Kevin Mitnick | Talks at Google
Articles Blog

Kevin Mitnick | Talks at Google

>>Eran Feigenbaum: For those of you who know
Kevin, he needs no introduction. For those of you that don’t some have called him the
world’s most famous computer hacker. He’s had several books written about him, a movie
made about him. He’s the author of several books, with a new one that came out this week
which is a tell-all. His story in short is I’ll leave the details to you but he basically
hacked into several Fortune 500 companies, government agencies, phone companies and spent
three years on the run and then finally got caught and spent five years behind bars. So
with that, a warm welcome to Kevin Mitnick. [applause]>>Kevin Mitnick: Thank you Eran.>>Eran Feigenbaum: So I mean how does one
become the world’s most famous computer hacker?>>Kevin Mitnick: Wow, that takes a lot of,
a lot of doing. Actually I started as a 10-year old I was fascinated with magic and I loved
doing magic tricks. And then in high school I was introduced to a student who could do
magic with the telephone system. And he’s what they called a phone freak. And if you,
I don’t know how many of you read 2600 Magazine. So you’ve got a few of you in here. So phone
phreaking was like the predecessor to hacking and, and I was just like taken aback with
what this kid could do. I, I gave him my mom’s name and he was able to get our unlisted telephone
number at home. I, I, he gave me this special number that you would call, you’d call this
secret number and you’d hear like a weird tone, you’d put in five digits and then you
can call anywhere in the world for free. Not that I had to call anyone, but I liked calling
the time in Australia because I thought it was cool. And at the time I thought it was
a fluke with the telephone system, but it actually probably was some poor soul’s MCI
account and just all the cool stuff he could do with the phone. So I was a prankster and
I loved pulling cool tricks, so the first thing that I did was I changed a friend’s
class of service to that of a pay phone, so whenever he or his parents tried to make a
call, it would say, “Please deposit a dime.” [laughter]>>Kevin Mitnick: ‘Cause they’d actually get
this recording, I actually have the recording in my iPhone. So you imagine you’re, you’re
at the, you’re at home, you go to make a call, and this is what you hear: [recording starts] The call you have made
requires a ten cent deposit. [laughter] [recording continues] Please hang on momentarily.
Listen for dial tone. Deposit ten cents and dial your call again. [recording ends]>>Kevin Mitnick: And so I was really like
into pulling pranks with the telephone system and that was my passion was really just to
learn all about telephony. And, and then when the phone companies started switching over
to electronic switching systems, that’s when they had front end computers that were involved
and that’s why I became interested in hacking. Actually, I did, I wasn’t really, I didn’t
even want to go to learn about computers. I had a friend in high school that says, “Hey
you would really love computer class.” And, and then I talked to the instructor and I
said, “Hey, I’d like to take a computer class.” And he asked me what my prerequisites you
know what, what classes I had done before and I didn’t have calculus and I didn’t have
some other prerequisites, so he says I couldn’t get it. So then I said, then my friend was
there and he goes, “Show him some of the tricks you can do with the telephone.” And then ok,
we’re gonna let you in, we’re gonna waive the prerequisites. And probably that was,
probably he’s regretting that today, [audience laughs] ’cause of all the crazy stuff I did.
I mean the first thing I used to do was like dial up to USC so I could play their computer
games, because they were, they had better games than they did in high school, and they
had an Olivetti terminal, a decoustacoupler 110 baud modem, so you can imagine 110 baud.
Any of you have, have computed at those, dialed up at those super fast speeds? Well, in any
event, I dialed, they had a phone in the room, so it was restricted, you couldn’t dial out.
So what I used to do is call the operator and say, “Hi, this is Mr. Crist. I need you
to connect me to this number. And that would be the dial up for SC. So after he figured
out what was going on because all the kids in class were playing computer games on USC’s
computers because they actually had a much better gaming library, he brought in a phone
lock. And he says, “I found the one thing that’s gonna stop Kevin from dialing up to
USC. He proudly places the phone lock in the one, you know ’cause it’s a rotary phone and
number one. And I go, “Hey, that’s cool, how much did that cost you?” And he goes, “Oh
like five, six, seven bucks.” And I said, “Let me show you a cool trick.” So of course
I asked him for a phone number and I just simply pulsed out on the switch hook, you
know, the number I wanted to dial. His face turns red and he actually threw the phone
across the room. [laughter]>>Eran Feigenbaum: You were quite, quite the
prankster anyhow. I mean most kids you know in their adolescent days go you know toilet
papering houses.>>Kevin Mitnick: Yeah.>>Eran Feigenbaum: You had your other–>>Kevin Mitnick: Mine was electronics, you
know.>>Eran Feigenbaum: So tell us like the McDonald’s
story, I mean.>>Kevin Mitnick: Oh, my God, that’s kind of
my favorite hack of all time is taking over the drive-up window at McDonald’s. [laughter]>>Kevin Mitnick: So you could imagine the
fun you could have at 16, 17 years old. I used to sit, my friends and I would sit like
across a busy street in Los Angeles, I don’t know if you know the area, it’s like Ventura
Boulevard, it’s like a huge, it’s huge, it’s like Broadway here. And when customers would
drive up, I had a ham radio that I modified that I can go on, I can go on McDonald’s frequencies
so I could actually take over the drive-up window. So the guy with the headset inside,
he could hear what’s going on, right, but was powerless to do anything. So people would
drive forward, you know, I’d take their order, you know, they’d ask for a Big Mac, large
fry, large coke. I’d say, “Hey, man, we don’t serve burgers here anymore, you have to go
down to Taco Bell.” [laughter]>>Kevin Mitnick: You know and stuff like that.
