http://www.wired.com/news/print/0,1294,47354,00.html

By Michelle Delio
2:00 a.m. Oct. 8, 2001 PDT

The world's most notorious hacker says the government should focus on securing its computer systems rather than snooping on citizens.

Kevin Mitnick, who spent four-and-a-half years behind bars for breaking into the computer systems of telephone companies, stresses that hackers should take extreme care these days given the sensitive political environment and the new laws defining many hacks as acts of terrorism.

He also warned that any hacker could win the "scapegoat sweepstakes" at any time, receiving a harsh sentence to serve as an example to other hackers.

Mitnick, who has testified before a Senate committee on the dangers of politically motivated hack attacks, thinks cyber terrorism is a credible -- but not particularly critical -- threat that could be headed off by strengthening security at government agencies and private corporations.

He firmly believes the newly proposed Patriot Act is just an excuse for law enforcement to further its own agenda. The act, approved on Wednesday by the House Judiciary Committee and slated for a full vote this week, gives wide-ranging surveillance powers to the police, including extensive scrutiny of electronic communications.

"The Patriot Act is ludicrous," Mitnick said. "Terrorists have proved that they are interested in total genocide, not subtle little hacks of the U.S. infrastructure, yet the government wants a blank search warrant to spy and snoop on everyone's communications."

If anyone has a right to what some might see as paranoia, Mitnick would be that man. He's been portrayed in newspapers, books and movies as the all-powerful evil programmer, a brilliant hacker able to launch a nuclear war with a mere whistle into a cell phone, able to bring down government computer systems on a whim.

For the record, Mitnick denies many of the crimes that have been credited to him and said the government and the mainstream media created the myth of Mitnick for their own profit.

"I am not innocent but I certainly didn't do most of what I was accused of," he said. "Basically, I won the scapegoat sweepstakes."

Mitnick agreed to be interviewed as part of the publicity for his role in an episode of a new ABC spy drama, Alias, in which Mitnick plays a CIA computer expert. Mitnick's episode, "Doppelganger," is scheduled to air Sunday, Oct. 28.

Arrested in February 1995 for hacking into the computer networks of communications providers such as Digital Equipment, Pacific Bell, Bell Atlantic and Internet service provider The Well, Mitnick was held without bail for four and a half years. He served eight months of that time in solitary confinement as authorities apparently feared he could still manage to hack into some device and cause the end of the world.

He pleaded guilty to entering computer systems without authorization, served another eight months, and was released in January 2000.

Mitnick is banned, until January 2003, from using computers, acting as a technical consultant, or writing about computers without permission from his probation officer.

Mitnick recently was given permission to carry a cell phone so that he could be in touch with family during his father's terminal illness. Mitnick was allowed to keep the phone after his father died five months ago but believes it's so authorities can keep track of him.

Mitnick testified before the Senate Governmental Affairs Committee in Washington on March 2 and outlined a comprehensive plan that would secure computer systems against most hack attacks. He believes that the government should be hardening their systems now, although he's not totally convinced that cyber terrorism is the worst threat.

"Yes, a coordinated team of hackers could take down the communications systems, the power system, perhaps the financial markets," he said. "But all of those systems would be back online pretty quickly; you can't really knock them out for an extended period. You could use those outages as a decoy though, to draw attention from what you are really planning."

But he believes that increased surveillance powers aren't going to help win the war against terrorism and he thinks the government knows it.

"The government does things like insisting that all encryption programs should have a back door. But surely no one is stupid enough to think the terrorists are going to use encryption systems with a backdoor. The terrorists will simply hire a programmer to come up with a secure encryption scheme."

Mitnick defines a hacker as someone who has a passion for technology, someone who is possessed by a desire to figure out how things work. Sometimes, he said, that passion may lead a hacker into the shadowy places where the law and hacker ethics conflict.

"A hacker doesn't deliberately destroy data or profit from his activities," he said. "I never made any money directly from hacking. I wasn't malicious. A lot of the unethical things I did was to cover my own ass when I was a fugitive."

Mitnick does not justify all of his hacks. He admits he broke into computer systems to peek at code that powers cellular phone systems. He didn't destroy data or sell it. But he copied proprietary software.

He did have long lists of customer records from major corporations -- including customer credit card numbers -- but said he used the information to "social engineer" his way into systems.

Social engineers hack people instead of computers, coercing information out of people by pretending they have a right to that information. Mitnick said he used those corporate billing records to assume customers' identities.

"The companies would ask address, credit card information, things like that to confirm that you were who you said you were. That's why I needed the customer databases. Everyone always wondered why I had all those credit cards and never used them or sold the numbers," he said.

Mitnick believes Dmitry Sklyarov, the Russian software programmer currently awaiting trial in the U.S. on charges he violated the Digital Millennium Copyright Act, may have also won the so-called sweepstakes. He warns young hackers to pull back and be very careful now.

"I hope Dmitry puts up a good fight," Mitnick said. "He's got a great lawyer. I had a public defender. He's innocent, I wasn't. All the right people are supporting him. I pissed a lot of the right people off by hacking into The Well."

The Well is an online service that, in its heyday, was the online community of choice for anybody who considered themselves a technophile. Mitnick used The Well's servers as a sort of storage locker for data he'd pilfered from other places, which angered many users who assumed he'd crawled all over the system and violated their privacy.

"I was on the run, and didn't have any place to store this data I was collecting. So I hid it all over the Net like it was Easter eggs."

Mitnick does admit to reading the e-mail of New York Times reporter John Markoff, who reported on Mitnick for The Times, and then co-authored Tsutomu Shimomura's book, Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It.

"I read their e-mail because they were discussing how the FBI was going to catch me. I didn't read it all, just searched for a combination of letters that's in my name, and words like 'trap,' 'trace' things like that. Again, this is something I had to do to cover my ass, total self-preservation."

Mitnick hosts a radio show, and is currently working on a book on social engineering and how people can protect themselves against it. The book will be published next year.

Many in the hacking community believe Mitnick is an outstanding social engineer but just a so-so hacker with limited programming skills.

"I'd say I'm equally skilled in both areas," Mitnick said, "but no, my programming skills aren't stellar. Yes, I'd rather hack people's brains than code. If I needed to know about a security exploit, I preferred to get the information by accessing the companies' security teams' files, rather than poring over lines of code to find it on my own. It's just more efficient."

Mitnick gave an interesting example of the power of social engineering. Enlisting a co-worker to demonstrate, he proved that it is easy to spoof caller ID information by placing calls to Wired News that appeared to come from other destinations such as the White House.

The information that appeared on the incoming caller ID information identified the calls as coming from the spoofed addresses, instead of the phone number that was used to place the call.

"Imagine what a malicious hacker could do with this trick, which, by the way, is a perfectly legal feature of the phone system," Mitnick said. "Imagine if your caller ID identified a call as coming from your credit card company, or your bank."

Mitnick said the best way to avoid social engineering scams is to trust nothing.

And yes, he is bitter over the way his life has been "twisted and torn out from underneath me." But knowing he'll be free to use computers again in 2003 keeps him going.

He cautions young hackers not to take any chances now.

"Set up a network with your friends and try to hack into it. I know it's not the big challenge you're looking for. You don't get the thrill of entering into forbidden territory, but now is not the time to be hacking. Trust me, you do not want to be the next big winner of the scapegoat sweepstakes."