An Hour with Kevin Mitnick: Page 2
In part one of a candid discussion with Vince Barnes, Kevin Mitnick tackles the issue of hiring hackers, talks about what is keeping him busy these days and reflects upon his past.
Kevin also went on to talk about his reasons for being at Infosec. He mentioned the name of the person who was to interview him at a session the following day:
Kevin Mitnick: ...Mark Rash. Now that's another interesting can of worms because Mark Rash, as a part of his resume, actually states that he worked on my case for the Department of Justice, while he was with the DOJ. So that'll be interesting! But he's a nice guy and we're going to be meeting later today and discuss the boundaries of the interview.
Last year I spoke at RSA and I was put on the hot seat — it was like a debate, "do you hire the hacker"... and that's where I was basically attacked right away as the, you know, "once a criminal, always a criminal" - that type of mindset. And even though nobody "won" it still didn't really bring any value to the audience, because what the audience wants to know is "Hey, we have a huge problem out here. We have problems with our physical security, operational security through to management. What can we do to shore up our defenses?" and "Do you hire the hacker?"
On Hiring a Hacker
I basically look at it as... if the guy hacked into Citibank and stole millions of dollars, would I hire him to secure my bank? Maybe not! I would look at it as the guy physically embezzled money through the computer so I'd say the risk would be too high.
Now let's say the same guy; and I'm with the Los Angeles School District and I want to protect student information; so even if this guy got hold of it, what can he do with it? Then if this guy had really, really good skills and he was really sharp, then I'd say maybe it is worth the risk.
You know there's a risk involved, but there's two opposing things. You have the criminal history and you have the skill set and it's up to the person making the call, the certifier, the person doing the hiring to assess the risk and make the call. It's simple mathematics today.
Now, fortunately, in my case, the Department of Defense has contacted me directly to submit a bid to do an assessment for the DOD, and a civil part of the US government has asked me to submit a bid, so here I have the US government that wants to hire me, so they've obviously had to weigh the pros and cons as well.
Then again, my case was all about the misappropriation of source code because I wanted to become the best hacker in the world and I enjoyed beating the security mechanisms. It was a challenge. I wanted to get behind the door; pick the lock; not because I wanted to steal what was on the other side of the lock, but because the challenge was being the best at getting through the lock; so the harder it was to break the more of a challenge it was.
So what I did was; I made some very stupid decisions and I said, "I'm going to go and get the source code to that lock, I'm going to go get the design specs to that lock; and figure out what in the designs makes some problems with it and I'm going to about them because I'm going to sneak into their computers and see their secret plans." So that's what I did with the source code.
Any type of operating system that I wanted to be able to hack, I basically compromised the source code, copied it over to the university because I didn't have enough space on my 200 megabyte hard drive. So I'd move it over to USC and I'd sit there and first I'd look through the comments, pick through the security holes, and then I'd see what the developer did to fix it because they'd always leave it well commented - thank you very much - and then I'd work back and figure out how I could write exploit code to exploit their vulnerabilities.
So what I was essentially doing was, I compromised the confidentiality of their proprietary software to advance my agenda of becoming the best at breaking through the lock.
Then and Now
I made stupid decisions as a kid, or as a young adult, but I'm trying to be now, I'm trying to take this lemon and make lemonade. It's amazing that I've been successful in this endeavor because now I travel round the world speaking about security.
Of course I'm sure half the people there hate me and half the people like me. It's half and half because most of the people have formed their opinion about Kevin Mitnick from what they've read in Takedown and what they've read in the media and how I was portrayed. I was pretty much the government's poster boy for what I had done. I've always looked at it as, what I did was wrong and I should have been punished, but the punishment didn't fit the crime.
Be sure to check out Part 2 of Vince's conversation with Kevin Mitnick.