But the better one is when the cops drove up. ‘Cause I’d see the cops car and I’d go,
“Oh, hide the cocaine, hide the cocaine.” [laughter]>>Kevin Mitnick: And then you know 16, 17
you’re a little bit immature, so>>Eran Feigenbaum: You think?>>Kevin Mitnick: Just a little, so a customer’d
drive up, place their order. You know “I’m sorry sir, our ice machine’s broken, but in
lieu of sodas we’re giving out free apple juice and would you like small, medium or
large?” And they’d always say large, right, ’cause it’s free and then we had a recording
of what sounded like urinating in a cup. [applause and laughter from the audience]>>Kevin Mitnick: “Would you please drive forward,
sir?” You know and of course the one time it got too much for the guy, the manager at
McDonald’s, and he comes, he’s out of the store, he’s walking around the parking lot
looking to every car, to see who the culprit is. He sees nothing, ’cause we’re way across
the street. And we’re kind of laughing, we’re sitting there laughing. And then he, he walks
up to the drive-up window speaker and he places his head in the speaker like he’s gonna see
something. Of course I couldn’t resist, I press down the microphone, “What the fuck
you looking at?” [laughter]>>Kevin Mitnick: And this guy, he flew back
like 25 feet, right? So that’s actually my favorite hack, is McDonald’s, so.>>Eran Feigenbaum: But earlier on, right,
you got caught even for, for some of those hacks, right?>>Kevin Mitnick: Not for McDonald’s, I got,
I got, my first time really in trouble was we went dumpster diving at a Pacific Bell
building and then we, I decided to see if we could social engineer our way inside because
we were very interested in the system at the phone company called Cosmos. And our objective
there was just to go in there and like look at the manuals, try to see if we can get a
few passwords. But we went a little overboard. We decided we’re gonna take some manuals out,
copy them, and return them, but since it was so late at night>>Eran Feigenbaum: Return them to the dumpster?>>Kevin Mitnick: No, we actually got into
the building and that’s what I got in trouble, you know, obviously, you know. And we tried
to return them, but then we were afraid to go back, so ended up getting into hot water
for that.>>Eran Feigenbaum: What kind of hot water
did you get into?>>Kevin Mitnick: Oh, well, like arrested.
[laughing] Actually because somebody told on, one of the friends of a friend told on
us and ended up, it’s all in Ghost in the Wires. It was like, I mean I remember when
the police pulled me over, I was working at, in the San Fernando Valley, is one of the
District Attorney actually showed up. And actually he’s kind of a friend of mine now,
Stephen Cooley, he’s now the District Attorney in Los Angeles County and he’s yelling to
the guys, “Search the car for a logic bomb, search the car for a logic bomb.” Because
he thought it was like an explos-, an IE, you know an explosive device, when they didn’t
know it was a piece of code. So that was kind of like ok. [laughter]>>Kevin Mitnick: [laughing] So what.>>Eran Feigenbaum: But other than the final
big arrest, you, you’ve had several run ins with the law.>>Kevin Mitnick: Unfortunately, yes. I mean
I was so, I was so passionate with hacking it came to be like a somewhat of an obsession
for me. And it wasn’t about stealing money or causing damage or writing viruses or worms,
it was really about the, the thrill of getting in and this thrill was you know overpowering
my, my common sense. And I ended up getting into, into some trouble like, and then, then
I started playing cat and mouse with the government. And at one point I, I knew that the federal
government was investigating me, so what I did is I hacked into the cellular phone company
at the time because back in those times you had wire line and wireless and I found the
cell phones that belonged to the FBI agents that were like watching me, so I decided I
would watch them. So I had real time access to the CDRs to the call detail records so
I can kind of see who they’re calling, who’s calling them, where they physically were.
And then at one point I, I had this device that could monitor the cell site in my local
area and it would monitor the data channel. And this was on AMPS, this is not an AMPS,
this is not GSM, this is the AMP system. And anytime you pass into a cell site, your phone
registers. Anytime you get a call it does a page and this is on the old AMP system.
So I had all these FBI cell phone numbers and I put ’em into my computer. Ok, so you
had a scanner that’s listening to the control channel, interfaced into this special box
to a piece of software, so I can simply program in the list of phone numbers and if those
phone numbers ever register in that cell site, it alerts me. So one morning I go to work.
I was working as a private investigator. I go into work. I put–>>Eran Feigenbaum: Do
we see the irony there? [laughter]>>Kevin Mitnick: So I go into work, I put
in the code to disable the alarm to the office and I still hear this beeping sound and I
hear beep, beep, beep. And I started walking in the hall towards my office and it’s getting
louder. And I go what the hell’s going on? Did somebody bug my office? And I’m going
to the, and then I finally go up to the computer and it’s actually the alarm, my FBI alarm,
that there was an agent in the area, so I, I realized it was like the main guy that was
like hunting for me and I realized that he actually called a pay phone across the street
from the apartment I was at. Now I slept home, I was there at the time, so I knew, well,
they didn’t come to arrest me, did they come to follow me? And then I thought, oh, maybe
they came to search. So, you know, of course I cleaned up my apartment and ’cause I didn’t
want to leave anything there they’d be interested in and then the next day I thought to go to
Winchell’s Donuts. So I got a big box of donuts and I wrote “FBI Donuts” on it and put it
in the refrigerator with a note [laughter]>>Kevin Mitnick: with a note on the refrigerator
that I had donuts for them. So the next day they actually came and searched and they were
pretty unhappy. [laughter]>>Eran Feigenbaum: Did they take any donuts?>>Kevin Mitnick: They didn’t eat any donuts
though. I don’t know why. Maybe they thought I poisoned them or something. So as a kid
I just did these like you know crazy things, you know. I was mostly interested in hacking
telephone systems, really as a trophy. So I’d like try to compromise switches in all
these different areas just to see if I could do it. It wasn’t really and to pull pranks.
And then, then I started moving on, I wanted to learn about how to become a better hacker,
so I would get access to source code, like VMS source code, you know, that DEC had developed,
so that I could analyze it for security vulnerabilities, so I could find holes that would make me more
adept at compromising those systems. So it was more like hacking into the companies,
get the source code, leverage the information to become a better hacker. Yeah.>>Eran Feigenbaum: But in reading the book,
earlier on you also took interest in creating false identities, almost like you knew what
was coming on.>>Kevin Mitnick: Well not really, this is
when I was 11 years old. I always liked to know things that you shouldn’t know. And there
was this book>>Eran Feigenbaum: Keep an eye on him.>>Kevin Mitnick: Yeah. There was this bookstore
in Los Angeles called the Survival Bookstore and they had books on lock picking, on creating
new identities, I mean just all the secret underground stuff and then they actually sold
lock pick sets. And I remember you had to be 18 years or older to buy a lock pick set,
so one of the books that I bought at the Survival Bookstore showed where you could mail away
and get a false I.D. that said you’re 18. I’m 12. So I get a false I.D. that I’m 18.
