult route. If you just wanted the money, there would have been far easier ways.

    Today, the most well-known kiddies tend to do something high profile but requiring little technical brilliance and move quickly to "legitimate" jobs. The majority of "security consultants" don't really have much technical knowledge at all, being more public relations/ass-covering types.

    With this in mind, what advice do you have to people who like to study security for its own sake? Should they keep quiet about what they do, developing an academic career so they can research to their heart's content without commercial pressures?

    Or does everyone clever sell out in the end?

    • While I'm not a big fan, one of the mustache guys from Metallica put it the best:

      "Yes, we do sell out, every single time, everywhere we play."

  • by Superken7 ( 893292 ) on Monday August 29, 2011 @01:37PM (#37244678) Journal

    How do you think would have happened in a scenario where you managed to escape the FBI and the hackers that helped them?

    • Sorry for the typos. I obviously meant "What do you think" (I rephrased and didn't notice).
      I have no excuse for mistyping "caught", however :P

  • Is it possible to be completely anonymous from home? I.e. launch an attack from home and get away with it?
  • by Dino ( 9081 ) * on Monday August 29, 2011 @01:38PM (#37244698) Homepage

    What would you recommend to organizations to curtail the sort of social engineering break-ins for gaining unauthorized entry?

    • by jhoegl ( 638955 )
      Training....
      • by Abstrackt ( 609015 ) on Monday August 29, 2011 @03:48PM (#37246306)

        Training....

        ... And strict enforcement of visitor policies.

        You can train people all you like but if they're too scared or jaded to challenge visitors that training isn't going to count for much. Everyone at every level, especially upper management, needs to learn to understand and accept that yes, they might be called on their credentials and that this is actually a good thing.

    • Yes. Convince your targets to grant VPN access to you and to everyone else in the world, and to implement a once-a-day log deletion policy.

      Otherwise, no.

  • Colbert Report (Score:4, Informative)

    by Warlord88 ( 1065794 ) on Monday August 29, 2011 @01:39PM (#37244718)
    Kevin Mitnick was recently on Colbert Report to promote his book. Here is the link [colbertnation.com] if anyone's interested.
    • Re:Colbert Report (Score:5, Interesting)

      by vlm ( 69642 ) on Monday August 29, 2011 @02:16PM (#37245222)

      Kevin Mitnick was recently on Colbert Report to promote his book. Here is the link [colbertnation.com] if anyone's interested.

      Yeah, thats the "7 digit UID new school /."

      The old school 5 digit UID and below /. crowd would have reported that Kevin was on 2600 / off the hook "recently" to promote the book. Which show was it? I donno, probably one of these:

      http://www.2600.com/offthehook/2011/0811.html [2600.com]

      I listened; it was a fairly interesting interview.

      Somewhere in between old school and new school, he was on some TWIT network show recently too, apparently this one:

      http://www.twit.tv/show/triangulation/21 [www.twit.tv]

      The twit network is generally a little too non-technical / mass market for me, although they certainly easily are more interesting than TV. I think it would be hilarious if Leo purchased the "tech tv" trademark from whoever owns it using his apparently voluminous petty cash fund (if you've seen his new studio, you'd know what I mean)

      Now someone else chime in with his Dr. Phil episode for that / newbie tone. thats what the 8 digit UIDs watch, or so I hear.

      • by interkin3tic ( 1469267 ) on Monday August 29, 2011 @03:31PM (#37246114)
        Yeah well MY UID is 2 digits. It's just cold in here. Plus my penis is 21 feet long, so I think we know who wins THIS discussion. (/thread)
  • by gcnaddict ( 841664 ) on Monday August 29, 2011 @01:40PM (#37244734)
    Should you find a security vulnerability (either in an open source project, a commercial product, or a company's hosted systems), what procedure would you consider "responsible disclosure" to the parties who are considered owners of the product? I recognize that each of the three cases listed above could vary significantly.
  • cybersecurity (Score:4, Interesting)

    by Anonymous Coward on Monday August 29, 2011 @01:41PM (#37244750)

    What cybersecurity threats do you see as the most dangerous to the Internet now?

