[ISN] Mitnick Banned From Security Group

From: InfoSec News (isnat_private)
Date: Thu Feb 13 2003 - 01:33:42 PST

    http://online.securityfocus.com/news/2403
    
    By Kevin Poulsen
    SecurityFocus 
    Feb 13 2003 
    
    By all accounts ex-hacker Kevin Mitnick created only a modest stir
    when he sauntered into the December meeting of the Los Angeles chapter
    of the Information Systems Security Association (ISSA). He sat
    quietly, paid attention, and at the conclusion of the meeting joined
    with some of the other 60-odd attendees swapping business cards,
    chatting with fellow computer security workers and discussing his
    plans for his new consulting business, Defensive Thinking. "He wasn't
    flashy at all," recalls one chapter member, who didn't recognize
    Mitnick until the conclusion of the meeting. "He introduced himself as
    'Kevin.'"
    
    But the celebrity hacker was noticed, and when he showed up next month
    at the January meeting -- open to non-members for a modest fee -- he
    was already at the center of a controversy. "People were saying, this
    would reflect bad on the L.A. chapter if we let him in," says the
    member, speaking on condition of anonymity. The members had coalesced
    into two opposing camps: those who thought Mitnick's presence at the
    gathering was an affront to everything the group has stood for in its
    20-year history, and those who thought it was pretty cool.
    
    "He's a published author, he's recently been involved in forming a
    company, and he's got international recognition as someone in our
    field with credibility," says Quinton Jones, a senior security advisor
    with Breakwater Security Associates, and the treasurer of the ISSA's
    L.A. chapter. "If you weigh the pros and the cons, I think he would do
    more to contribute to the group than he would detract from it."
    
    The ISSA is the largest not-for-profit security organization. It was
    formed in 1982, when computer security was an arcane science, and is
    now 2,000 members strong with chapters all around the world.
    
    "Launching Defense Thinking and working in the space, I thought it
    would be a good opportunity to network with people locally," says
    Mitnick. After his second meeting, and despite the mixed reaction to
    his presence, Mitnick surfed to the ISSA Web site and applied for
    membership online, as one of his first uses of the modern Internet at
    the conclusion of a court-ordered three-year ban. On January 23rd he
    received a congratulatory e-mail, welcoming him into the association,
    and giving him a password to the members-only section of the ISSA
    site.
    
    It didn't last long. Mitnick's password was quickly revoked, and a few
    days later he received a letter in certified mail from the ISSA's
    headquarters informing him that news of his acceptance was greatly
    exaggerated. "The ISSA has determined that your past behavior does not
    comply with the ISSA Code of Ethics, therefore we cannot accept your
    application at this time," reads the unsigned letter.
    
    Mitnick is taking the snub seriously, as a rare pothole on his road to
    respectability in the security industry. With sales of his book, "The
    Art of Deception: Controlling the Human Element of Security," still
    brisk, Mitnick is working the lecture circuit, developing his
    consulting business, and cutting a deal with a Hollywood studio to
    produce information security training videos for corporate America.  
    He's scheduled to give two presentations at the RSA Security
    Conference in April, the security industry's largest gathering: one a
    talk on social engineering, the other a panel discussion that will see
    him share a podium with his former government prosecutor, Christopher
    Painter.
    
    "Most security people are accepting," says Mitnick. "Like at the RSA
    conference last year, people came up to me to greet me and welcome me
    to the conference. Usually, it's warm receptions all around."
    
    
    Ethics Issues?
    
    But while the ISSA's code of ethics doesn't explicitly ban convicted
    hackers, its first commandment requires that members have a history of
    performing "all professional activities and duties in accordance with
    the law and the highest ethical principles." Mitnick, who pleaded guilty
    to multiple computer crimes in 1999, says that shouldn't apply to him,
    because his hacking was not a professional activity.
    
    Stephen Robinson, president of the ISSA's Los Angeles chapter,
    disagrees.
    
    "There are people that are accepted and there are people who are not,"  
    says Robinson. "We have ethics and we have standards, and we don't
    just take anybody off the street that wants to join the group."
    
    Robinson says he didn't make the decision to ban Mitnick from the
    meetings, but adds that Mitnick's hacking experience and nascent
    consultancy don't make him qualified to join a professional
    organization.
    
    Even Jones, who encouraged Mitnick to join, says he understands why
    the ISSA would be reluctant to accept the ex-hacker into its ranks.  
    "If you've got someone in the room with [the other members] who has a
    history of breaking the law, they're going to be less likely to bring up
    their issues... So to that end, him attending could be a hindrance to
    the goals of the organization," says Jones. Nevertheless, "He's been
    in the industry longer than many of our members have... I think he is
    someone who is somewhat a founder of our industry."
    
    Steve Hunt, security research leader at Giga Information Group, and
    past president of the Chicago ISSA chapter, says Mitnick's membership
    was a heated issue among the association's board of directors. "The
    prevailing sentiment among most board members was not anti-Kevin
    Mitnick, it was a desire to be perceived as a professional
    organization -- just like the American Medical Association or the Bar
    Association." (Sandra Lambert, the ISSA's chairperson of the board,
    declined to comment.) Still, Hunt, who arranged for Mitnick to speak
    at the Chicago chapter last year, thinks the decision to ban Mitnick
    was wrong. "There's no reason to exclude him. He has shown over the
    last couple of years of his probation that he can contribute to the
    security community, and he's bent over backwards to show that he only
    wants to keep people from suffering at the hands of hackers and social
    engineers."
    
    Mitnick sent an appeal to the ISSA's board of directors last week,
    asking the organization to consider placing him on a probationary
    period as a non-voting member, as an alternative to an outright ban.  
    "Despite my efforts over the past three years to build a legitimate
    career in the field of information security, the stigma of my past
    still haunts me," he wrote.
    
    
    