Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Hackers in the Henhouse 479

strucker writes "A good story on SecurityFocus from the RSA Conference. Kevin Mitnick debated his former prosecutor, DOJ attorney Christopher Painter, on the whether ex-hackers could be trusted as computer security professionals. Mitnick says hackers bring special skills to the job, while Painter says a criminal is a criminal."
This discussion has been archived. No new comments can be posted.

Hackers in the Henhouse

Comments Filter:
  • by Animats ( 122034 ) on Thursday April 17, 2003 @02:11AM (#5749441) Homepage
    So why is Poindexter running Total Information Awareness?
  • Hmm (Score:5, Insightful)

    by zenintrude ( 462825 ) on Thursday April 17, 2003 @02:14AM (#5749446)
    What ever happened to "rehabilitation"... I guess some people just can't forgive.
    • Re:Hmm (Score:5, Insightful)

      by paulerdos ( 205999 ) on Thursday April 17, 2003 @02:40AM (#5749525)
      you're missing the point. no one is claiming that rehabilitation is impossible - anything is possible. the issue here is that of practicality. people use heuristics in every day life - if you meet a 25 yr old with 2 phd's from MIT, then chances are good that he's intelligent (but it's possible that he's not!), and if you meet a 5-time convicted felon, chances are good that he cannot be trusted with your corporation's security.

      therefore, as a practical matter of heuristics, if i were in charge of hiring a security consultant for my corporation, i would rather hire the non-excon than the excon. of course it's *possible* that the excon would have been a better, more qualified candidate, but i'm not about to bet my company's security on it.
      • Re:Hmm (Score:5, Interesting)

        by stinky wizzleteats ( 552063 ) on Thursday April 17, 2003 @07:25AM (#5750305) Homepage Journal

        if you meet a 5-time convicted felon, chances are good that he cannot be trusted with your corporation's security.


        If you hire any consultant and simply plop your company's security in their lap, you have problems intelligent hiring cannot solve. Furthermore, as I consider the predatory and fraudulent work ethic your consultant hiring practices would seem to attract as being more socially destructive than hacking a cellphone network, I would suggest that you have already been screwed more mightily than you ever would if you hired Mitnick to tiger team your network.

    • Re:Hmm (Score:3, Insightful)

      by rf0 ( 159958 )
      There is an old saying. Once can be understood. Twice is stupid. Five times? Well thats just plain idiotic

      Rus
    • he doesnt have to rehabilitate, he served his time and was set free. screw them if they don't like him or his skills. sure they can hold that felony thing over his head forever.

      i am sure being on pbs with with woz and captain crunch is nice. not to mention all the goofy shows like techtv from time to time. obviously some people have forgiven him.
  • He did his time (Score:5, Insightful)

    by crayz ( 1056 ) on Thursday April 17, 2003 @02:14AM (#5749447) Homepage
    He's not a criminal any more, he's a member of society just like the rest of us.

    Mr. Painter seems to be...painting...anyone who has ever committed a crime as a lifelong criminal. Good work rejecting the entire philosophical foundation of our criminal justice system, dipshit.
    • Re:He did his time (Score:5, Insightful)

      by velo_mike ( 666386 ) on Thursday April 17, 2003 @02:24AM (#5749472)
      We (the U.S.) have been increasingly rejecting that philosophy, why stop now? Those convicted of felonies already lose the right to own firearms. They often lose the privacy the rest of us have or the right to vote. Their property is forfeitted, and educational aid is often denied. This after they've "paid their debt to society". Why not cut off their ability to make a living? Hell, make them non-persons, brand an "F" onto their foreheads and leave them to the dogs...
      • Re:He did his time (Score:5, Insightful)

        by WegianWarrior ( 649800 ) on Thursday April 17, 2003 @04:35AM (#5749767) Journal

        Looking from the outside, it appears that the US system of judgement have more to do with revenge than actuall reform of the convicted (mind you, what we get thru the media (both ours and US media) is the high profile causes, not everyday things). The logical, yet illogical, conclusion is that all crimenals should be excecuted or be given a life sentence - and we all know that a handfull of bullets or a short lenght of rope is the cheapest alternative. And off course, doing that would bring the US nicely alongside 17th century Europe; where theft of a bread might cost you your neck...

        Revenge or reform? You make up your own minds, I know what I prefer.

      • Re:He did his time (Score:3, Insightful)

        by ndogg ( 158021 )
        I know people who work in the prison system, and I can tell you that the prison system does nothing to help these people feel like they're people.

