
November 4, 2005 4:00 AM PST

Newsmaker: Kevin Mitnick on hacking's evolution

To many, the name Kevin Mitnick is synonymous with "notorious hacker." He was caught by the FBI in 1995 after a well-publicized pursuit. Mitnick pled guilty to charges of wire and computer fraud and served five years behind bars.

Today, Mitnick is a computer security consultant and has written two books, including one on social engineering, his forte. He is a celebrity, especially at events such as the annual Defcon gathering of hackers in Las Vegas, where attendees ask him to sign their badges.

Mitnick spends much of his time on the road at speaking engagements. CNET News.com caught up with Mitnick after a gig at a San Francisco user event for SupportSoft, a maker of call center software, and talked to him about software security, the evolution of hacking and social engineering, and law enforcement's action against hacking.

What do you think of the state of software security these days? Is it getting better?
Mitnick: Software is always going to have bugs because there are human beings behind it doing the development. Hopefully, universities teach secure coding practices. When I went to school, there were many programming classes, but nothing that taught secure coding practices. So, hopefully, there will be an educational process and companies will actually do source code audits before they release their software and also train their people in secure coding practices if they are already employed and not in school. That will reduce the amount of problems, but there will always be problems.

Do you believe that the state of software security is better today than five or 10 years ago?
Mitnick: No, though it depends on what software you are talking about and what the company has done. I can't make one statement for the whole industry. Take Microsoft, for example. I think their current code base is more secure than Windows NT was.

Would you say Microsoft is a leader and the rest of the industry is still catching up to that?
Mitnick: It is whatever the market demands--and Microsoft is up there, front and center, because they have such a broad user base. Maybe you can call them a leader, but I am sure there are other companies who are taking security seriously. I am waiting for a case where a software maker gets sued for releasing buggy code, but they will probably cover their ass with the long license agreements that nobody ever reads.

We've been talking about weaknesses in technology, not weaknesses in humans, which can also be a threat. You're one of the social engineering gurus. Do you see it evolving?
Mitnick: They are always coming up with new scams. A year ago it was Nigerian scams. Now callers purport to be from the MasterCard or Visa fraud department, calling you to try to trick you into revealing your CVV (Cardholder Verification Value) number on the back of your card. The human mind is very innovative and the attacker will build trust and confidence to gain cooperation.

Are the social engineers or the people who do such attacks becoming more criminal, like computer hackers are becoming more criminal?
Mitnick: You can have a teenage kid who is using social engineering to get into his friend's AOL screen name or you can have a military spy using it to try to break in somewhere, and everyone else in between. Social engineering is simply a tool used to gain access.

Do you see a difference between social engineers today and when you were doing it?
Mitnick: When I got started, when I learned about social engineering, it was during the phone phreaking era, the predecessor to the hacking era. That was more about calling different departments at phone companies to gain an understanding of their processes and procedures and then being able to pretend to be somebody at the phone company and having somebody do something for you.

Why are we still talking about Mitnick???
by jcpole November 4, 2005 7:24 AM PST
I don't get the media's fascination with Mitnick. He was never any kind of "master hacker", or anything even close. He was nothing more than a script kiddie that got caught. He used other people's tools, and anyone that read the transcripts knows that he didn't have the expertise to create the tools himself.

He definitely knows about social engineering, but then again, so does just about any good salesman.

The whole Mitnick situation was a gigantic media stunt, and the media continues to let him milk it.

Finally, any company that hires Mitnick to do security work is insane. Hiring a "reformed" "hacker" is a terrible idea.

Mitnick should be working at McDonalds right now. Why on Earth do we keep hearing his name???

J.C. Pole
All in perception
by tx_roundup November 4, 2005 7:37 AM PST
Mitnick was one of the first so-called big-time hackers to be caught and sent to jail. I think the media's fascination with him is part curiosity about what they see as a world unknown to the masses, and part stereotyping from the movies, where a kid gets caught, reforms and then uses his talents for the betterment of society.

Right, wrong or indifferent, the everyday home user has little to no knowledge of (and little to no interest in learning) how to protect themselves. If they did, the Nigeria scam would have flopped on its face. If Mitnick can help raise that awareness, I'm all for it.
What are you on?
by November 4, 2005 8:02 AM PST
Seriously? How can you use other people's tools, or be a script kiddie, when you're TALKING ON THE PHONE?! Do you even know what social engineering is?

Furthermore, your attitude about hiring "reformed hackers" is an ignorant stance. How do you think anti-virus companies... BECOME ANTI-VIRUS COMPANIES?! They know how to program a virus, thus they make a definition for it so it doesn't affect your computer.

Mitnick was not just a "media stunt." Far from it. Do you even know what he was doing when he got caught?