I go to the lady at the same store and I go, “Oh, I’m 18.” She looks at it. She laughs.
She goes, “Ok, Kevin.” [laughing] [laughter]>>Kevin Mitnick: Guess who got a lock pick
set? But, so I learned like at a very young age of how the system works and the holes
in it. There’s this book called The Paper Trip by a guy named Barry Reed that described
how to create new identity in America and disappear. So I, I, but I never expected I’d
have to use it later. I just wanted to know how.>>Eran Feigenbaum: So when, when did you start
using that knowledge?>>Kevin Mitnick: Oh, when I, in about 1992,
right after the FBI donuts thing. [laughing]>>Eran Feigenbaum: And one of the first identities
that you picked was Erik Weisz.>>Kevin Mitnick: Yes, Erik Weisz because my,
you know, my idol at the time was a man named Harry Houdini and his real name was Erik Weisz,
so at the time I was living in Denver, Colorado, and I had to get a job, you know, because
I was running from the government at the time and I had to get a job and I needed a legitimate
identity, so I chose Erik Weisz. And I found out later, you know I had a sense of humor,
but much later I found out the FBI had no sense of humor. So this is when I did like
one of the, you know one of the attacks that I discussed in the book was on Motorola. And
I [laughter]>>Kevin Mitnick: And I forgot to bring something,
I just remembered, I wish I could’ve shown you the brochure for this thing called the
Microtek Ultralight. And this thing was like the iPhone of today. This device, I don’t
know if you remember, these like Star Trek type flip phone cell phones and as a hacker
I wanted to understand how it worked. I wanted to know, you know, the internal protocols,
how the, you know, the firmware was put together, so I made a very stupid and regrettable decision,
I decided to go after the source code for the handset. So one afternoon I left the office
early in Denver. I called the toll-free number, you know for 800 directory assistance. And
I asked for Motorola. And I was given the number. And I called the number and got a
receptionist and I said, “Hey, I’m looking for the project manager of the Microtek Ultralight
project.” And a nice lady told me that all the cellular development was handled out of
Schaumburg, Illinois. So she goes, “Would you like that number?” And I go, “Certainly.”
She gave me that number. I called the Schaumburg receptionist and I tell her I’m looking for
the project manager of the Microtek Ultralight project and I’m transferred around two, three,
four, about eight times, I’m talking to different people, and then I end up talking to the vice
president of all of research and development for Motorola cell phones, all their mobility.
And I say, “Hey, I’m looking for the project manager of the Microtek project. This is Rick
over in Arlington Heights”, because during the last eight calls I found out they actually
had an Arlington Heights facility. And he goes, sure. He gave me her phone number and
says, “Well, can I help you with anything?” I said, “No, no, no, no, I’ll just talk to
Pam.” Because Pam was the lady that was the project manager. So I called Pam and I don’t
get her, I get her voice mail outgoing greeting saying she just left on a two-week vacation,
the date she was returning and she said on her voice mail, “If you need any help with
anything whatsoever, please call Alicia on extension blah, blah, blah.” Who’s my next
call to, right? I call Alicia. I go, “Hey, Alicia, this is Rick over in Arlington Heights,
I’m looking.” I go, “Wait a second. Did Pam leave on vacation yet? Because when I spoke
to her you know last week she said she might be going on vacation. Oh she has? Well before
she left she promised to send me the source code to the Microtek Ultralight.” [laughter]>>Kevin Mitnick: And I was walking, now imagine
I’m already walking home, I live a 20 minute, I live 20 minutes away by walking from the
law firm and it was snowing that day. So as I’m walking through traffic I’m trying to
press the cell phone really tight to my ear so you can’t hear all the traffic ’cause I
never expected this to work because it’s all extemporaneous. And, and then, and then Alicia
goes, “Well, Rick, what version do you want?” [laughter]>>Kevin Mitnick: And I didn’t even know the
version numbers because then again this was all off the cuff and I just go, “How about
the latest and the greatest?” So she’s fishing around on the computer, I could hear her typing.
I’m trying to walk out of traffic on to side streets and she goes, “Rick, I found, I found
the latest source code release, it’s dock two, but there’s a problem.” I go, “What’s
the problem?” She goes, “Well there’s lots of directories and there’s you know tons of
files in each directory.” And I go, “Do you know how to use tar and gzip?” [laughter and applause]>>Kevin Mitnick: And she goes, and she goes,
“No, I don’t.” I said, “Would you like to learn?” [laughter]>>Kevin Mitnick: And she said, “Yes.” [laughter]>>Kevin Mitnick: So I became her instructor
for the day and I taught her how to use tar and gzip and at the end of the lesson there
was a three megabyte file, the source code I wanted to look at. So of course my next
question was, “Do you know what FTP is?” [laughter]>>Kevin Mitnick: And she goes, “File Transfer
Program.” And I go, “Yes, exactly.” And then as I’m walking, I go, ’cause I didn’t prepare
for this is I couldn’t give her, oh, my host name is [email protected] you know, right? [laughter]>>Kevin Mitnick: So I actually had to remember,
I remembered an IP address to a server that I had a bunch of accounts on and I gave her
the IP address. She tries connecting two, three, four, five times, times out each time.
Then she goes, “Rick?” I go, “Yeah?” She goes, “I need to talk to my security manager about
what you’re asking me to do.” I go, “No, no, no” because she’s already putting me on hold,
’cause that’s the last person, I didn’t want her to talk to someone like Eran. That’d be
bad. [laughter]>>Kevin Mitnick: So I’m walking, I’m walking
and the time is like the seconds feel like minutes and I’m really nervous, they’re gonna
like record my call. And so I was very careful when she you know was gonna return to the
line. I was gonna, I was going to be not saying words, you know, I was just gonna be try to
feel it out. So about five minutes later she comes back on the line and she goes, “Rick?”
“Uh huh?” “I, I talked to my security manager about what you want me to do.” I go, “Uh huh.”
