There was a time when the name Kevin Mitnick represented everything that the world’s chief security officers feared most: a reckless geek with the power to break any network in the world.
In the mid 1990s, Mitnick became the world’s poster boy for the “hacker threat” when he was identified as the guy sneaking into and stealing code from networks including those belonging to Sun Microsystems, Motorola, Novell and Fujitsu.
Prosecutors and journalists, including the New York Times’ John Markoff, further aggrandized his cybercrime exploits, claiming he was a criminal hacker mastermind who had wiretapped the FBI to stay ahead of his pursuers, hacked into Pentagon computers and could launch nuclear weapons simply by whistling tones into a pay phone.
Mitnick wound up serving five years in prison — four before his conviction and eight months in solitary confinement. He got out in 2000. Now Mitnick, 45, has reinvented himself as a security consultant. In his second career, he performs the same cyber-intrusions he once used to steal data to suss out flaws in companies’ defenses. That means Mitnick has to convince major corporations and even government agencies that he’s a trustworthy professional — rather than a cyberpunk.
But Mitnick isn’t hiding his hacker background. In fact, he says the notoriety of his criminal past has only boosted his business. And last month, at the HOPE hacker conference in New York, Mitnick announced that a lapsed statute of limitations will allow him to publish a book detailing his exploits as a cybercriminal and a fugitive. The book won’t be ready for about a year, but Forbes.com talked with Mitnick about telling all, the state of cybersecurity and why true hackers make the best security professionals.
Forbes.com: What can we expect in the book?
Kevin Mitnick: It’s pretty much my autobiography, the story of my years as a hacker and a fugitive told from my point of view — starting out from my younger years in telephone phreaking when I was 11 years old, to my arrest, to my post-arrest career as a security professional. There’s going to be a lot of information revealed about hacks I pulled off. The statute of limitations has lifted on a lot of that stuff, so now I can talk about it publicly.
Forbes.com: Can you give us a preview of the exploits you’re going to recount in the book?
Mitnick: I’m trying to save that all for the book. What I can tell you is what won’t be in the book — I won’t be whining about my trial or my mistreatment by the government or [Mitnick-chronicling] John Markoff.
This book is going to be a kind of Catch Me if You Can in cyberspace. It’s going to be what’s real in my history and what isn’t, what I did and how I did it and how I’ve since turned my life around.
Forbes.com: What are some of the myths about Kevin Mitnick that just aren’t true?
Mitnick: I never wiretapped the FBI, though I did wiretap an informant who was working with the FBI and chasing me for the bureau. Some other myths: that I hacked into the National Security Agency, that I hacked into NORAD.
Forbes.com: And some things you did do?
Mitnick: Well, I compromised all the phone companies, essentially. Even when I was a kid I had the capability to disrupt the telephone systems for entire states.
I hacked into the systems of all the major software companies at the time: Digital Equipment, Sun Microsystems, IBM, Silicon Graphics. Also most of the companies that made cellular phones at the time, like Nokia, Motorola, Fujitsu.
Forbes.com: What drove you?
Mitnick: Curiosity. It was never about making money or even getting free phone calls. It was about the thrill of exploration.
Forbes.com: Do you think that background has made you a better computer security analyst?
Mitnick: Today, they’re teaching computer security in schools, and people think that if you pass the CISSP test [a program in cybersecurity certification], you know what you’re doing. But passing a test doesn’t make you skilled in computer security. You have to have what I call “hack sense.” The best hackers know to think, to defeat obstacles, to solve puzzles. They know how to outthink the people who have architected systems. They understand the human factor.
Someone from CISSP might be able to detect vulnerabilities and assess the risk factor from each of those vulnerabilities. But someone with “hack sense” might be able to see, for instance, that three low-level vulnerabilities can be leveraged together to create a single, high-level vulnerability.
I don’t want to generalize too much. Other organizations like SANS are much more qualified. But CISSP in particular has created this certification and made a lot of money by convincing organizations that employees need it. And I think it’s essentially worthless.
Forbes.com: So do you look for hackers when you’re hiring?
Mitnick: I look at a potential employee’s skill set in general. But for almost anyone who’s very skilled, they’d be lying if they said they’d never broken into a system without permission.
Forbes.com: On the flip side, do you lose business because of your history as a criminal hacker?
Mitnick: It’s hard to say, because I don’t get calls from people who tell me they’re not hiring me because they don’t trust me. I’m sure that I’m not called in some cases because of my history. But of course no one ever calls me to say they’re not hiring me.
Fortunately there are companies that do trust me to do work. I’ve even worked for the FAA [Federal Aviation Administration] and for other government agencies that I can’t disclose.
In general, I’ve gained more business than I’ve lost because of the notoriety given to me by the U.S. government, because of the way my case was blown out of proportion by prosecutors and the media. I don’t have to search for business.
Forbes.com: The government devoted years to prosecuting you and making sure you served a long sentence. Do you believe that prosecution makes the information technology world more secure? Is it more important to chase down hackers or protect the fort?
Mitnick: I think you need both. You do need to prosecute people who break the law. In fact, I’ve never argued that I shouldn’t have been punished. I argued that I shouldn’t have been held for four and a half years without a trial, putting me in solitary confinement for eight months.
Forbes.com: What do you see as the biggest threats to cybersecurity today?
Mitnick: Cybersecurity used to be about the network or operating system. Now it’s more at the application layer. Companies and their contractors build their own applications hosted on a public website, and the people who write them aren’t trained in secure coding. The mistakes they make can be leveraged to break the system.
Forbes.com: A report last month from the Identity Theft Resource Center showed that data theft by employees has more than doubled since the year before. Are insider data breaches a problem that can be solved?
Mitnick: I help my customers monitor what information is going into and coming out of their organization, to monitor where employees are going on the network and if someone is handling a lot of information they’re not supposed to.
But if you have a legitimate employee with a clean record who accesses information in their normal course of duties, then how can you stop it? If someone really wants to steal from you, they’re going to.