Kevin Mitnick once made a hobby out of breaking into computer systems, causing many network administrators -- not to mention the U.S. Federal Bureau of Investigation (FBI) -- a lot of grief in the process. He spoke to the public Wednesday for the first time since being released from prison in January, telling a group of corporate managers in the computer-security field how to keep hackers like him out of their networks.
The 37-year-old was surprisingly polished, confident and good-humored. Wearing a dark suit and red tie, Mitnick told attendees at Giga Research's Infrastructures for E-Business conference that educating employees about good security practices will do more to protect a company than any technology.
Malicious hackers don't need to use stealth computer techniques to break into a network, he said. Often, they just trick someone into giving them passwords and other information -- a practice known among hackers as social engineering.
"People are the weakest link," Mitnick said. "You can have the best technology, firewalls, intrusion-detection systems, biometric devices and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything."
Mitnick, who lives in Thousand Oaks, Calif., a suburb of Los Angeles, was arrested in February 1995 and held without bail for four-and-a-half years. He served eight months of that time in solitary confinement. In March of this year, he pleaded guilty to wire fraud and computer fraud for accessing information on company networks. In an unrelated earlier case he had pleaded guilty to possessing and using an unauthorized access device for a clone cell phone.
He felt his chances of getting a fair trial were small. "There was too much risk," he said. "When you're in that position, you'll plead out to anything just to get out of jail."
He suspects the FBI made an example of him because he embarrassed the agency, which spent three years hunting him down. "When they were watching me and surveilling my movements, I was watching them," he said.
Mitnick is on parole until January 2003, under what he says are the "most restrictive parole-release conditions of anyone." His parole officer has allowed him to use a cell phone (which Mitnick suspects might be used to track his whereabouts), but he is prohibited from using a computer. He had to have someone else create the PowerPoint presentation he prepared for the Giga conference and fax it to him.
As a condition of his supervised release, he also is barred from discussing the specifics of his case or from making any profit from telling his story for seven years. He paid just over US$4,000 in restitution, down from the $80 million the government originally sought.
"I deserve to be punished for the illegal transactions, but not to the degree that I was," he said during a dinner interview.
In the meantime, he's getting a lot of job offers: Brill's Content magazine has hired him to write for its Contentville site, a security consulting firm wants him to serve on its board, and he might do a radio show about the Internet. Paramount wanted him to serve as a technical consultant on a movie about cyberspace, but a deal was never reached. An agent at United Talent Agency represents him. Mitnick's options are severely limited by the fact that he can't use a computer or travel outside central California.
Prior to being imprisoned, Mitnick worked as a private investigator, a systems administrator for Passkey Systems in Las Vegas and as a programmer in training at GTE Corp., until the company realized he was a phone phreaker -- someone who breaks into telephone networks. He was a ham radio operator at age 13 and became a phone phreaker at 16.
In addition to the advice he gave out Wednesday, Mitnick defended hackers, pointing out that they are a group whose skill set can be used for good or evil, like lock pickers. Hackers, even "mischievous" ones like he was, are motivated by intellectual curiosity and challenge and are attracted to the element of danger, he said.
Mitnick also noted that he didn't have criminal intent and never profited from his hacking.
"I used to be a prankster. I used to be a pretty good one," Mitnick said. "When I was into phone phreaking when I was a kid, we figured out how to intercept directory assistance for Rhode Island."
"Albert Einstein, in my mind, was a hacker," Mitnick added during a lunchtime Q&A session. "[He stretched] the technology to make things better."
Although the FBI was less than pleased that Giga executives invited Mitnick to deliver Wednesday's keynote speech, conference attendees found value in it.
"I had mixed emotions about listening to a guy" who was imprisoned for hacking into systems, said Alex Vance, director of systems performance at RaiLink in Raleigh, N.C., a subsidiary of the American Association of Railroads. "On the other hand, he has an expert perspective that could only come from one who has done it. And his point was well-taken that we probably as businesses don't have as much to fear from the traditional teenage hacker as we do from those who have done a cost-benefit analysis" to hacking into our systems.
Mitnick also discussed how easily people can obtain passwords and other information that help them gain unauthorized access to networks, through dumpster diving and other means. Among his recommendations:
* Confirm that someone is who they say they are before giving out information.
* Don't pick easy passwords or ones that are real words (password-cracking tools can easily figure them out).
* Don't write passwords on Post-it Notes affixed to computers or other easy-to-find locations.
* Change passwords frequently.
* Use different passwords for different systems.
* Use shredders that destroy documents so they can't be reassembled.
* Physically destroy CDs and diskettes, because deleted or erased data can be recovered.