  • In the end... (Score:4, Interesting)

    by NabisOne ( 2426710 ) on Monday August 29, 2011 @01:41PM (#37244754)
    Was it worth it? Is there an upside to your experiences the last ten years?
    • by vlm ( 69642 )

      Was it worth it? Is there an upside to your experiences the last ten years?

      Groupies? gifs or it didn't happen...

  • The minor political movement surrounding your incarceration would likely not happen today. Hacking has become a state-sponsored activity, with China attacking Google and America/Israel attacking Iran.

    Do you think your life would be a lot different if you were born 10 years later?

    • The minor political movement surrounding your incarceration would likely not happen today. Hacking has become a state-sponsored activity, with China attacking Google and America/Israel attacking Iran.

      Do you think your life would be a lot different if you were born 10 years later?

      Seems like hacking/security would be a lot different if he were born 10 years later.

  • by Superken7 ( 893292 ) on Monday August 29, 2011 @01:47PM (#37244844) Journal

    Would you agree that mostly there exists a tradeoff between security and convenience? If so, how much security (or convenience) do you think is worth sacrificing for the other?

  • Do you lead by example, as in encourage hackers to do what you did, so that they can end-up as famous and well-paid security consultants? Or are you more of a "do as I say not as I do" type of role models? Thanks.
  • When you were hacking and breaking into systems, how did you decide which ones to break into? Was it because of the difficulty/ease of doing it with different security setups? Or was it because of the actual people/corporations/entities behind the servers and what they stood for?

  • Anon & Lulzsec (Score:5, Interesting)

    by zero0ne ( 1309517 ) on Monday August 29, 2011 @01:52PM (#37244904) Journal

    What are your opinions on the actions of groups like Lulzsec & Anon? Do you feel that they will, in the end, expand freedom on the net or just help government tighten the noose on internet restrictions?

  • by Remus Shepherd ( 32833 ) <remus@panix.com> on Monday August 29, 2011 @01:53PM (#37244908) Homepage

    Hi, Kevin. I was told that my credit card information was among the thousands you stole from Netcom, way back in the day.

    I won't ask you what you did with the credit card info you stole, that might cause problems with self-incrimination. I wouldn't want that, oh no.

    So let me ask this: How does it feel to be a 'respected' member of the security community now, after having frightened and hurt so many people back then? How does it feel to have the hacker community regard you as a hero when you've done some of the most amoral and harmful acts in modern computing history? I guess what I'm really asking is, how well do you sleep at night? Honestly.

    • by icebraining ( 1313345 ) on Monday August 29, 2011 @03:16PM (#37245946) Homepage

      The people who shouldn't sleep well at night is whoever thought credit cards where a good idea. Mitnick was responsible for 'stealing' 20k cards - they're responsible for all.

      Seriously, a system where you have to give all the authorization info necessary to charge money to the company/person you're paying, and where there's only one single set of numbers, making it impossible to revoke access without canceling the whole card?
      Who can trust it?

      I don't know about yours, but here we have accounts where we can set up 'direct debits', which not only can have limits, but can be revoked on an individual basis without affecting the account. This is the minimum for a decent payment system.

      • The people who shouldn't sleep well at night is whoever thought credit cards where a good idea.

        Good, blame the victim. Mitnick was a thief and con man. I suppose you believe that people should only do the right things when they're forced to.

        • No, I'm blaming the people who've come up and promoted the system.

          I specifically said "they're responsible for all." The victim couldn't be responsible for all, now could it? At most (s)he would be responsible for one.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Hi, Kevin. I was told that my credit card information was among the thousands you stole from Netcom, way back in the day.

      You moron.

      He didn't 'steal' anything. That file with credit card numbers had been floating around for MONTHS. He was only guilty of having a copy, not for being the one who 'stole' it.

      http://blockyourid.com/~gbpprorg/2600/the_world.txt [blockyourid.com]
      "With regards to the credit card numbers, this is far more misleading. For one
      thing, only one computer system (Netcom) had its credit card numbers accessed

    • by Nyder ( 754090 ) on Monday August 29, 2011 @05:43PM (#37247664) Journal

      Hi, Kevin. I was told that my credit card information was among the thousands you stole from Netcom, way back in the day.

