Mitnick In The News
Kevin Mitnick: The hacker who changed his hat
As the man once proclaimed "the world's most famous hacker" drones on about technology, I can't help thinking about the doughnuts. I picture them there in his fridge, in their white waxed box: topped with pink icing and chocolate, chopped nuts and little multi-coloured sprinkles.
The fridge, otherwise, is almost empty. And the doughnuts are for the FBI, who are about to raid his house.
C'mon, Kevin. Enough about computer security, identity theft, the online gullibility of your average Joe and Joanne. Can you just tell me about the doughnuts?
"Oh, sure, no problem," says Kevin Mitnick, whose voice is high and fast and kind of nerdy sounding. Speaking to me from an LA diner, he sounds like a movie actor who's come straight from the "comic store owner/ Dungeons and Dragons fan/ Nigel No-mates hacker" file at central casting.
"The FBI sent this undercover guy to meet me and see if he could coax me into doing some hacking. I went home and used that guy's phone number to find the numbers of the other FBI agents who'd hired him to come after me, then I built a device that would set off an alarm if any of those cellphone numbers came anywhere near my house."
A few week's later, Mitnick's early warning system started screeching at six in the morning, giving him time to move his computer and other potentially incriminating evidence out of his house before it was searched.
"I also went out and bought a dozen assorted doughnuts, and wrote 'FBI doughnuts' on the box. On the outside of the refrigerator I put a Post-It note with the old computer 'Intel Inside' logo on it, and when they came to search the house, all they found were the FBI doughnuts. They were pretty pissed about that, but I thought it was hilarious!"
Me, too. I once saw a dramatization of the doughnut story in a National Geographic doco about Mitnick, but it's great to hear it straight from the horse's mouth, in a slightly nasal Californian accent, liberally punctuated by playful giggles.
No wonder the FBI hated him. The guy was an arch smart-arse who always seemed to be one step ahead of them, though Mitnick stresses that he only cracked into computer systems for the sport of it, not to make money or steal state secrets or anything remotely sinister.
They got him in the end. Mitnick was tossed in jail for a year at the age of 16. In his late 20s, he was back there again for four-and-a-half years, plus another eight months in solitary confinement because this, my friends, was a man so dangerous, he could whistle and start a nuclear war.
And now, years later, in some unlikely digital approximation of the fox guarding the henhouse, the criminal "black hat" hacker has become an anti-hacker, protecting the rest of us from cyber sneaks like himself.
A rehabilitated Mitnick is now a computer consultant, working for corporations, banks and governments, testing their security systems. He's on his way to New Zealand to give a day-long public workshop on cyber security.
"It's like a technology magic show where I demonstrate the common threats that face businesses and consumers. Usually it's the staff that let these systems down. The computers follow instructions, but the humans running those computers are the weakest link. So I focus on how businesses can be compromised by outsiders cunningly exploiting those people."
Mitnick will be giving live demonstrations of the methods "the bad guys" use to extract information from business computers so that attendees can better protect themselves from such attacks.
But I'm more interested in Mitnick's own story. What made this former jailbird – a man who once freaked out the US government, tapping into Cold War cyber-spy paranoia like few before him- turn into, as he puts it himself, "one of the good guys"?
Now 53, Mitnick grew up in Los Angeles, a socially awkward, but super-bright Jewish kid who taught himself computer programming when most of his contemporaries were still reading books with titles such as See Spot Run.
He was fat, lonely, intensely curious and competitive. By the time he was 13, he had copied the database of entire phone companies, and was riding LA buses for free because he'd worked out how to make his own ticket punch.
He looked too nerdy to be dangerous, so security guards would sometimes let him simply stroll into buildings at night if he said he had forgotten his staff ID. Once inside, he would ransack the mainframe for classified info then emerge delighted, another security breach notched on his belt.
Mitnick became a legend in the nascent hacking community for some of his cunning stunts: dumpster-diving outside businesses to uncover discarded staff manuals and access codes, posing as an IT department staff member so that other workers would voluntarily cough up passwords over the phone.
"I had no father figure and a mom who couldn't really control me, and hacking became a fascinating game to me. With every system I was able to conquer, it felt like earning more points. It's hard for people to understand, but a lot of people hack out of curiosity. In my case, it was all driven by my passion to learn how these systems worked, and a sense of adventure."
He never hacked systems to steal money, cause malicious damage or compromise military security, he says, just to challenge his own skill and ingenuity.
"Some people might say that was an addiction, and maybe that's true. Certainly, it was very seductive, and even after I'd been arrested a few times, I kept right on going back to it. It was insane, I guess, but I was just having too much fun to stop."
But stop he did, in the end, because he found himself in a small fortified room with no toilet seat and no internet connection. It took a while to get the cuffs on him, though.
