Forgot your password?
typodupeerror
Security

Mitnick Testifies on Telco's Security 217

Posted by michael
from the what-me-worry dept.
Woefdram writes "Our favourite computer criminal (?) Kevin Mitnick testified in a case against Telco Sprint that their security was like Swiss cheese: full of holes. The story on SecurityFocus quotes Mitnick, saying, 'I had access to most, if not all, of the switches in Las Vegas,' and tells how he came up with a list of 100 challenge-response codes." We've written about this case before.
This discussion has been archived. No new comments can be posted.

Mitnick Testifies on Telco's Security

Comments Filter:
  • Why do it? (Score:2, Interesting)

    by Anonymous Coward
    Why give yet more attention to a pathological 'social engineer' (liar)?
    • Re:Why do it? (Score:2, Interesting)

      by JPriest (547211)
      As someone that was following the series of articles that securityfocus was publishing on "phone phreakers owning Vegas" this is actually very interesting news. The articles detail about how "hackers" are stealing business by re-routing phone calls. After multiple complaints from the business owners sprint could never seem to find a problem during its investigations and insisted they were crazy. It was concluded that the "hackers" had someone inside working for sprint tipping them off because the phone system always seemed to route just fine while sprint was doing its audits. One of the frustrated business owners hired Kevin Mitnick to come in and help straighten things out, and that was the last I've heard till now. The Security focus has a write up is here [securityfocus.com]
    • by GodInHell (258915) on Tuesday June 25, 2002 @10:40AM (#3762469) Homepage
      You gotta admit though, he's got the earmarks to be one of those great mythological figures one day.

      Can you prove it?
      Wait here for a few minutes..
      **a few minutes later**
      Here are the passwords for your central switches, I had them on file in one of my drop points down the street. Lucky me that it was still there.
      **laywer fumbles and swears**

      Remember, Hackers are like boyscouts, they're always prepared.. they just prepare for alot more than preventing forest fires and walking old ladies across the road.

      -GiH
      -This isn't my dog, this is an aibo. My dog is years more advanced than this.

    • And what's up with that question mark (?) after the word criminal? If Mitnick's not a criminal, I don't know who is.

      -Russ
      • Robin rood maybe?
        Yeah he broke laws, he intruded on systems, he stole source code. He's not a criminal anymore though, because now he's an independant security consultant, and can essentially do almost everything that he did as a 'criminal' (except steal source code) and get paid to do it, all legally. As for source code, as a consultant he can look at it for security vulnerabilities, which was why the guy stole code in the first place.
        He always had ethics about what he did, and he was sorely mistreated by the criminal justice system. To congressmen and the legal system a "Hacker" Is a terrorist, and they may as well be Witch Doctors too. Judges, police the FBI none of these guys had a clue about what mitnick could really do. It was all bad rumours, you'd think the guy had a modem in his head, because they expected him to be able to send faxes and access the internet from an ordinary jail phone.
        Mitnick found a way to hack while obeying the law, and I seriously doubt the guy wants to deal with the crap that the legal system throws at (cr/h)ackers again.
  • hire a better system administrator?

    or this is a company policy to keep system insecure to gain more PR from hacker incidentes?
    • by DutchSter (150891)
      ...is this testimony going to come back for possible charges in the future? In other words, could Sprint now decide to go after him? You really can't take the fifth once your statements have entered the public record. You can refuse to answer any further, but only in a trial in which you are accused. This is 1) Not a trial for Mitnick 2) Is not in a court of law, it is being held in the State Public Utility Commission. Consequently, all his testimony becomes public record, and he could never claim immunity or something should Sprint decide to turn around and come after him for 'losses' or the DA for criminal purposes. His only hope might be statute of limitations.

      Any ideas?
      • by Brento (26177) <brento@brentoz a r . c om> on Tuesday June 25, 2002 @08:15AM (#3761651) Homepage
        ...is this testimony going to come back for possible charges in the future? In other words, could Sprint now decide to go after him?

        No. He's already been tried for this specific crime - it would be double jeopardy. (Yes, like the movie with Ashley Judd, only with less sex appeal, since there's no women's prison involved.) You can't be tried for the same crime twice. If you commit two murders you can be tried twice, but they can't try you twice for the same murder.
        • Re: Double Jeopardy (Score:1, Interesting)

          by Anonymous Coward
          Of course, the problem with the movie "Double Jeopardy" is the fact that there was no double jeopardy involved. If you kill someone and are tried for that, and it turns out the person isn't dead after all, you can still be tried for killing them again since it's a different crime. Same person, but different crime.

          It's like saying that if you rob a bank the first time, you're going to jail. But each time you rob it after that, you can't be tried because you've already been tried once. Not likely, you're still going to jail again and again.
          • But you can only be dead once. You can rob a bank over and over (until they lock you up, I guess).
          • But if they found you guilty the first time and you hadn't committed the crime, then you could sue the government right?

            Land in jail for 20 years.
            Sue goverment, get 20 million or so.
            Land back in jail for another 20 years.
            Use eBay extensively.

            That'd be the pattern right?
        • Aye, but they could pull an OJ and sue him civilly.
        • A subtle point: a crime is a violation of the law. So if by a single act you violated 2 laws, you committed 2 crimes, and you can be tried for each.
          • So if by a single act you violated 2 laws, you committed 2 crimes, and you can be tried for each.


            But they must be pursued at the same time. As an example, the prosecutors did not have 400 or so attempts to try McVeigh for blowing up the building, even though he committed 400 or so murders in that event.
            • You are misinformed. McVeigh was only charged with 8 counts of murder even though he killed 168 people. He was charged with the murder of the 8 federal officers, this was sufficient when convicted to get him the death penalty.

              In the case of multiple homicides especially prosecuters will hold back counts if they would not increase the penalty and leaving them out do not affect the case. For example, if a mother drowns her 5 children you first carge and try her for 2 counts of murder. If for some reason she is aquitted you can charge her with the other counts. There is no double jeopardy in this case.

              • You are misinformed. McVeigh was only charged with 8 counts of murder even though he killed 168 people. He was charged with the murder of the 8 federal officers, this was sufficient when convicted to get him the death penalty.

                Yes. That is absolutely correct.

                In the case of multiple homicides especially prosecuters will hold back counts if they would not increase the penalty and leaving them out do not affect the case. For example, if a mother drowns her 5 children you first carge and try her for 2 counts of murder. If for some reason she is aquitted you can charge her with the other counts. There is no double jeopardy in this case.

                Nope, you are absolutely wrong here. You must charge all of the crimes following out of a single act at the same time. You cannot bring two charges against a mother and then see if she is convicted on those two, and then file for the other three if she got off. McVeigh was slightly different because there were both state and federal claims against him. The eight murders he was first convicted of were brought in federal court. The federal DA couldn't charge him of the state law crimes of murder, so there is no due process violation, and the trials must be difurcated.
            • where does it say that "related" crimes must be tried together? most prosecutors lump crimes into one trial in order to expidite the process and to get a hefty sentence.

              if two people commit a crime together, they are tried together or separately depending on how the prosecutors think the outcome might be. maybe one will squeel on the other and as a result might be tried separately under lesser charges.
        • by dohcvtec (461026)
          First off, RTFA. Mitnick is detailing all of his Sprint Nevada exploits for the first time; why do you think they were so caught off guard? So apparently (the article itself doesn't expicitly say) this is the first time anyone's heard of Mitnick 0wning Sprint Nevada's switches back around '94. Therefore he hasn't been charged (or convicted) for these activities before, so duble jeopardy does not apply here, but due to the 5 year statute of limitations for these matters, he cannot be prosecuted anyway. HTH
      • by jacoberrol (561252) <jacoberrol@hotm[ ].com ['ail' in gap]> on Tuesday June 25, 2002 @08:16AM (#3761656)
        A quote from the article:

        "With the five year statute of limitations long expired, Mitnick appeared comfortable describing with great specificity how he first gained access to Sprint's systems..."
        • Yeah I read that but my thought was that if Sprint has long been claiming they are untouchable and someone goes on record as having broken it - They just might come looking at your door for problems they have been experiencing recently. If you've got someone who admits he knows how to break in, and you had a break in a year and a half ago that never went public, it seems obvious who you start looking into. Remember, Spring was "unaware" of these vulnerabilities. That means that probably until yesterday (and maybe even now), those doors were still open. One person has confessed to being there before.....
  • by Ratface (21117) on Tuesday June 25, 2002 @08:05AM (#3761612) Homepage Journal
    The only thing Mitnick is better at than hacking (or possibly eating pizza!) is publicity grubbing. Let's face it, there have been thousands of better crackers, but Mitnick manages to always claim the spotlight. Most people would want to lie low after what Mitnick has been through - but he has a career as "Celebrity Cracker" to maintain.

    I liked this quote "The only way I know that this is a Nortel document is to take you at your word, correct?," asked Riley. "How do we know that you're not social engineering us now?" - now *that* guy is thinking correctly!

    • by CodeMonky (10675) on Tuesday June 25, 2002 @08:12AM (#3761640) Homepage
      You left something out, Mitnicks response to the question.

      Mitnick suggested calmly that Sprint try the list out, or check it with Nortel. Nortel could not be reached for comment after hours Monday Perhaps he knew that spring/nortel couldn't be reached. But you should still at least include the response if you're gonna quote something like that.
    • Let's face it, there have been thousands of better crackers...
      I have to say that Mitnick is one of the better crackers in recent memory, sure he gets the spotlight a lot, but I think thats because he got thrust into the public spotlight back during the Shimomura episode. I mean, how many crackers made the front page of newsweek?


      Yes, there are other deserving people out there, but I don't mind Kevin cashing in on his "fame". Who wouldn't?
    • by Ami Ganguli (921) on Tuesday June 25, 2002 @08:53AM (#3761763) Homepage

      Under the circumstances, I can't say I blame him. The man isn't allowed to touch a computer. Nowadays that means he can't even work at McDonalds.

      Cashing in on his celebrity is the only carreer option the guy has.

    • You have to compare apples to apples and oranges to oranges. Kevin did all of this back when the internet was still in its infancy. Back then there wasn't this vast sea of information script kiddies can just search for and dig up. If you wanted to crack, you had to figure it out by yourself. No doubt. He was one of the best crackers out there. His deeds were evil but he was a good cracker.
    • Gaining celebrity out of being on the wrong side of the law (whether justly or unjustly) has been long prevalent, from Jesse James to Bonnie & Clyde to Al Capone to John Gotti to 'Mayflower Madam' Sydney Biddles Barrow and beyond (with Winona in the on-deck circle).

      Why should we surprised by whoring notorious characters on the tech side?
    • The only thing Mitnick is better at than hacking (or possibly eating pizza!) is publicity grubbing. Let's face it, there have been thousands of better crackers...

      Of course there are. We don't know who they are though because they haven't been caught.

    • In the book outside the inner circle one of the techniques used to hack into systems was to get employees to fill out servays or walk into the office like you worked there.
      Now a days your not allowed in the lobby unless you have a pass card.

      No doupt based on the kinds of cracks he was found guilty of he used socal hacking techniques.

      He may be forbidden to use his technical skills but there is nothing keeping him from using the human conterpart.
  • by TheDick (453572) <dick@a s k a d i c k . com> on Tuesday June 25, 2002 @08:05AM (#3761616) Homepage
    Never EVER testify like this, no matter WHAT the DA promises you. Shit Kevin, I thought you knew better?

    *FREE KEVIN*
    • You retard... It's a civil suit, not a criminal trial. The DA has nothing to do with this. There's a 5 year statute of limitations on the crimes that he is testifying to, so it doesn't matter what he says.
  • by alapalaya (561911) on Tuesday June 25, 2002 @08:07AM (#3761622)
    "their security was like Swiss cheese: delicious."

    (yeah, my .sig is wrong, so what?)
  • Sentence (Score:3, Interesting)

    by Dilbert_ (17488) on Tuesday June 25, 2002 @08:08AM (#3761626) Homepage
    Wasn't he forbidden to do any kind of computer related work ever again? And would testifying in this case mean breaking his parole? Just wondering...

    • He's gotten exemptions to speak at conferences so I am assuming that something like that occured for this.
    • Being forbidden to do any computer related role makes it hard to maintain any job these days. Actually he cannot even sit at a counter nor a bus driver... almost any device has a omputer in it these days... I haven't read the minutes of Kevins trials but I think the sentence was a bit less restrictive than that.

    • Given that there are accurate minutes taken of everything that is said in court, I think they'd be able to keep pretty close tabs on what he testifies in court, don't you?

      And besides, the judge knows the system. He wouldn't even be allowed to testify in court if it broke his parole.

    • Re:Sentence (Score:4, Interesting)

      by Wingchild (212447) <brian@wingchild.net> on Tuesday June 25, 2002 @08:30AM (#3761686) Homepage
      From http://www.usdoj.gov/criminal/cybercrime/mitnick.h tm [usdoj.gov] :

      "Once he is released from prison, Mitnick will be on supervised release for three years, during which time his access to computers and his employment in the computer industry will be severely restricted."

      While testifying in a case isn't technically work in the computer industry, consulting definetly would be. Maybe this is outside the scope because we're talking about telco equipment and not computers per se (which, coincidentally, goes back to Mitnick's roots as a marginally talented phreaker and a decent social engineer)?

      Or perhaps Mitnick's just an outright idiot. I don't recall him getting wailed on by Sprint during his legal proceedings, so I'm not certain that he's exempted from prosecution by way of double jeopardy. A curious thing, this testimoney.

      • Re:Sentence (Score:1, Informative)

        One again, he is not working with computers at all, just recounting his experiences from 7+ years ago. And the crimes he committed then have a 5 year statute of limitations.
      • Well, I am pretty sure that by now Mitnick has learned his lesson and has everything like this that he does vetted by his own lawyer first. If there was a danger of this testimony getting him in any sort of trouble, he would have just refused to consult on this case.

        Of course, maybe that's what the delay they had in getting him on the stand was all about. Hard to tell...

      • Re:Sentence (Score:3, Informative)

        by vinnythenose (214595)
        If you had read you would have noticed that he's protected by the statute of limitations. It's been over five years.
      • "...his access to computers and his employment in the computer industry will be severely restricted."

        I re-interate. It was my experience that Kevin clears all of his significant activities that could possibly be construed as "consulting" with the individual responsible for supervising his release. At this time I worked with him, I do believe he even had to clear visits to his mom (a LasVegas resident) because the trip exceeded his residency area boundaries.

        Kevin's participation in this proceeding could ONLY happen if he had permission. With only 0 years, 6 months, 24 days, 8 hours, 43 minutes, 25 seconds left to go, why Fsck this up now?
    • AUTHORITATIVE:

      Kevin works very closely with those monitoring his "Supervised Release". Kevin is very serious about having his life and freedoms returned to him.

      I worked with Kevin for several months on his Radio Show, "The Darkside of the Internet" on KFI, Los Angeles.

    • Mitnick was allowed to get a cellular telephone, after his parole officer okayed it. Also, I believe he's allowed to use a computer under police supervision, however he's not allowed to own one.
      He's a security consultant now, and I'm sure that he can get work related use of computers approved, as long as the company is wiling to keep mitnicks activites on computers as detailed as law enforcement requires.
      And if he has to agree to run everything through a keylogger, I'm sure he's not going to break any laws while using a PC for supervised work related activities.
  • You have to wonder. (Score:3, Interesting)

    by Nomad7674 (453223) on Tuesday June 25, 2002 @08:12AM (#3761638) Homepage Journal
    The article indicates that Mitnick is calmly able to lay out what he did, because the statute of limitations has expired on his alleged crimes. Anyone who has spent anytime watching LAW & ORDER (and of its spin-offs) has to wonder if there is an enterprising District Attorney somewhere combing the law for any permutation of the law WITHOUT a statute of limitations to use against him based on this testimony. For example, he can not be tried for the hacking itself, but could he be tried for Conspiracy?
    • Actually, if he's at all intelligent, which is apparently is, he's garnered immunity in exchange for his testimony.
    • Anyone know if Mitnick was ever questioned or tried for his hacking in Las Vegas? If he has stated under oath that he didn't do any of that stuff, he might be risking a perjury charge -- unless the statute of limitations has run out on that as well.

      BTW, this testimony is a real-world example of what "white-hat" hacking is supposed to be all about -- exposing security weaknesses that might be exploited by others. Of course, Mitnick might have had his black hat on back in the day when he was doing it.
  • You kinda have to wonder if all of this publicity of someone getting money because their system had been compromised before will spur an onslaught of similar lawsuits, possibly from the same people who got into the system. The trend seems to be, where the media goes, the people will follow.
  • Not surprising (Score:5, Interesting)

    by nakedsavage (588065) on Tuesday June 25, 2002 @08:28AM (#3761680)
    This does not surprise me at all. I work for a large telecommunications company. 4 years ago our group took over responsibility for 40 switches, 32 of which were DMS-100s. The forst thing we had to do was change the admin passwords- some were still the default password installed by Nortel when the switch was first built, others were as simple as admin:admin. All someone would have needed to do is call a NOC and pose as a Nortel engineer to get the dial up numbers and voila! Tens of thousands of customers without service and a very long report to the FCC.
    • Vendors to blame (Score:3, Interesting)

      by scoove (71173)
      were still the default password installed by Nortel

      Had the same problem with a bunch of calling card switches installed by PCM (Priority Call Management - somewhat of a bigger name in that world).

      Root passwords were "root", no OS patches (SCO & QNX) were ever applied since "they hadn't tested whether their software would interoperate with a patched version of the OS", .rhosts were common between systems to enable trusting, all the usual sockets were wide open, etc.

      Course, then there's the time we were paying Lucent $75,000 to install voice access concentrators and they complained that they couldn't telnet to them. Lucent set 200.200.200.0/24 addresses on all the systems they built - just made up a number - and couldn't figure out why the numbers wouldn't route across the open Internet. Boy did I get a stupid look when I asked the Lucent people what the Comite Gestor no Brasil thought about their address scheme... (whois 200.200.200.0@whois.arin.net)

      Really, how do these folks stay in business?

      *scoove*
      • Really, how do these folks stay in business?
        They do because everyone is just as bad, so now it is the norm. Kinda makes you wonder how we ever manage to actually advance without collapsing.

        Maybe that's why we aren't "beaming" up, telecommuting on Mars, or any of the other cool futuristic stuff we should've done by now --- because we're dragged down by the Norms.

      • Really, how do these folks stay in business?

        Right now it looks like some of them might not.
        It's probably an issue of how easy it would be for someone to switch supplier. Even though modern telephone systems are highly modular you can't mix and match bits from different suppliers.
  • by tshoppa (513863) on Tuesday June 25, 2002 @08:47AM (#3761732)
    The SecurityFocus article takes a very interesting look at the PUC hearing and is, I think, very newsworthy and a significant legal development.

    What is most vital is that in this case, unlike other previous Mitnick cases, the telco is arguing that Mitnick didn't break in while Mitnick is insisting that he did. Mitnick is offering proof in the form of documents and passwords and the Sprint of Nevada lawyer is saying that the information Mitnick is bogus or publicly available. This is such an exact turnaround from the last legal tangle that Mitnick was in that I gotta wonder if it's even the same universe.

    Does this have any relevance to legal cases outside the Munoz "Vegas escort" case? I don't know, but I could see it happening: Hollywood lawyers calling on DeCSS authors and users, arguing that the software they have doesn't actually promote piracy. Could be interesting!

    • It makes sense to challenge something like this. Obviously someone is going to be a little be skeptical if you tell them you broke something they were assured is 100% secure. That would be kind of interesting to turn a few other cases around like that.
  • Security through Obscurity Rules!

    'nuff said

    - SWM
  • by deander2 (26173) <publicNO@SPAMkered.org> on Tuesday June 25, 2002 @09:08AM (#3761851) Homepage
    I worked for a year and a 1/2 on a project designed to replace the DMS-100 provisioning and configuration systems. I can tell you that those systems are complex in the extreme to set up correctly. I knew people who had worked with them for 20 years and still had questions about how they worked. It's not through Sprint's stupidity that they were hackable, it is a by-product of overly complex system engineering.

    This is a common problem in this industry. Having complex systems when you're the defacto standard makes a great revenue stream in your consulting and training systems, but kills the reliability of said systems. Nortel/Cisco/IBM never take the fall for it however, because they can just say "well, you didn't configure it right" and Sprint/etc can't even argue - it would take 2 years and 10 consultants to even find out.
    • To be fair to Nortel, these particular systems were hacked 7 years ago, at a time where encryption on the internet was a rarity, and orginally designed well over a decade ago. Security features weren't much of an issue with customers at that time, clearly security is becoming much more of an issue now.

      However, very few systems are proof against social engineering, encryption or not.

      • by JUSTONEMORELATTE (584508) on Tuesday June 25, 2002 @09:35AM (#3762003) Homepage
        To be REALLY fair to nortel, while the web was young seven years ago, (the net was old, even then) that has absolutely nothing to do with this crack job.
        The DMS-100s were broken the good old fashioned way -- use a war dialer to find the dialup number, then call the switch directly. Once connected, try the obvious passwords first (either admin/admin or admin/NORTEL_DEFAULT_PASSWORD, which Mitnick had learned from Nortel docs)

        Deander2 got it right -- Nortel designed an absurdly complex product, and was unmotivated to clean house because they were able to rake in the consulting bucks. WHEN (not if) this comes back to bite a client in the butt (like it did with Sprint) Nortel takes no heat for it, and in fact most likely gets even MORE consulting dollars for a hasty clean-up effort.
        • Look there's no significant evidence of any 'absurdly complex product' features here. These suckers didn't change the password from the factory default. That's all. Or they spouted off to anyone on the phone about what they were.

          From what I know of Nortel, I'd bet that the company ran courses that laid out exactly what you should do to secure the equipment. Its no use these companies going crying to their mommies because they didn't use the flipping equipment properly. Kevin RTFM and they didn't. So it's in the manual too.

          The use of default passwords wasn't out of line with the time. Nowadays you'd have to explicitly switch it on to get it to work. Back then, probably not. Heck, over the weekend I was reading about the Alcatel ADSL modem. Apparently the tftp server on it doesn't even HAVE a password- that modem looks wide open to me. And that wasn't designed 15 years ago, more like 2 or 3. Who's more culpable?

          The customer. They bought the equipment, they specified the equipment, they didn't set the passwords on the equipment, they didn't read the manual that comes with the equipment. They didn't make a big fuss to Nortel about how insecure the equipment was. It certainly wasn't the customers fault that they were hacked, but they did everything except hold the door open for him.

          • The use of default passwords wasn't out of line with the time. Nowadays you'd have to explicitly switch it on to get it to work.

            Since the telephone numbers of the configuration modems were apparently random then most likely someone had do do some sort of configuration. It's not as if using a dialup modem is the only way to remotely configure the system anyway. Alternatives would be a private IP or X25 network or a direct line to a NOC. Indeed using a dialup connection has the problem that a misconfiguration could disable the dialup line.

            Heck, over the weekend I was reading about the Alcatel ADSL modem. Apparently the tftp server on it doesn't even HAVE a password- that modem looks wide open to me.

            The TFTP protocol dosn't use passwords. The question would be more "why does an ADSL modem need a TFTP server in the first place?"
      • Bingo.

        The article explains that employees were willing to give away "secret" phone numbers and challenge/response pairs to a stranger over the phone.

        Encryption won't help with that. Token-based authentication won't help much -- "Hi, this is system security, we're upgrading the smart card system, could you please help us test by inserting your card and going to this URL?"

        I have to quibble about the awareness of security in the telco industry, though. Phone system security has been a headline issue since Captain Crunch. I'm not willing to excuse anyone who used an unlisted phone number and a cleartext password to "secure" a mission-critical system. They knew they'd be attacked.
        • Token-based authentication won't help much -- "Hi, this is system security, we're upgrading the smart card system, could you please help us test by inserting your card and going to this URL?"

          In which case the owner of that URL learns nothing useful about the token. Assuming that the token has a crypto processor on board capable of public-key signature, it neatly prevents this attack. The web server sends a random string, the token signs the string with its private key, and the web server validates the signature with the token's public key. The web server does not gain the ability to impersonate the token.
      • To be fair to Nortel, these particular systems were hacked 7 years ago, at a time where encryption on the internet was a rarity, and orginally designed well over a decade ago.

        This has nothing to do with the internet. Configuration was apparently by a dialup modem on an obscure telephone number.
        • Yeah, I know, I never said it was, I said it was hacked at a time where encryption... was a rarity. I was trying to remind people that all this equipment is really old. The industry standard in security is rather further forward now; and they aren't comparable. The DMS100 probably wasn't out of line with the standards of the day when it was designed; although it certainly wasn't state of the art. And it's still better than some other equipment you can buy today from companies.
    • So you're arguing that it isn't through Sprint's stupidity that they were hackable? that the stupidity was actually Nortel's stupidity?
    • I am a current nortel employee and I work on the DMS-100 system. Just to give you an idea of the complexity: the product's 35 million+ lines of code (in a proprietary language called protel) have been written over the past 24 years. It came out in 1976 as the first digital switch. It is old and fussy and really, really hard to improve. The legacy problem strikes again.

      a.c.
  • It is hilarious reading this ... If this doesn't bring Mitnick from Legendary to Godly I dont know what will. He still has old lockers with passwords and infos.. This is stuff that books and movies are made of, not real life! Incredible.
  • Hi there.

    After working for several Fortune infinity companies, I have come to the conclusion of my $5,000,000 granted study that anyone able to pick up a telephone is a susceptible hacker. It is about time the telco in every neighborhood started locking down their systems with finger-printing and place a mark on the wrist or hand of every telephone subscriber that he may not buy or sell anything over the phone without this mark. With further granted jurisdiction, the telco should be able to establish a real-time video and audio presence in the homes of each and every telco subscriber and relay this information across satelites so the whole world may be allowed to intrude on anyone's privacy in attempt to prevent people from worshipping anyone but the telco. Kevin Mitnick shall, upon appearance, be put to confinement in a maximum security stone cave, a rock rolled in front of it, and the cave sealed with wax so the telco will know whether the prison had been disturbed within any 3-day period. This is the only way people, and the telco shall have rights to your first post and first born. Anyone that has not lathered sheep's blood above their doorway shall have their building demolished by the telco. As of yesterday, the staff of slashdot.org and the users of the United Nations' oxygen on planet earth must comply or face harsh punnishment from internation agencies that don't like United States citizens. Thankyou for your time.

    Sincerely,
    Bob Grover

  • by nochops (522181) on Tuesday June 25, 2002 @09:54AM (#3762125)
    Why use a '?' in the post?

    Is there any doubt that Mitnick is a criminal?

    Since is when is cell phone cloning, carding, and cracking legal?

    Since when is running from the law (he was a fugitive) legal?

    I think there's no question as to the legality of Mitnick's actions. Weather or not the legal system handled the case correctly is another story, but he is definitely guilty of those crimes.
    • Presumably the '?' was there because it is an open question whether he is our "favorite computer criminal", not whether or not he is a criminal. (Note the "favorite" there).
    • It should have been:

      "Our favourite (?) computer criminal...."

    • Now I'll be the first to admit that yeah, Mitnik screwed up. He made several mistakes and more importantly, broke the law. However, he more than paid for it by the inhumane (at best) treatment that the law system gave him[1], even when he admitted his guilt. The courts used him as an example of how they treat hackers who get caught.

      It's yet another perfect example of what's wrong with the legal system in this country.

      Mitnik's "officially" done his time, but thanks to the power of the government, media, and press, he'll continue be prosecuted by the public for the rest of his life.

      1) Details of his unfair and unconstitutional treatment can be found all over the internet from independent resources. The government still won't admit that they did anything wrong and you can bet the press wouldn't challenge that.
      • For the two people reading slashdot who've never heard of 2600 magazine, the url is [kevinmitnick.com]
        Complete with a realtime ticker of how long until he's a free man.
  • Hmm... (Score:4, Insightful)

    by Greenrider (451799) on Tuesday June 25, 2002 @10:44AM (#3762487)
    At the top of the paper was printed "3703-03 Remote Access Password List." A column listed 100 "seeds", numbered "00" through "99," corresponding to a column of four digit hexadecimal "passwords," like "d4d5" and "1554."

    Commissioner Escobar Chanos accepted the list as an exhibit over the objections of Sprint attorney Patrick Riley...


    So here's a question - since this password list is now an exhibit in a public trial, what's to stop someone from getting the list through Freedom of Information and using it to further compromise Sprint's network?

    It would be like a sinister version of what the Fishman affidavit [peghole.com] did for Scientology. Any lawyers want to weigh in?
    • The Freedom of Information Act covers government records, it doesn't apply to evidence presented at trials. Judges can and do seal evidence, especially when it contains confidential information like trade secrets. Furthermore, it's a federal statute and doesn't cover state governments.

      Sorry, just because something was submitted as evidence doesn't mean you can get it.

      Also, even when the FOIA does apply, the feds can hold up the process for a decade or more.

