Did Kevin Mitnick do a disservice to the security community?

Some say famed hacker Kevin Mitnick is blowing a golden opportunity to cast the hacker community in a more positive light as he pushes his book "Ghost in the Wires."

I'm not sure that's the case, though.

I have not yet read "Ghost in the Wires," though I plan to after I finish a memoir from Aerosmith singer-songwriter Stephen Tyler. I wasn't interested at first, since I know Mitnick's story well.

For those who aren't as familiar, Mitnick was once the most-wanted hacker in the United States. He was an undisputed master at social engineering and broke into dozens of networks as a fugitive. He went on to serve five years in prison and has since built a successful consultancy.

Also see"Social Engineering: The Basics" and "Social Engineering Stories"

What interested me in the new book was a review from MANDIANT CSO Richard Bejtlich. In his excellent TaoSecurity blog, Bejtlich wrote:

As far as I can tell (and I am no Mitnick expert, despite reading almost all previous texts mentioning him), this is the real deal. Mitnick addresses just about everything you might want to know about. For me, the factor that made the book very unique was the authors' attention to detail. This sounds like it might have been a point of contention between the co-authors, but I found the methodical explanation of the social engineering and technical attacks to be relevant and interesting. Mitnick just doesn't say he social engineered a target; rather, he walks you through every step of the event! It's amazing, audacious, and in many cases beyond the pale.

Ghost in the Wires also shares the human side of Mitnick's story. His description of solitary confinement and his anxiety of returning to those conditions seemed very real. They appear ever more relevant given recent treatment of Bradley Manning. One has to wonder about "cruel and unusual punishment" of those who are not convicted, such that they will sign plea deals just to avoid solitary confinement. Beyond prison issues, Mitnick's love for his family (especially his mother and grandmother) were clear throughout the book.

That last paragraph is what grabbed my attention. As readers know from my other blog, I'm a sucker for stories about the human condition and how it ultimately impacts security and everything else in life.

Though I haven't read the book yet, I've been following the media coverage with intense interest. Last week, I watched Mitnick on the Colbert Report and thought he did well (watch it here).

Ken Yerrid, a security professional some of you know on Twitter as @K0nsp1racy, sharply disagrees. In his blog he writes:

I want to believe that Kevin Mitnick is a nice person. I have never personally met him, although I have heard of his story. His book, Ghost in the Wires, is purportedly an expose of his life. For months now, I have been watching tweets about the book (self promotional) being released. I see self-promotional tweets about book signings and appearances. Quite honestly, it reminds me of the marketing that Mr. Gregory D. Evans executes. I do not fault the guy for wanting to make a living, and it is not my place to judge his motivation. But last night, Kevin Mitnick was given a golden opportunity to help change perspectives on the state of information security by appearing on The Colbert Report. Information security is an industry that still suffers from a perception of being unstructured, unprofessional outlaws and elitists. Despite all of the wonderful things that we do for each other and others in the world, this success stories are still not being communicated effectively. It is sad.

So rather than talking about being in solitary confinement for a year, and sitting at home on Valentine’s Day—statements that further extends the stereotypes of security professionals being nerds with no life— the statements that have me fired up is the ones where he had the opportunity to pay it forward to the community. Clearly, there was an opportunity for Kevin Mitnick to avoid bragging about hacking companies with their permission (again self-gratifying), and talk about how he had made mistakes in the past, served his time, and now spends his time along with millions in the community, in protecting companies from the bad guys. Simple wordplay, but powerful nonetheless. Mitnick squandered that chance.

My thoughts on the matter:

--Yerrid makes valuable points. Mitnick as a force of good despite (and because of) his past is the most compelling story of all. It is too bad we haven't heard Mitnick talk about these things more in his pressers.

--That said, I think it's important to consider the venue Mitnick was speaking from that night. The Colbert Report isn't exactly the place to preach on how to be a good-guy hacker. The goal is to play Colbert's game.

--It's only natural that people are going to ask about all the naughty things he did. Everyone loves a good war story. There's nothing wrong with him telling the tales without attaching a "This is the lesson I learned" speech to it.

--If you listen closely, Mitnick does demonstrate his better behavior when he tells Colbert that he's still hacking, only this time for companies that pay him to do it so they can improve their defenses.

--While I haven't read the book yet, I've seen bits and pieces where Mitnick talks about his early years and some of the adversity he experienced. I've heard one reviewer note that Mitnick never blames anyone for his bad behavior. I think that in itself is a blast of fresh air in an industry where people love to point fingers at others and tear people down over disagreements.

Should Mitnick evangelize more often about how he was bad and why he changed (besides getting caught and going to prison) and what others should learn from it all?

Absolutely.

Will he? I don't know.

I give Yerrid credit for speaking his mind on the matter and hope Mitnick takes it to heart.

However, just by telling us how he did things, he's giving us a good lesson on how hackers operate. Organizations stand to learn a lot as a result, and that could mean better security in some corners of the globe.

If that can happen because of some simple war stories, that's good enough for me.

--Bill Brenner

Sign up today.

Get your morning news fix with the daily Salted Hash e-newsletter!

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO's Daily Dashboard gives you a

latest security news and analysis from CSOonline

See all

Related:
SUBSCRIBE! Get the best of CSO delivered to your email inbox.