        Our system throws a person into a cell, expecting them to "learn a lesson" from just that. It is likely that they are not educated in how to live life like a normal, law-abiding citizen. They're given the basic necissities of life, and that's it. After a number of years, they are given their freedom, but they don't understand how to live with that freedom. Th
    • Re:He did his time (Score:5, Interesting)

      by goon america ( 536413 ) on Thursday April 17, 2003 @02:25AM (#5749476) Homepage Journal
      Kevin is lucky in that getting put in jail actually increased his prospect for employment once he got out. For most people, a felony can be a lifelong sentence. And I don't understand how that's called "justice".
    • Re:He did his time (Score:3, Insightful)

      by antis0c ( 133550 )
      I agree, but you have to consider the context. It's not as black and white as that.

      For example, someone who has been convicted of molesting little boys. He goes to jail for 5 years. According to your logic, once he's out he's just a member of society just like the rest of us. So there should be no problem putting him charge of a boyscout troop. Or we shouldn't worry if he starts his own daycare center. Obviously not, thats why we have the sexual predator watch lists. Because we inheritantly don't trust
  • by beders ( 245558 ) on Thursday April 17, 2003 @02:16AM (#5749455) Homepage
    If someone will employ you, then you're trusted. You just have to prove yourself to them
  • by writertype ( 541679 ) on Thursday April 17, 2003 @02:18AM (#5749459)
    You know the rest.

    Although it certainly matter what your former profession might be, as long as you can do your job (of network security, I mean). OTOH, it seems like the best methods of foiling spies and hackers is to think like one, and the best way to think like one, is to, well BE one.

    Interestingly, I wonder exactly who the U.S. has employed in its counterterrorist operations.

    So the question boils down to morality. And that's not so easily defined. IANAH, but I suppose one of the better methods would be double-blind security; one ex-hacker to design the system, one ex-hacker to try and defeat it, and never the twain shall meet.
    • by Anonymous Coward
      otoh = on the other hand
      ianah = i am not a hacker

      ihtlut2oigsitimawstw
      (i had to look up the 2nd one in google so i thought i might as well share the wealth)
    • I wonder exactly who the U.S. has employed in its counterterrorist operations.

      During the Clinton years, the CIA was said to be restricted in who they were allowed to use. They weren't allowed to do business with a guy if say, he was involved with human rights violations.

      One guy talking to the press after Sept. 11 said these restrictions hampered investigations which could have prevented the bombings...

    • IANAH, but I suppose one of the better methods would be double-blind security; one ex-hacker to design the system, one ex-hacker to try and defeat it, and never the twain shall meet.

      1. We talk about crackers here, not hackers.
      2. Crackers generally suck at system design.

      Remember that in general any destructive activity is easier than constructive - that's a property of the Universe we live in. Building demolition, while requires some thinking to be done properly, tends to take much less time, thought and
  • people thes days (Score:4, Insightful)

    by Fooker ( 656693 ) on Thursday April 17, 2003 @02:19AM (#5749461)
    I actually kinda agrea with both of them. A criminal isn't one to be trusted depending on why they were in jail for, but on the other hand, one who has the knowldge, a hacker in this story, could be very usefull. A hacker knows how to get around things, and if at first they can't, they work at getting their goal. they have experience. now Painter might say thats why you should higher a security professional. yet who would you rather have, some nerdy kid fresh out of college? or would you rather have someone who knows whats out there, has experience with the programs that you will be using? and quite frankly could do better security audits then the nerdy college kid? no offence to anyone in college for this, nerdy just seamed like a good way to state my point even though the majority of the people in the field aren't that way at all. heh. well just my 2bits, peace.
  • by stj ( 607714 ) on Thursday April 17, 2003 @02:21AM (#5749464) Homepage Journal
    as a company's employee - maybe as an expert. AFAIK he was a genius at using tools, but I don't remember him creating any of them. Maybe I'm mistaken? That brings another question: if somebody creates a tool and somebody else uses it, who is the bad guy? Recent stories (like the one of DeCSS and the one about RIAA suing students) show that people start to go after those that make tools. Shouldn't we start prosecuting gun, hammer, ax, and car manucaturers?
    • by offpath3 ( 604739 ) <offpath4@nOspAM.yahoo.co.jp> on Thursday April 17, 2003 @02:38AM (#5749518)
      AFAIK he was a genius at using tools, but I don't remember him creating any of them.

      Actually, I think the really important point here is the social aspect of his cracking. The tools and the security systems will change, but there will always be a human somewhere who knows the password, and you can ignore all of the technical defenses if you can sweet talk them just right. Or if they do stupid things like pick predictable passwords. Or write the password on a post-it-note on their desk.

      I think much more than just doing a port scan, a company would hire Mitnik to examine their _human_ protocols and proceedings for dealing with security.

