Kevin Mitnick's first book, "The Art of Deception", was an eye-opener for me as well.
I guess I should read "Ghost in the Wire" too :)
I hadn't thought about those books in a while. If anything, "social engineering" should be WAY easier in the Facebook age - that's what should be keeping IT security people at night these days.
I highly recommend "Ghost in the Wire". It's pretty light on the technical details, but it's really entertaining if you're interested in the "Golden Age" of hacking.
I was amazed at how much more he leaned on his social engineering skills than his technical skills when he was in his prime.
Mr. Mitnick signed The Art of Deception for me in the early 2000s. I told him it was for a friend who at the time was 'interested in the dark side of computer security'.
It's a shame that hackers are so glamorized in the media... Hacking is actually pretty easy. Most hackers just use vulnerabilities which other people have discovered and they rarely innovate themselves.
Even discovering new vulnerabilities isn't that hard. Once you know a particular codebase well enough, it's pretty easy to find new vulnerabilities. The average programmer will likely identify and fix many such bugs/vulnerabilities each day as part of their regular job but they don't get the same recognition that hackers get.
Also, social engineering is hardly engineering - It is just another name for deception/trickery.
I fully support hacking where the intent is to improve a system but doing so with the intent of achieving personal fame and fortune is just wrong and the tech media should make more effort to distinguish between the two.
Demonization can be a form of glorification. Consider for example the following two paragraphs:
"He was slick, convincing several security guards he was a wayward contractor on his way to meet the department head. Thermal cameras in the server room defeated by a homemade polyester shield, it took only twenty minutes to extract BigCo's financial records. Having slipped in under the noses of corporate security like the most adept of rats, he skittered away in the anonymity of directions to the bathroom leaving no trace of his visit."
"The felon broke into the store through its back door window using a crowbar. They stole two empty registers and a safe, ransacking the building in their search for anything of value. Ramir was frustrated when he came in the next morning after, yet remains optimistic. "We may have been robbed, but we know that we're going to come out on top in the long run." The suspect is known from security footage to have fled the scene in a green pickup truck. If you have any information related to this crime..."
You get a very different picture of these two peoples competence just from the way they're depicted and the kind of crime they commit.
An easily-misinterpreted choice of words from the OP doesn't invalidate his point. I agree - hackers are definitely *made out to be more [powerful, capable, scary, etc.] than they actually are.
It might be easy in some case to mistake "sloppy" for "pioneering". It's harder to defend yourself and cover your tracks when you're one of the firsts to actually have been there and done that.
I think the notable thing about Mitnick was just this: he became notable. He put these activities on the radar of the law enforcement and of the media when they weren't all that much concerned about it.
I used to work at a large organization with annual security training requirements for all employees. It consisted of hours of ridiculous scenarios where the correct answer was always "don't open attachments from people you don't know and report anything suspicious to IT." I've often thought that requiring everyone to read "Ghost in the Wires" would be a much more effective way to show people how social engineering and phishing would actually work.
Even to this day one can obtain quite a lot of info from the person at the front desk in many companies. You are as secure as your weakest links...your users. I've seen clients both large and small fail to enforce policy.
Money is better spent educating users and enforcing policy than acquiring the most expensive equipment.
18 comments
[ 4.5 ms ] story [ 22.1 ms ] threadI guess I should read "Ghost in the Wire" too :)
I hadn't thought about those books in a while. If anything, "social engineering" should be WAY easier in the Facebook age - that's what should be keeping IT security people at night these days.
https://en.wikipedia.org/wiki/The_Art_of_Deception
If you want to have the other side of the story, then I would also recommend "Takedown" from John Markoff.
I was amazed at how much more he leaned on his social engineering skills than his technical skills when he was in his prime.
http://amzn.com/B006BBZHAK
Ghost in the Wires
http://amzn.com/B0047Y0F0K
He wrote: Don't do anything I wouldn't do.
Christ, what would that be? He didn't shy away from much.
Even discovering new vulnerabilities isn't that hard. Once you know a particular codebase well enough, it's pretty easy to find new vulnerabilities. The average programmer will likely identify and fix many such bugs/vulnerabilities each day as part of their regular job but they don't get the same recognition that hackers get.
Also, social engineering is hardly engineering - It is just another name for deception/trickery.
I fully support hacking where the intent is to improve a system but doing so with the intent of achieving personal fame and fortune is just wrong and the tech media should make more effort to distinguish between the two.
Hackers are vehemently demonized by the media; by no means is there any sort of glorification occurring.
"He was slick, convincing several security guards he was a wayward contractor on his way to meet the department head. Thermal cameras in the server room defeated by a homemade polyester shield, it took only twenty minutes to extract BigCo's financial records. Having slipped in under the noses of corporate security like the most adept of rats, he skittered away in the anonymity of directions to the bathroom leaving no trace of his visit."
"The felon broke into the store through its back door window using a crowbar. They stole two empty registers and a safe, ransacking the building in their search for anything of value. Ramir was frustrated when he came in the next morning after, yet remains optimistic. "We may have been robbed, but we know that we're going to come out on top in the long run." The suspect is known from security footage to have fled the scene in a green pickup truck. If you have any information related to this crime..."
You get a very different picture of these two peoples competence just from the way they're depicted and the kind of crime they commit.
I think the notable thing about Mitnick was just this: he became notable. He put these activities on the radar of the law enforcement and of the media when they weren't all that much concerned about it.
Money is better spent educating users and enforcing policy than acquiring the most expensive equipment.
Btw, The Art of Deception is a good read.
It can be found here: (https://soundcloud.com/michael_graf/kevin-mitnick-speech-201...)
I gave him my forged badge, and told him I really like the speech - he signed my book and spoke with me for around 10 min... Really nice guy