Off probation and in charge of his own security consulting firm, hacking legend Kevin Mitnick talks with John Brandon about the exaggerations and the truth about his hacking past, his regrets, and why most “high-tech” hacking movies are filled with hooey.
Q: What are you doing now?
A: Mitnick Security Consulting is a professional service company where we review assessments and training. What I do personally is go around the world lecturing on information security, so I do a lot of traveling. In some cases our clients are not interested in a security assessment, but they would like to configure their computer systems or networks and their devices to reduce attacks—reduce the opportunities available to a hacker if he were to breach the network perimeter, for example. We are focused on security assessments, which is also called ethical hacking and penetration testing. I have written two books on computer security, and I am working on a third, which is my autobiography.
Q: There is a limitation on when you can profit from your story, correct?
A: Right. That limitation expired in late January. Right now, I am working with my coauthor, Bill Simon, who also coauthored my other two books. We are working on a proposal. The book will be my life story. I am anxious to get it out there because there are a lot of interesting things that the public doesn’t know.
Q: There have been some inaccuracies regarding your history. Anything you’d like to clarify?
A: Oh, yeah. One of the biggest myths is that I hacked into NORAD (North American Aerospace Defense Command) in the early ’80s, and that action foreshadowed the 1983 hit film WarGames. It’s a myth. If you know a little bit about the case, there’s a myth that I destroyed a federal judge’s credit, which never really happened. [They also said] that I was wiretapping FBI agents, which is not true. Something I was doing when the government was hunting for me was monitoring their locations by compromising the cellular carrier for the agents with cellular phone service. So if they were getting close to me, I would know. That’s when I was in Los Angeles. That was true, but they kind of morphed it into that I was wiretapping. That might have been said because the public understands wiretapping but it doesn’t understand location tracking. There was a false rumor early on that I had been turned down from a job from Security Pacific National Bank because I had planted a false news story about them losing $400 million on some sort of wire service. My book is not designed to say “These are the wrong things that were said about me and here I am to clear the record.” It will be more of a catch-me-if-you-can: The things I had done, the way I evaded the government, trying to make it more of a thrilling read.
Q: Cellular tracking is common now—especially after a 911 call. How did you do it back then?
A: You could look at the cell towers and find out where the handset is registered within one or two miles. It would give you an idea of where the handset is. Same type of technology they used to track O.J. Simpson when they found him on the freeway. The police probably went to the phone company with a warrant or court order or request for help. What I did is tap into the network and did it myself. With certain agents that were tracking me, I couldn’t get their location down to 5 feet, but I did know their location within a mile, so I would know to move out of the area if they were close by.
Q: After your release from prison, you were not allowed near a computer. Do you have access now?
A: Yeah, after my big case, there were conditions of release. They did not allow me near not just a computer but anything electronic: phone, computers—anything that had a transistor. I had to get permission from the probation department to use it. I kind of scared them. The government—or some people in the government—did not know my capabilities and there was a lot of hyperbole in my case, so there were people who viewed me as a MacGyver with duct tape and two 9-volt batteries who could blow up the world. So I had stringent conditions, but actually—after two years I was allowed to use a computer to write my first book as long as I kept it secret from the media. The government didn’t want the media to know I was given access to a computer. So it was a good quid pro quo: I get to use a computer and all I had to do was keep my mouth shut. All of the conditions except for profiting off my story expired after three years, and the last one expired in January.
Q: Some of the movies on hacking have portrayed you indirectly. How accurate are they?
A: It’s ridiculous; it’s fiction. Recently I saw the Die Hard movie; it was all fictionalized to entertain. I don’t think I have seen any movie to date that is realistic. Maybe in The Matrix there was five seconds where Trinity was using an NMAP to attack a target computer. But they wouldn’t have been using NMAP because in that time frame it would have been much more advanced. NMAP would be like using something now that was used in the 1700s. It is obviously not realistic, but it entertains. It’s not a documentary to show how everything works under the hood. Two of my favorites in the genre are WarGames and Sneakers—WarGames because it was the first, and Sneakers because it was pretty close to how hackers work. I do recall something in Three Days of the Condor. When I was a kid, I took the handle “The Condor” because of that movie, when Redford was calling a CIA agent in a secret department of the phone company, even though it was not published. I don’t know if that still exists, but it did in the ’90s. There was the fun stuff—clipping on a telephone pair is accurate. Of course, having a crypto box that could decrypt everything in the world is not realistic.
Q: Would you consider yourself the most famous hacker?
A: I am pretty well known. Probably the most famous hacker is Steve Wozniak. Maybe I come in at number two!
Q: What’s the current state of hacking, and what are some of the most nefarious activities today?
