10 comments

  • mcfunley 3 hours ago
    I worked at a company that had hired Mitnick as a security consultant.

    His report for a client that turned out to have been rife with SQL injection at the time was largely movie plot physical security stuff. Not wrong exactly, but not the center mass of the threat model they needed either.

    He seemed to lack systems thinking, producing a report that focused on calling out specific employees as dumb or incompetent. Counterproductive at best. It seemed like his PR exceeded his utility by a great deal.

    That trend continues beyond the grave, maybe.

    • skeaker 2 hours ago
      In all fairness, a genuine attacker WILL be abrasive and abusive. They WILL single out employees that are gullible and exploit them. It's not pretty because a genuine attack is not pretty. Of course a simulated attack will be indecent and discourteous in nature, that is how attacks are.
    • firebot 1 hour ago
      He mostly used social engineering. Not technical exploits. So that's how he succeeded. Call it crazy, but it worked.
    • leetrout 2 hours ago
Dude, I was called out by name in the report, either right before you got there or in the first one after you were there. I was called out in the one where they got B's Audi keys in his office.

      Whole thing was so dumb. A floor full of smart monitors that they could have put a keylogger on. A plethora of physical network access and I get called out for leaving my laptop on the lock screen and going downstairs for food.

And they got found out because I ran Little Snitch, which I paid for myself, and it caught their hijacked Chrome making all sorts of weird network calls. But I don't remember being given credit for that.

      (Sips mojito)

    • esikich 52 minutes ago
      "He didn't breach us the way we wanted him to do it so it was dumb." Idk man, sounds like you locked your doors but left the windows open. That's the point of these things.
      • mcfunley 21 minutes ago
The point is really that after working through remediations, there were pretty massive issues remaining that weren't hard to find and were vastly easier to exploit if the attacker is a Russian teen and not Bruce Lee. And the budget for such things was blown. Priorities, etc.
      • murderfs 24 minutes ago
        "a client that turned out to have been rife with SQL injection" sounds more like they left the doors open, but the report focused on the lack of security bars on the windows.
    • the_af 2 hours ago
      Kevin's security company is also a mess, and the training videos they produce are embarrassing at best.

      I understand he probably just lent his name to the company (though he did show up in some of the videos), but still...

      • anthk 2 hours ago
This is what happens when the 90s PC community renamed crackers as hackers. Proper hackers would have been the ITS/WAIS ones doing crazy things with computers for their era.
    • lern_too_spel 3 hours ago
      He social engineered your company into contracting him, and that adds to the legend, but people don't see how many other companies he failed to social engineer.
    • topham 3 hours ago
      The hero worship of him makes me physically ill, always has.

      He did cost people their jobs though, so I guess he's a good person.

    • kingforaday 3 hours ago
      > "He was a hacker-turned-security consultant who, later in life, helped shape the modern white-hat."

      They left out convicted criminal.

      • firefax 2 hours ago
I have so many stories about his absolutely terrible behavior at conferences. He once refused to pay the entry fee to a charity event and had to be physically ejected.

Absolutely better at PR than at any actual work; pay careful attention and none of his early stuff was particularly novel from a technical perspective.

        But for whatever reason, we venerate him just because he was victimized by the state. The world is not a dichotomy -- sometimes bad things happen to bad people.

        • colechristensen 2 hours ago
          He got all of the "Free Kevin" attention because of how long he was left in jail before trial and then being stuck in solitary confinement after sentencing for months.

          If he had been treated fairly by the justice system he wouldn't have gotten nearly as much attention.

          He was also autistic, a lot of the behavior can be explained through that lens.

          • firefax 2 hours ago
            >He got all of the "Free Kevin" attention because of how long he was left in jail before trial and then being stuck in solitary confinement after sentencing for months.

            That was uncalled for on the part of DOJ.

            >He was also autistic, a lot of the behavior can be explained through that lens.

            I'm autistic. Maybe I should go commit a bunch of felonies to increase my chances of a good job and stature in the hacker community, since things like publishing code, publishing peer reviewed papers, and mentoring newbies have not been productive ways of finding gainful employment nor respect of my peers.

            I have friends who did things like take a gap year to travel the world or met their spouses on nights I stayed in to study, and some evenings when browsing HN I feel very sad that I wasted my 20s on a society that does not care about me.

Anyways, sorry for the wall of text, but what you said really struck a nerve with me -- there are hierarchies in any community, and one thing I've noticed with the hacker scene is that one group of people can mess up over and over using the same sets of facts or diagnoses, but others can expect worse outcomes with better behavior for reasons that elude me to this day.

            • coryrc 1 hour ago
              > I have friends who did things like take a gap year to travel the world or met their spouses on nights I stayed in to study, and some evenings when browsing HN I feel very sad that I wasted my 20s on a society that does not care about me.

              I'm glad you have finally recognized the problem.

              Stop living for your idea of others and start living for yourself.

            • lnxg33k1 4 minutes ago
              It's good that somewhere the quality of work is rewarded more than the quantity
            • colechristensen 1 hour ago
              Kevin was famous for being mistreated by the DoJ and writing some books which were perhaps not particularly true in hindsight. After he got out of jail and rejoined the community he lost a lot of respect for being himself, though it's not impossible that years of imprisonment and a long time in solitary had some permanent negative effects. In other words... you shouldn't envy Kevin's life.

              For the rest: nothing's stopping you from having fun, regardless of age.

  • ww520 2 hours ago
I read the book by Tsutomu Shimomura, who detected Mitnick's hacking and tracked him down. It's a fascinating read. He was able to locate Mitnick in the physical world based on his online activities and his cellular phone usage. In those early days, few people understood the cyber landscape and cellular technologies well enough to exploit them.
    • alex1138 1 hour ago
Yes, but AFAIUI Mitnick was upset that Shimomura had the full weight of the police on his side, right? He used techniques that shouldn't have been available to him.

