Kevin Mitnick, our nation’s most famous hacker, is dressed in black drawstring pants and a 2600 Hacker T-shirt. We’re talking a month after his five-year stay in the federal prison system. He was hit with a 25-count indictment charging him with hacking all across the U.S.A: He allegedly used Pacific Bell equipment to conduct illegal wiretaps, and copied source code from Motorola, Sun Microsystems Inc., NEC Corporation, and Novell, among many others. Now Mitnick’s probation officer bars him from interacting with the electronic world, and for the next three years he can’t even touch a 7-Eleven cash register.
What other conditions did the court impose on your release? I can’t buy an organizer. I am restricted from using any computer with a modem, any TV with Internet access, or any device that might come out in the future. I have to live as if I was part of the Amish, and these restrictions even impinge on my freedom of speech: I can’t advise any individual or group that is engaged in computer related activities.
Why were you reined in so tightly? The U.S. Attorney said I tampered with the records of a prior judge, erased a misdemeanor conviction from Santa Cruz, and hacked Security Pacific Bank. I did not do that.
I’ve heard that they put you in solitary confinement. Yeah, the Bureau of Prisons decided the only place they could put me was in the hole. I was under the same conditions as if I killed a prison guard or another inmate. The hole was a small little room, ten by six.
When was the last time you were on the Internet, and how drastically has it changed? The last time I was on the Internet was in February of 1995. I miss it. I want to get back and see all the new things now that e-commerce has boomed and it’s become a tool for the exercise of freedom of expression. Technology certainly has advanced. Before I went in, the browser was Mosaic 1.0.
Several Fortune 500 companies have said they’d jump at the chance of hiring you for computer security. Would you be interested? They haven’t made me any offers. I’d be good at it. I’m a natural in the field of circumventing computer security.
John Markoff, the New York Times writer who first covered you and wrote a book about your capture, has been quoted as saying that you don’t appear to be accepting responsibility for your actions. Do you think you did anything wrong? What I really was, was a computer snoop. I accessed proprietary codes and I trespassed on other people’s computers. It was a despicable invasion of privacy, but I don’t believe it rises to the level of fraud.
Then why did you plead guilty to fraud and admit to inflicting $5 to $10 million in damages? U.S. District Court Judge Mariana Pfaelzer denied me bail. It was very clear to me in her court I didn’t have the presumption of innocence. I believe I caused some loss, less than $250,000 for labor to restore computer systems and the long-distance cell charges I used to mask my location. The $5 to $10 million was a legal fiction. In the plea bargain, they came up with the number of months they wanted me to serve in prison and then picked the number from the guidelines for that amount of time, basically so they could use it for publicity value. They wanted to scare the heebie-jeebies out of other computer hackers, they’re also screaming for more money for their computer crime budgets; this is ample justification. If the government succeeded in creating the cyber bogeyman they could convince the public to give up more rights to privacy in exchange for protecting them against people like me.
That’s an interesting theory, but can we switch gears for a minute? I’d like to know why you hacked in the first place. I did it for the thrill, curiosity, knowledge, but mostly the intellectual challenge, like climbing Mount Everest. I’ve never engaged in any hacking activities for profit or harm. I knew it was wrong at the time, but I justified it in my mind because I just really enjoyed it. It’s fascinating. You feel like you’re in a Star Trek show. I don’t like to use the word addicting, but you get so focused hours could pass.
Did you go after the sites with the toughest security? Yeah, to get into a system that’s not protected is no challenge. If all the companies didn’t have passwords, there would be no hacking. What would be the challenge? That’s what they did at MIT: Onesystem’s AI never had passwords and they never had hacking.
Some people have said you were not a great hacker, but rather broke into systems by “social engineering,” like talking people out of their passwords, etcetera. Is that true? It depended on my objective. If I wanted to remain in a system stealthily, I would use a technical attack or very careful social engineering so it would never dawn on the person why I asked about their system. Let’s say I wanted all of a system’s modem numbers. I would call accounts payable and say I needed to check my billings; the computer department would never be clued in because accounts payable and computer information would be autonomous. Lying over the phone, coming up with ruses—private investigators use these techniques all the time; they call it gagging.
So maybe you were not a great hacker in the strict sense? I don’t think I was the best hacker in the world. If I had been, I wouldn’t have been caught. There are people out there who have been hacking as long as I was and were never caught. I know of one, I know him by his code name only, who has technical skills far superior to mine and he’s never been caught. If it’s a him; it might be a her.
Did Internet security improve after they got on to you and other hackers? With Digital Equipment, I was in their network for eight years, and their security improved but it didn’t improve to the point they could keep me out. The problem with any big corporation is there’s an outside threat and an inside threat and the inside is much more onerous. The insider knows the operation, knows the passwords, might have physical access and knows the vulnerabilities.
Did you ever use physical access to hack a system? I was at a DECUS (Digital Equipment Computer Users Society) convention years ago, I must have been in my teens or maybe twenties. A guy from Massachusetts offered $300 if anybody could break into his system. My friend and I, we breached it. There was a flimsy lock to reboot, we picked the lock with a paper clip, and when the guy came back his jaw dropped. He had to pay us. Also at a university I used physical access.
What about last week’s DoS attacks? Do they have anything to do with your type of work? It’s apples and oranges. A DoS attack is analogous to crashing a system. In all my hacking, I never crashed a system or damaged a computer. That’s just being destructive. In fact, I don’t consider the people behind the DoS attacks to be hackers. A hacker is a computer enthusiast who intensely enjoys the thrill and challenge of circumventing security. These are just people who used a computer to commit a crime. Hacking is pretty simple nowadays because of the scripts available to exploit vulnerabilities.
Based on your experiences, what do you think will happen if they catch the culprits? They’ll be in for a rude awakening.
Do you think hacking should be a crime, or is it the best way to explore the potential and vulnerabilities of the Internet? Is hacking a public service? I don’t think I’d go that far. I think these companies I hacked were extremely fortunate it wasn’t somebody from a foreign company or competitor who hacked them. I had the potential to cause them extraordinary harm. Company executives probably had a lot of sleepless nights over me. The problem is the Internet, and Arpanet before it, was designed for a group of university and Department of Defense people who wanted to work on projects. It was all about sharing information. The protocols were not for security. Now they’re trying to build security tools on this weak foundation. They should build new protocols for a strong foundation.
How did the other inmates at Lompoc respond to you? They certainly wanted my knowledge, and I dare say they wouldn’t be using it for the benefit of society. Especially the credit cards. When I left Lompoc, quite a few gave me their address and number, but most I left in the garbage can.
How do you feel about your newfound fame? The reality hasn’t hit me yet. You should see the e-mails I get. There’s this system, can you tell me how to get in? Can you teach me how to hack? That’s one thing the government can’t stop me from doing, write a book on how to hack. Not Son of Sam or any other law would apply. What’s barred is discussing my unauthorized criminal conduct. I’d also want to write about how to prevent it from happening to you. It’s still wrong.
What everyone wants to know is, will you hack again? Yeah, if I’m getting paid for it. You know now they’re hiring these tiger teams to go in and test systems and if they’re able to plug upholes, and it’s legal. I’d have to consider it under a cost-benefit analysis. In the last round, I was doing it for fun. But I wasn’t raised to be a cyberthief.