I worked at a company that had hired Mitnick as a security consultant.
His report for a client that turned out to have been rife with SQL injection at the time was largely movie plot physical security stuff. Not wrong exactly, but not the center mass of the threat model they needed either.
He seemed to lack systems thinking, producing a report that focused on calling out specific employees as dumb or incompetent. Counterproductive at best. It seemed like his PR exceeded his utility by a great deal.
Dude I was called out by name in the report either right before you got there or the first one you were there. I was called out in the one where they got B's Audi keys in his office.
Whole thing was so dumb. A floor full of smart monitors that they could have put a keylogger on. A plethora of physical network access and I get called out for leaving my laptop on the lock screen and going downstairs for food.
And they got found out because I ran Little Snitch I paid for myself and it caught their hijacked Chrome making all sorts of weird network calls. But I don't remember being given credit for that.
He social engineered your company into contracting him, and that adds to the legend, but people don't see how many other companies he failed to social engineer.
This is what happens when the 90's PC community renamed crackers as hackers. Proper hackers would have been the ITS/WAIS ones doing crazy things with computers for its era.
I have so many stories about his absolutely terrible behavior at conferences. He once refused to pay the entry fee to a charity event and had to be physically ejected.
Absolutely better at PR than any actual work, pay careful attention and none of his early stuff was particularly novel, from a technical perspective.
But for whatever reason, we venerate him just because he was victimized by the state. The world is not a dichotomy -- sometimes bad things happen to bad people.
He got all of the "Free Kevin" attention because of how long he was left in jail before trial and then being stuck in solitary confinement after sentencing for months.
If he had been treated fairly by the justice system he wouldn't have gotten nearly as much attention.
He was also autistic, a lot of the behavior can be explained through that lens.
>He got all of the "Free Kevin" attention because of how long he was left in jail before trial and then being stuck in solitary confinement after sentencing for months.
That was uncalled for on the part of DOJ.
>He was also autistic, a lot of the behavior can be explained through that lens.
I'm autistic. Maybe I should go commit a bunch of felonies to increase my chances of a good job and stature in the hacker community, since things like publishing code, publishing peer reviewed papers, and mentoring newbies have not been productive ways of finding gainful employment nor respect of my peers.
I have friends who did things like take a gap year to travel the world or met their spouses on nights I stayed in to study, and some evenings when browsing HN I feel very sad that I wasted my 20s on a society that does not care about me.
Anyways, sorry to wall of text, but what you said really struck a nerve with me -- there are hierarchies in any community, and one thing I've noticed with the hacker scene is one group of people can mess up over and over using the same sets of facts or diagnoses, but others can expect to have worse outcomes with better behavior for reasons that elude me to this day.
In all fairness, a genuine attacker WILL be abrasive and abusive. They WILL single out employees that are gullible and exploit them. It's not pretty because a genuine attack is not pretty. Of course a simulated attack will be indecent and discourteous in nature, that is how attacks are.
I read the book by Tsutomu Shimomura, who caught Mitnick's hacking and tracked him down. It's a fascinating read. He was able to locate Mitnick in the physical world based on his online activities and his cellular phone usage. In those early days, few people understood the cyber landscape and cellular technologies to exploit them.
Yes but AFAIUI Mitnick was upset Shimomura had the full weight of the police on his side, right? He used techniques that shouldn't have been available to him.
Interesting fact about Shimomura, he was a student of Feynman's.
>I'm old enough to remember all the "Free Kevin" gifs scattered around the internet.
A generation of hackers (specifically, the vBulletin generation) stayed as far away from the CFAA as possible after that fiasco, which I suspect is exactly the chilling effect that the DOJ intended.
It's in his (Mitnick's) autobiography Ghost in the Wires. In his telling of the story they put him in a more restrictive environment exactly because of the reason given (launching nukes by whistling into a phone)
I don’t need to know an iota of his activities as a hacker to hate him. I hate him because of how many times I had to be put through mind-numbing security training with his mug as the opener. “I’m Kevin Mitnick” and KnowBe4 are seared into my brain at a PTSD level for terminal boredom.
His report for a client that turned out to have been rife with SQL injection at the time was largely movie plot physical security stuff. Not wrong exactly, but not the center mass of the threat model they needed either.
He seemed to lack systems thinking, producing a report that focused on calling out specific employees as dumb or incompetent. Counterproductive at best. It seemed like his PR exceeded his utility by a great deal.
That trend continues beyond the grave, maybe.
Whole thing was so dumb. A floor full of smart monitors that they could have put a keylogger on. A plethora of physical network access and I get called out for leaving my laptop on the lock screen and going downstairs for food.
And they got found out because I ran Little Snitch I paid for myself and it caught their hijacked Chrome making all sorts of weird network calls. But I don't remember being given credit for that.
(Sips mojito)
He did cost people their jobs though, so I guess he's a good person.
I understand he probably just lent his name to the company (though he did show up in some of the videos), but still...
They left out convicted criminal.
This helps to fill in some of the details. It's a really nice story showing the humanity that can be found in situations when you look close.
https://fogbeam.com/free-kevin.jpg
Wait ... no fists involved. My mistake.