Not long after the dreaded "doughnut incident", Mitnick went on the run. He spent three years as a fugitive, bouncing around America adopting various identities, and was nearly apprehended several times.
At one point, an FBI agent with "a fake leg and heavy metal hair" tried to entrap him in a café, leaving a laptop crammed with supposedly tasty state secrets on the table while he went to the dunny. Mitnick smelled a rat and scarpered.
He was proclaimed "the world's most notorious cyber-thief" in The New York Times, and "the poster boy for computer crime" on TV's 60 Minutes. And then at last, after he made a couple of calls to family on a public payphone near his house, the FBI finally nailed him, living under a fake identity in North Carolina.
Mitnick was presented in court as extremely dangerous, "the world's most wanted" computer criminal, and his trial coincided with a time when American cyber paranoia was at an all-time high.
"Really, I had stepped on the wrong toes with smartass stunts like the FBI doughnuts. I pissed off the wrong people, so I ended up locked away in solitary as an example to other hackers of what could happen to them."
The case against him was stacked with lies, he says. "The prosecutor told the federal judge I'd hacked into police computers and erased my own records, and altered a judge's report. It was nuts! But the clincher was this ludicrous story they invented about how I could whistle a secret launch tone-code into any pay phone and launch a nuclear weapon! I mean… come on! The guy clearly saw too many reruns of [1983 hacker-attack movie] WarGames!"
Mitnick's prison experiences were "extremely grim", and he remains bitter to this day.
"I was mischievous, not dangerous, but on the stand they said- 'Oh! Mr. Mitnick cost millions and millions of dollars in damages'. They claimed I'd cost the entire research and development budget of a phone company because I stole the source code for a Nokia, say, which is like charging you for everything that's in a supermarket if you shoplift a can of Coke!. Yet in the end, the restitution I was ordered to pay alongside my five-year sentence was just US$4,125! It was incredible."
Mitnick was released in January, 2000. Now the very skills that landed him in jail earn him bumper pay cheques.
"These huge companies now pay me to do exactly the same thing I did in secret when I was 16 years old. I'm the ringleader of a team who come up with strategies to test a company's security systems. They hire me to attack their systems and manipulate their people to find their security holes so they can fix them. They've turned a once criminal endeavour into a legitimate activity. It's kinda like Pablo Escobar becoming a pharmacist."
Kinda, but not really. Still, it's honest work for a change, and lucrative, too, and it still carries some of the same old thrill as Mitnick does his damnedest to breach each client's digital defences.
"I'm still operating as this sneaky character, and the excitement's still as strong as it was when I first did it 25 years ago. And you know what? There hasn't been a company that's hired us in the last 15 years where we haven't been able to find our way in."
The secret? Forget the machines; hack the humans. "It's called information reconnaissance. You identify who the staff target is, and work out what conditions have to exist before they'll give you the information you need, then you build up the story that will create that condition you want to exploit."
This, he says, is easier than you might think. "In 2003, a bunch of people from the Information Security Conference in London went out into Waterloo Station and offered random people a cheap pen if they took part in a survey. One of the survey questions was 'What is your access password at work?'. Amazingly, nine out of ten people gave them their password, in exchange for a little trinket. That's like, 'what? You're kidding!', but it goes to show you that a lot of people would be prepared to expose their company to huge risk in exchange for a crappy gift."
You can find out more about Mitnick's journey from allegedly evil "black hat" to angelic "white hat" hacker in his 2011 autobiography Ghost in the Wires, or in the rather breathless NatGeo dramatized doco I Am Rebel: Phreaks And Geeks, made earlier this year.
Meanwhile, it's time for one final question. Kevin, look, I know that prison sentence was unjust and all, but can you really whistle down a phone line and start a nuclear war?
Nah, sorry. Kidding. But how nervous should we be about people hacking into potentially world-ending military systems?
"Well, there's no doubt that critical military infrastructure is a regular target for hackers, but really, this idea of nuclear armageddon is all from movies like WarGames. To genuinely break into these systems is so massive and difficult and complex on so many levels, I can't imagine it ever happening. And besides, why should you worry? You're in New Zealand!"
Oh, we worry all right. We may be miles away in the middle of the South Pacific, but we're deeply concerned by world affairs. That new fangled internet thingy keeps us abreast of the news.
Well, some of us anyway. I hate to break it to you, but New Zealand is pretty primitive when it comes to information technology. We still rely on typewriters, telegrams, faxes, the occasional abacus. We only have about three computers between us and have to line up and take turns, which doesn't bode well for your cyber-security conference.
"Ha, yes. I love it! Only three computers in the whole country, but a really great view. I can't wait to get down there and see if that's true."
Keven Mitnick presents Cyber Threats: Insights from the World's Most Famous Hacker on Monday, August 22 at Auckland's Sky City Convention Centre.