
Saturday, February 9, 2019

Ghost in the Wires

Ghost in the Wires: My Adventures as the World's Most Wanted Hacker
© 2011 Kevin Mitnick, William Simon. Foreword by The Woz.
393 pages



CYBERPUNK introduced me to the story of Kevin Mitnick, a teenage phone phreaker turned celebrity hacker,  who boasted that he never used an outside program to break into a company. Instead,  all of his access was obtained by manipulating people within companies into giving him the information.  Writing later as a security consultant, he explained the workings of this manipulation in the book Art of Deception, which I referred to as "interesting but highly repetitive". Well....ditto for Ghost in the Wires.  It's the memoir of a serial, and apparently compulsive, hacker, whose obsession with accessing networks he has no authorization for,  and obtaining information he has no right to have,  utterly consumes his life.  He admits that hacking was like booze for him -- his entertainment, his addiction.  Even when he's barely escaped from one episode, he's already starting the other....and his enormous pride in getting one over on the hapless clerks,  alarmed security admins, and frustrated federal agents is so hubristic that he routinely calls the FBI or accesses their computer network during investigations to see how close they are to the scent. 

It's his compulsiveness that does him in time and again: even when he was relatively safe on the run, with a stolen identity (several, actually) and a comfortable job, Mitnick is so consumed by his desire to hack that it attracts the attention of his employers, who fire and investigate him. (At one point while working there, for instance, he was on his cell phone putting on a presumably awful Japanese accent to convince an engineer that his counterpart in the Tokyo office needed him to upload cellphone source code to a server Mitnick had access to. One of his coworkers heard this outside the door and could only wonder what on earth was going on.) When the FBI found his scent, it was because he was trying to collect the source codes for a UNIX release, as well as various next-gen cell phones that were hitting the market. Was he selling them to rival businesses? No. He was collecting them as trophies. Mitnick is the movie villain who undermines himself by pausing mid-kill to gloat at the hero, or decides to consign him to a slow death in an elaborate trap.

This book was informative, however;  Mitnick proves to be far more dangerous than I'd previously believed. He wasn't  just exploring networks as portrayed in CYBERPUNK:   for him, there was no limit to the systems he'd compromise. The DMV, Social Security, Vital Records? Grist for the mill for Kevin to do what he wanted. Admittedly, his technical expertise is admirable, in the same way that Napoleon's army or the Luftwaffe  were technically admirable.  He certainly wasn't just relying on people giving him information, as  he frequently applied patches to systems to give himself  backdoor access later on. What's less admirable is Mitnick's ability to lie to so many people so habitually, to manipulate them like switches on a board. The act is deeply disturbing in itself, but  what happened to the hundreds of receptionists, clerks, and engineers who became Mitnick's unwitting dupes? 

While I began this book guardedly sympathetic to Mitnick (impressed by his talents, a little wary of his lying), by the end I regarded him as a compulsive, hubristic ass. I'm glad he's turned semistraight, in managing to squelch his desire to thwart everyone else, but the book has virtually no information on that. Was there any soul-searching at all, or was it just a mercenary decision? Mitnick may be a nice guy in person; he's friends with Steve Wozniak, who has had experience with egotistical personalities before and would presumably recognize it in Mitnick, but based on this book I wouldn't trust him.

Related:
Exploding the Phone
Books by Kevin Mitnick

Thursday, June 28, 2018

The Art of Invisibility

The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data
© 2017 Kevin Mitnick
320 pages


So, you want to be invisible online? Great. All you'll need is three separate computers -- one for your top secret business, one for your banking, and one for your everyday use; a few new email addresses,  a handful of burner phones, a large pile of cash to buy gift cards and electronics without leaving a credit trace, a slightly larger pile if you intend on paying strangers to buy said cards and electronics for you,  an ability to habitually lie, and the concentration of a criminal mastermind to remember which accounts you're using on which computer so you never accidentally blend your Top Secret identity with your real one. Child's play.

Kevin Mitnick knows a thing  or two about the necessity and the difficulty of staying invisible. He spent two and a half years as a fugitive from the FBI, wanted for hacking, unauthorized access, and wire fraud. These days he works as a security consultant,  and in The Art of Invisibility he provides a point-by-point tour of the surveillance web created by the internet and telecommunications infrastructure. There are also specialized chapters on surveillance in the workplace, and maintaining privacy while traveling abroad.  Mitnick's survey and advice have at least two audiences:  most of the book can be appreciated by a technologically savvy and privacy-minded individual who wants to know more, while a smaller but not insignificant portion of the book, somewhere between 30 and 40 percent,  would be of interest to the truly paranoid.

