Tag Archives: hacking

Review of “Takedown” by Tsutomu Shimomura and John Markoff

Several weeks ago I read Ghost in the Wires, Kevin Mitnick’s autobiographical accounts of his hacking exploits, discovery by security researcher Tsutomu Shimomura, and reformation. Yesterday I finished Takedown, Tsutomu’s book about tracking down Mitnick.

Generally the accounts agree. The framing or emphasis, however, changes. So, for instance, Shimomura (who at the time worked at the San Diego Supercomputer Center) emphasizes his own personal skills and generally dismisses Mitnick as copying others or using trial-and-error techniques. Mitnick’s book actually agrees with this, where he is dismissive of the press’s wilder claims, and instead emphasizes the greatest tool he had was social engineering — that is, being a con-man.

This pattern — both books largely agreeing on facts, but differing in the interpretation of facts — even extends to Hollywood. Both Shimomura and Mitnick have mentioned Mitnick’s fascination with the 1992 Phil Alden Robinson film, Sneakers, starring Robert Redford, Dan Aykroyd, Ben Kingsley, River Phoenix, and Sidney Poitier.

Shimomura chalks this up to Mitnick’s fixation on Robert Redford. Mitnick, in a talk to my employer, described Sneakers as the most realistic movie about hacking ever filmed. After re-watching it, I agree. The protagonists of Sneakers are not especially amazing when it comes to technology. They are great at social engineering — being con men.

The whole topic of “social engineering” lets me talk about one of the most disorienting things about reading these two books. Kevin Mitnick was a social engineer — a con man — but one who did not seek to profit from his work. So he writes in a friendly (if manipulative) way that makes you sympathize with him. Shimomura, by contrast, is a jerk. The book is filled with criticisms of anyone who has helped him or any place that was good to him. Reading Takedown is an emotionally exhausting experience, while reading Ghost in the Wires approaches the experience of having a massage — you’re no longer observing the world quite as objectively, but that’s not the point.

To illustrate, here’s an example. Mitnick is an intelligent and well spoken individual. But pay attention to his use of words:

I had seen some of the security bugs that Shimmy [Tsutomu Shimomura] had reported to Sun and DEC and been impressed with his bug-finding skills. In time I would learn that he had shoulder-length straight black hair, a preference for showing up at work wearing sandals and “raggady-ass jeans,” and a passion for cross-country skiing. He sounded every bit the kind of Californian conjured by the term “dude” — as in, “Hey dude, howz it hangin’?”

Mitnick is manipulating the reader by adopting several traits associated with a stereotype of the loveable hackers, including
1. An admiration for technical skill
2. An admiration for California generally
3. An admiration for non-conformists
4. An almost child-like view of the world, especially in the last sentence. [See my review of Veins for the power of his imagery]

Now, here’s a passage from Shimomura’s book

“I have no idea why Andrew [Shimomura’s mentee] told you to start cleaning up,” I said, incredulous.

Seiden, who is a computer security pro, was angry at having been misled at such an error. “Last time I take orders from Andrew,” he muttered. His task now, we agreed, would be to resume monitoring Mitnick’s activities on Internex for indication of how deep his suspicions now ran. Seiden was still fuming with indignation as we ended our call.

I punched in Andrew’s numbers. “What the hell’s going on?”

A good leader makes others great. Even cantankerous perfectionists like Steve Jobs can get excited in people. Shimomura instead criticizes and denigrates those close to him, to make himself appear brighter.

In keeping with this trend, Mitnick even gives Andrew’s family name twice, while in Tsutomu it is only given once, in Tsutomu’s co-author’s acknowledgements.

I’m glad I read both books, but Ghost in the Wires is both more up to date and less grating.

Review of “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker,” by Kevin Mitnick with William L. Simon

Several weeks ago Kevin Mitnick spoke at the research arm of my employer. He is a funny guy, knowledgeable, a great public speaker. He was also hawking his book. During the Q&A Kevin was asked what the most realistic movie about computer hackers was. He replied, “Sneakers,” a 1992 film starring Robert Redford, Dan Aykroyd, Ben Kingsley, Mary McDonnell, River Phoenix, and Sidney Poitier, which I had remembered watching as a teenager. This answer seemed so bizarre it made me want to know more — hence several hundred pages later, I’ve read Mitnick’s book.

After re-watching Sneakers, I was struck that it did not use the Hollywood trope of a computer whiz sitting down at a keyboard, hitting random buttons, and getting into the system. Or Mission: Impossible high tech wizardry or suspension cables. Instead, in Sneakers access is gained by talking to people, calmly and persuasively lying to them, and getting them to do what you want. This was Mitnick’s method. That was why he liked the film.

Kevin’s story begins as a boy “hacking” the L.A. mass transit system to get free rides, through getting his mom free long distance, to finally an increasingly complicated web of compromised systems to evade the growing number of enemies who were looking for him. Mitnick’s adventures take him from California to Las Vegas, Seattle, South Dakota, and North Carolina, before finally being arrested.