      I won't ask you what you did with the credit card info you stole, that might cause problems with self-incrimination. I wouldn't want that, oh no.

      So let me ask this: How does it feel to be a 'respected' member of the security community now, after having frightened and hurt so many people back then? How does it feel to have the hacker community regard you as a hero when you've done some of the most amoral and harmful acts in modern computing history? I guess what I'm really asking is, how well do you sleep at night? Honestly.

      Seriously, put the kool-aid down.

      First, when did Kevin Mitnick get into credit card stealing? Granted it's been awhile, I don't recall that being in any of the charges against him. And if he was stealing credit card info, i would imagine that would be part of the charges against him.

      Second, Netcom isn't even listed in the targets he hit.

      I'm going to guess, netcom fucked up, and to save face, they blamed Kevin Mitnick, and sent everyone info saying it was him, so you'd be pissed (which you still are) at him, when he wasn't the one responsible.

      So, how does it feel to be played? Twice even? Seems like Netcom screwed ya twice. Hope you got a reach around with that.

      • So I take it you didn't bother to take ten seconds to run a Google search about it before you went spouting off its falsehoods? One that would have provided numerous sources including the Wikipedia page on Netcom and, oh, about 35,199 others? (2,590 if you want to force the inclusion of "credit card" rather than simply "Netcom.")

        Now I suppose it's possible that there is a decades-long, Internet-wide conspiracy to prepare for the day that somebody on Slashdot wanted to sound more clever than they are, sp

    • How does it feel to be blamed for other people's stupidity? I mean, when someone is too stupid, or lazy, to secure their systems and allows my personal information to get stolen, how does it feel when I blame you instead of the idiot that didn't take security seriously?

      I guess what I'm really asking is, when someone hides their housekey under the doormat and some thief uses it to walk into their house and take stuff, how do you sleep at night?

      Honestly.

    • Re: (Score:3, Interesting)

      by Phil Urich ( 841393 )

      So I assume that your credit card info getting into Kevin's hands caused you grievous financial harm? Oh, it didn't? Well then.

      I've yet to hear about any truly harmful acts Kevin Mitnick ever "perpetrated". Maybe I just never heard about something truly terrible and destructive, but I have my doubts.

  • Computer Setup (Score:5, Interesting)

    by Anonymous Coward on Monday August 29, 2011 @01:53PM (#37244914)

    What is your computer setup? I mean hardware, OS, software you use to work.

  • What do you think the biggest opportunities for software businesses will be in the next five to ten years?

  • SSA (Score:5, Funny)

    by Anonymous Coward on Monday August 29, 2011 @01:55PM (#37244944)

    Has the gal from the Social Security Administration claimed her kiss? if so, was she hot?

  • How would you proceed if someone broke into your company and managed to download your company's most sensitive information, and what (if anything) would you tell your clients if, for example, their sensitive info got leaked?

  • Are you going to fight to get back your ham radio license or is that all water under the bridge now?

  • Kevin, do you suspect any collusion on the part of cybersecurity companies such as Kapersky Labs or Avast! and virus creators? If there were not so many exploits in the wild, would there be a billion-dollar anti-virus industry?
    • by frank_adrian314159 ( 469671 ) on Monday August 29, 2011 @02:09PM (#37245102) Homepage

      I've worked for two of the major AV companies. In both cases, there were enough controls in place that, if it was financially happening, it would have become known. Even if you could have hidden the financials, if there was any sort of "collusion", someone would have leaked hard evidence by now, if only for the notoriety. Your paranoid imagination is just that.

      The bottom line is that malware writers don't need the help. Think of it as information pollution. A manufacturer "saving" a few thousands per years in dump fees can cause a mess that costs millions to clean up. The malware writers' desires to get their botnets up and running to provide themselves collectively with a few million dollars per year are all of the incentive needed to produce the mess that requires billions in prevention and cleanup.