“That IP address you gave me is outside of Motorola’s campus.” “Uh huh.” You know, notice
I’m not talking. She goes, “And we need to use a special proxy server to send these files.” [laughter and applause]>>Kevin Mitnick: “And I don’t have an account
on the proxy server. But my security manager was kind enough to give me his personal user
name and password.” [laughter]>>Kevin Mitnick: “to send you the file.” So
within 15-20 minutes I have a source code to the Microtek Ultralight. All I really did
was look at it, ’cause I was you know curious how it worked. What I really wanted to do
at the time, since the government was chasing me, I wanted to create invisibility. So if
I had the firmware I could actually modify it because how AMPS worked that day is you
can control the registration and the paging processes and I wanted to have better control
so I couldn’t easily be tracked. But you know like a company like you know Motorola had
you know all the best technology money can buy and it, and it was an extemporaneous attack
that actually worked. I was really surprised, you know.>>Eran Feigenbaum: So let’s fast forward to
actually getting caught.>>Kevin Mitnick: Oh.>>Eran Feigenbaum: [laughing]>>Kevin Mitnick: Ok. [laughter]>>Eran Feigenbaum: What was ultimately the
demise that got you caught?>>Kevin Mitnick: Well, actually there was
a guy, Tsutomu Shimomura, that became involved because his, his server was hacked. And this
guy, this guy is kind of an arrogant security expert, if you Google him you’ll find out
who he was and we wanted to like to take him a couple notches down, it was more of that
type of thing. And then he went on a vigilante mission. And he, he and the FBI actually teamed
up to capture me. And they ended up, you know, in the long run they ended up actually going
out with the radio direction finding gear and tracing the cellular signal to determine
my whereabouts, because I was in a fixed location in Raleigh, North Carolina, because I just
moved there and I underestimated the amount of time that the government would work, because
ordinarily they are quite slow. And, and they were able to trace the rad-, the signal and
then I get a–, and then I was just–, they were able to trace a signal and then the night
this happened, I actually was out. I was actually going to work out at the gym that night. And
I got, I arrived home late, around I don’t know about, I went, then I went to go eat
dinner. I arrived home around 11:30 that night, something like that, 11:30 or 12:00, and by
that time the FBI has this whole apartment building under surveillance because they believed
the signal was on the other side of the complex in North Carolina. So I just parked my car,
I have no idea that it’s all full of Feds. I go up to my apartment and the story is in
the book, there’s a lot more to this, but I’m just trying to get to the, cut to the
chase. And then I just had a gut feeling that something was wrong. I just had this sense,
nagging gut feeling, so I opened the door around one in the morning and I peered out
into the parking lot and I just go, “I must be being paranoid.” And I shut the door. That,
me opening the door and looking out was how they actually found me. ‘Cause they couldn’t
track the signal because the signals were bouncing. And then I get a knock on the door
and it’s 1:30, and to me, I keep hacker’s hours, I stay up late and I sleep late. And
I guess just my reaction was, “Who is it?” And it was “FBI, open up.” And I go, “Who
are you looking for?” They go, “Are you Kevin Mitnick?” I go, “No, go check the mailboxes
downstairs, because you have the wrong apartment. And they left for about ten minutes. [laughter]>>Kevin Mitnick: And at that time, in that
ten minutes I’m looking for, I’m on the second story, I’m looking for a rope to go down the
other side of my patio to get the hell out of there. And I, and I, there was nothing,
you know, I didn’t prepare, so I didn’t have a rope and I wasn’t gonna tie bed sheets together
because I didn’t want to you know get shot on the way down. So they, they knocked again
and I was already on the phone with my family and with an attorney. And they’re knocking
and I go, you know, they go, “Are you Kevin Mitnick?” “I already told you I’m not. It’s
1:30 in the morning, you have the wrong apartment.” You know, and then I finally, he goes, “Well
open up, we wanna talk to you.” I crack the door, all these agents pour in, they start
searching and they ask me for a driver’s license, I go, “Here I am” because I had, had, I was
under a new name. And, and they started searching and I’m asking where their search warrant
is and they’re just ignoring me and eventually it gets to the point, you know this is going
on for a long time, they’re searching my apartment, they really didn’t find much. And they finally
were asking again, “Are you Kevin Mitnick?” And I said, “No, I just showed you my driver’s
license, I’m not this guy Mitnick.” And then they handed me a wanted poster of myself and
said, “Doesn’t that look like you?” [laughter]>>Kevin Mitnick: So I take the wanted poster
and I’m looking at it. I study it, and I’m thinking to myself, “Could I really get out
of this?” Right? And I’m looking at it and I finally, I finally go, “No, that doesn’t
look anything like me” and I hand it back. [laughter and applause]>>Kevin Mitnick: So eventually this, this
thing is going on for awhile. One of these agents opens a briefcase on my desk, you know,
unlocks a briefcase, and he’s about to go through it and I had some very important papers
in there, like blank birth certificates I didn’t want him to find. I figured that’d
be suspicious. [laughter]>>Kevin Mitnick: So I, I, I went over to the
table because I wasn’t under arrest. And I said, “Hey!” And he looks up. I slammed the
briefcase down and I lock it and he goes, and his face turned red of course and he took
the briefcase to the kitchen because he was gonna use a carving knife to actually open
it up. And then the other agent stopped him because it’d be illegal search, right, to
open up a container. So then finally the FBI went to go get a search warrant and, and then
during that process they found a wallet and then they found a paystub in the name of Kevin
Mitnick because I had a ski jacket that I had a paystub from like 1980 something that
I inadvertently left in there. And then they finally arrested me. So it was like this whole
three and a half hour ordeal and I was trying to get out of, and at one point before they
found it they said, “Well, you know what, we’re not sure if you’re Mitnick or not, so
we’re gonna take you down to the FBI and fingerprint you and then we’re gonna compare the fingerprint
records to rule out that you’re, you know to rule out that you’re Mitnick. I said, “Why
didn’t you think of that before? We could’ve saved all this time. In fact, tell me what
time you want me to show up at your office tomorrow and you can fingerprint me.” [laughter]>>Kevin Mitnick: I tried my best. It didn’t
work. But the craziest thing is I think is the time that when I was in court and they
had told the judge that not only do they have to detain me, but because I’m a national security
threat that they actually have to keep me away from the phone. And the reason they had
to keep me away from the phone is I could pick up the phone and I could whistle the
launch codes to start a nuclear war. So. [laughter]>>Kevin Mitnick: I’m serious. So I actually
laughed in court, right? Because, because I figured the prosecutor’s gonna lose all
credibility with the judge. Unfortunately the judge bought it and I ended up, you know,
in solitary confinement for eight and a half years. So during this time in solitary confinement
I perfected how I could whistle the launch codes and I want to share that with all of
you today. [laughter]>>Kevin Mitnick: Ok? I, I, I, you know now
I need a phone because if I’m gonna connect to NORAD I need some connectivity, so I’m
gonna connect to the phone here. So give me a second, and what we’re gonna do here now,
you might have to take cover, [Mission Impossible whistling sound] [laughter] [sirens] [laughter] [sirens continue]>>Kevin Mitnick: I’m sorry, New York’s gone.
