Uncharted Waters

Jul 22 2014   4:24PM GMT

Wait a minute. What did Kevin Mitnick actually do?

Matt Heusser


He was arrested twice for computer crimes and wire fraud. At the time of his second arrest, he was on probation from the first, and he was caught by a large multi-agency dragnet that included the FBI.

The actual term in the FBI press release was “manhunt”; he has been called The World’s Most Famous Hacker.

Let’s review a few interesting facts about Kevin Mitnick:

1) Kevin stole computer programs, including the source code to VAX/VMS and an early portable phone system – for his own personal use. He did not offer the source code of VMS to Microsoft; he didn’t cut and paste multi-threading code to be used in a different OS. He didn’t create his own operating system, or even use his extended knowledge of VMS to offer his support services for the OS.

2) Mitnick did not destroy any software or systems; he didn’t inject any viruses or trojan horses into existing systems, and there was no denial of service involved.

3) Mitnick did not financially benefit from any of his computer hacking. He did not steal any bank account numbers. To pay for room and board, he had traditional jobs, even when he was on the run. The only financial crimes I could find involved stealing phone calls from mechanical (not computerized) telephone switches, and, in his youth, stealing bus fare from a paper-punch card system.

So he didn’t damage anyone else, he didn’t steal money from anyone, and he didn’t use the code he stole to generate revenue that belonged to someone else.

What did Kevin Mitnick do, exactly?

Known as the “World’s Most Famous Hacker”, Kevin broke into the Ark, the computer system at Digital Equipment Corporation (DEC), at the age of 16, in 1979; he then downloaded their software, the source code to the RSTS/E operating system.

Sort of.

In an interview with The Register, Kevin claimed that some friends at school had the phone number for the Ark, but the login required a userid and password. So Kevin called the Ark (it was in the phone book) and asked for the system manager, claiming to be Anton Chernoff, one of the lead developers, and saying that he had forgotten his userid and password. Then he showed the login to his “friends”, who downloaded the source code and called the police, indicating that Mitnick had stolen the code.

The first bit of insight here is that Mitnick wasn’t a technical hacker; he didn’t cause a buffer overflow or SQL injection or upload an image that was really JavaScript. Instead, he pretended to be someone who should have access and politely asked for a password reset, something that today we might call social engineering.

It seems a little strange that his own “friends” were socially engineering Kevin; you might argue that the whole story is made up to deflect blame. Still, the geeky computer kid who just wants to make friends sounds familiar. Mitnick never caused any material harm to the companies he hacked – just embarrassment.

Second Conviction

After conviction for the DEC incident, Mitnick was sentenced to twelve months in prison followed by supervised release. During his supervised release, he hacked into Pacific Bell voice mail, but you never read exactly how he did that.

It turns out a federal informant gave him the login information, posing as a ‘friend’ who was ‘tipping him off’ that government agents were spying on him in order to get a second conviction.

It was true, but the second conviction appears to be that he hacked into Pacific Bell voice mail.

Wait, what?

In his second conviction, Mitnick got 68 months in prison, for violating the terms of his previous release, by “hacking into PacBell voicemail” and other systems and associating with known computer hackers.

The first conviction was four counts of wire fraud — listening to people on the phone he should not have been — two counts of computer fraud, and one count of illegally intercepting a wire communication.

In other words, he violated the privacy of technology companies. He made them feel … violated.

Which is exactly what the NSA does every day.

By the time of Mitnick’s second conviction, real criminals were stealing actual money, credit cards, and identities, causing actual harm. It seems strange that so much attention was directed at Kevin Mitnick. Yes, Kevin’s first crime was a real crime; but was it the best use of scarce law enforcement resources? Was the press justified? These questions lead to more questions than answers.

There’s a lot more story here than I can fit into a blog post, but I hope, at this point, you agree that something strange is going on, with words and definitions that are carefully chosen to give impressions without substance.

For more details on the Mitnick case, you can watch his Google Tech Talk or purchase the video documentary on Kevin, “Freedom Downtime” from 2600 magazine.

Or you might google it and find it for free on a popular site that allows you to have a virtual tube.

But, you know, that would be stealing.

3  Comments on this Post

  • Mccarthy
    What a very interesting analysis! I didn't realize Kevin never stole, damaged, or interfered with anything... Hmmm: 'Justice for Kevin' anybody?
  • Matt Heusser
    Thanks! I think technically he stole some phone calls, as did Woz and Steve Jobs ...
  • MaceAyres
    I thought Mitnick used a syn/ack overflow to break out of the connection handshake, sort of a buffer overflow, with bogus source IP so the sequential incompleted connect attempts backed up