      • Fair enough. It just seems that although the security companies appear to be at odds with the malware authors, the cat and mouse game is pretty lucrative.
  • by Pollux ( 102520 ) <speter@[ ]ata.net.eg ['ted' in gap]> on Monday August 29, 2011 @01:56PM (#37244968) Journal

    What is the primary purpose of hacking? Has this purpose remained constant over the decades, or has it changed from your rise as a hacker up to today?

  • Why wait? (Score:5, Interesting)

    by jeffmeden ( 135043 ) on Monday August 29, 2011 @01:58PM (#37244990) Homepage Journal

    TFA Asserts that "Mitnick has agreed that any profits he makes on films or books that are based on his criminal activity will be assigned to the victims of his crimes for a period of seven years following his release from prison." The summary asserts that this is the reason you chose to wait before arranging for the publishing of a personal autobiography.

    Given you had the opportunity to publish a copyrighted work and sell it for a profit prior to the release of your "official autobiography" under the pretense that the profits would be sent to the victims of your crimes (a number of which included theft of trade secrets and violation of copyright), why have you chosen to wait until the end of the agreement so that you could personally profit from this? And in a related question (unless you have answered it in the first), do you believe all of your crimes were vitcimless, some were, or perhaps none were?

    • Well, given how much he already suffered for his crimes (e.g., eight months in solitary confinement) and how much scumbaggery there was against him during his prosecution, I don't think he feels much sympathy for his victims. For example, from his previous answers to /.:

      Federal prosecutors simply added up all the R&D costs associated with the source code I had accessed, and used that number (approx $300 million) as the loss, even though it was never alleged that I intended to use or disclosed any source code. Interestingly enough, none of my victims had reported any losses attributable to my activities to their shareholders, as required by securities laws.

      Still, if the money from this book had any chance to repair any real damage he did in any meaningful way, I'd agree that it would be descent to publish earlier. I don't think would, though, and I think it's pretty clear that neither does he.

    • Wow, not sure how it happened that my question got pretty close to the top 10 in this thread... Was his book really that good that no one is curious about Kevin anymore? Anyway, if this question does get picked, let me add that I asked it out of sincere curiosity and while it sounds like I am trolling I am genuinely interested in knowing what Kevin's perspective is like as someone who has been on both sides of "intellectual property".

  • Having experienced "justice" of a rather harsh sort (IMO, & possibly yours, too :) ) given that what you did was relatively inconsequential despite the claims otherwise, do you now do any work towards helping keep the sort of experience you had from happening again to other hackers (note: *not* 'crackers')?

    Looking forward to reading your book.
  • Did you meet and hang out with other hackers in prison? I mean others who served time for computer related crimes similar to your own? Or did you make friends with any sort of people? Even non-nerds?

    • by vlm ( 69642 )

      Did you meet and hang out with other hackers in prison? I mean others who served time for computer related crimes similar to your own? Or did you make friends with any sort of people? Even non-nerds?

      Do lower security prisons have 2600 meetings? Obviously not the 23-hours-per-day-lockup prisons but more like the "office space" "country club" minimum sec places?

    • He shard a cell with Gregory Evans, how claims to be the worlds greatest hacker. It turns out most security experts consider him a fraud, but to answer your question he did share a call with someone who now claims to be a security expert, and who is the CEO of a security company.

  • Nothing more, what he did was worth (at most) one year in minimum security and a ruinous fine! The fact that the posturing, corrupt little villains in law enforcement chose to exploit this for their own personal aggrandizement just highlights the failings of the (so called) "Justice" system!

  • In your last interview you mentioned that one of your primary goals was to change your much-maligned image as the most notorious hacker in the world into something more reputable. Have you succeeded? How has the journey been?
  • by sdguero ( 1112795 ) on Monday August 29, 2011 @02:21PM (#37245300)
    hacked your way into a girl's panties?
  • A good friend of mine insists that your past behavior was due to a lack of certain ethical / moral regions in your psyche, in comparison, I think its more like a different orientation of ethical / moral beliefs rather than an outright lack of certain areas. So what is your philosophical reflection on why you did what you did?

