WASHINGTON (03/03/2000) - Reformed computer hacker Kevin Mitnick, donning a blue suit and tie but legally barred from carrying a cell phone or PalmPilot anywhere, told Congress Thursday that the U.S. government and private companies need to beef up security to prevent curiosity-seekers like him from breaking in.
During an exchange with the U.S. Senate Governmental Affairs Committee that was by turns comical and sad, the world's most infamous hacker explained to members of the same government that prosecuted him the means hackers use to infiltrate computer systems.
"Companies spend millions of dollars on firewalls and secure access devices, and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems," Mitnick testified.
Mitnick, 36, who walked out of a federal prison in California in January for the first time in nearly five years, boasted to senators that he was able to break into all but one computer system he targeted during a 20-year hacking spree. He detailed how he persuaded employees of companies such as Motorola to divulge passwords, source code and other sensitive information by trickery. He suggested that federal and corporate workers be trained to recognize such techniques, which he called "social engineering," often the first line of attack.
Mitnick, who pleaded guilty on March 16, 1999, to five counts of wire fraud and computer fraud, and was given credit for about four years served, said outside the hearing room Thursday that his probation orders are too restrictive. He complained that he's being used as an example because of press reports and popular books, such as Katie Hafner and John Markoff's "Cyberpunk," which made it seem he was taunting the FBI during a three-year manhunt that ended in 1995 with his arrest.
A court order now bars him from using computers or cellular telephones - "anything capable of accessing computer networks," he said in his testimony. He told reporters he is allowed to have a land-based telephone line, but doesn't know if he's legally allowed to use a bank's automatic teller machine or even the Stairmaster at the gym. He's also been barred from consulting to any individuals or groups engaged in "computer-related activity."
As a result of those restrictions, he said, he's unemployed right now.
Mitnick had been invited to testify and help the Senate panel figure out ways to keep the government's electronic networks safe from intruders. The Senate Governmental Affairs Committee is pondering passage of a bill to require government agencies to create anti-hacker programs, undergo yearly audits, and give the Office of Management and Budget the duty of information security oversight of federal agencies. Congress is considering a flurry of measures in the wake of recent high-profile denial of service attacks on some of the most high-profile e-commerce companies, such as Yahoo and eBay.
Mitnick said the legislation is "a good first step," but offered his own suggestions for keeping government computers secure, such as changing software if a manufacturer doesn't pay attention to security loopholes, and training employees to recognize signs of an attack.
In questioning Mitnick, committee member Sen. Joseph Lieberman (D-Conn.) probed at his motives. "My motivation was the quest for knowledge, the intellectual challenge, the thrill and in order to escape from reality," Mitnick said. He emphasized that he was never interested in profiting or doing any harm. In fact, Mitnick said that hacking was encouraged in the public school he attended. He once was assigned a project to design a login simulator that would convince a user to give up their password.
"I got an A, of course," he said.
Mitnick also pointed out that some computer pioneers got their start in hacking activities, such as Apple founders Steve Jobs and Steve Wozniak.
"There was a fork in the road that went in a different direction," Lieberman observed. "But you're still young. You still have time."