  • Obsolescence... (Score:5, Interesting)

    by ari_j ( 90255 ) on Thursday April 17, 2003 @02:22AM (#5749470)
    Most caught crackers are going to bring special, outdated skills to the job.
  • What's the issue? (Score:2, Interesting)

    by kinnell ( 607819 )
    Criminals who have done their time should be allowed to work however they want, within the law.

    Companies should be allowed to hire anyone they want, whether they have a criminal conviction or not.

    What's the problem?

    • Companies should be allowed to hire anyone they want, whether they have a criminal conviction or not.

      Companies should be allowed to hire anybody they want, whether they are female or not.

      ... whether they are Christian or not.

      ... whether they are black or not.

      Sometimes the company does not get to hire "anybody they want" because the company will discriminate. Society has decided that certain types of discrimination are unfair.

    • You've never hired anyone, have you? It's all about trust. No person hiring will choose a convict over a non-convict all else being equal. It shows they have lost the trust of society, and rightly so.

      It's proven that once people commit a crime, they are more likely to do so again, that is why we have parole. It is as big a risk (if not larger) as someone using Windows instead of linux for a server. It could all be OK, but there's the off chance that it may all go to shit.

  • by SethJohnson ( 112166 ) on Thursday April 17, 2003 @02:25AM (#5749478) Homepage Journal


    I don't think Mitnick is such a good representative for this issue. Probably a better example of 'hacker' turned security expert is that guy who the 'Catch me if You Can' movie is based on (
    Frank Abgnale [bankrate.com]). The FBI sprung him from jail in order for him to help them combat check fraud. Apparently, he's now responsible for designing many of the anti-counterfitting mechanisms built into our checks even today.
    • Frank Abgnale did a lot of social engineering during his criminal years, same for Mitnick. Yes, Frank used technical means as well (forgery), but getting someone to accept a badly forged check takes social engineering.

      Mitnick upset a lot of people but he hasn't stolen money or hurt anyone. I wouldn't want to employ him, but I certainly think he has a lot to offer as an external consultant on security. A lot of what he has to teach isn't even technical, but it is stool useful for all levels in the company,

  • Vocabulaire (Score:4, Informative)

    by Tiro ( 19535 ) on Thursday April 17, 2003 @02:30AM (#5749491) Journal
    . . . DOJ attorney Christopher Painter, on the whether ex-hackers could be trusted as computer security professionals. Mitnick says hackers bring special skills to the job, while Painter says a criminal is a criminal."

    They're called crackers.

    Mitnick sounds like little more than a self-promoter to me.

    • The connotation of the word has changed, deal with it, move on. You lost this war years ago. If you don't like what it now means to everyone but you and a few others, then don't choose it as your label.

      Simply put, if the masses see "hackers" as evil criminals then that's what "hackers" are. Language is determined by the masses, not by a small minority who get to determine what's PC or right.
    • I think the push to deprecate the term hackers is a bit too little, too late. The landside usage of the word "hacker" for someone participating in illegal activity is well out of anyone's hands to deal with, not even ESR's jargon dictionary will make it change. Why don't we face the fact that its not going to change and come up with another word? That is, for those of us that don't want to be an activist for every nitpicking thing in life.
  • by KimiDalamori ( 579444 ) on Thursday April 17, 2003 @02:35AM (#5749507)

    Am I running a bank with millions of dollars, and do I want the reformed hacker to secure the database with all the money in it?

    Come on, this is common sense:

    1: If the reformed hacker was doing it for personal profit, don't hire the hacker. If the hacker was just bored and causing trouble, maybe hire the hacker.

    2: If you want to secure the aforementioned bank's financial DB, don't hire a hacker, and have someone looking over the shoulder of the guy you do hire. =)

    3: If the reformed hacker writes all of his memos in 1337$p34|{, make sure you aren't hiring a reformed script-kiddie.

    Like I said, simple, sensible rules...

  • by teamhasnoi ( 554944 ) <teamhasnoi@yahoo. c o m> on Thursday April 17, 2003 @02:36AM (#5749513) Journal
    in no way should anyone with a record of, say, working at a company known for flagrant privacy violation, ever in a million years have a job at the Dept. of Homeland Security as...hmmm, how about Privacy Czar.

    Just like no one who went AWOL should be Commander in Chief, and the head of a giant energy corporation who mismangaged and defrauded it out of zillions of dollars should serve on a energy 'task force' behind closed doors, and a convicted monopolist should be able to expand their business to the very department of Justice that looked the other way.

    Oh.

    I guess what I meant to say is Christopher Painter must be a dumbfuck.

    Thank you! I'll be here all week!(or at least until the Privacy Czar's Storm Troopers come to put a transmitter in my ass...)