    In simpler terms, were you naughty because you didn't stop to consider if it was naughty or not, or were you naughty because in your judgement at that time it was overall the right thi

  • Wow, some /. writer has a bit of a man-crush on Mr. Mitnick...

    Even if you mean just "most famous first name in the computer security field", I would argue that the only reason his first name is famous is because people know what it is. There are many more (current) computer security hacktivists whose online pseudonyms are well known: GeoHot, comex, etc.

    I work at a computer security company, yet if I were to say "Kevin" to someone, Mr. Mitnick would *NOT* instantly spring to mind.

    And as timothy does not spe

  • .

    Who am I and where is my car?

    .

  • Did you / have you brought any legal actions for the breach of rights committed in the pursuit and eventual arrest of you? Do you feel the violations were similar to ones now being taken against "terrorists"?

  • What is your opinion on anonymity - one of the Internet's greatest attributes - being attacked from all directions off late? On the one hand, governments are gunning against it citing national security and "protecting the children" as excuses, ISPs are being forced to retain activity logs thanks to the RIAA & other mobs, and the advent of Facebook, Google+, and other "people registers", are eroding privacy across the board. On the other hand, entire governments are being overthrown thanks to social revo
  • I read the book and absolutely loved it. Best non-fiction I've read in a looong time. As I read it I kept wondering when you'd get to the part where you got into Microsoft's network and snagged the source code to NT or Excel. But you never did. Why not?
  • I see that you are now 48 years old. Do you still enjoy getting your hands dirty digging into code or do you find yourself becoming comfortable moving towards management & other roles? Where do you see yourself five years from now?
  • by vlm ( 69642 )

    Most "hard core computer people", or whatever you want to call them, have some gaming interests.

    So, what is it, minecraft, dwarf fortress, WoW, DnD online, obscure programming languages not fit for production like brainf*ck or intercal or java (just kidding about the last one... or maybe not), anyway what wastes your time? Or do you still do "analog" gaming like ESR does?

    Personally, I do hex-based-wargames, text adventures, non-FPS RPGs, and simulations (xplane, civ, etc). There's a lot more out there tha

  • 3 digit? 4 digit? 5? Just curious.
  • In the new Deus Ex game, set in 2052, as you are infiltrating a rogue Chinese company the main character discovers that the Chinese company hired a 'penetration expert' named Kevin Mitnick? The expert does not appear in the game, but you are able to read emails from 'Kevin Mitnick'. How do you feel knowing you'll be successfully hacking for pay 40 years from now? Or more seriously, how do you feel about being included in the game this way?

  • Kevin,

    Every time I see your name mentioned in an article written by Kevin Poulsen, I wonder how many people reading it know the connection. Do you have any interesting stories of crossing paths with someone your knew from your "ghost in the wire" days, or unexpected relationships you've developed or continued with people who either impacted your life, or were impacted by your actions back then?

  • Hi Mr. Mitnick,

    Is there an amount of security that would stop a gifted social engineer like yourself, and if so, how much would it typically cost a Forbes 500 company?

    Read your book, it was quite entertaining and informative!

  • Did you ever make peace with Tsutomu Shimomura and/or John Markoff?

  • Or allow others to call you that?

    You are a cracked, not a hacker. And at that, you are just a script kiddie. You haven't ever found a single vulnerability, and you haven't developed a single exploit. You relied on social engineering and script-kiddie techniques.

    Why do you give Hackers a bad image? Certainly the figure of a script-kiddie who has done obvious attacks, was quickly discovered, ran away, was found and served prision time, then used his fame to make money as a security consultant, is incompatible

  • mistake you ever made?
  • You were obviously a celebrity /then/ - no one can forget "Free Kevin!"

    How do you feel about being a celebrity /now/? Your name is used in the most recent Deus Ex game, and you're in the Internet exhibit at the Museum of Science and Industry in Chicago.

Technology is dominated by those who manage what they do not understand.

Working...