In 20 years of hacking, Kevin Mitnick says he only once failed to penetrate a computer system. "It was a computer system run by one individual. And this computer was in his home and it was in the UK, in England, and I was unable to circumvent the security in that system because I didn't have control of BT [British Telecom]," Mitnick told the Senate Governmental Affairs Committee on Thursday.
During his testimony, Mitnick -- who was only released from a medium security prison in California on 21 January -- offered tantalising insight into his life as a computer intruder, and also took the opportunity to take another swipe at the FBI for "enticing" him back into illegal hacking activities.
Regarding that unsuccessful hacking attempt, Mitnick, who in the past has cracked computer systems belonging to Motorola, Fujitsu and Sun Microsystems, said he targeted the computer because it belonged to an "individual" who had found vulnerabilities in Digital Equipment's VMS operating system. "And my goal was obtaining information on all security vulnerabilities so I'd be effective in compromising any security system that I chose to compromise," he said.
However, the hacker said he found his target "extremely difficult" to crack because "this person was very, very sharp" on computer security. "See," Mitnick said, "the real important point is that the more people that have access to a computer system, the easier it is to penetrate. For social engineering an exploit into government or into large corporations, it's very easy."
Dressed in a jacket and tie, and rocking gently back and forth in his chair as he answered questions, the bespectacled Mitnick, 36, was the star witness at Thursday's Senate hearing. The hearing was convened to discuss online security following last month's spate of denial-of-service attacks against eight major Web sites, including ZDNet.
To thwart computer attacks, Mitnick suggested that each US government agency assess the risk to its systems and do a cost-benefit analysis on protecting them. Mitnick also applauded as a "good first step" a pending bill to beef up federal information security practices. But, he said, the bill should go further to create an audit and oversight program that measures compliance and a numeric "trust ranking" that would quantify its results.
North Carolina Senator John Edwards asked Mitnick whether hacking was a "physical addiction". Mitnick: "I enjoyed it. I would say it was a distinct preoccupation, but I don't think I could label it an addiction, per se."
Edwards: "Did you ever try to stop?"
Mitnick: "I did stop for a while. And then at that time that I wasn't engaging in that behaviour, the Department of Justice, specifically the FBI, sent this informant [hacker Justin Petersen] to target me. And, basically, I got hooked back into computer hacking because of the enticements that this fellow that they sent to target me -- you know -- kind of enticed me back into that arena."
Mitnick went on to say that he didn't encourage "any activity, which maliciously destroys, alters or damages computer information". "Breaking into computer systems is wrong," he added.
Mitnick is not the first hacker to appear before the Governmental Affairs Committee, chaired by Senator Fred Thompson of Tennessee. In May 1998, L0pht, a Boston-based hacker group that recently went corporate, also testified on computer security.
In a statement issued before Thursday's hearing, Thompson said federal agencies continue to "use a band-aid approach to computer security". "Hopefully, the recent breaches of security at the various dotcom companies is the wake-up call needed to focus attention on the security of government computer systems," he said.
Reuters contributed to this report.