But I mean the timing was wrong in that, but I thought that would be funny, but. [laughter]>>Kevin Mitnick: Yeah, so, back then when
I was involved in hacking I mean it was all mysterious. The internet wasn’t really so
popular it is today. You know, they looked at you like as a dark, like as a witch, like
a dark you know magician or warlock and they had such fear that they would actually that
people actually believed you could whistle the launch codes. So.>>Eran Feigenbaum: That wasn’t the only myth
that was made about you, right? I mean you have several.>>Kevin Mitnick: Oh, yeah. I mean there’s
just so many, I mean. [chuckles] Oh yeah, that I you know hacked into NORAD and nearly
started world war III, that actually was stated as fact in the New York Times, and that was
actually from a movie called War Games in 1983. [laughter]>>Kevin Mitnick: Yeah. But I was under this
severe, you know I was, I was in high security in federal prison during this you know, when
I was detained and I was in what they call “the hole.” And this was a solitary confinement,
so if you are like the Mexican mafia, if you’re, you know, Al Capone, if you’re kill a prison
guard, they put you in this place that you’re just under 23/24 hour lockdown. And I had
a special phone restriction that I was only allowed to call like five people, my mom,
my grandmother, my aunt, my attorney. And so I figured, you know, I’m kind of at the
bottom of the bucket here in solitary confinement in a federal detention center, but you know
that didn’t stop me from phone hacking. [laughter]>>Kevin Mitnick: Not at all.>>Eran Feigenbaum: So you were hacking from
prison?>>Kevin Mitnick: Hacking from prison. Let
me tell you how, is [laughter]>>Kevin Mitnick: Is whenever I had to make
a phone call, they would actually shackle my arms, shackle my legs, they’d walk me like
30 feet to this room that had a bank of pay phones and the guard would look at you know
the numbers I can call. He’d say, “Which number do you want, Mitnick?” And he would dial zero
plus the number to get, ’cause it was a collect call obviously. And he’d place his chair four
feet away from the payphones. So he’d just sit there and his eyes would never move from
what I’m doing. And I’d, and the handset cord on the payphone was a little bit longer than
it is like on the street, I guess they’re longer in federal prison, who knows. So I’d
walk back and forth when I was talking and I would constantly be scratching my back,
you know, switching phone, just getting him used to this behavior, scratching my back,
and actually rub my back against the payphone. And then I figured when I ended the call,
I acted like I was still talking to the person that he dialed and I just, you know, keep
talking and I’d be rubbing my back and then behind my back I would just hang up, you know,
hang you know push down the switch hook. And then I’d move my hand to the front because
I knew that I had 18 seconds before the phone went into reorder, meaning beep, beep, beep,
beep, so I had 18 seconds to do this. So I’d just continue to scratch and then I’d put
my hand behind again and dial zero plus the number I wanted, ’cause I was able to dial
the touch tone behind my back, touch tone pad, I was able to dial the phone number behind
my back. And then I’d have to continue in the conversation because I knew within a,
you know, 30 seconds the operator was gonna come on the phone, you know come on the line
and ask who the collect call was from, so I’d have to say, “Well, you know, tell Uncle
Harry that Kevin says hi.” And when I said Kevin that’s when the operator was asking
who the collect call was from. So this is how I was able to call anyone I wanted, you
know, even though the guard, even though I was in plain site of this you know this officer. [laughter]>>Kevin Mitnick: And this was working for
like three weeks. [laughter]>>Kevin Mitnick: And then early one morning
my door opens and it was like the executives of the prison, they put me in handcuffs, they
take me to this like attorney-client visiting room and they sit me down and the captain
of the prison goes, “Mitnick! How you doing it? How’re you redialing the phone?” [laughter]>>Kevin Mitnick: I go, “What are you talking
about?” [laughter]>>Kevin Mitnick: “Our officer is watching
every move you make and somehow you’re redialing the phone.” [laughter]>>Kevin Mitnick: I said, “Hey, guys, I’m not
David Copperfield.” [laughter]>>Kevin Mitnick: ‘Cause I wasn’t gonna admit
to anything. Then they say, “Well, we’re monitoring everything you do downstairs.” Which I knew
they were. And I just said, “Maybe there’s a failure in your monitoring system.” You
know, ’cause I still, you know, I’m not gonna admit anything because then they could use
it against you. So, so a couple days later I hear some commotion outside the door and
I peek out and it’s Pacific Bell and they’re installing a phone jack across the corridor
from where my, where my room was. And I’m thinking, are these guys actually gonna install
a phone in my room and then try to restrict who I can call? That’s gonna be fun, you know.