  • hacker/cracker (Score:2, Informative)

    by den_erpel ( 140080 )
    this is actually getting pretty boring to reply to this, but this [softlab.ntua.gr] definition explains it nicely:

    On USENET, calling someone a "cracker" is an unambiguous statement that some person persistently gets his/her kicks from breaking from into other peoples computer systems, for a variety of reasons. S/He may pose some weak justification for doing this, usually along the lines of "because it's possible", but most probably does it for the "buzz" of doing something which is illicit/illegal, and to gain status amon

    • Re:hacker/cracker (Score:3, Informative)

      by stj ( 607714 )
      I looked up Webster Online and:
      From Jargon File (4.3.0, 30 APR 2001) (jargon)


      cracker n. One who breaks security on a system. Coined ca. 1985 by hackers in defense against journalistic misuse of {hacker} (q.v., sense 8).

      I think it's the shortest definition and the most accurate. And actually means that cracker and hacker are mutually exclusive.
    • This is a very insular USENet thing adopted by some segments of Free Software culture, and not at all in keeping with past or present common usage in the computer field or wider culture. As noted in one of the other replies, the usage of "cracker" to describe people who break into computers was coined ca. 1985; the usage of "hacker" to describe these same people dates back to the late 1970s, and was already in very common usage by the early 1980s. For the vast majority of the history of computers, this (s
  • by jonhuang ( 598538 ) on Thursday April 17, 2003 @02:39AM (#5749523) Homepage
    It's not just about whether convicted felons can be trusted--M. seems to argue that it's actually _better_ to hire someone who's been on the shady side of the law.

    And as most crackers look for unsecured systems rather than attacking or defending a specific one, I don't think the "special skills" argument holds much weight.

    Ex-druggies make great recovery therapists but bad customs agents..
    • Good point. I wouldn't hire a recovering drug addict as a customs agent, but I might bring one in to give a talk to the other agents about where drugs may be hidden, how to spot the mannerisms of someone smuggling blow, etc. For the same reasons, I would probably hire someone like Mitnick as a consultant. I may not want him running my IT department and as others have pointed out, knowing how to break into a system isn't the same as knowing how to secure one, but I'd imagine he could probably teach my sta
  • Like Frank Abagnale [abagnale.com] who, after a brief but brilliant career as a conman, was eventually hired by the FBI itself.
  • by JakiChan ( 141719 ) on Thursday April 17, 2003 @02:41AM (#5749530)
    So the prosecutor was concerned about Mitnick's lack of remorse? While I cannot condone Mitnick's actions at all, I have to wonder how easy it would be to show remorse when the legal is being used abused against you. If there had been a speedy and fair trial that would be one thing, but given all that happened in this case I know that by the time the actual trial came about my anger would get in the way. I'm not saying that's ok, I'm just guessing at what my own reactions might be.

    Winkler might want to look at the message that HP is sending by hiring the Getto Hackers and not hiring Mitnick. To me that message is "Hacking is ok if you don't get caught." I suppose it might be a valid viewpoint (in football it isn't holding if the ref doesn't call it) but to me that seems like the wrong thing to say for someone who is trying to take the moral high ground.
    • I have to agree with you on the subject of remorse. The fact of the matter is that Kevin Mitnick was held without trial so long that he was forced to plea bargain - quite possibly because the prosecution didn't believe it could build a strong enough case on Kevin.

      The one who SHOULD be showing remorse here is his prosecutor, for abuse of law and violating the spirit of the justice system. Inadequate law enforcement training is good reason to get better training and become better at collecting evidence; it
  • by fm6 ( 162816 )
    And of course <sarcasm> criminals have no place in law enforcement [chicagotribune.com]. </sarcasm>
  • Ethical Hackers (Score:3, Interesting)

    by rf0 ( 159958 ) <rghf@fsck.me.uk> on Thursday April 17, 2003 @02:46AM (#5749552) Homepage
    I believe there is room for people who proves themselves to be trustworth. These are the sort of folks who have a private contained network in which they do their hacking. There aren;t hurt anyone and theuy are still learning.

    If they find something they then take the appropiate route of contacting the appropiate company and working with them to fix the problem As for the people who find an exploit then use it. No definitly not

    Rus
  • Case in point... (Score:4, Interesting)

    by BlueFall ( 141123 ) on Thursday April 17, 2003 @02:46AM (#5749554)
    The government hires ex-criminals to fight crime with great success -- just look at She-Spies! ;-)

  • by stienman ( 51024 ) <.adavis. .at. .ubasics.com.> on Thursday April 17, 2003 @02:48AM (#5749558) Homepage Journal
    Hacking is an addiction. Furthermore, a succesfull cracker does not necessarily make a good security expert. You wouldn't give a 5 time convicted drunk driver their license, even if they haven't touched alcohol for years... Why? Because it can be too easy, too much of a temptation to fall back into old habits.

