I can count on one hand the number of people who've significantly influenced a generation of IT professionals: Bill Gates, Linus Torvalds, Steve Jobs, Richard Stallman and Kevin Mitnick. I've had the unique privilege of interviewing two of the people in this list (Stallman and Mitnick). Each of the men in this list has his own unique approach to shaping the world in which he lives but they all have one thing in common: Passion for what they do.
But, it's not a normal passion, it's an all-consuming passion that seeps from every pore of their being. It's rare and it's what sets them apart from everyone else. There is a special pace to their speech--a cadence of thought--and a childlike thrill in their hearts for what they do.
This is a summary of my interview with Kevin Mitnick, the world's most famous and most passionate hacker.
Kevin Mitnick was the first famous hacker that I remember. He had a face and a name. He looked like a regular guy to me. He certainly didn't fit into the Ectomorphic Cerebrotonic somatotype that I expected. He didn't look like an evildoer and he didn't sound like an evildoer. But, to law enforcement, including the FBI, he was just that. To them, he was a name and a face on a Wanted poster and they wanted him under arrest. The world's largest and most influential telephone and technical companies just wanted him out of their wires.
He was unstoppable like a ghost that could walk through walls.
His new book, Ghost in the Wires, chronicles his exploits into phone systems, into computer systems, into FBI operations and into prison.
Little, Brown and Company; (August 15, 2011) 115 Amazon.com Customer Reviews: 5 Stars.
Curiosity, Mr. Decker. Insatiable curiosity.
KH: What was your motivation for hacking into phone systems and computer systems?
KM: Pranskterism. It was fun. I was curious. I wanted to know how things worked, especially operating systems. I read the source code. I didn't sell it or distribute it.
You'd think that someone who hacks into a major company would actually steal something, even if to expose it to the world. Not so with Kevin. He just wanted to read the code and understand how it worked. Apparently, the FBI placed a value on that learning exercise that was higher than his freedom.
"No company that I ever hacked into reported any damages, which they were required to do for significant losses. Sun didn't stop using Solaris and DEC didn't stop using VMS."
Instead, the FBI estimated Kevin's hacks and code reading into the $300 million range, which accounted not only for any break-in mitigation but also for the entire cost of operating system research and development. It was extreme and unfair but it was to send a message to Kevin and others like him that such actions would not be tolerated.
The punishment became more about the message rather than any actual damages. No one, not even Kevin himself, is saying that what he did was OK but the punishment should fit the crime.
"What I did was illegal and I should have been punished. But, the punishment should have been for any real damages that I caused."
KH: What is the purpose of Ghost in the Wires? What do you hope to accomplish with it?
KM: Its my story. And, I want to get my story out. I want people to know the true story. There's a lot of myth and false information about me out there.
KH: Was the Free Kevin campaign to help you with attorney's fees?
KM: No, it was to educate people about the unfair treatment I was receiving: solitary confinement, exaggerated claims, poor representation and outlandish damage estimates.
KH: How did you pay for your attorney's fees? The cost must have been overwhelming.
KM: I had a court-appointed attorney. And, the court didn't want to spend a lot of money defending me, so I sat in prison for more than four years without a trial. About one year of that was in solitary confinement.
KH: I've heard that a lot of hackers, including you, have been diagnosed with Asperger's Syndrome. What do you think of that?
KM: I was diagnosed with it but I think it was my attorney's effort to help my defense. It was never used in the case. I don't think I have it. I've heard that Adrian Lamo, Gary McKinnon and John Draper have it. I might believe that Draper has it. I don't know about the others or the Lulz guys.
Thank you for calling Cheyenne Mountain, how may I direct your call?
KH: Can you really whistle the launch codes to our nuclear arsenal?
KM: No, that is a gross exaggeration and part of what got me placed in solitary confinement. They wouldn't allow me to have access to a telephone because of accusations like that.
Welcome to McDonald's, may I take your order?
KH: Do you have a favorite hack?
KM: Hacking into the communications at McDonald's. That was a lot of fun.
How it works: Customers pull up to the drive-through box to place an order and instead of hearing the employee inside, they hear your greeting. The employees can also hear you and the reactions of the customers. Hackers who do this use some form of modified CB radio or telephonic device to tune into the frequency used by the wireless sets in fast food restaurants.
"One guy was so frustrated that he went out and looked into the drive-through box to see if he could find something in it. Of course, I was across the street watching it all."
Danger, Will Robinson!
KH: What kind of threats are big right now? It seems that full frontal attacks are down.
KM: Successful attacks these days are hybrid. Attackers use a combination of Social Engineering and Spear Phishing to compromise systems and networks.
One example of this hybrid technique is that a "vendor representative" will call an unsuspecting person in a company and ask which software versions they're using. They would ask for an email address along with that information. The hacker will then send an email with malicious code attached to deliver a payload that gets the hacker inside the company's network.
Close enough for government work?
KH: From our conversation, it seems that there's no way to fully protect ourselves from hacks. Is that true?
KM: It is. You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk. For example, if you accept email attachments as part of your business, you're introducing risk. But, if your customers need to send attachments, you have to accept that risk.
KH: What do you do now?
KM: I'm still a hacker. I get paid for it now. I never received any monetary gain from the hacking I did before. The main difference in what I do now compared to what I did then is that I now do it with authorization.
The Good Hacking Seal of Approval?
KH: Which operating system do you use?
KM: I use Mac. Not because it's more secure than everything else--because it is actually less secure than Windows but I use it because it is still under the radar. People who write malicious code want the greatest return on their investment, so they target Windows systems. I still work with Windows in virtual machines.
KH: Do you use Linux?
KM: Yes, I use Ubuntu and Gentoo.
Just the VAX ma'am, just the VAX
KH: What is your favorite OS?
KM: VMS. I've always liked it.
None shall pass
KH: What's the most secure OS? Is there one that you can recommend?
KM: I don't know of any secure OS. In the past eight years, I've had 100% success at penetration testing on all of them. Wait, ChromeOS, ChromeOS is the most secure because of its very limited attack vector--there's just nothing to exploit.
Eep Op Ork Ah Ah
KH: What else can you tell me about Ghost in the Wires, are there any secrets that you haven't revealed?
KM: Yes, at the beginning of each chapter, I've placed cryptograms there for readers to solve. If you solve all of them, then I'm going to draw names of the winners and give a piece of evidence from my case in the actual FBI bags. It would be a cool piece of memorabilia for people interested in the case or hacking. You can answer the questions by reading the book. I'm currently setting up the website now for this.
Deep vengeance is the daughter of deep silence
KH: Do you have any recourse or do you want any vengeance against anyone for the wrongs that were done to you?
KM: No. None. The best vengeance for me is that my book is number eight on the best seller list right now, my business is successful and I have my family.
To Kevin: It's better that you feel that way. Unfortunately, I am neither so wise nor so forgiving. I'm glad you're on our side and using your powers for good.
Personal Notes: I interviewed Kevin just a few days after his appearance on The Colbert Report and we had a good time trading hacking stories, discussing his new book and talking about security issues facing individuals and companies. I believe that he was treated unfairly by the courts, the FBI and the media (at the time). Accusations against him were ridiculous and exaggerated because he made fools of law enforcement. They took it personally. I also don't believe that he has Asperger's. That is nonsense and am glad that it never came up in his proceedings. I want him to have his vengeance through the success of his business, his books and his life. Godspeed, Kevin.