Computer Crime Research Center


Kevin Mitnick and the art of intrusion - Part 2

Date: April 20, 2005
Source: Computer Crime Research Center
By: Tim Phillips

In the final part of our exclusive interview with Kevin Mitnick, the 'notorious' ex-hacker talks of his anger at being locked up in a Federal prison by an administration ill-informed about computer security.

He describes how the US authorities were so paranoid that they kept him in solitary confinement because they believed that "Osama Bin Mitnick" could hack into military computers and cause a nuclear holocaust without even using a computer.

Hackers are often portrayed in the media as nerds who can't get the girl. The hackers in your book don't fit the stereotype; they often have very advanced social skills that they use to gain access to 'secure' systems.

In Italy there's a guy, Raoul Chiesa, and he's like the Italian Kevin Mitnick. We were out last night and this guy is picking up on every girl that walks by, and the girls are interested.

This guy has all the social graces in the world, and doesn't fit the hacker stereotype. A hacker can be a total geek with no social graces, or he can be a great salesman or saleswoman. But natural born hackers all have that mindset: how to think around obstacles, like being good at solving puzzles.

The hackers in the book are generally responsible people. Do any hackers scare you?

The people who are scary are the people in China, like the Xfocus group. Don't forget that China has been oppressed; [people are] not even able to visit Western news sites.

So you have some very talented people out there who are very angry at the oppression and they spend a lot of time hacking, in the sense of discovering vulnerabilities. Some of these guys are several steps ahead, and they don't call Microsoft and say: 'Hey, we found these vulnerabilities.' They just use them.

Is hacking becoming more sinister?

What happens if a hacker passes vulnerabilities to other governments who use it to do a bit of military espionage? You never know. Maybe the Xfocus guys are purist hackers, but other exploits are being sold. Governments buy them. What about if Al Qaeda starts buying them?

It all comes down to money now. In Russia, for example, a lot of guys target large e-commerce sites and steal their SQL databases containing credit card information.

How do you stop kids turning into hackers?

When I went to high school and [wrote] a program that stole the teacher's password, I was actually rewarded, considered the gifted kid and the teacher came to me for advice and I became the tutor.

Nowadays you would go to the principal's office and maybe get arrested, but I don't think they even teach computer ethics today in schools. They should.

That's largely why I took the path I did, because if you have no sense of ethics, it didn't feel wrong. It just felt like man against computer. That's the mindset I was in. When it was finally criminalised, I just carried on.

Do you think that vendors routinely overstate the security of their products?

Yes. Sales people do that because they want to sell the product. Talk to a salesperson, and they will give one shortcoming and then show how they overcame that shortcoming. So you are only thinking about that one issue, and not everything else because they want to direct your thought processes.

If you had the past 15 years over again, would you still be a hacker?

I've paid a very heavy price for what I did. I don't know if I would be involved in computer security or anything like that. Probably, but I wouldn't have taken the hacking path.

There is a path I would have liked to take: there's a really respected guy who started off hacking phone systems. He's Steve Wozniak. With [Apple co-founder] Steve Jobs, they were hacking the phone system and selling Blue Boxes [an early hacker device to give free phone calls] on Berkeley's campus.

Now if I could have gone down their path, becoming a pioneer of the Apple personal computer, that would have been a better choice for me.

How much of your story as it was told in the press is true?

Half and half. I mean you have reports that I was wiretapping the FBI, that I was stalking [actress] Kristy McNichol - all these crazy stories just never happened in real life.

Even the prosecutors added to the myth. They told the judge that I hacked into Experian and damaged the credit of every judge I dealt with before. They knowingly said these false statements to warn the judge that I was this dangerous threat.

Of course, at the end of the prosecution they finally admitted that they didn't have the evidence to demonstrate it. I realise that even government officials have no integrity. They will lie, cheat and steal to get whatever they want to win at all costs.

Did these 'lies' mean you were punished more severely than you should have been?

I was held in solitary confinement for eight months in federal custody because the prosecutor told the judge that I might be able to dial into NORAD without a computer and possibly start a nuclear holocaust, and the judge believed it.

I was held for eight months in a room, 24 hours a day. A New York Times reporter took that straight out of the movie Wargames. Unfortunately when I read articles about me to this day, it still says I hacked into NORAD in 1983. Here we are, 10 years later, and these people still don't have a clue. The judge thought I was 'Osama Bin Mitnick'.

But you weren't innocent of everything. Did you deserve any jail time?

I deserved to be punished because I was a recidivist. But not five years, not solitary confinement, not to be made into the Osama of the internet. The worst thing I did was steal software. I never ruined anyone's life or destroyed anyone's credit or wrote a virus.

Sun Microsystems claimed that you caused $80m of damage by illegally downloading the source code for Solaris.

It's a bullshit figure. What was really unnerving was that to demonstrate to the public and the courts that I was such a bad guy, the only things they could show were financial damages.

What I was essentially doing is stealing source code to analyse it for vulnerabilities. I was moving it because I wanted to be on my target's computers for as little time as possible.

So what the government did was come up with these huge numbers; they basically told the companies to provide the loss as the R&D investment to develop the software. So if I look at Solaris source code, which was sold to educational institutions for a few grand, I merely copied it over to the computers at USC - which already had a copy of it, incidentally.

But you did cause losses.

I did cause some loss. Altogether, it was maybe a couple of hundred grand. I feel very regretful about any of the real losses I caused. But I'm still angry that I was punished based on losses that never really happened, based on notional numbers. There was nothing I could do about it.
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo