Forgot your password?
typodupeerror
Security

Mitnick Speaks About Hacking 221

Posted by CmdrTaco
from the stuff-to-read dept.
Rob_Warwick writes "I've just posted a one on one interview with Kevin Mitnick on Applefritter. In just less than 20 minutes, we take a look at who generally gets targeted by social engineering schemes, and how social engineering can assist in making a technical exploit work. Mitnick speaks about which industries are at highest risk from social enginerering, and what types of workers are generally easier to talk into doing something for you. Kevin also talks about who his heroes were when getting into phreaking and computers, as well as a humbling moment when he was on the recieving end of some social engineering. The HOPE keynotes for both Kevin and The Woz are also available for download."
This discussion has been archived. No new comments can be posted.

Mitnick Speaks About Hacking

Comments Filter:
  • FREE MITNICK! (Score:1, Interesting)

    by Anonymous Coward
    Now that Mitnick's no longer in prison, it's nice to be able to comment about "free (as in beer) Mitnick." Any opportunity to hear his insights into social engineering is a welcome one, especially for those of us that have to take network security into account for our livelihood. :)
    • Is it just me... (Score:5, Insightful)

      by MrChuck (14227) on Sunday July 11, 2004 @02:33PM (#9667731)
      or do others recall that this guy (mitnick) is an asswipe?

      Yes, I had problems with police imprisoning him with little recourse as they did.
      Yes, Tsutomu Shimomura is a yahoo who did a lot of stupid and bad things. The greatest was probably his aweful book written with "journalist" John Markoff (I enquote that because as he was ghost writing with Shimora, he was also writing articles that were supposedly objective yet never mentioned doing a book with one of the particpants of the story).

      [Shimomura was terribly impressed with his (own) computer security abilities, yet ran tools that had long been sources of security holes because it was convenient. ("I am a master of securing houses; all the world leaders come to me. So imagine my shock and outrage when I'd found that someone had lifted up my welcome mat and used the key I keep there to get in. I must hunt down this bastard and have my revenge.").]

      I was appalled that national ISPs would so readily turn over logs and access to their networks and their users information to a vigilant/yahoo.

      But no, I wasn't sorry that Mr Mitnick got his ass busted. He was no kiddie using youth as an excuse for poor judgement. He was a thief who rationalized stealing from people and companies by its electronic abstraction.

      No, I don't think Kevin's "cool". That he is someone who would steal my personal information because the people I had to give it to are idiots about securing it doesn't make it ok to do so. And it's felony when he then uses that information to buy things. I don't want him in the room when I pull out a credit card. I don't want him in a hotel where I use a credit card.

      Should the hotel be smarter? Sure. But the people who decry identity theft cannot also embrace Kevin Mitnick as one to be admired.

      He's an asswipe.

      • by DoraLives (622001)
        Aw hell, we like Jesse James and John Dillinger too. Yeah, they were asswipes, but we still like 'em.
        • Re:Is it just me... (Score:3, Interesting)

          by Jon_E (148226)
          Funniest moment at HOPE (roughly paraphrased)
          ---------------------
          Kevin: I became Jesus on the cross, so that all of you could continue to do what you do ..
          Comic Book Store guy behind me (sarcastically): thank you God!
          ----------------------
          love him, hate him, or both ..
          did large corporations use him as their scapegoat whipping boy? absolutely.
          did the punishment fit the crime? absolutely not.
          is he still obsessed with manipulation to get anything he can from suckers? apparently so
          is he full of himself? oh
  • only audio??? (Score:3, Insightful)

    by kyknos.org (643709) on Sunday July 11, 2004 @10:09AM (#9665981) Homepage
    is the interview available as text somewhere?
    • Re:only audio??? (Score:3, Insightful)

      by Anonymous Coward
      The interviewer probably realized that he couldn't understand himself on the recording, so he simply published the MP3.
    • can i know why is this a flamebait? making information available in a non free audio format is not very accessible.
    • Seriously! I can't understand the kid interviewing him. Maybe if we could just... slow it down some.
    • Coast to Coast AM (Score:3, Informative)

      by DigiShaman (671371)
      The biggest and most widely available talkshow at night is called Coast to Coast AM (formerly ArtBells program). Dispite the many other dubiuos guests on the program, Keven is regarded as a "regular" on the air. Expect to hear from him every now and then.

      Note: I've submitted to Slash.Dot many times about the availabilty of the interview with him. However, the editors managed to not give a damn. Oh well, at least I tried.
  • by Anonymous Coward
    post a 2.2mg mp3 file as an interview post it to slashdot and wait. How about a transcript?
  • The interviewer (Score:2, Interesting)

    by Anonymous Coward
    Sorry, I simply cannot understand what the interviewer is trying to say in that MP3. A speech impediment, flaming homosexuality (as expected on applefritter.com - come one, the interviewer must be trying to sound "gay"), and a crappy recording all help to spoil the experience.
    Kevin is loud and clear, even though I'm not a native English speaker, nor live in an English speaking country.
    • I *think* that they sped up and over-compressed the portions where the interviewer is speaking so that the whole file would be smaller and you could listen to the important parts quicker.

      Either that, or he has serious case of chinnuts, if you know what i'm saying...
  • easy (Score:5, Funny)

    by Anonymous Coward on Sunday July 11, 2004 @10:12AM (#9665991)
    In just less than 20 minutes, we take a look at who generally gets targeted by social engineering schemes,

    answer: people with passwords

    and how social engineering can assist in making a technical exploit work.

    answer: get people with passwords to tell you their passwords

    Did anybody time me?

    • Re:easy (Score:2, Interesting)

      by swherdman (790729)
      you got it in one. and in most cases it is as symple as that allomst. If anyone is really intrested try his book the art of deseption its quite good. hell workd on my comp teachers at school i got one of them to verbally tell me his password.
    • Re:easy (Score:2, Informative)

      by rpbailey1642 (766298)
      get people with passwords to tell you their passwords

      That's easy, offer them chocolate [slashdot.org].

  • quality (Score:2, Funny)

    by psichaotic (761447)
    not sure if this crappy because of the 16 kbps quality or the fact that the interviewer sounds like mushmouth from the Fat Albert cartoon after doing a gram of cocaine.
  • Mitnick stories... (Score:5, Interesting)

    by anakin357 (69114) on Sunday July 11, 2004 @10:14AM (#9665998) Homepage
    Is it just me, or do you really don't care about him anymore?

    It's a bad dream that just wont go away, some people are so enamored with Kevin that they feel the need to post every story that includes his name.

    He's a felon.

    One of the first, abeit more publicized and punished geeks, and I really don't care to read stories about him. About the only thing that actually is interesting is that this guy got caught by trying to hack into some other geeks computer, and was traced back to his location.

    Amature. Go social engineer some money out of a bank instead of robbing it with a gun, and THEN I'll be interested.

    I can see it now, bumper stickers that read:

    "Free Kevin v2.0"
    • ...perhaps you are one of the slashdot trollers he spoke of who is 'jealous'
      • Incomplete :-)

        Paraphrasing, it was something like: Jealous Slashdot trollers with nothing else going on in their lives.

        Even apart from that (mis)quote, that guy is certainly not short of self-confidence. As to the NYT, I wonder how long it will be before they issue a public apology in that case as well. I suppose it could happen in a couple of years.
    • by +Addict-09+ (239664) on Sunday July 11, 2004 @10:43AM (#9666144)
      Finally, a slashdotter who is responsible enough to recognize Mitnick for what he is.

      To all you Anonymous Cowards: No he's not a hero

      Did he suffer a misjustice? Maybe (I'm not a lawyer), but he put himself in that position. Play with fire and someday you'll get burned, it's just that simple.
      • by Zeinfeld (263942) on Sunday July 11, 2004 @04:42PM (#9668815) Homepage
        Did he suffer a misjustice? Maybe (I'm not a lawyer), but he put himself in that position. Play with fire and someday you'll get burned, it's just that simple.

        Kevin committed a string of crimes, he went to jail, how is that unjust?

        Its not like Kevin didn't know he was doing something wrong, when he got busted last time it was not his first run in with the law, it was not even his second. He got chance after chance as a juvenile. Now he wants people to believe he has gone straight.

        I don't beleive him, I think he is still using his social engineering skills and the rubes who think he got treated unfairly are only one of his targets.

        Remember, its innocent until proven guilty, Kevin has been proven guilty - repeatedly. If you want to feel bad about people who got treated baddly by the US justice system there are plenty of examples of people who went to jail for much longer for doing far, far less.

    • by SpacePunk (17960)
      Now there you go shattering the illusion that the 'hacker' wannabe's keep holding on to like an old woman holding on to keeps trying to hold on to here fading looks.

      The sad truth of it all is that he's part of 'computing lore', he'll end up as a footnote in the computing equivilent of Bullfinches, placed there by his lame fanboys.

      • by 0racle (667029) on Sunday July 11, 2004 @01:42PM (#9667392)
        He's only part of 'computer lore' because every wannabe keeps talking about him, hanging on his every word like a bunch of school girls and try to turn him into some sort of hero.

        He's a criminal, a convicted felon plain and simple. Unfortunately till these damn wannabes grow up he's always going to have an audience of idiots waiting to pay for his next book.
    • He did help 'write the book', so to speak.. So he's a classic and does deserve some respect.

      So he's was a felon.. big deal. He's also served his time. ( nes an ex-felon now.. having paid his 'debt' )

      ( it was also an unjust and mostly fabricated charge that he was convicted on as well.. )

      And if you dont care to read stories about him, why are you commenting on here? That means you are STILL reading them.. its your choice, free speech also means you have to read it...
      • Convicted? (Score:4, Informative)

        by Inoshiro (71693) on Sunday July 11, 2004 @02:30PM (#9667707) Homepage
        Kevin was held in prison for about 5 years the second time around on bogus charges. It never went to trial, he was merely incarcerated. The white equivalent of Brown Equals Terrorist [brownequalsterrorist.com].

        Tragically, he finally gave up and pleaded no contest to the charges so he could be allowed to leave the prison and return to society. Go watch Freedom Downtime [imdb.com] if you want to understand what Kevin was truly up against.
        • I thought he was convicted in the end, and it added up to 'time served' so he was released. But i could easly be wrong..

          If that is the case, then the orginal poster that claimed he was a felon that i replied to was wrong anyway...

          Either way, i stand by the statement of him being one of the orginals, and still deserves respect...
        • Re:Convicted? (Score:3, Insightful)

          by Zeinfeld (263942)
          Kevin was held in prison for about 5 years the second time around on bogus charges. It never went to trial, he was merely incarcerated. The white equivalent of Brown Equals Terrorist.

          The second time around he was being held on the grounds that he absconded while on parole from his first criminal sentence (first as an adult).

          If you commit a crime while on parole you go back to jail, if you abscond you go back to jail. The sentence does not 'time out' just because you absconded.

          The feds did not need a

          • The damage he caused was looking at the source code to Solaris, which was later open sourced by Sun anyways.

            The charges were bullshit charges.
            • The damage he caused was looking at the source code to Solaris, which was later open sourced by Sun anyways.

              Mitnick committed numerous crimes - which he admits.

              In addition to the Solaris source code he was found to have 10,000 stolen credit card numbers.

              Perhaps he was just curious, perhaps he was looking to sell them. Does not matter much, he still go to the big house.

    • You think that's bad...
      the real crime is charging $50 a head to hear him spout his rubbish. Seriously, all H.O.P.E. was was an excuse to sell t-shirts and get drunk in New York for people like him.
      • the real crime is charging $50 a head to hear him spout his rubbish. Seriously, all H.O.P.E. was was an excuse to sell t-shirts and get drunk in New York for people like him.

        Not entirely true. This is what you get for $50:

        http://www.the-fifth-hope.org/hoop/5hope_speakers. khtml [the-fifth-hope.org]
        • I know. I was at hope on friday night and Saturday. (I didn't pay because I was a friend of a speaker.)

          However, i think the thing that really bothered me was how it seemed to be a geek t-shirt fashion show. what webcomic or internet joke does your t-shirt represent?

          I wish I stayed longer and had a chance to hear about the 'how to hack an ipod' talk. all I heard before was hackers reminiscing about inside jokes I didn't get.
    • I saw the Michael Moore story of Slashdot, like he is winning at Cannes etc... It was obviously a trolling story but really helped...

      I managed to see how many fanatical republicans, nationalists watch and comment at slashdot.

      Not surprised of such comments anymore. You don't GET what Mitnick did. Maybe because he didn't get any money for it, you can't render it in your fascist brain...

      Whatever. He did good!
    • Cut him some slack (Score:2, Insightful)

      by Anonymous Coward

      Is it just me, or do you really don't care about him anymore?

      It's a bad dream that just wont go away, some people are so enamored with Kevin that they feel the need to post every story that includes his name.

      He's a felon.


      I'm not denying the legitimacy of your point, but it's hardly an argument worthy of justifying the lack of value Mitnick holds, represents or deserves within this community.

      Our history is full of technical "bad guys" from Christopher Columbus to Robin Hood, that are respected in on
    • This is "interesting"? How so? The poster can't spell, and seems unaware that being a "felon" doesn't mean jack in our modern society with thousands of ways to be a felon most of which you would never see coming. Or was it interesting that the poster doesn't want to read any more about him or somehow thinks he is oh, so much brighter than to get caught?

      Time to moderate moderators.
  • love it (Score:1, Insightful)

    by ftoomch (700184)
    apostrophe's are great for plural's
  • by iCEBaLM (34905) <icebalm@NOsPam.icebalm.com> on Sunday July 11, 2004 @10:17AM (#9666022)
    Why would anyone spend the time to interview Mitnick and then ruin it by making it audio only and then talk like you're mighty mouse on speed so no one can understand a thing you're saying?

    Note to applefritter: take the drugs away from DBub.
  • by John Seminal (698722) on Sunday July 11, 2004 @10:17AM (#9666023) Journal
    I thought he went to jail for doing this? I would have thought part of his release deal would have included not speaking about hacking and not associating with hackers. I remember from a political science class being told that most drug dealers who get released do so on the condition they will not associate with anyone known who is also a criminal. One guy who got caught at school using a computer for illegal purposes (and prosecuted) got a reduced sentance to two years probation and part of the deal was he could not use a computer.
    • He was prohibited from going anywhere near a computer for years. He's served that part of the sentence beyond custodial too.
      • One thing I remember was some commentary that Emmanuel Goldstein wrote in 2600 about Kevin's release conditions...

        Something along the lines of he's so hobbled by the restriction on not using a computer that he couldn't get a job on McDonalds.... the fry machine timers there are technically computers.

        wbs.
    • what is freedom good for if you cannot use a computer?
    • Really when you think about it, Biometrics basically halts any kind of Social Engineering. You can't get around them without chopping off someone's hand and plucking out their eyes

      If there's a machine capable of identifying fingerprints, hand prints, face lay out or retina patterns there sure are one that can record and duplicate the same. Social engineering the new way will sure involve scanning of fingers, hands, retinas and so forth..
      "Hi there Sir, how are you doing? (voice). Can you take (fingerpints,
    • by Anonymous Coward
      Mitnick is no longer under the supervision of the courts. while he is a convicted felon, he is not a ward of the state, ergo, he is a free man again with almost full rights(he may not be able to vote or serve on jury duty pursuant to local statutes governing convicted felons), and he may pursue whatever he sees fit to pursue, including breaking other local, state, and federal laws if he feels the need to spend more time in prison.

      once your parole time is up, the courts can no longer tell you what you can a
  • by Anonymous Coward
    He sounds like a duck on cocaine. It isn't entirely his fault, as the recording quality is so bad (unless he's responsible for that as well).
  • by Anonymous Coward on Sunday July 11, 2004 @10:22AM (#9666047)
    ... that could social-engineer Kevin into giving me the transcript
  • by Anonymous Coward on Sunday July 11, 2004 @10:27AM (#9666068)
    I'm sorry, maybe prison messes you up, but he should know better.
    • Talking of which, isn't IE a great cracker tool? All those lovely security holes built in, just waiting to compromise someone's machine. All we need to do now is convince lots of important people to install it on their PCs and the world is ours!

      Ohhhh.... hang on, I just realised something...
  • Biometrics (Score:4, Insightful)

    by mfh (56) on Sunday July 11, 2004 @10:28AM (#9666073) Journal
    Really when you think about it, Biometrics basically halts any kind of Social Engineering. You can't get around them without chopping off someone's hand and plucking out their eyes, but if you're going to go that far, you're criminal enough that it won't matter if you use Social Engineering or not. Let's face it, pretty soon we'll be heading toward the Biometric model for pretty much everything, and the privacy advocates are going to fight it all the way.

    FUD, apply, lather, rinse, repeat.
    • Remote (Score:4, Interesting)

      by Xner (96363) on Sunday July 11, 2004 @10:33AM (#9666092) Homepage
      And how exactly would remote authentication work? Chop off your finger and send it via fed-ex? Or would it involve converting your biometric information to a digital representation that is vulnerable to all the usual attacks, with the added problem that you can't "change fingers" like you change passwords?

      Biometrics isn't the panacea it's made out to be. Educate your users, it's the only way.

      • There are ways to do remote authentication, using time-based hashes. Example:

        The server challenges you with a problem for which it will only accept an answer for (say) sixty seconds. That problem can be solved quickly only using the biometric info (for example, a large composite number one of whose factors is a hash of the fingerprint data). It can be solved via brute force eventually, but you set the time limit low.

        An even easier way, for example, is to give every user a public-private key pair, and k
    • Re:Biometrics (Score:5, Insightful)

      by Lehk228 (705449) on Sunday July 11, 2004 @10:39AM (#9666126) Journal
      "the machine's not letting me in, could you palm the door for me?, thanks"
    • Re:Biometrics (Score:3, Informative)

      by Anonymous Coward
      You can't get around them without chopping off someone's hand and plucking out their eyes

      You've been watching too much Sci-Fi.. The Sci-reality of the situation that they can currently be fooled by fake fingers made from gelatin [cfo.com], or a photo of an eye [go.com].
    • Re:Biometrics (Score:5, Insightful)

      by Eivind (15695) <eivindorama@gmail.com> on Sunday July 11, 2004 @10:46AM (#9666156) Homepage
      Biometrics alone is, atleast presently, useless. There's simply two orders of magnitude too many false positives and false negatives.

      Aside from that, the implementation is icky. Half a year ago you could read about every single comersially available fingerprint-scanner being defeated by cheap and simple tricks such as for example blowing graphite-dust over them (sticks to the fat-traces from previous finger), and then pressing down on them with a piece of clear tape.

      Also, in many situations they're just not useful, how could biometrics secure the login to your online bank ?

      Authentication is based upon one or more of what you *know* (for example a password), what you *have* (for example smart-card or key) and what you *are* (for example biometrics).

      Good, robust security uses a combination. For example, the combination of posessing a smart-card and knowing a code is used to authenticate to my online bank.

      Even if someone convinced an account-holder to give up the password, that'd still not matter, aslong as they didn't *also* convince the person in question to hand over the smart-card.

    • I call your cubicle. "Hi, I'm $so_and_so, your boss sent me down here to do $gobbledygook_9000 compliance checks and I need into your computer. Can you log me in with your account please?" You: "Sure, lemme stick my hand on the scanner." Me: "Now type what I tell you. This is a three-line obfuscated Perl trojan^Wprogram to check your computer for compliance..."
    • Getting around the fingerprint biometrics is easy. There are clear strips you can buy with an adhesive back end that you stick your thumb (or finger) on and then stick onto the surface of something that someone else has touched. The oils stick to the other side of the material, so when you press it on a thumbprint reader (a lot of hosting providers use them) it'll grant you access. The retina scan would be a better method.
    • Really when you think about it, Biometrics basically halts any kind of Social Engineering. You can't get around them without chopping off someone's hand and plucking out their eyes,

      So, you're saying if I socially engineer the password to the database where the biometric data is stored and I use the password to swap the records on a known rapist and my victim, that this will fail because????

      At the end of the day, biometric data may or may not be unforgeable, but it's the relationship to other data that

  • This guy... (Score:2, Funny)

    by VTEC01EX (726566)
    This guy doing the interview should have slowed down and taken his retainer out.
  • tips (Score:5, Insightful)

    by MikeHunt69 (695265) on Sunday July 11, 2004 @11:20AM (#9666420) Journal
    I just heard the first 30sec of the mp3 file, and couldn't continue. It was far too painful - the guy doing the interview should slow the fuck down when speaking. You don't get medals for quantity over quality.
  • Not trolling; I'm serious. A friend of mine told me that he lost a lot of respect for Mitnick when he found out that he (Mitnick) is just a Windows user lately.
  • Thanks for posting The Woz and Mitnick, but where is Jello? [deadkennedys.com]

  • by hugesmile (587771) on Sunday July 11, 2004 @11:48AM (#9666610)
    Don't you know that the correct way to refer to someone who breaks into security of systems is to make a derogatory comment about his Caucasian ethnicity?
  • Social engineering has been around for a long, long time. The only difference is that until recently everyone just called it 'conning'. I don't know if geek hackers prefer to think of themselves as 'social engineers' because it's easier on their conscience than thinking of themselves as con men, or if it's just a result of the natural geek affinity for overly technical jargon. Either way, it's a bit silly.
  • by Anonymous Coward on Sunday July 11, 2004 @12:45PM (#9667024)

    What Mitnick does is not "social engineering." Social engineering would be something like trying to convince a population of people to eat more healthily, or stop smoking, or something like that.

    What Mitnick does is fraud. Alternatively, you can call it grift, or con. (As in, Mitnick is a con man.)

    Using the term "social engineering" is playing into the hands of the con men. It's a term they invented to con you in to thinking that what they do is somehow more acceptible than it is.

    Use the term, and you've been conned.

  • Argh (Score:4, Insightful)

    by Cthefuture (665326) on Sunday July 11, 2004 @12:49PM (#9667048)
    All these interviews and the only thing I've ever wanted to know about the guy is never asked.

    What encryption and/or data protection schemes did he use that the FBI couldn't break?
    • by camusflage (65105)
      I don't have the transcript handy, but he spoke of using PGP [mit.edu], being asked for his passphrase to access his private key, and telling them to get bent. As the US has no analogue to the UK's RIP act which compels people to hand over encryption keys or face jail time, he (rightfully) invoked his fiftn amenement powers.

      Assuming you use a strong passphrase, PGP [mit.edu] is fantastically secure. Make sure there's no hardware/software keystroke loggers though, or you may end up like Nicky Scarfo [wired.com].
  • Sorry about the quality folks, I'll put up a transcript after I get it typed. I've got a train ride back to New Jersey tonight, so I'll throw it up. Also, sorry about the Canadian accent and the quick talking. Getting a few minutes with Kevin Mitnick is not easy at HOPE, and I was trying to get through the material.
  • by Sir Foxx (755504) on Sunday July 11, 2004 @03:04PM (#9667945)
    There is an excellent interview(video and audio) at thebroken.org with Kevin for anyone that cares.
  • by Rob Riggs (6418) on Sunday July 11, 2004 @04:37PM (#9668762) Homepage Journal
    Social engineering is concocting the "gay marriage" issue to distract from general incompetence, lies regarding WMD, a predisposition for a war we didn't need, distracting our military from the diligent pursuit of Osama, etc. You want to talk social engineering, talk to Karl Rove.
  • by payndz (589033) on Sunday July 11, 2004 @05:17PM (#9669094)
    At least this time there won't be any snide "RTFA" posts. They'd have to be "LTTFMP3" posts instead!

"But this one goes to eleven." -- Nigel Tufnel

Working...