    Maybe you've never felt a true addiction. Perhaps you don't know what it's like to be mentally chained to some action, item, etc. Sure, you get into long programming binges, where you're in 'the zone' for hours, but it's not like you can't go 2 minutes without zoning out of real life and thinking about your program.

    When you are addicted to something you very literally are unable to keep your mind off the subject for any length of time.

    The chances of an addicted, convicted, and reformed cracker of being tempted and going back to their old ways are so much greater than the chances of a programmer/net admin/whatever who hasn't been addicted that it isn't a reasonable risk to take. You don't give a reformed alcoholic a wine tasting job.

    That being said, it's unfair to group people together by any metric. I could say, for instance, that all good criminals are persistant con men. It isn't always true all the time, but when you look at one case at a time it certianly seems so. Most, if not all, of Mitnick's significant exploits weren't brain power, or shear ability to break systems. It was his ability to convince another person that he was authorized to recieve sensitive information, and when he didn't get it from one person he moved on to the next. A very charismatic, persistent con man. Certianly no Carmack.

    So it's not fair to lock everyone convicted of computer crimes from using computers again, or even from using computers in the way they used them in their illegal activities.

    But if you are shortsighted enough to believe that a true addicted can ever be fully and completely cured... Employer beware...

    -Adam
    • It was his ability to convince another person that he was authorized to recieve sensitive information, and when he didn't get it from one person he moved on to the next. A very charismatic, persistent con man.

      What if Kevin is doing that to us right now?! We must keep him away from Dale Carnigie books at ALL COSTS! He'll be unstoppable!!

  • they have more fun at it. I'd rather have a ex-evil hacker testing my security than some goody-too shoes. The evil ones will go that extra mile - they have something to prove, that they can bust into anything.

    The good ones will just pound sand and say, "They didn't teach me that in 'Hacker School'".

    Added benefit: If you hire all the evil hackers, they'll be so busy hacking other evil hackers that they won't have time to steal your credit card database. Besides, we all know that hackers don't break int

  • I'm a consultant for an internet security company. The job is challenging, varied, fun and well paid. I get involved in pen tests, source code audits, hardware audits, etc etc. I wouldn't have got this job were it not for the fact that in a former life I used to 'play' with things I shouldn't. Don't get me wrong, I've never been arrested or charged with any crime relating to computer misuse, I've never done anything that serious. Something as simple as writings 'POKEs' for computer games was considered
  • by anethema ( 99553 ) on Thursday April 17, 2003 @02:59AM (#5749585) Homepage
    Im pretty sure that the main point of prison..besides simple punishment..is to reform those to behave society's rules when they have shown that they cant. When they are released from prison, they are -supposed- to be considered a fully functional reformed member of society.

    To label an EX-con as always a criminal kind of goes against the whole point of prisons, and general reform.
  • Prior Art (Score:5, Interesting)

    by R_V_Winkle ( 186128 ) on Thursday April 17, 2003 @03:11AM (#5749609)
    I am not in a position where I can affirm that Mr. Mitnick is reformed and can be trusted. However, I disagree with statements such as "Criminals are Criminals".

    And in answer to the assumption that Fortune 500 would not hire a criminal for his services, I would like to point out that many of these companies have hired Mr. Frank Abagnale in the past, who first made himself famous for check fraud before working with the FBI and then creating his own consulting firm. He is an example that an ex-criminal can become successful by using the same skills that made him a criminal in the first place, and that law enforcement and big companies do sometimes hire such people for their services.
  • WTF. Obviously they're not responsible for the misuses of hacker that they quote, but they're goddamn Securityfocus. They have no excuse for not knowing how to use "hacker" properly. That's like an artist pointing at a paintbrush and asking you to hand them that thing with the fluffy end.
  • I don't understand this discussion. A lot of movies and TV-series have already proven that using a former criminal is the only (cool) way to go if you really mean business?
  • From the article: Regardless of whether or not a hacker with a record has reformed, the bottom line, said Painter, is that paying former criminals big bucks sends the wrong message to the young, up-and-coming technology workforce. He added, "That's like saying the best way to a high pay check is to go out and be a criminal hacker."

    Too right. I agree with this 100%.

    If we encourage kids to do this, by promising them a long and lucrative career in 'Security', then we will just have even more crackers out there trying out their so-called skills.

    I've had one guy who repeatedly downed a DALnet server I managed tell me that basically he hoped to put his skills on the market once he finished his Degree. He laughed at me when I suggested having a criminal record might slow him down.