And I found out what happened afterwards. They actually, the next time I had to make
a call, the guard brings a phone, he plugs it in, he dials the number I want, then he
puts the hand cord through this like trap door in the door. So I only have the handset,
I can’t touch the touch tone pad, it’s beyond the locked door. And then I’m having a flashback
to Hannibal Lecter in Silence of the Lambs. [laughter]>>Kevin Mitnick: So that was crazy. They were
so embarrassed by this they never told the court, so the court never found out that I
was calling anybody that I wanted to, ’cause they would look like fools, so. [laughter]>>Eran Feigenbaum: Let’s talk a little bit
about, you know, finally getting out, the Free Kevin Movement.>>Kevin Mitnick: Oh, yeah, well, I mean a
lot of stuff was happening in my case, like I was detained for four and a half years without
trial and I, you know, and a lot of civil liberties issues so then 2600 Magazine actually
started this Free Kevin Movement to kind of you know like why is this guy denied the ability
to help his lawyer look at the evidence? Why has he been held for so many years, you know,
in custody without a trial? So they started this whole Free Kevin Movement and it was,
and, and I, I couldn’t believe this one day I was in my room in, in detention and I looked
out this like, they have this slitted window, and I look out and I heard they were having
Free Kevin protests that day and I look and I see an airplane flying, like a puddle jumper,
and it was pulling a Free Kevin banner on an airplane and I could see this from my prison
cell. So it was like kind of like, wow!, you know, like I never expected this. And anyway,
they were trying to get the word out to, it wasn’t like the Free Kevin Movement was saying
hey, this guy shouldn’t be punished for his hacking, but it was more like you know why
is he held for, detained for so long, you know why, why is the judge not allowing his
lawyers to look at the evidence? So it was kind of to get the word out. And they did
a good job of it, you know. And ultimately did it help my case? No. ‘Cause the government
doesn’t care, really about, you know, protests, but eventually I made a deal with the government
after, well the reason I made the deal is I found this case. Since I was hacking for
more curiosity, I wanted to look at source code to become a better hacker. It wasn’t
about selling the source code, it wasn’t about, you know, doing anything with it but using
it to leverage it to hack in. And I found this case called Rich, this case, this IRS
agent called Richard, his name is Richard Sabinsky and he was doing the same thing.
He was working for the IRS but actually looking up people’s tax returns because he was curious.
You know he wanted to know how much money they made and all this sort of thing. And
he was prosecuted for the same charge, you know crimes that I was. And he actually appealed
his case, and this was a federal case, saying well he did it out of curiosity. He didn’t
sell the information, he didn’t disclose it to anybody, it was a case of curiosity. And
the, and the federal appellate court said, well if it’s, if you didn’t use or disclose
the information, it’s not a federal crime. So I actually wanted to go to trial, say hey,
I did all this hacking, you’re right, you know I admit everything, but I did it for
this purpose, you know, it was more my curiosity and learning, it wasn’t about using or disclosing
it for monetary gain. And my lawyer told me that the federal prosecutor at the time said,
told him, warned him, that if your client doesn’t take a deal, we’re just gonna, we’re
gonna try him here, let’s say we, we lose, we’re just gonna move him to this jurisdiction
and try him there. We don’t care if we win or lose, because we’ll keep your client in
custody so long that it won’t matter anyway.>>Eran Feigenbaum: ‘Cause you hacked in many
jurisdictions?>>Kevin Mitnick: Right, well, when you’re
doing, you know when you’re hacking over dial up, I mean this was dial up in these days
over the internet, you’re going through so many jurisdictions, they could just put you
on the bus for this ever ending, you know, series of trials, so I just figured, hey,
you know I, I wanted to settle it on the best terms possible and one big negotiating point
is they didn’t want me to tell my story for life. In fact another hacker named Kevin Poulsen
recently wrote a great book called Kingpin, he’s a editorial, I think he’s the editorial
director of and his deal is he can’t write his story for life, right? And so, we,
my attorney negotiated and it was a seven years. For seven years I was pretty much blacked
out from being able to tell my story and that expired in 2007, then I teamed up with this
awesome co-author, his name is Bill Simon, and he’s actually here today in this audience
with his girlfriend. He’s right over here. Bill, why don’t you come up here and say hi
to everybody? [applause]>>Kevin Mitnick: Ok. He doesn’t want to do,
he doesn’t want to, he doesn’t want to come up to stage, but this book would have not
been possible without Bill. I mean Bill put up with my hacker’s hours for two years. I
mean Bill’s the type of guy that rises at 6:00, has breakfast at 7:00 and he’s hard
at work at 8:00. I’m going to bed at 8:00. [laughing] So, so, but we finally got it done
and I, I thank Bill because without him the book Ghost in the Wires would not be here
for all of you to read, and so thank you Bill. I appreciate your hard work. [applause]>>Eran Feigenbaum: Not only not being able
to tell your story for seven years, you also had some other restrictions as part of your
release.>>Kevin Mitnick: Oh yeah, I couldn’t, I couldn’t
touch a transistor. Anything with a transistor in it was restricted. I, the federal government
was so, I don’t know if they were scared or if they were trying to punish me or what the
reason was, but anything with electronics I wasn’t allowed to touch without their permission.
So even to use a fax machine. And then after two years, it was really interesting because
I was commissioned to write Art of Deception, again with Bill, which was my first book on
social engineering. And what had happened is I called the probation department, saying,
hey, I was researching word processors that have no way to connect to a modem, no way
to connect to the internet, just like stand alone and I spent like a couple weeks researching
the stuff and then I presented the case to the probation department, hey, I could use
this word processor so I could, you know, work on this book with my co-author, and my,
and the probation officer said, “Hey, you know Kevin, we’re gonna let you get a laptop.”
“What?” Yeah, they’re gonna let me get a lap, they, they allowed me to get a laptop under
two conditions. One, is I don’t tell the media. That was the biggest condition. Two, is I
don’t connect to the internet. So then I was able finally to write you know Art of Deception
with Bill. I mean there are just so many stories to tell I don’t know where you, I mean there
just, it’s just crazy, so.>>Eran Feigenbaum: One last one and then>>Kevin Mitnick: Ok.>>Eran Feigenbaum: we’ll open up to questions.
Through the book it it’s pretty obvious that you have an addiction to hacking.>>Kevin Mitnick: I would call it an extreme
passion. [laughter]>>Kevin Mitnick: [laughing] I mean, that’s
what drove me. I mean I remember when I was in my younger years when I, this is how I
guess passionate I was is when I was young my parents couldn’t afford a computer. Oh
and let me remind you how I started off on this path is when I went to my first programming
assignment in high school was to write a Fortran program to find the first 100 Fibonacci numbers.
And I thought that was a boring assignment. So I thought it would be cooler to write a
program to steal everyone’s password. [laughter]>>Kevin Mitnick: Just for the fun of it. And
what we had at school was an Olivetti 110 baud terminals, acoustic coupler modems and
we had a PDP 11, I think it was like an 11/34 running RISC to CED , in downtown Los Angeles.
