“People are not trained to resist technological fraud”
[Translation of “La gente no está entrenada contra el engaño a través de la tecnología” by Mercè Molist published in El País on 15-Jun-2006].
The North American Kevin Mitnick has earned the label of “the most famous hacker in the world”. His interest in telephony and computer systems started at the age of 13, and he ended up at the top of the list of the FBI's most wanted men. He was finally caught by a Japanese expert in 1995, who located him after a call he made on his mobile. He was sentenced to five years in prison for having stolen proprietary programs for mobile telephones thanks to his skills in electronic hacking. After leaving prison he was forbidden to go near a computer or mobile phone for three years because the prosecutor said that he was capable of starting a nuclear holocaust with just one call. He was only allowed to use landline telephones. Now, nearing 43 years of age, he has his own company providing consultancy on security and advises those who used to fear him. This week he is in Barcelona, where he is participating in the CISO Executive Summit, a group of industry leaders who are worried about computer security in their corporations. Pleasant and well-dressed, he took a rest from his commitments to answer some questions from El País. Mitnick is a classic example of the difference between a hacker and a cracker. The first gains entry to, and even steals from, computer systems, but does this without seeking financial gain or wanting to do harm; he is intellectually curious or may be motivated by a social conscience. The cracker, equally capable with computer systems, is simply a criminal who wants to become rich.
Question: Your imprisonment provoked the largest campaign in favour of a hacker in the history of the Internet with the cry of Free Kevin. Did you hear about this in prison?
Answer: I heard a little about it and it encouraged me. I was incommunicado for the first eight months because they said that my case was a matter of national security. It was horrible. I spent most of the time reading law books and working with my lawyers because my case was relatively new. I read a lot, and in the end, was allowed to talk on the phone. I was able to escape mentally doing this.
Q: After all that, do you still believe in justice?
A: Not in the United States.
Q: Are the current laws against computer crime good?
A: It depends on which laws. To me it seems terrible how quickly the US government labels a hacker as a terrorist and decides that both deserve the same punishment. The large majority of people who are hacking are doing it for the challenge, and even if they are trying to rob, they are not terrorists. Soon they won't be calling us terrorists, but war enemies.
Q: Should the punishment for an inquisitive young man who plays at hacking be prison?
A: What a young man like that needs is to redirect his energy into something positive. For example, it would be better to sentence him to working in the community; he doesn't have criminal intentions. The problem is that in the US, hacking is automatically a crime. What they ought to bear in mind is the final objective of the hacker: stealing is one thing and gaining knowledge is another. But what happens is that young people of 18 to 22 are labelled as criminals for the rest of their lives.
Q: What happened to you?
A: They treated me like a terrorist: more than four years in prison without appeal or bail. They used my case to make publicity, for their political games, front page of the magazine Time... The prosecutors were promoted, John Markoff sold his book about me filled with lies; they used me.
Q: In your heart, what harm do you think you did to deserve prison?
A: I accessed computer systems of other people to gain information that wasn't mine. I was very interested in a particular mobile phone which worked using a proprietary program. I hacked into the company and took a copy of the program. My reason was that I wanted to learn how it worked, but I stole and this was bad.
Q: After leaving prison, what did you do to get up to date?
A: While I was in prison, people were sending me books. One year before I was released, they allowed me access to a room where there were computers so I could use e-mail. My friends were sending me messages, and the headers were examined by the prison staff. They were so stupid that they thought that I was being sent messages with some kind of secret code; that is how paranoid they were about me.
Q: When you came out, had the world of hacking changed much?
A: Today a lot of hacking is done not by traditional hackers but by criminal pirates who want to get rich. In my day, the biggest incentive was intellectual curiosity and the challenge. This has been the main change and is the main problem.
Q: Are you still in contact with the world of hackers?
A: Of course, that's my work and I have to keep in touch. The majority of the hackers that I know are from my day and now work looking after computer security for companies and governments, trying to stop the real criminals.
Q: Your speciality is social engineering, the manipulation of people so that they supply information that they shouldn't give. Have any new techniques emerged while you were in prison?
A: Yes, in the sense of the kinds of stories that are told to deceive people, but the methodology has always been the same: manipulation, trickery and influence. In a social engineering attack you disguise yourself, you create an identity that is credible to the person or company that you are going to attack. So every attack has a story, a reason for asking someone for something that you want; the basics are the same.
Q: Have you invented any new social engineering techniques?
A: No, but I have improved some by creating good stories, understanding human psychology and finding ways of persuading people to give me the information. If you take on a good role, obtaining information is very easy, people give it without thinking in quite an amazing way. You could try to pass yourself off as a journalist from El País, for example, or what we see every day in our e-mail: messages that try to convince us to click on a link that takes us to a malicious web page or to a file that contains a virus.
Q: Is social engineering the Achilles heel of companies?
A: Yes. They don't train their staff to avoid being tricked, there are no security policies, they don't classify their information, they don't use technology to take decisions that a fallible human operator might not take so effectively. The big problem in companies is how to identify people. In the world of computers, if you don't have the password, you can't get in. But if someone calls on the phone, they are believed without question.
Q: What is the worst threat to computer security?
A: Malicious code, like viruses and exploits that are not known publicly, and social engineering.
Q: Does your company, Mitnick Security Consulting, employ hackers?
A: Ethical hackers, yes. Criminals, no.