“I’m not exactly sure why my demo isn’t working,” our presenter confided to me during a break. “It looks like your firewall may be blocking the ports I need to use. What all ports do you guys block on your network, anyway?” he asked. At any other conference on any other day to any other presenter I probably would have freely given up the information; this time, however, I hesitated. Despite his friendly disposition and warm smile, I cannot forget who he is: Kevin Mitnick, the world’s most infamous hacker.
Kevin Mitnick, myself, and Alex Kasper
The Background
Mitnick’s adventures both through computer systems and the penal system are well documented. After serving three years (including eight months in solitary confinement) in federal prison and another two years of probation, Mitnick went on the run to avoid even more jail time. He successfully avoided the FBI’s radar for two years before a front page newspaper article rekindled interest in his case. Mitnick was eventually re-arrested in North Carolina and was (unconstitutionally) held in prison for almost four years before charges were ever filed against him. Almost five years after he was imprisoned, Mitnick was freed in 2000. For several years after that he was not allowed to access a computer (his first book was written using a manual typewriter).
By the time Mitnick was apprehended, the legends surrounding him had exceeded things he had actually done. The tales of his exploits had become so exaggerated by then that it’s no wonder the authorities were so afraid of him. The guy spent years amassing source code, passwords, and other private information that should have been difficult or impossible to obtain — and the most interesting thing about it all was that quite often, he simply asked people for it.
Social Engineering, or the art of getting information from people, is what brought Kevin Mitnick and longtime friend Alex Kasperavicius to our FAA office in Oklahoma on December 14th, 2006. The pair of technological wizards presented the psychology behind and examples of social engineering to a crowd of forty or so employees. Mitnick and Kasper shared presentation duties throughout the day; both of them were extremely knowledgeable and enjoyable to listen to.
Allow me to backtrack for a moment. The wheels for this class were set in motion a couple of months ago. Actually if you want to get technical, they’ve been in motion for over a decade. My interest in Mitnick’s case began back in 1994 when I attended Hohocon (a hacker conference) in Austin, Texas. Over the years I picked up several books pertaining to his case, including Cyberpunk: Outlaws and Hackers on the Computer Frontier and Takedown. My interest in his case was eventually picked up by my wife Susan. Earlier this year, Susan was tasked with finding some applicable training for the FAA. She found Mitnick’s website and his social engineering course, and the rest was history.
The Day
Unsurprisingly, one of the stipulations of Mitnick’s visit was that neither he nor Alex were to be unescorted on our government campus at any point throughout the day. Susan elected me to stick with them, a role I gladly accepted. My day began by meeting the two of them down at the guard shack. The two of them showed their IDs and were granted visitor badges. I smirked a little as the two of them signed their names and were handed their passes.
The all-day class covered the basics of social engineering, ways to protect against being socially engineered, and enough real world demos to make you want to run home and change every one of your passwords to 30-character-long Chinese symbols. Having already read The Art of Deception I was already familiar with most of the attacks demonstrated, but there’s something inherently cool about watching Kevin Mitnick standing in front of a classroom spoofing Caller ID information to people’s cell phones. There was also a dumpster-diving demonstration that led to the discovery of multiple credit cards, internal memos and travel vouchers. Several various social engineering attacks were explained and demonstrated throughout the day. I don’t want to give all the surprises away, but let’s just say everyone left the conference a believer. From what I could gather, there were three basic groups of people attending the workshop. About a dozen of us were there because of Mitnick (a few of us even brought items for him to autograph). There were a few managers and helpdesk employees who were there to find out more about social engineering. The rest were there because it was a day away from normal work duties. But like I said, regardless of the reason people originally attended the workshop, no one left thinking that social engineering wasn’t a dangerous problem.