Seriously, people like you should not be allowed to even own a computer.
Media Kiddies
by November 4, 2005 10:04 AM PST
The media likes Mitnick because he talks well. He has written a couple of books, which focus on Social Engineering, which is something that the English Majors at Time Magazine can relate to. Therefore, he is the kind of hacker that the reporter can relate to, more or less.

On the other hand, some German guy who dresses in sloppy black clothing and grunts a lot, who wrote an IRC script to relay bot commands for some kind of zombie network, is not going to get a lot of media attention. The typical editor at the Chronicle will say "What's an IRC??".

Until somebody who has similar skills AND IS BETTER LOOKING comes along, Kevin Mitnick will continue to be the media face of hacking.

(The TV people, in particular, would really like to have a 20-something hacker babe to put on their ads. It would probably increase the ratings 30%, which is good money, even on basic cable. TV is such a meat puppet kind of medium. . .)
reformed hacker?
by sdencar November 4, 2005 10:22 AM PST
A "reformed" hacker is a lot like a "reformed" child molester. Criminal activity is part of who they are. Like the previous post said, a company who hires a "reformed" hacker is nuts. Go ahead, hire a reformed child molester to run your day care.
evolved hacker
by profiler_911 November 4, 2005 1:29 PM PST
I don't think that Kevin would ever again go into nasty hacking business. Now he's got much better stuff to do and it probably pays off better ;-)
Enough Already!
by Topher2798 November 4, 2005 9:56 PM PST
I am so damn sick and tired of hearing the term "Social Engineering". Can we please stop this silly farce?

A Social Engineer is just a ******** term for a Con-Artist. It makes about as much sense as a trash man calling himself a Sanitation Engineer.

Mitnick is a joke, and is nothing more than a Con-Man. Just reading the interview, it's obvious the fool doesn't even know what he's talking about. He's completely out of touch with the current state of Technology.
M$
by rbannon November 5, 2005 10:35 AM PST
The line about M$ being on top of the security game must be a joke.
Yup..
by vincentt November 6, 2005 4:09 AM PST
Yup, it's a joke, M$ is way underground on security. Anyway, hiring reformed hackers isn't that bad; it's like hiring ex-criminals. I guess it's OK, but the media is just blowing it way out of proportion, like they always do.
Is this reporter completely new to the beat?
by farbuckle November 6, 2005 9:46 AM PST
The question "Would you say Microsoft is a leader and the rest of the industry is still catching up to that?" suggests the reporter has a way to go towards gaining basic knowledge of the industry and security.

MSFT has made a massive PR push on security after at least a decade of mocking others' efforts, precisely because their products have been so insecure. When the National Security Agency had industry roundtables on security, MSFT would send low-level minions to sit alongside giants like Whitfield Diffie. The junior managers were quite blunt. "No one pays for security, so we're here," they would say. "Our top-level guys are busy making money instead of chasing academic problems."

MSFT's negligence was as jaw-dropping as its arrogance. Now _they're_ playing catch-up -- the rest of the industry addressed many of the same problems years ago. The only question is, can MSFT possibly fix its bloated code base in time?

Dan Geer did an excellent piece on the problem, one I heartily recommend to Mr. Evers. John Borland even wrote about it: <http://news.com.com/Microsoft+critic+dismissed+by+Stake/2100-1009_3-5082649.html>

Best of luck to you, Joris. You might start your reeducation by getting in touch with Dan Geer. He's at Verdasys.com, these days.
We Are All Social Engineers
by Stating November 6, 2005 11:12 AM PST
Politicians. Lobbyists. Activists. Celebrities. PR/Media Consultants. Propaganda (Truth) Ministers. Talking Heads. Lawyers. Sales Reps. Marketers. CEOs.

Let's face it, the fabric of society is social engineering. From the family, to the tribe, to the community, to the nation, to the world. Rather than focus on the narrow problem of social engineering as it pertains to hacking, step back and focus on the con at all levels. Cultivate "street smarts" and don't let anyone pull the wool over your eyes, be it a hacker or an Enron energy trader. Trust no one and you probably won't be taken in.
OH MAN....
by benaround November 10, 2005 7:16 PM PST
The dude got caught on wireless phone stuff when it was in its beginnings. DefCon... to be a speaker, what a joke anymore. It was great at the first 3 conferences and was real, but now it's just a side show. All this reminds me of the scene in Jurassic Park, when the girl sits down at the Silicon Graphics Workstation: "This is Unix! I know Unix!"
Terrorist in given news sources
by Master2U March 8, 2006 11:55 AM PST
I recall, when I couldn't convince the telephone company, he was using their maintenance computers to attack my home, around the clock, for a year, with calls. I am quite angry he gets past a lawsuit for damaging my life, because I didn't have a way to catch his whereabouts when he left Mn. Seeing him in the news media is like honoring Saddam.