Microsoft Hack: The world according to Mitnick

By Roberta Holland, eWEEK
02 November 2000 05:17 PM
Tags: security, mitnick, hack

Looking more like an investment banker than a recently paroled felon, notorious computer hacker Kevin Mitnick apologised to software developers via satellite Tuesday for invading their privacy and their code.

Dressed in a dark suit and argyle socks, Mitnick discussed the recent Microsoft hack and other security issues during a keynote interview at the Software Developers 2000 Conference in Washington.

Due to probation restrictions banning Mitnick from leaving southern California, his interview was beamed via satellite from Thousand Oaks to conference attendees.

"I do regret doing that because it was wrong," said Mitnick, who pleaded guilty in federal court to felonies for cracking into computer systems at cell phone companies, software vendors, ISPs and universities and illegally downloading software. "I was a kid and I was having fun."

"I did something that affected [software developers'] rights. It pissed them off," Mitnick said during the interview. "Hopefully I can be forgiven."

But Mitnick tried to distinguish between snoops who break into someone's network for the fun and challenge of it and hackers who actually disclose what they find. He categorised himself as the former.

Something fishy in Redmond?
Mitnick was skeptical about some claims surrounding the Microsoft attack, including one that Microsoft itself was watching the hacker. When something as important as source code is involved, companies are less likely to monitor a hacker's activities than to kick the person out of the network, he said.

"I think it's important to note that companies such as Microsoft that have enormous resources can be victims of computer hackers," said Mitnick, whose probation also prevents him from using a computer, cell phone or similar device for three years. "Nobody's immune from attack." He said the reports he has read about the attack indicate Microsoft employees either didn't have the most updated anti-virus software or were using static passwords to gain access, which he said was surprising.

"That's foolish in today's environment," Mitnick said. "Now the whole world knows they're using static passwords. That's a huge vulnerability."

Motivation for the attack could range from mischief to malicious corporate espionage to an opportunity to embarrass Microsoft, Mitnick said. The hacker or hackers could put a back door in widely used software so anyone purchasing the software would be vulnerable, he said.

Telecommuting also presents a new security hole, with hackers able to simulate a user's login and grab passwords as the telecommuter tries to dial in.

"You can't eliminate it, you can only minimise it," Mitnick said of such security risks.

Lessons lost?
Mitnick, released from prison in January, said he doubts the Microsoft hack will send a lasting message to companies.

"It's going to raise awareness for three or four months, then people are going to relax," he said.

He suggested software developers pay more attention to security from the beginning.

"It's really about exercising due diligence and putting yourself through some kind of audit to prevent these things from happening," Mitnick said.

Mitnick is now trying to make a living speaking about security issues and consulting as the federal government permits. CMP, the sponsor of the Software Developers 2000 Conference, paid Mitnick for his appearance, but a spokeswoman for the company declined to say how much.
