Features

Net.wars - The most dangerous hacks

The number of people on the Internet rose by one this week.

Kevin Mitnick, once branded the archetypal "darkside hacker" by New York Times journalist John Markoff, and called the "most wanted computer criminal in US history" by the federal government, was, said Wired News, allowed back online on Wednesday.

And so far, the Internet has survived!

In 1995, Mitnick was captured in a high-profile, cyberspace and cross-country chase. He was yanked offline, mid-cellphone hook-up and thrown in jail in North Carolina. From there, he was sent back to California, where the break-in (through John Gilmore's computer system) that led to his being caught occurred. Mitnick then served five years in jail (eight months in solitary confinement) - without a bail hearing.

He's been offline, either in jail or under court order, for eight years.

Eight years ago, the Web was all URL-of-mouth, Bill Gates hadn't yet "got Net", and registering domain names was still free. Ah, Internet time.

The day of Mitnick's release back onto the Net, the New York Times reported that two judges have ruled that banning Net use is too broad a punishment. Back then, however, they wanted to hit Mitnick hard as an example: a deterrent to others.

This is not a foreign suspected terrorist; it's an American citizen who captured the eye of high-profile journalists at a time when people were completely weirded out by the existence of someone who could find his way into computer systems apparently at will. And what did he do? Did he steal huge databases of credit card numbers and profit from them? Did he write and distribute viruses? Swamp the network with spam? Launch anything like the vicious DDOS attacks that have kept the IRC network Dalnet out of action for more than a month? Sell copied source code? Steal people's identities?

As far as we know, no. His immediate crime when he went on the run in 1994 was to miss three consecutive appointments with his probation officer (according to Kent Walker, the California district attorney in charge of the case, at the time. The chase that spawned three books and a movie so bad it was only ever released on DVD in France started as simply as that. Mitnick told 2600 editor Emmanuel Goldstein on his radio program "Off the Hook" that the reason he ran was, ironically, that he was afraid they'd put him in solitary again. While he was running, though, he did a lot of things with cellphones and other people's computer systems to stay online and in touch with his friends, and it was these activities that led to further charges against him. The crimes for which he was originally convicted were the usual run of phone company shenanigans and cracking into big computer systems; but he was a long-time repeat offender who claimed in court he was a computer addict.

Mitnick unquestionably did a lot of things that cost a lot of people massive time and effort in clean-ups. The problem for system administrators dealing with the aftermath of a break-in is that they have no way of knowing whether the cracker was benign; they must audit everything in a time-consuming exercise that adds nothing to the normal work of the organization. When someone copies the source code for your new cellphones, you have no way of knowing whether it's been sold to your competitors.

But the scuttlebutt has always been that Mitnick is not technically guruate but someone who's just very good at conning people into telling him what he wants to know. Mitnick dubbed this skill "social engineering," and the book he and William L. Simon have cowritten, The Art of Deception, authoritatively shows how tiny, apparently insignificant details can be added together to create a major security hole ripe for exploitation.

I would love to think that it's Mitnick's arrival that's convinced that lost Recording Industry Association of America anti-MP3 nut Hilary Rosen to retire to spend more time with her family. What with killing Napster and sending out threatening letters, and suing people Rosen has arguably done far more Net damage than Mitnick ever did. In fact, she apparently briefly considered a career as a cracker: there was a proposal in front of Congress last year to allow copyright holders to hack into other people's computer systems and networks if they suspected unauthorised copying.

And there's the interesting thing: like Mitnick, she did it without any particular technical expertise. She didn't need to make computers jump through hoops; she just needed BIG lawyers to send out threatening cease-and-desist letters and even BIGGER pockets full of cash with which to lobby Congress. The most dangerous hacks aren't technical at all.

Hilary: may I direct you to Gnutella? We'll have you downloading MP3s in no time. You're a private citizen now. You can do these things.

Kevin: welcome home. Good luck in your new life.