So all the students used VT100 terminals to connect to the school’s computer. So I wrote
a program that would be a log-in simulator, kind of like a fishing tool, so people would
think they were logged out, they would type in “Hello”, we’d ask them to put in their
user name and password, it would log them in. This was my first program. The first one
that I ever wrote. It wasn’t Hello World, it was I’m Gonna Steal Your Password. [laughter and applause]>>Kevin Mitnick: So I worked really hard on
it because I had to like do sys calls, interact with the operating system, it wasn’t as easy
as finding the first 100 Fibonacci numbers and, and because I spent so much time on this
assignment, I wasn’t able to finish or even do, start the Fibonacci assignment, so it
was due. So when the teacher goes, “Kevin, where’s you assignment? I let you into class.
I waived your prerequisite, and you’re not, you’re not even, you know, holding your weight
here.” I said, “Well, I was busy working on this other program, let me show you how it
works.” [laughter]>>Kevin Mitnick: So I showed him the program
of stealing passwords. And he goes, “That’s awesome.” [laughter]>>Kevin Mitnick: And he gave, and he gave
me an A. [laughter]>>Kevin Mitnick: [laughing] That’s awesome.
He actually showed it to everyone else in class. “Look what Kevin did.” And like all
these atta boys so the ethics taught when I was in high school [laughter]>>Kevin Mitnick: that hacking is cool. And
it wasn’t even illegal. It was 1979, they didn’t have the first computer crime law until
1984. So I started in an era where it was encouraged to do this stuff because it was
like no harm, no foul, you know. I wasn’t stealing passwords ’cause I wanted to get
in their accounts, it was more like just for doing it. So it was kind of like a cool thing.
The teacher liked it, you know, so. [laughter]>>Eran Feigenbaum: So do you still have this
deep passion today?>>Kevin Mitnick: I hack every day. But I do,
there’s only one difference. I have authorization. So companies that hire me to break into their
systems give me a jail, get out of jail free card and as long as I have that card in my
pocket I feel really comfortable and I still get to do the same thing I was doing 20 years
ago today. And all, and the techniques still work, like social engineering. I mean the
technical exploits change, you know as we build more complex systems it creates more
vulnerabilities as you know, so we, you have the technical side, which you know now you
could download Metasploit you have commercial products like Canvas and Core. Metasploit
is awesome if you’re into, I don’t know how many of you know Metasploit here in the audience,
but these tools weren’t available when I was hacking. It was like you had to do it on your
own. There was, there was, you know there was no you know frameworks, not where you
can go and Google, you know Google didn’t exist by the way. I couldn’t, I couldn’t Google
you know exploits, you know it was all on your own and today, I mean, what kids can
do, which I didn’t have this option, was you know, they could, you know, have, you know,
open source Linux boxes, you know, for, you know, next to nothing. They could get access
to frameworks like Metasploit, so they could experiment and have fun hacking you know legitimately,
and I didn’t have this option when I was a kid, it just didn’t exist. So what I chose
to do was go to universities, all the Cal state universities in Los Angeles and I would,
until I wore out my welcome, right, and all the Radio Shacks in Los Angeles, yeah.>>Eran Feigenbaum: Great. Let’s, we have a
couple of microphones if you could just raise your hand a microphone will come to you. [pause]>>male #1: I had [inaudible] [laughter]>>Kevin Mitnick: Somebody hacked your mic.>>male #1: I don’t need a mic, I’m loud enough.
I had a free [inaudible]>>Kevin Mitnick: [laughing]>>male #1: So did you ever use the name Nussbaum?>>Kevin Mitnick: No. That was a myth.>>male #1: Because a friend of mine got arrested
at [inaudible]>>Kevin Mitnick: Yeah, I heard about that.
They thought he was me and they arrested him when I was a fugitive, unfortunately, and
then I guess they thought I was using his name, I never used it. The names I used was
Erik Weisz, Brian Merrill, they’re all in my book, the names I used. It was a handful,
but never his name, never even talked, I never even knew the guy. So that again was another
myth.>>male #1: [inaudible] [laughter]>>Kevin Mitnick: Tell him, tell him it wasn’t
me.>>male #1: That’s why I asked.>>Kevin Mitnick: Yeah, they also arrested
another guy who they thought was the informant on my case, a guy named Eric Hienz, his real
name is Justin Petersen and, and they actually were almost gonna arrest I think Robert Steele,
who was an ex-CIA agent who does a lot of talks at conferences. The agents actually
asked him to pick up his pants on one leg because the real Justin had a you know had
a prosthetic leg. And they were almost gonna arrest him. ‘Cause they’re just going crazy.
They wanted to arrest somebody, but they kept getting the wrong people. [pause] Any other
questions? Yes? [pause]>>male #2: With the, is it on?>>Kevin Mitnick: No.>>male #2: Alright. [pause]>>male #1: Just speak loud.>>unknown: Right.>>male #2: With everybody getting so connected,
I mean that’s kind of what we do here, making sure that everybody’s connected, that everything’s
accessible to everybody as much as possible, is security intractable for regular people?
I mean I know that social engineering always worked and probably always will work, but
you can get so much further with it now because you can you know send out>>Kevin Mitnick: Spear fishing.>>male #2: Yeah. You can try and scam ten
million people at a clip. Is this an intractable problem that we’re just gonna be in this situation
forever?>>Kevin Mitnick: No, I don’t really know.
I mean the, I look at the solutions to social engineering as using technology whenever possible
to take the decision making out of the you know human actor’s, you know, hand so to speak.
And then training and ed-, you know a lot of training and education. A lot of the, you
know don’t forget the, the social engineering usually re, also relies on some technical
vulnerability like an older version of Adobe Acrobat, you know, that the person’s using,
so I mean by keeping the technology up to date I think you mitigate the social engineering
because if you look most of the attack vectors today are client side. So you’re looking to
exploit the browser, you’re looking to exploit Adobe Acrobat, Flash, Java, the Media Players,
the Instant Messaging tools, so I find that a lot of my clients, they’re not keeping that
stuff up to date and that’s how I’m able to exploit them. You know I just had a client,
a multimillion dollar client, and they were running like version I think 9.1 of Adobe.