Although Mitnick does cover material that would be a given to those with an interest in security -- don't use public WIFI networks for banking or other sensitive business, even if they're password-protected, that kind of thing -- most of his information is less elementary. He's thorough, explaining how tools like email and hardware encryption work, where they're vulnerable, and why they're useful. The Tor browser is a mainstay of recommendation, as it allows users to be relatively anonymous and evade filters that restrict access in territories controlled by authoritarian states like China by redirecting the user's activity across a series of nodes. The nodes chosen are random, and it's possible to encounter a node controlled by surveying authorities. If a person uses Tor on the same computer and accesses the same accounts as they normally do, however, then if they're under active surveillance by someone their token efforts at anonymity are for naught. People in witness protection can't go to family reunions, and those who want to remain invisible can't muddle their identities together. If you want to have an email account and use Tor, Mitnick advises, then use Tor and create a new email account. The same concept applies across communication technologies: Mitnick was caught in the 1990s because despite using multiple cell phones, he was using them in the same location (a motel room), and thereby connecting to the same cell tower every single time -- allowing the FBI to collaborate with the local telecom to get a fix on their man.

The Art of Invisibility is far more comprehensive and helpful than Mitnick's previous books on intrusion and social engineering. Mitnick offers his exhaustive tour of vulnerabilities not to scare readers into retreating to a monastery, but to point out -- this is what you're up against, this is what you can do about it, this is where you'll still be weak. Like a security consultant's tour of your home, The Art of Invisibility shakes expectations, and disturbs the illusion of safety -- while at the same time Vanishingly few people are capable of taking all of Mitnick's advice: even he doesn't. He leaves the decision to the reader how best to integrate this information with their own practices. Everyone can benefit from better cyber-security hygiene, even if it's something as basic as keeping your cellphone locked, running adblock to disable malicious scripts on websites, and keeping smart TVs that never stop listening to you out of your house.


Monday, August 21, 2017

The Art of Deception

The Art of Deception: Controlling the Human Element of Security
© 2005 Kevin Mitnick
352 pages



The Art of Deception is interesting at first, but very repetitive. Mitnick, who claims his career as a hacker was based solely on manipulating people to gain information and access, shares stories of others who did the same. These mostly include private investigators, with at least one pair of curious teenagers and a few bits of corporate espionage. The modus operandi in all the cases is very similar: the actor engages in background research to learn a few names and some of the lingo of the business, then makes phone calls to different people and departments within the company. Information is solicited under false pretenses from various people, then combined to gain further access or the answers. Mitnick refers to this as social engineering, and it's obvious from his collection that a high degree of charisma is required to gain the trust or goodwill of subjects; Mitnick also points out how the actors manipulate the people they're interacting with, pushing buttons for sympathy and fear. There are very few cases included here of people working in person; the simplest case involved a man studying a business to find out when the office staff left, and when the janitors arrived. He then approached the place in a suit and briefcase, and pretended to be an office worker who needed to run in and get a few things from his office -- allowing him free run of the place. Mitnick ends each section, and the book in total, with advice on how to secure and compartmentalize information so employees don't accidentally give the farm away. This includes strict policies and training to control the flow of information, emphasizing the need to verify the identity and need of people requesting information.

Sunday, July 23, 2017

Crime, private and public sector

Let's start the week off with two birds and one stone!    





Earlier in the week I was finally able to get access to No Place to Hide, by Glenn Greenwald, on his encounter with Edward Snowden and the stories that led to.  For those hiding under rocks,  Edward Snowden was a civilian contractor working for the NSA until he exposed part of their globe-spanning surveillance apparatus in 2013/2014. While employed by the CIA and NSA, Snowden became increasingly concerned with the scope, ambition, and dubious legality of his employers' programs, and decided to begin documenting what he was seeing.  After methodically collecting reports for months on end, throughout several assignments, Snowden contacted a reporter with an established reputation for criticizing both the government and a complicit media.    Greenwald, after  recounting his first contact with Snowden,  then shares information from the stories he filed with The Guardian before switching into an argument against the surveillance state, and a condemnation of the establishment media, particularly the Washington Post and the New York Times.

I daresay no one will be surprised to learn that I'm far more a supporter of Snowden than the NSA -- not because I believe the NSA is part of some evil conspiracy, but because I have certain strongly-held beliefs on the nature and consequences of power, and know that the construction of an inescapable surveillance apparatus is Bad News. When Greenwald says global, he means global; the book mentions numerous programs, not just the email-tapping ones, and between them they cover pretty much everyone but the crew of the International Space Station. It can't all be to fight terrorism: what do terrorists have to do with Brazilian gas companies, and why is NSA surveillance being shared with US agricultural departments? Those who believe that the NSA are swell chaps who wouldn't countenance abuse of their data may sleep soundly, but what happens when someone with fewer scruples is in charge? As the current administration demonstrates, we no longer require even the pretense of civility from those who want to operate the beastly machine that is DC.



More recently I read through Kevin Mitnick's The Art of Intrusion. Mitnick was partially featured in Cyberpunk, a teenage telephone 'phreaker' turned pioneering computer hacker. Since his release from prison Mitnick has used his reputation and experience in intrusion to sell himself as a cybersecurity consultant. The Art of Intrusion collects 'true crime' stories of computer-based or related intrusions, ranging from illicit exploration to digital skulduggery. A lot of data is omitted for the protection of the persons and companies mentioned, but a lot of the stories seem dated, for the book's publication year, and others are so technical I am not sure who would be reading them. I did find quite a bit of interest, however, in the chapters on penetration testing and social engineering. I still do not like Mitnick's term for an art he and his friends practiced, and one which remains a security threat: obtaining information and access through human, instead of technological, means. Mitnick shares the stories of analysts, who -- performing audits on companies, and attempting to breach their security -- were able to access highly sensitive areas within buildings simply by chatting up coworkers and 'acting' like they belonged there. This also involved technical assistance, like a fake ID that security guards didn't vet too closely. Mitnick claimed in his trial that he relied on social engineering, not computer programs, to access as much as he did, and he has previously authored a book called The Art of Deception that documents the psychological strategies used in this kind of 'engineering'. As someone with a work-related interest in security, I may look around for a copy.