    If you run an IT department, don't hire crooks. No matter HOW good they say they are, a trained professional without a criminal record is a thousand times better than some thug who has spent his youth trying to make lives for people like me a misery.
    • I think a lot of these "hiring convicted criminals gives a majorly wrong idea" posts miss a big point: prison. Sentance times for hackers are getting longer and longer and longer; if Mitnick was convicted today he would probably be Ashcrofted of his citizenship, stuck in solitary somewhere, and never heard from again. Young hackers have at least a certain level of brains about them; they have at least a twinkle of understanding that hacking can lead to some Big Problems nowadays.

      Arguing that Mitnick is gl

  • by polished look 2 ( 662705 ) on Thursday April 17, 2003 @03:37AM (#5749650) Journal

    I used to work at MHMR/TC [mhmrtc.org] and my supervisor, on at least one occasion, bought phony computer equipment and pocketed the money. Further, when a co-worker of mine tried to blow the whistle on him, he was told to play along or else they would make his life miserable at work, which they did and he was soon fired or forced to resign.

    I, on the otherhand, who am very skilled with computers, was put in a rather awkward position after I was let in on the little secret because it soon became apparent that it was bothering me and they obviously feared they could not trust me, so they treated me badly and I soon became suicidal and tried to commit suicide four times.

    Later on, however, after I was forced to resign and was able to collect myself, I discoverd that one particular co-worker's Yahoo! email account was linked to credit card stealing, which you may view for yourself here [google.com] which so happened about the same time someone stole money out of two of my co-worker's purses.

    When I discovered this, it was like, great! We finally have the culprit and so I told them, but they did not do anything. I even told them about the supervisor that was buying phony equipment and keeping the money. Still, they did not do anything. Then, after realizing many are involved, I wrote one email to many people in the organization (that is, many people were in the To: header) and they responded by threatening me with litigation concerning things like computer security breachment, criminal harassment with a computer and some other computer crimes.

    Why is it that since they're idiots with computers but thieves they can point to someone that is good with computers and not a thief and call her a criminal hacker?

  • by jemenake ( 595948 ) on Thursday April 17, 2003 @03:38AM (#5749653)
    I don't think most hackers hack because they like crime. They like a challenge. The want a way to test their intellectual arsenal against others.

    In a way, I guess you could look at hacking the first multi-player online game. It was the first way to pit yourself against a real human opponent online (aside from checkers and chess on Prodigy back in the 80's I guess :) )

    The hackers play the "side" of the hackers because that is the side that's most available. If you give them a job as the sysadmin, then being able to read everyone's mail is no longer a challenge and, hence, tends to lose its novelty. Instead, they now have a new adversary: the rest of the hacker world.

    It's all about proving that your king-fu is better. Whether you play the black pieces or the white pieces only determines the numbers printed on your paycheck (or your orange jumpsuit, I guess).
    • Sometimes, with the smarter ones. But that is only a small percentage.

      Most are fairly dumb. Probably no smarter than I. ;)

      The main reason they get started is they think its cool. Thats all there is to it. They hang around with a bunch of guys on IRC, find some hacking related channels, suck up to various people, start trying to develop some skills so they can get cred, and it goes from there.

      With a trojan kit and half an hour of time (and a few weeks of waiting for the trojan to propogate), you to can be
  • by JimPooley ( 150814 ) on Thursday April 17, 2003 @03:38AM (#5749654) Homepage
    OK. A guy breaks the law and is convicted on the basis of his hacking crimes. When he comes out he gets a prime well paid job on the basis of his law breaking experience.

    What kind of example is that setting?
    "Break the law, and get a good job" is NOT a good example to be setting, it will only encourage people to commit similar crimes.

    I think companies are perfectly correct not to employ convicted hackers in a security role. It is completely morally and ethically wrong to reward people for crimes they have committed.
    • You ever listened to any gangsta rap or seen the movie Catch Me If You Can? Both probably have a much bigger influence on the general public.
    • So, someone who served the sentence for their crime still can't be trusted to never do it again. And for his hubris, Kevin will never be on your payroll.

      Similarly, then, you would never employ the services of a Mitnick for less than ethical, moral, or dare I say scrupulous endeavors.

      It is completely morally and ethically wrong to reward people for crimes they have committed.
      And yet, they speak Spaninsh in Mexico.
  • by termos ( 634980 )
    Is this the title for the new Disney movie?
  • by Cap'n Crax ( 313292 ) on Thursday April 17, 2003 @04:36AM (#5749769) Homepage
    Once upon a time, I was a hacker. I've always been into computers, since I first encountered a TRS-80 in 1977. I'm 36 now. I'm still using my original handle from those days, and wrote an article for Phrack in '85. I actually was one of the people who helped talk Craig (Neidorf, "Knight Lightning") into starting it as an online magazine. I've always believed in freedom of information.

    In those early days, there were LOTS of us (young people) who were into computers and were fascinated by them. But there was no internet, and those of us in small towns (like myself) had NO means to communicate with others with the same interests, other than BBS system using a 300 baud modem, or 1200 baud if you could possibly afford it.