And how I found, what I did was I used social networking to find, to create my target list
on LinkedIn and so, you know it’s easy, you could even use Google of course, but you know
you find, you try to look for network administrators and engineers and people that are likely have
domain admin rights and you target those people first, right? So I was able, so I found out
who this administrator works with at one of the companies that supports one of their IT
functions and e-mailed him a PDF that had an exploit in it. He opened it up and I was
able to get into his box. He had domain admin rights and the game was over. I mean it was
just that easy. If he had a, had an updated version of Adobe at the time, because the
problem was patched, you know, maybe the social engineering side would have worked, but it
wouldn’t have gotten me anywhere, right?>>Eran Feigenbaum: Switch your clients to
Chrome OS or Chrome? [laughter]>>Kevin Mitnick: I use Chrome. I shouldn’t
tell you this because now maybe I could be a target. [laughing] [laughter]>>Eran Feigenbaum: One last question. Let’s
give somebody a, oh, go ahead.>>male #3: So you mentioned writing a Hello
World program.>>Kevin Mitnick: Right.>>male #3: And you mentioned how your teacher
kind of encouraged you to, you know it was encouraged to, to hack and it was cool.>>Kevin Mitnick: Well, it was after I wrote
the first program because I didn’t tell the teacher what I was doing the first, during
the first, during that development.>>male #3: So I’m curious if you feel that
education for developers has changed in any regard. ‘Cause I still find that when we’re
trying to get people into computers and development, we still kind of go, “Look how easy this is!
Print Hello World. Great, you wrote your first program. It’s real easy.”>>Kevin Mitnick: Well>>male #3: We don’t build on a stronger foundation
of oh, well, here’s the building blocks and security.>>Kevin Mitnick: Well absolutely, I mean most,
most of the, most of the time we’re methodology, well, most of the time when we’re able to
get into a client’s infrastructure is easy by exploiting a web app, usually with something
like SQL injection. I mean it’s, I mean, and so if the developers of those applications,
you know, you know sanitize their input, we wouldn’t be able to get in you know at that
point, so I find that there’s a lot of low-hanging fruit out there. There’s lots of web applications,
interfacing web applications that are insecure and easy to exploit. I mean case in point
is you have like LulzSec right? They’re out exploiting everybody in the world, you know,
they’re doing some stupid attacks with DDoS attacks, but a lot of, all the other victims
are you know simple sequel injection. Look at Sony, they were hacked 12 times, and I
think like 10 of those hacks were SQL injection hacks, alright so the developers are obviously,
they either bought the code from somebody else, bought the application from a third
party who obviously didn’t have secured coding practices you know in their development cycle,
and, or they did it in house and it was a shoddy security and got, got hacked.>>male #3: So I guess the question is then,
why hasn’t education changed for developers or –>>Kevin Mitnick: Well they have it available,
it’s just the question of companies actually using it in the development cycle.>>male #3: Well companies and schools, right?
Why are –>>Kevin Mitnick: Oh, schools.>>male #4: Liability laws, Eric. The liabilities
are in the wrong place. I mean credit cards used to be if you. The thing that enabled,
the problem is that the liability laws are in the wrong place. When credit cards first
came out, there was a question of who gets, who has to pay for the fraud.>>Kevin Mitnick: Right.>>male #4: And the answer was the user has
to pay for the fraud and so users didn’t want it. And then when the law said the bank has
to pay for the fraud, there’s 50, you know the>>Kevin Mitnick: Right.>>male #4: both the user or it was either
the user or the merchant, but somebody you know if the user has to pay for the fraud,
the users don’t want it. So they say, well, let’s make the merchants pay for the fraud.
Then the merchants don’t want it. So they made the bank pay for the fraud. All of a
sudden the liability and the incentives are in the right place. And the banks fought against
it, they said, oh no, you can’t make us pay for the fraud, it’s not our fault, you know,
then and you know the law just said, well, pay for it anyway. Which then the banks said
oh, all right. At which point credit cards had this amazing round, you know, round of
growth. Because the banks said, ok, well we’ll cut down the fraud to a level that we are
willing to, that people are willing to pay for in the interest rate. And so it’s really
just liability.>>Kevin Mitnick: Right. I mean and I think
today it’s on the merchant actually, is the fraud. I mean unless you know Visa and MasterCard,
you know, if you go through secure code, they have, if you what is the product called, MasterCard
Secure Code and Visa Verified. If you go through those mechanisms then the bank takes the risk.
But I think today it’s the merchant still takes, still takes the risk on transactions,
right.>>Eran Feigenbaum: Hey, Kevin, I think we’re
gonna broadcast this, so maybe just parting thoughts>>Kevin Mitnick: Oh, yeah, we’re recorded.>>Eran Feigenbaum: It’s been inspiring hackers
or security researchers, for somebody that’s been there, done that, been behind bars.>>Kevin Mitnick: [laughing] I mean, I just
love what I do. I mean I, my primary reason for getting involved in the hacking was the
intellectual curiosity, the challenge and most importantly the learning. And I wanted
to learn everything that I possibly could and I still have those drivers today. When
I’m testing my client’s security, I still get that endorphin rush when I’m able to find
a security hole. So I really enjoy what I do, it’s almost like you know it’s almost
like not working, but I mean my recommendations is if you’re developing applications is you
do use secure coding practices so people like me can’t get in. You can make our pentests
harder. Yeah. And I, I, I guess unless you have any other questions I don’t know what
else to say.>>Eran Feigenbaum: Check out the book.>>Kevin Mitnick: Oh, yeah, book. Why am I
here? Ghost in the Wires, I mean you get a lot more detail about what had happened, why
I did it, how I did things, that’s in the book. Again it was a two year, a two-year
project. I told Bill what I wanted this book to be was like a catch me if you can thriller,
so we were able to take my, my story because of all the crazy stuff I did as a kid and
I thought we actually met the goal. And I’d love to hear your feedback. You’ll have my
e-mail address on my card. If you like the book, dislike it, find an error, let me know.
I definitely would appreciate it and I love Google. You guys are, you guys, Google is
my home page on my browser and I do use Google Chrome and I loved touring your campus in
Mountain View, it was awesome, it was like a little city. So I think you guys are working
for an awe-, a great company. So thank you for being here and I have business cards for
everybody. I didn’t run out, I just wanted to get, kill some time until Eran came and
was ready to interview, so.>>Eran Feigenbaum: Thank you.>>Kevin Mitnick: Thank you so much. Thank
you. [applause]

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top