Interesting fact about Shimomura: he was a student of Feynman's.

      • ww520 45 minutes ago
I think he didn't know cellular well enough and thought a wireless phone was unlocatable because it was mobile and not tied down to a landline. As a physicist, Shimomura would have known all about radio and signals. He just used old WW2-era tech, radio triangulation, to find the location of the cell phone's radio transmitter. It didn't help that cell phones were rare back then and the signal on his cell transmitter frequency stood out like a sore thumb.

Regarding the full weight of the police, Shimomura did have an easier time convincing the ISP and phone companies to give him access to the logs. He was able to ask the cellular company to locate the cell tower Mitnick's cell phone connected to and traced him to the general area. If Mitnick had been careful, he could have hacked into the ISP/phone companies and erased all his access logs.

      • Sleaker 1 hour ago
        ... All's fair in love and war?
  • kkaske 7 hours ago
    I'm old enough to remember all the "Free Kevin" gifs scattered around the internet.

    This helps to fill in some of the details. It's a really nice story showing the humanity that can be found in situations when you look close.

    • kstrauser 3 hours ago
      At DEF CON and related events now, you commonly see stickers saying "PUT KEVIN BACK".
      • devmor 12 minutes ago
From what I can tell, DEF CON is largely law enforcement and companies that sell to them these days, so I'm not surprised at all to hear that.
        • kstrauser 7 minutes ago
          I keep hearing that cynical, and wrong, dismissal but have zero idea where it comes from. Yes, there are cops. Some .govs even have booths in the info areas. The stated idea is that it's a good thing when cops and hackers can hang out and discuss ideas and opinions outside of interrogation rooms, and I agree with that.

          That's miles away from "largely law enforcement" though. I talked to an FBI agent at PyCon but people aren't claiming it's a LEO convention.

      • sudo_cowsay 3 hours ago
        Well, he has passed so I don't know if that sticker is relevant anymore.
        • kstrauser 3 hours ago
          It's probably not, but still usefully signals particular mindsets to others who might share them.
    • mindcrime 2 hours ago
      Call me nostalgic or whatever, but my laptop to this very day...

      https://fogbeam.com/free-kevin.jpg

    • firefax 2 hours ago
      >I'm old enough to remember all the "Free Kevin" gifs scattered around the internet.

      A generation of hackers (specifically, the vBulletin generation) stayed as far away from the CFAA as possible after that fiasco, which I suspect is exactly the chilling effect that the DOJ intended.

  • TurdF3rguson 3 hours ago
    I heard he can launch nukes by whistling into a pay phone.
    • jagged-chisel 2 hours ago
      Maybe I'm mistaken, but that sounds more like Chuck Norris.

      Wait ... no fists involved. My mistake.

      • uberex 3 minutes ago
        With Chuck Norris, the nukes whistle at him, just to keep on his good side.
      • alex1138 1 hour ago
        It's in his (Mitnick's) autobiography Ghost in the Wires. In his telling of the story they put him in a more restrictive environment exactly because of the reason given (launching nukes by whistling into a phone)
  • nunley 1 hour ago
    I'm going to defend Kevin here because I see a lot of comments from people I am sure have no valid reason to be hating on him.

    Kevin was particularly annoying because he never failed to penetrate a target. The reason that's annoying is it just takes one slip, one weak point, one inattentive admin and it's over. People will stay mad about that. I get it.

    But those who say he had no talent are just ignorant.

    His goal was to make the world safer, and making people pay attention to risk didn't make him a lot of friends. All the hate I am reading here is just sad.

    If you hate Kevin and did not know Kevin, I feel bad for you. Hate is an expensive emotion, even when you're just being a keyboard warrior. It should be reserved for people who have really wronged you. Kevin is not with us anymore. The hate is hurting you, not him. And he has a son who will read this someday. Have a heart.

    • 1970-01-01 24 minutes ago
      This story is itself evidence that Kevin had good parts to him. This 911 GTS is not some shit joke prize.
    • jjulius 1 hour ago
      In case folk don't connect the dots, this appears to be Shawn Nunley from the article.
    • reinitctxoffset 1 hour ago
      I would petition all other community members to appreciate the gravity of the parent's comment.

      Speaking for myself as someone very early in my journey during the time when Mitnick was still active as a grey hat: he advanced our thinking about security and the nature of trust itself in ways that have never been more timely.

Paradoxically, he profited personally far more as a white hat than he ever did in the grey area; his motivations were clearly not extractive. The authorities compelled him to go do lucrative things (after persecuting him mercilessly)!

RIP Kevin. We are ill-equipped for the vulns of the AI, but without you we'd be helpless.

    • Barrin92 41 minutes ago
      >But those who say he had no talent are just ignorant.

I don't think anyone says he had no talent; what rubs people the wrong way is that the thing he had talent for is the same thing the people who scam-call your grandmother out of her pension money have. You can be the world's greatest burglar, you're still a burglar. The whole cringy "social engineering" thing turned media persona and consulting business is to engineering what chiropractic is to medicine.

He leaned pretty heavily into monetizing his own image, and for a lot of people what he did became synonymous with the word 'hacking' in a not particularly positive way, and criticising that isn't hate.

  • netsharc 3 hours ago
    Hah, he social engineered the God of social engineering...
  • nba456_ 2 hours ago
    Too bad he wasn't colorblind.
  • lovich 2 hours ago
I don't need to know an iota of his activities as a hacker to hate him. I hate him because of how many times I had to be put through mind-numbing security training with his mug as the opener. "I'm Kevin Mitnick" and KnowBe4 are seared into my brain at a PTSD level of terminal boredom.