    So, at that time, if you wanted to learn and communicate, one of the first things you would do would be to call BBS's all over the US. But phone charges were high!! And the parents didn't like that!! So -- you would ask around. And soon, you'd find out about "hacking." Hacking local systems to use TELENET (not telnet), hacking local business PBX systems to get an outside line, which were usually 3-digit "passwords" in those days, or using "codes" to dial out using Sprint, MCI, or TMC (My article for Phrack was on TMC hacking.)

    Was it illegal? Yes. It was also amazingly simple. At that time, you would dial a local access number, enter a code (sometimes only 4 digits), enter a # to call, and it would go through. You could use a phone code for a month or more usually, until the customer got the bill and complained. I guess phone co. insurance picked up the tab. I never really cared.

    Pretty much my entire interest in and knowledge of computing and networking came from these early "hacking" experiences. I don't regret them. And I'm the most honest person you could hope to meet. Had there been an "internet" or ANY way to communicate with other computer folks, I would have used it. I pride myself on my honesty and don't steal, rob, rape, pillage or murder. I just like to learn new stuff.

    And, at that time, that was how it was done. Mitnick came from that era, and I think he was screwed unforgivably. I'm now a partner in a company that does some security work. Would I hire him? Absolutely, I know just where he's from.
    • Bah.

      I was around then too. I, however, wasn't a thief.

      "I pride myself on my honesty and don't steal, rob, rape, pillage or murder."

      Um, yes you DO! You stole from companies. Furthermore, you STILL don't see it as wrong. You have the same attitude as Mitnick, and that's what the prosecutor was getting at. Lack of remorse, lack of true understanding that YOU ARE A THIEF.

      You didn't just break some random law--you STOLE service! Others had to pay for you to do things that you were supposed to pay for.

      I wo
      • Tell it to Wozniak, he and ALOT of other names in the IT field are admitted hackers just like the person you're replying to. So am I for that matter, I was around then, but that was long ago, today is a very different world. Its a MINDSET. The same mindset I put to use for 7 years in the realm of physical security. How does the system work, were are its weak points, can I get around the system?

        Everything isn't so cut and dried, and if you want to make such blanket statements, I hope you check the records o
    • Nice article:

      The TMC Primer [phrack-don...t-dmca.org]

      I can dig that, old-timer. I can see where you are coming from too. I came in on the tail-end of the BBS era, just when it was really starting to die, and the internet was just started to get around, in Australia. I could really have done with some of these phreaking deals when I was a kid ($2000AU phone bill, ouch).

      The thing is, I'd hire you, as you have not been caught, yet you freely admit your past. Mitnick, however, was caught - yet he repeatedly complains about the ro
  • Kevin Mitnick has served the sentence society gave him.

    And while it is every employers choice if they want to hire him or not, it is foul play of his prosecutor to argue in public that he should not be given a job.

    Even if the prosecutor personally don't believe in reform (no, even though you yanks all seem to believe it, the purpose of imprisonment is not revenge from society's point of view), he is still a DOJ official. How can he send people to jail, claiming it is for their reform, when he obviously

  • Debt to society. (Score:3, Interesting)

    by tmortn ( 630092 ) on Thursday April 17, 2003 @05:55AM (#5749991) Homepage
    Intresting concept but as many have pointed it out it has problems.

    I can't say I would hire him to build my security system. I would however hire him to test it ala "Sneakers".

    Computer security savvy is a catch twenty two. You can't know how to defend unless you know how they attack. The only way to be premptive is to figure out all the ways of attack. This means you have to attack your system at least theoretically. And the only way to determin if your deffense is effective is to test it.

    People who are only testing a system will always be less creative in finding 'hacks' than those truly trying to penetrate the system. Its the problem of being inside the box.

    The best crook is a cop and the best cop is a crook. Know your enemy. Keep your friends close and your enemies closer.

    Ultimately I don't buy this rewarding crap. Mitnick at some level has paid for his transgressions with an all expense paid federal 'vacation'. If he so much as twitches his nose wrong with a computer system again and it is caught they will send him back and throw away the key. Paying the man to gain knowledge that can help you build a better and more secure system is not rewarding him. It is not encouraging kids to go get busted for a felony hacking offense and spend years in prison for the possibility of making big bucks as a security consultant.

    To the letter of the law I doubt there are many people who post here who under 100% enforcement would not possess a computer misuse charge agianst them. How many here might have been that kid the RIAA just lit up? How many have never copied anything that was not supposed to be copied? How many have never tried a back door method of gaining access to a system ? Hell how many havn't successfully gone through a back door? Answer that with no justification, no weasle wording, and no claims but that was different. Technically the law dosn't give a damn.