The Night
After the class ended, several co-workers and I took Alex and Kevin out for a night on the town. As Alex lives in Los Angeles and Kevin resides in Las Vegas I knew a night out in Oklahoma City wouldn’t be that exciting for the two of them, but we tried anyhow. Our adventures throughout the night led us from work to the Bricktown Brewery, Abuelo’s (for dinner), the Purple Bar, Graham’s (by far the most redneck club I have ever set foot in), and eventually, Waffle House. Throughout the night we all shared many stories and experiences. It was great to go offsite and actually get a chance to talk with both guys. And, between the Country Christmas Carols, being approached by security at the Murrah Memorial, seeing a redneck getting tasered, getting tossed out of a country bar for not meeting the dress code (belt buckle too small, perhaps), and seeing a fast food employee working without a shirt on, the two of them got the true Oklahoma experience crammed into a single evening.
During dinner, Kevin commented on one of the pictures on my phone. When I looked down at it, I saw a note that read, “Bluetooth connection established.” Mitnick just smiled. After dinner, a woman stopped us outside the restaurant, asking for a picture. Kevin agreed. It then dawned on us that what she wanted was Kevin to take a picture of THEIR group. The irony was hilarious, and I did manage to snap a picture of Kevin taking their photo.
Between destinations, Kevin, Alex and I made a minor detour and stopped by the Murrah building memorial. It was 10:30pm by then; I’m not sure if the memorial actually closes, but there were only four of us there; Alex, Kevin, myself, and the security guard who ran all the way across the memorial to then come stand within 10 feet of us. “I’ll bet you get that a lot,” I joked to the two of them.
By the time we got to the Waffle House we were down to four: myself, Mitnick and Alex, and Paula (another co-worker). After squeezing into a Waffle House booth, Mitnick (unaware of Waffle House’s social status) tried ordering a bottled water, and got excited momentarily when I joked about them having lattes. He settled for a glass of OJ while the rest of us had (somewhat chewy) coffee. As the party died down, the four of us sat around bullshitting about old versions of Linux, The Cult of the Dead Cow and old work and war stories over various flavors of waffles. Shortly before the late night bar rush was scheduled to arrive, we ducked out and called it a night.
Afterthoughts
At the beginning of the day, I was excited about meeting Kevin Mitnick, the celebrity. (I have to admit, the first time I answered my phone and heard “Hi, this is Kevin Mitnick”, I giggled like a schoolgirl.) Throughout the day my perception of him changed; I began to see him less as a celebrity and more as just a guy who loves technology. His eyes occasionally sparkled as he reached back and relayed a particularly wily hack or two from his past.
Throughout the day, I couldn’t help but remember that here’s a guy who has spent one fourth of my lifetime in federal custody on essentially bogus charges. If ever there was a poster boy for “the punishment does not fit the crime,” it’s Kevin Mitnick. Regardless of what you think of the guy, there IS no crime heinous enough that a person should be held unconstitutionally for over four years. As they mentioned in Freedom Downtime, “even the Unabomber had a bail hearing” (Mitnick was denied a bail hearing for over four years). While Mitnick has no doubt pulled off some serious hacks in his days, the fact remains that the charges he was held on (one was essentially software piracy) were things that many of us have done — we just didn’t have the misfortune of having our adventures pasted all over the front page of the New York Times.
Links:
Kevin Mitnick
Alex Kasper
Mitnick Security Consulting
Books:
The Art of Deception by Kevin Mitnick
The Art of Intrusion by Kevin Mitnick
Movies:
Freedom Downtime (A feature length documentary about the Free Kevin movement and the hacker world.)
Propaganda to avoid:
Cyberpunks (book)
Takedown (book)
Takedown (movie)
I’ve been waiting for the update on the visit. I knew you’d be having a blast. Wish I could have sat in on that training session! I want more details later.
Mom
Kevin and Alex raising hell in the Sooner State? Good times. I’m glad you got to spend some time with them, they really are great guys. But did Alex tell you that he’s an SC grad? I’m sure the OK staties would have tasered him if they knew that after the embarrassing Orange Bowl a couple years back.