Mitnick Warns Other 'Scapegoats' ...

[Elyn Wollensky]

Has anyone seen this -
elyn


http://www.wired.com/news/culture/0,1284,47354,00.html

Mitnick Warns Other 'Scapegoats'
Wired/ 10.8.01

The world's most notorious hacker says the government should focus on
securing its computer systems rather than snooping on citizens.

Kevin Mitnick, who spent four-and-a-half years behind bars for breaking into
the computer systems of telephone companies, stresses that hackers should
take extreme care these days given the sensitive political environment and
the new laws defining many hacks as acts of terrorism.

He also warned that any hacker could win the "scapegoat sweepstakes" at any
time, receiving a harsh sentence to serve as an example to other hackers.

Mitnick, who has testified before a Senate committee on the dangers of
politically motivated hack attacks, thinks cyber terrorism is a credible --
but not particularly critical -- threat that could be headed off by
strengthening security at government agencies and private corporations.

He firmly believes the newly proposed Patriot Act is just an excuse for law
enforcement to further its own agenda.

The act, approved on Wednesday by the House Judiciary Committee and slated
for a full vote this week, gives wide-ranging surveillance powers to the
police, including extensive scrutiny of electronic communications.

"The Patriot Act is ludicrous," Mitnick said. "Terrorists have proved that
they are interested in total genocide, not subtle little hacks of the U.S
infrastructure, yet the government wants a blank search warrant to spy and
snoop on everyone's communications."

If anyone has a right to what some might see as paranoia, Mitnick would be
that man. He's been portrayed in newspapers, books and movies as the
all-powerful evil programmer, a brilliant hacker able to launch a nuclear
war with a mere whistle into a cell phone, able to bring down government
computer systems on a whim.

For the record, Mitnick denies many of the crimes that have been credited to
him and said the government and the mainstream media created the myth of
Mitnick for their own profit.

"I am not innocent but I certainly didn't do most of what I was accused of,"
he said. "Basically, I won the scapegoat sweepstakes."

Mitnick agreed to be interviewed as part of the publicity for his role in an
episode of a new ABC spy drama, Alias, in which Mitnick plays a CIA computer
expert. Mitnick's episode, "Doppelganger," is scheduled to air Sunday, Oct.
28.

Arrested in February 1995 for hacking into the computer networks of
communications providers such as Digital Equipment, Pacific Bell, Bell
Atlantic and Internet service provider The Well, Mitnick was held without
bail for four and a half years.

He served eight months of that time in solitary confinement as authorities
apparently feared he could still manage to hack into some device and cause
the end of the world. He pleaded guilty to entering computer systems without
authorization, served another eight months, and was released in January
2000.

Mitnick is banned, until January 2003, from using computers, acting as a
technical consultant, or writing about computers without permission from his
probation officer. Mitnick recently was given permission to carry a cell
phone so that he could be in touch with family during his father's terminal
illness.

Mitnick was allowed to keep the phone after his father died five months ago
but believes it's so authorities can keep track of him.

Mitnick testified before the Senate Governmental Affairs Committee in
Washington on March 2 and outlined a comprehensive plan that would secure
computer systems against most hack attacks.

He believes that the government should be hardening their systems now,
although he's not totally convinced that cyber terrorism is the worst
threat.

"Yes, a coordinated team of hackers could take down the communications
systems, the power system, perhaps the financial markets," he said. "But all
of those systems would be back online pretty quickly; you can't really knock
them out for an extended period. You could use those outages as a decoy
though, to draw attention from what you are really planning."

But he believes that increased surveillance powers aren't going to help win
the war against terrorism and he thinks the government knows it.

"The government does things like insisting that all encryption programs
should have a back door. But surely no one is stupid enough to think the
terrorists are going to use encryption systems with a backdoor. The
terrorists will simply hire a programmer to come up with a secure encryption
scheme."