Thursday, June 8, 2017

CYBERPUNK

CYBERPUNK: Hackers and Outlaws on the Computer Frontier
© 1991 Katie Hafner
400 pages



Cyberpunk takes readers back to the early days of hacking, when it was so old-school that computers weren’t involved. Using three cases in the United States and western Germany, Katie Hafner’s history introduced readers in 1991 to the general idea of hacking, and her history sheds some light on what hackers were, what they did, and what they might want. It’s a fun look at early internet history, with the net as we know it developing slowly throughout the course: ARPAnet, the internet’s predecessor, only appears halfway in.

The story begins with telephone lines, which -- in the mid-20th century -- bored teenagers began to examine with great interest. Kevin Mitnick and Susan “Thunder” met over their mutual interest in learning to detect the patterns used by telephone switching systems and reproducing the sounds to manipulate their way through the boards, arranging free phone calls for themselves. (This was a bit of a cultural education for me -- evidently there were conference call lines advertised where people called in and just chatted with whoever was also on the circuit, a telephone chatroom!) When the systems became controlled via computers, Kevin, Susan, and a few more of their friends began tinkering with them. (For readers born in the eighties, whose first computers came with web browsers, it takes a bit of chewing to realize that Mitnick and Thunder were literally dialing other computers; telephone and computer network access systems were much more closely related.) Their explorations would eventually lead to purloined and privileged accounts on sensitive systems across the United States; Susan had a particular interest in looking at military hardware. The group weren’t plundering records for profit.

Although this group acquired an enormous amount of access via its steady experimentation, little was involved in the way of programming. They weren’t creating bugs to invade systems;  at most they rooted through the dumpsters of phone and computer-access companies looking for manuals, notes, and other juicy bits of detritus. The manuals not only allowed them to understand the systems they were ‘phreaking’, but often included passwords from people who hadn’t yet developed any sense of security.  They also engaged in what Hafner calls ‘social engineering’ -- lying, essentially, and obtaining information by talking to telecommunications and networking personnel under different guises -- almost exactly like phishing, but they did it in person. Eventually an interpersonal feud led to one of the crew being turned in, and the tip was used to great effect by a security specialist who had been doggedly tracking their excursions.

From here, Hafner moves to a group in Germany whose hacking begins to resemble what we in the 21st century understand it to be. Initially, they too were interested only in the thrill of entering computer systems. Unlike the American group, “Chaos” did experiment with programs to do their work for them -- and unlike the Americans, some of the Germans became interested in converting their skills into currency. Specifically, they approached East German border guards (who connected them to KGB personnel), offering to sell them information obtained through the networks. The Soviets’ real interest was in the actual software -- compilers, especially -- but they were willing to engage in occasional business. (Chaos also claimed to be working on behalf of world peace, since if a balance of power was maintained, war was less likely.)

The third act in Hafner’s book concerns the “Morris worm”, the invention of a son of the NSA who invented a self-spreading program to explore the size of the internet. An error in judgement allowed the program to collect several instances of itself on one machine, consuming their memory, and causing system after system to grind to a halt.  The worm infected ten percent of all machines then connected to the internet. Needless to say, this unexpected attack caused a panic, and in the resulting trial some members of the cyber-communications industry were out for blood despite it being fairly obvious that the culprit hadn’t intended any harm and had in fact sent off anonymous warnings within a couple of hours of noticing that his creation had gone berserk.  Although a zealous prosecutor -- and an equally zealous witness, the man who had led the hunt for the Mitnick intrusion -- did their best to incarcerate Morris, in the end the judge erred on the side of mercy and concluded with a sentence of community service, probation, and a large fine.

Cyberpunk was quite the education for me. My interest in the early days of the internet, and in particular the quasi-libertarian ethos of some of the personalities attracted to it, first interested me in the volume. Most of the people cataloged here are quirky individuals, all uncomfortable in school but obsessive about learning the ins and outs of different systems. They were driven to explore a new world, to prove themselves masters of it -- but they were also inspired by the literature they were reading. From time to time books like Shockwave Rider, Neuromancer, and the Illuminatus! Trilogy show up. (Interestingly, the latter was used as a staple of one of the hacker characters in David Ignatius' The Director.) Although Hafner was recounting these cases to an early 1990s audience just starting to explore the consumer-oriented internet, the cases as arranged offer a look at the internet and its culture as they evolved. I enjoyed it enormously.

As a side note: the case of Kevin Mitnick continues provoking controversy, with numerous books authored by him and others arguing with one another over the "truth".  According to this book's epilogue, Hafner's own account is "80%" true.