Mitnick was a hacker hero of mine in my youth. I think I’ve understood his role as jester prior to conviction less as I’ve grown older, but there’s something about the boyhood charm of being so divorced from the potential consequences of one’s actions that is almost unique.
Mitnick had so many stories that entranced the people around him. I heard one second hand of Mitnick dealing with a bank who had early voice verification software. Upon meeting the CEO he gave the executive his card and departed for the evening. Arriving back at his hotel, he called the CEO and asked him to read his phone number to him. The phone number contained all ten digits which Mitnick had neatly tape recorded so as to make the CEO’s voice reproducible. He then proceeded to use the bank’s vocal banking system to transfer $1 from the CEO’s account to his as the authentication mechanism was reading out your own account number in your voice.
When Mitnick arrived back in the board room the architect of the voice verification system was crestfallen and the bank CEO delivered a check on a silver platter.
Now how much of that tale is embellished I will never know as it was second hand, but that was the kind of whimsy Mitnick brought to our world.
He has the CEO’s number and successfully calls him, and through some miracle gets through directly to ask this trivial question — as opposed to getting the number from the assistant who answers his phone - sure ok but then under what pretense does he then ask him to repeat his phone number? “Please repeat the phone number I just dialed.”
The phone number contains all the digits needed to recreate the bank account number?
He somehow has the bank account number?
He meets the CEO (despite just being a security consultant) and gives his report to the board of directors?! That is not how companies usually work, especially the board part.
Check on a silver platter? Architect of the voice system is brought into the room with the board to be humiliated? This reads like something a 13 year old would dream up (nothing against OP maybe someone even Mitnick really did claim this happened).
The tale is absolutely embellished if it has any truth at all.
Mitnick could have been hired as an advisor for their system, personally by the CEO.
He calls the CEO to ask a "personal question" so to skip the assistant, asks something innocent, then lets the CEO know he has a new number and provides a fake number. He asks the CEO to confirm he heard the number correctly, but it's a bad line, so speak clearly please.
The "new phone number" has all the digits of the bank account he's trying to hack. The account is likely the account number that he's being paid for the consultancy work with. He could have got this simply by asking to confirm from which account he'd be paid from to confirm the transaction.
He is asked to report his review of the new security system to the board (given it was a large investment by the Bank, or just the wrong word used) and the architect would of course be invited to his own project's review?
The board then asked Mitnick to design a new system and said that cost wouldn't be an issue.
> then lets the CEO know he has a new number and provides a fake number
I came to a similar conclusion regarding the implementation of the attack. The scenario in my head was slightly different, but very similar (still includes a new number):
Kevin provides his business card and sets up a meeting with the CEO to report on his progress (or whatever). When the CEO calls at the scheduled time - Kevin doesn't answer. Sometime later Kevin calls the CEO and apologizes for missing the call, and explains that he didn't see any missed calls.
At that point the CEO explains that he tried to call, and even left a message. Kevin has a sudden flash of insight and realizes that he may have given the CEO one of his old business cards.
"What's the phone number on the business card I gave you? I'm wondering if I've been handing out my old business cards to people... that would actually explain a lot." (presumably the phone number on the business card in question would include digits 0-9 in a not-super-obvious way)
The CEO reads back the phone number on the card and Kevin slaps his forehead because that is in fact the wrong business card. Kevin gives the CEO his new number, and they finish the scheduled meeting. On future calls the CEO is able to contact Kevin using the new number, which lends credence to the attack.
It's also possible that the CEO knew what Mitnick was getting at and played along to a degree.
Kind of like when your company has a security presentation about this new "report phishing button" in your email and you suddenly see this weird phishing-like email come through a few hours later. Hopefully you connect the dots.
This is the 90's and early 2000's. We didn't have the security processes and checks like we do nowadays. I worked for a bank right after the dot-com crash and was in charge of their internet banking web presence. I was witness to other employees passing around CDs and printouts containing the private information of hundreds, maybe thousands of customers. This was the era when your SSN was your userid. So these CDs contained SSNs, names, addresses, bank account numbers, passwords (not even encrypted, much less salted), etc. I moved into a new cubicle one time and saw these CDs just left over. It was a free-for-all for people like Kevin Mitnick.
Getting credit card numbers out of the trash at a local Enterprise Rent-A-Car location was a weekly thing for us here, especially corporate accounts.
I don't think some folks nowadays realize just how effortless it was to find such information laying out in the open.
LOL, I was asked by a pet shelter for my SSN in order to adopt a cat. I stupidly put it down on the paper form and then asked why they needed it. She didn't have an answer and rejected my application to adopt. But she kept the paper form in case I tried to reapply in the future. I ripped it out of her hands and left. I should have just put a phony one in there...