    Not that I think this is a wretched hive of scum and viallany. I just think this is a group of highly savvy computer users. There is deffinatly a line. A line I would wager the majority of /.'ers have not crossed and its a line Mitnick was well on the other side of. But to some extent I think the largest difference there is someone who acted on knowledge vrs people who possesed the knowledge. Ultimately who makes the better applicant for a job ? The one with the knowledge or the one with the knowledge and the experience ? In terms of social engineering Mitnick is one of the few KNOWN people that knows through experience the difference between reality and theory. However the fact of his experience makes him a risk.

    I can see both sides of the issue.

    On one hand HP could embrace Mitnick's firm and then emblazon on their systems that it was hack proofed by the most notorious hacker to date.

    On the other they can say we won't encorage miscreat beheivior and hire people who it seems pretty certain have done questionable things in their past but have never been caught.

    Overall.... hiring the people that have yet to be caught may be better. But it also carries with it its own risk. They may be employing Mitnick Jr. The overworn Cliche of having the fox gauarding the hen house is poorly thought out. After all don't we often have a Dog guarding the hen house.. or the sheep ? And what is a dog but a domesticated version of the Fox/Wolf that has been trained to provide a constructive service instead of a destructive one ?

    The true question to me then is if Mitnick is still a fox or if he has been house broken. If the former stay away, if the latter I can think of few would would be better. You decide. Me personally I think he is the moral equivalent of a celebrity spy ( its an oxymoron ) IE he can't do what he did anymore because he is too well known. I say companies should take advantage of the fact he is out in the open. Odds are he will wind up being a nemissis to wanna be Mitnicks more than an inspiration.
  • by Millennium ( 2451 ) on Thursday April 17, 2003 @06:54AM (#5750185)
    Well, then, probably every politician currently active in the US (and most other places) ought to be fired immediately.

    And it seems someone needs to read Les Miserables.
  • by isa-kuruption ( 317695 ) <kuruption AT kuruption DOT net> on Thursday April 17, 2003 @07:01AM (#5750215) Homepage
    Like many have already said, it's about trust... it's not about whether he is a criminal or not. Being a criminal convicted 5 times of computer related crimes makes him untrustworthy regarding computer security.

    I'm sure Mr. Mitnick would be a very trustworthy chef or petroleum distribution agent (aka gas pumper). But as a security guy in a corporation? Uhhh I don't know about that one!
  • Hacker zen (Score:3, Insightful)

    by clonebarkins ( 470547 ) on Thursday April 17, 2003 @07:35AM (#5750361)

    A criminal is only a criminal because the law says he is.

  • by Dman33 ( 110217 ) on Thursday April 17, 2003 @09:00AM (#5750862)
    Okay, this irks me just a little bit. Someone in law enforcement (whether you are an officer or a prosecuter) should never say things like that. The problem our society faces is that mentality that once you are a criminal, you are always a criminal.

    Recidivism is the leading cause for prison overcrowding. The problem is that the convicted felons are not given the opportunity to learn necessary skills (whether they be work skills or social skills) to make it in the real world. So when said prisoner gets out of the pen, they only know one thing, not to make the mistake that got them caught the first time.

    It worries me to see prosecutors give up on people. I was charged with a felony, I was not exactly convicted (plea bargain for probation, no record cuz I was young) and the court actually gave me the opportunity to make things right. And I did. I also had studied criminology in college and knew the epidemic of recidivism that plagues our society. Understanding the problem and how to pull myself out of it was very important. I also had a support network of family and friends which is also important but that is a different story.

    I guess my point is this... when somebody make a mistake or poor decision, it is not exactly good to label them a violator of the law for the rest of thier life. Yes, punishment and restitution is prudent, but labels are what cause that person to repeat the crime again. Prison is not so much of a deterrant once you have already been there... it becomes a training facility and the 'me versus them' attitude begins. If you make a mistake and you know that you were dumb and should have done better yet everyone keeps calling you a criminal and nobody tells you otherwise, you become just that... a criminal.. for life.

    Yes, there are some that commit crimes that are so severe that you can only think that they are mentally damaged. That is a different story and I am not saying that we should just put murderers and pedophiles into counseling and then off to the real world where they will be perfect citizens for ever... I am saying that non-vilolent crimes that do not directly harm another individual should be treated with hope that the one that comitted the crime can be reformed and contribute to society in a meaningful way in the future.

    It is scary, but here is a little theory of mine. If I were to have 100% knowledge of every law in the land, and I were to watch every move you make, I would be able to charge 95% of you with at least one felony be it federal or in your state. Would the case win? Not sure... but I bet I would have a good case.

Solutions are obvious if one only has the optical power to observe them over the horizon. -- K.A. Arsdall

Working...