    • Technically it isn't a trial but a Public Utilities Commission hearing, though with Mitnick testifying under oath and lawyers present, it sure sounds like a trial.
  • There's something ironic about Kevin Poulsen writing an article in a mainstream magazine about how Kevin Mitnick is testifying for the good guys in a hacking case. Kind of reminds me of the aging hackers in "Sneakers"... :-)

  • by sfgoth (102423) on Tuesday June 25, 2002 @01:56PM (#3763851) Homepage Journal
    So one theory is that the Mafia was behind Munoz's problems. Forget legal trouble... how much trouble might Kevin be getting himself into now?
  • by rice_burners_suck (243660) on Tuesday June 25, 2002 @02:03PM (#3763879)
    How Sprint's crappy security directly affected me.

    I live in Arizona, and I have four Sprint PCS phones: One for myself and three are for my "on-call" employees. These phones are on 24 hours a day for obvious reasons.

    A disgruntled ex-employee in Delaware (who had been fired years ago), who happens to know my phone number, strolled into a Sprint PCS store in Kentucky, and asked the proprietor (or rather, the idiot working there) to bring up my account information. Now remember: All this person knew was my phone number. The Sprint PCS idiot happily punched up my account and showed the unidentified person my account details: All my phone numbers, numbers that had been called on these phones, how much my bill was... it goes on and on. In short, someone who only knew my phone number got access to all my "private" information, no questions asked.

    I discovered this when the person in Delaware (who was in Kentucky at the time) called and told me, in the form of a threat. I immediately called the Sprint PCS customer support line and told them of the problem. They had some explaining to do, and I expected them to immediately change my phone numbers and account information. They refused, and explained that any such breach of security was impossible: The gentleman in the store should have asked for an account password. If the customer didn't know the password (or so claimed the customer support woman), the account information could not be accessed. This made sense, as computers do ask for passwords before showing any protected information. So I assumed the ex-employee was lying to annoy me, and dropped the issue.

    Later that night, angry employees began calling me repeatedly and complaining of crank calls. Then, I got a call from the disgruntled shmoe in Delaware. Turns out, my assumption had been wrong. I came to the conclusion that private account information is protected by nothing more than a company policy: The employees in the stores can bring up any account, and the password is DISPLAYED along with all the other information. They're SUPPOSED TO ask you for the password before giving out any information. That's one hell of a security system, eh? So I immediately called Sprint PCS's customer support thing again, but this time, when they answered, I demanded to talk to a supervisor. The conversation went something like this:

    Sprint PCS lady: May I ask about the nature of the call?

    Me THE NATURE OF THE CALL IS SPRINT PCS GIVING OUT MY PERSONAL INFORMATION TO STRANGERS WITHOUT MY CONSENT!

    Sprint PCS lady: One moment...

    At this point, a supervisor lady answered, and I explained (rather angrily, I may add) exactly what happened, and DEMANDED that they change all my phone numbers IMMEDIATELY. (I was doing this as an immediate action, to be followed by any number of things, including the high possibility of cancelling my account altogether, followed by strong legal action.) Now the supervisor freaked out and got a bunch of people on my case within minutes. She explained that my conclusion about their security had been correct (that nothing is password protected at all), but that I could optionally make my account "high security", which basically means that certain other information (like a social security number or something) is needed before account details can be accessed. So I demanded that my account immediately be made high security. Then, she began the process of changing my phone numbers, and mentioned that it would cost some amount of dollars to make the change. At that point, I became pissed and said, "I'M STILL CONSIDERING WHETHER I'M GOING TO SUE YOU AND YOU'RE GOING TO CHARGE ME TO CHANGE THE PHONE NUMBERS, AFTER YOUR COMPANY SCREWED UP?!?!?!?" She realized the error of her ways and waived the fees. I continued to raise hell with Sprint PCS for an hour or so, making DAMN SURE that no errors would occur in my next bill (because every time a change is made with them, errors show up in the next bill or two and you have to call and bitch about it, especially when you have multiply phones), and that international calls won't be disabled on the phones (because enabling international calls is a long and complicated process with them, one that raised my blood pressure to the sky too), and that various other problems won't pop up. In all, they were a bit helpful, considering they did screw me over.

    But anyway, that was MY story of how much their security sucks.

Never make anything simple and efficient when a way can be found to make it complex and wonderful.

Working...