Kevin’s spoken a lot about his former life. Here’s a 60 minutes report:

And an hour-long talk he gave at Google

Shortly after his release from prison, he was called to testify before a Senate committee headed by Joe Lieberman and Fred Thompson.

If technology, “social engineering” (which Mitnick calls “lying on the telephone”), and security interest you, I strongly recommend Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker. I read Mitnick’s book in the Nook edition. It is also available for Kindle.

Dozier Spam Bot Attacks tdaxp?

Two strange messages (I’ve left them intact, except for the hyperlink) have appeared in the comments for my posts, Dozier Internet Law harms client’s reputation and Did Dozier Internet Law Misrepresent a Federal Judge?

The first comment reads:

Here is the Dozier Internet Law Blog:

[url redacted by tdaxp]

Frankly, it seems pretty insightful.

and the second is:

I don’t know who is right. It looks like it might be Dozier:

[url redacted by tdaxp]

At first blush, these are merely spam messages. The IPs of the two comments (left with the same nick and email account) are quite different… the 128.241.*.* range resolves to NTT America (a “global IP solutions company”), while the range of 207.195.240.0 to .255.255 resolves to Global Tac, LLC. Global Tac has been implicated in spam messages before. It appears that Global Tac hides behind 150 different IP messages to conduct its spam campaigns, so the discrepancy between the IP addresses is smaller than it appears.

Dozier Internet Law is no stranger to spam as a means of advertising – they’ve long generated spam websites with nonsensical information. Still, escalating this to include spam comments on private blogs comes dangerously close to trespass and hacking.

Is DirectBuy Hacking Wikipedia?

I don’t know, but Wikipedia’s Revision history for “DirectBuy” now discusses “possible user of sleeper accounts.” The text that keeps getting removed reads:

Complaints

Many customers have complained that they have been deceived by DirectBuy into signing expensive contracts for the privilege of purchasing goods supplied by the company. A three-year membership usually costs about $5,000, with yearly fees in the hundreds layered on top of that. Furthermore, potential members are told at the information sessions that unless they commit to it right then and there, they will be ineligible for membership for another seven years. While DirectBuy prices have been proven to be lower than some of their competitors’ prices, all purchased items incur a processing and shipping fee, which is not included in the original price quote. In many cases, these additional costs usually bring the total price to that above what can usually be found at many traditional retailers.[citation needed]

Critics of DirectBuy

The section has been removed repeatedly by users “Wiseard” and “206.228.159.59.”

While it is clear that DirectBuy intimidates those who complain and floods the web with spam, the question of whether they violate Wikipedia’s conflict of interest policy is an open question. Certainly I’ve run against over-zealous wikipedians in the past (who deleted the entry for “5GW” and wished to destroy information on “Unrestricted Warfare”), so nothing is certain at this time.

An Army of One

Let me tell you a story about a man named Gary:
Gary McKinnon, 39, is accused of accessing 97 US government computers, causing damage estimated at $700,000 (£370,000).

An extradition hearing at Bow Street magistrates’ court was told that McKinnon, of Wood Green, north London, deleted files that shut down more than 2,000 computers in the US army’s military district of Washington for 24 hours “significantly disrupting governmental function”.

It was claimed he left a note on an army computer in 2002 saying US foreign policy was “akin to government-sponsored terrorism”. The note allegedly said: “It was not a mistake that there was a huge security stand down on September 11 last year. I am Solo. I will continue to disrupt at the highest levels.”

McKinnon is accused of 20 counts relating to the American army, navy and air force, Nasa and the Department of Defence.

One allegation is that he deleted files and logs from computers at the US Naval Weapons Station Earle at a critical time after the Twin Towers attacks, rendering the base’s network of 300 computers inoperable.

Mark Summers, for the American government, said: “The defendant was acting from his own computer in London. He effectively owned those computers by virtue of the software he had transmitted. His conduct was intentional and calculated to influence and affect the US government by intimidation and coercion.”

It is also alleged that McKinnon obtained secret passwords or information which might become “indirectly useful to an enemy”, and interfered with maritime navigation facilities in New Jersey.

Via Pejmanesque  http://www.pejmanesque.com/

Didn’t Gary have something better to do with his time? Imagine the intelligence and skill this man possesses that could have been used to do something useful and good. But he did think he was doing something useful and good. American foreign policy was “akin to government-sponsored terrorism,” so he really thought he was doing good by attacking the US. This idea isn’t original to Gary, it’s the kind of thing we have heard again and again: the US is the #1 rogue state, America is a greater threat to world peace than al Qaeda or Saddam and so on. It was only a matter of time before someone who actually bought into this idiocy decided to act on it. Is it possible to defend yourself against this kind of solo actor?  We have to assume that there are many more people who not only share Gary’s views, but are willing to take the next step and act on those ideas. They are not organized, but rather complete solo actors who are operating without any knowledge of others doing the same thing. This time it was a computer attack, who knows what it will be next time.

Posted by Phil