Mitnick defines a hacker as someone who has a passion for technology,
someone who is possessed by a desire to figure out how things work.
Sometimes, he said, that passion may lead a hacker into the shadowy places
where the law and hacker ethics conflict.

"A hacker doesn't deliberately destroy data or profit from his activities,"
he said. "I never made any money directly from hacking. I wasn't malicious.
A lot of the unethical things I did was to cover my own ass when I was a
fugitive."

Mitnick does not justify all of his hacks. He admits he broke into computer
systems to peek at code that powers cellular phone systems. He didn't
destroy data or sell it. But he copied proprietary software.

He did have long lists of customer records from major corporations --
including customer credit card numbers -- but said he used the information
to "social engineer" his way into systems.

Social engineers hack people instead of computers, coercing information out
of people by pretending they have a right to that information. Mitnick said
he used those corporate billing records to assume customers' identities.

"The companies would ask address, credit card information, things like that
to confirm that you were who you said you were. That's why I needed the
customer databases. Everyone always wondered why I had all those credit
cards and never used them or sold the numbers," he said.

Mitnick believes Dmitry Sklyarov, the Russian software programmer currently
awaiting trial in the U.S. on charges he violated the Digital Millennium
Copyright Act, may have also won the so-called sweepstakes. He warns young
hackers to pull back and be very careful now.

"I hope Dmitry puts up a good fight," Mitnick said. "He's got a great
lawyer. I had a public defender. He's innocent, I wasn't. All the right
people are supporting him. I pissed a lot of the right people off by hacking
into The Well."

The Well is an online service that, in its heyday, was the online community
of choice for anybody who considered themselves a technophile. Mitnick used
The Well's servers as a sort of storage locker for data he'd pilfered from
other places, which angered many users who assumed he'd crawled all over the
system and violated their privacy.

"I was on the run, and didn't have any place to store this data I was
collecting. So I hid it all over the Net like it was Easter eggs."

Mitnick does admit to reading the e-mail of New York Times reporter John
Markoff, who reported on Mitnick for The Times, and then co-authored Tsutomu
Shimomura's book, Takedown: The Pursuit and Capture of America's Most Wanted
Computer Outlaw -- By The Man Who Did It.

"I read their e-mail because they were discussing how the FBI was going to
catch me. I didn't read it all, just searched for a combination of letters
that's in my name, and words like "trap," "trace" things like that. Again,
this is something I had to do to cover my ass, total self-preservation."

Mitnick hosts a radio show, and is currently working on a book on social
engineering and how people can protect themselves against it. The book will
be published next year.

Many in the hacking community believe Mitnick is an outstanding social
engineer but just a so-so hacker with limited programming skills.

"I'd say I'm equally skilled in both areas," Mitnick said, "but no, my
programming skills aren't stellar. Yes, I'd rather hack people's brains than
code. If I needed to know about a security exploit, I preferred to get the
information by accessing the companies' security teams' files, rather than
poring over lines of code to find it on my own. It's just more efficient."

Mitnick gave an interesting example of the power of social engineering.
Enlisting a co-worker to demonstrate, he proved that it is easy to spoof
caller ID information by placing calls to Wired News that appeared to come
from other destinations such as the White House.

The information that appeared on the incoming caller ID information
identified the calls as coming from the spoofed addresses, instead of the
phone number that was used to place the call.

"Imagine what a malicious hacker could do with this trick, which, by the
way, is a perfectly legal feature of the phone system," Mitnick said.
"Imagine if your caller ID identified a call as coming from your credit card
company, or your bank."

Mitnick said the best way to avoid social engineering scams is to trust
nothing.

And yes, he is bitter over the way his life has been "twisted and torn out
from underneath me." But knowing he'll be free to use computers again in
2003 keeps him going.

He cautions young hackers not to take any chances now.

"Set up a network with your friends and try to hack into it. I know it's not
the big challenge you're looking for. You don't get the thrill of entering
into forbidden territory, but now is not the time to be hacking. Trust me,
you do not want to be the next big winner of the scapegoat sweepstakes."