A: The TJ Maxx hack is one—where attackers exploited wireless insecurities to steal 45 million credit card numbers; that’s a big case being investigated now. As far as attack vectors, there are application vulnerabilities, people using unsecure wireless protocols such as WEP, using weak keys for WPA, or not even using any keys at all. If you are working for, let’s say, an aircraft manufacturer, and you VPN into the network from home and you have an unsecure wireless, it paves the way for a hacker to tap into Boeing, for example. It’s an example of social engineering. It worked 20 years ago and it will work 10 years from now. There is no technology that protects against it. You can sweep everyone under some sort of security policy, but it is really each individual [that exposes threats]. So anybody who interacts with computer-related equipment or even has access to a particular building can be targeted and exploited, so all the money that is spent on security is wasted. That’s pretty scary. Of course there is the possibility of somebody being bribed—and insider threats. It is a challenge protecting infrastructure from the outside, but how do you protect it from the inside? Let’s say you are working on a project that involves trade secrets. There are so many ways to steal the information and bring it outside the company—with iPods, camera phones, USB drives, CDs, and DVDs. There are so many bad apples, so many ways to steal information, that the challenge is really to come up with a security program that balances security and productivity, that reduces the risk to an acceptable level.
Q: Do you think to understand hacking and the security industry it helps to have been a hacker?
A: Yeah, either illegally or legitimately. I believe hacking is a mind-set. Figuring your way around security obstacles is a skill and a mind-set. Some people in the industry might have programming and debugging skills, but attacking a system is a mind-set.
Q: What was your original motivation to become a hacker?
A: Fun and entertainment. It sounds strange but it was exciting, an adventure. Cyberspace was kind of new, computer networks were an interesting area to explore, matching wits with system administrators, getting access to information you’re not supposed to see—source code, for example. Now you can get it free. There was not much open-source back in my day, everything was closed and proprietary. It was a challenge. Today the trend has changed so hackers are more profit-oriented. Even the people who are discovering bugs and vulnerabilities want to make money, so they put up sites where people can bid on security vulnerabilities. Recently it was revealed that the FBI targeted a kid that was making bomb threats on MySpace. They were able to compromise those machines to get his IP address. I am sure that the Feds used an exploit to get the code onto his box, and they probably purchased it from one of these vulnerability researchers who act as a contractor.
Q: What would you say is your most famous hack?
A: Motorola Corp. [A hack] targeting researcher Neal Clift when I was 17. Other people consider it big, but I didn’t at the time. I compromised all of the telephone switches in California, New York, Chicago, and Maryland. I was able to eavesdrop on the telephone lines at the NSA [National Security Agency] by accessing a telephone switch out there. The phones would be routed through the PSTN that weren’t secure, so I worked out a way to listen to their conversations. I did it one time and verified I could do it, but I never did it again because I was afraid that I was messing with somebody I did not want to mess with. Thinking post-9/11, that was pretty serious. If I could have done it when I was a kid at 17, what could a well-funded adversarial group do today? Or even a phone-company insider? That’s what I think about. That’s why I wouldn’t discuss any classified information over the PSTN because its network is at the mercy of the phone-company personnel. So I had the same capability as a phone-company technician, but really from the outside by hacking into their network.
Q: What are some things you did that were not widely reported?
A: Well, it had been reported that I was able to do a social-engineering attack on Motorola to get an employee to send me source code. But it wasn’t reported that I actually penetrated its network.
Q: Do you have any remorse over your early hacking?
A: Definitely. I caused a lot of trouble for a lot of companies for my own entertainment. It was the wrong thing to do, and it was immature. If I had to do it all over again, I certainly wouldn’t do it. On the other side, I did have fun doing what I had done, but did my entertainment justify stepping on other people’s copyrights? Hopefully, my contributions today will help other would-be victims, to protect them from the threats today. I made some serious mistakes.
Q: What would you say to a teenager thinking of hacking?
A: I would really vigorously encourage them not to follow in my footsteps, and to be careful, because in today’s world, hacking has become a very serious offense. Back in my time—starting in the ’80s—hacking was considered cool, even though it was still illegal. But there was a coolness factor. Now it has all changed. Don’t forget you are interrupting a business. Why do that just to get your kicks? It is not a smart thing to do. Look for entertainment elsewhere. You are having a lot of traditional criminals using computers for theft. Organized crime and traditional criminals have adopted or acquired hacking skills to pull off their capers.
Q: Do you sometimes wonder if you are still being watched, if the FBI is still listening?
A: They probably are, so say hello! They definitely are, with the Patriot Act and with me being a high-priority target. I assume I am still being monitored!