They asked if I was going to let the cat outside. At the time we had another cat we adopted from a vet and we let it outside so it made sense that we'd let this one out too. That was a hard no (although they didn't tell you that). It was basically a trick question and if you didn't answer to their liking, they rejected you. That was 20 years ago. Nowadays the cat I do have is kept indoors at all times.
In the mid-/late-80's, you could easily get full PII (SSN, Name, DOB, address, mother's maiden name, etc) green-bar paper reports someone tossed in the trash when finished.
He was pretty famous when he started doing security consulting so it doesn't seem like a stretch to me.
Bank account numbers are written on the bottom of checks along with the routing code. If you have a check from them, you have their checking account number.
Phone numbers are ten digits long. So a number like (213)485-7690 contains all digits from 0 to 9. Caller ID spoofing is trivial even back then. For example, you could ANI fail to a calling card system which would drop you to an operator. Then you just tell them the number you're "calling from" and that number would show up as your Caller ID and ANI.
Using voice authentication is pretty stupid but, iirc, at least one US bank still does something similar. That said, I imagine part of the authentication was probably caller ID based. This was/is also why voicemail systems don't prompt you for a PIN when you call them from your own phone - they use caller ID for authentication.
He was already meeting with the CEO in some capacity, so it's very clear he had access to the CEO, maybe as a security consultant. Then getting him to read the number is easy, "Hey, I just got a new cell, but I might have given you my old card, can you read the number back to me?"
Getting a phone number with all the necessary digits is a bit of a stretch, but not impossible. And I would suspect, because this is the way phone systems generally work, that there was no bound on the number of attempts to enter the account number. Account numbers are all the same length, so you know exactly how many characters to input, it's just a matter of brute forcing the number--and for all I know, there may be some kind of structure that Mitnick found out.
Meeting with the board sounds like an embellishment for sure, especially for Mitnick's initial report, but I could definitely see--especially if someone was looking for a big chunk of money to strengthen the system--the report eventually being given to them.
The check on the silver platter is the most believable part of the story. Have you ever met a CEO? And why wouldn't the architect of the system be there to receive the report on the security of the system? Who else should be there?
For me, the only truly unbelievable part of this story is that he needed the CEO's voice at all. And for all we know, he just said he recorded the CEO's voice for a laugh.
I understood it as him (Mitnick) asking his own phone number back. "Did I give you my card earlier? Is it the new card? I don't recall. Which number does it have?"
If you've already identified a security system that has this vulnerability you get a phone number with all these digits and begin shopping for any institutions that bought that system.
Being able to login if you have the bank account number is still a pretty big flaw.
If you are a bank, your security threat model should assume that a hacker has access to somebody's account number and basic personal details.
Particularly for a high profile/value account, you can see how it might be possible to get soundclips of them saying the numbers 1 to 9 (see: https://www.youtube.com/watch?v=xWcldHxHFpo)
Nonsense like "silver platter", almost certainly embellished (unless a "Barnum" or "Wonka" or some shiite was running the bank). The fundamentals, totally believable.
It's incredibly easy (still) to do certain kinds of "social engineering". Terms like "psychological sleight-of-hand" can sometimes make it a little clearer how humans just have blind spots - ways our perception works and doesn't. And, people who are used to being VERY "in control", intelligent / experienced (compared to others in room), etc., can sometimes be the easiest to manipulate in certain ways.
But, really, it boils down, sometimes, to something as simple as "how long can you keep a person talking?" Mitnick was probably in a good position to do these sorts of things - assuming the story is from after he "turned White Hat". And, in this case, the even simpler deal with the numbers is something like "oh, shoot, I had a misprint on old cards, did I give you the right one? What's the phone number on it?" Drop something abruptly like that, at some random point in a conversation, most people wouldn't think twice... Even if their current context involves a heavy dose of thinking about voices and numbers. They might easily enough realize in the morning, but, too late, by then. Further, getting bank account numbers is not necessarily hard either. Could even be as simple as "dumpster diving", back then. Did the CEO always shred every single document, with a "secure shredder" (as much as that's possible) when home? Or maybe burn everything, always?
And, in any case, you're even mixing up aspects of the story. The phone number isn't the bank account digits, it's just all the numbers from 0 through 9 (you can even get one twice, for a 10-digit [w/ area code] number).
I propose that your sureness in dismissing this story, misapprehensions about it, etc., make you an unwittingly "good mark."
Mitnick's social engineering really formed me. And I did all sorts of nefarious stuff in the 80s, from mapping the 411 call centers, to the tape vending machine hack and other phreaking as I had an original captain crunch whistle too (not a hack) but there was a bunch of easy fraud to be had with “calling cards” back in the day
Based on my understanding of the story in the post, Mitnick asked the CEO to read back the number he gave the CEO earlier that day.
I don't disagree it's likely all bullshit, but if you're going to post snarky, nitpicking comments at least make sure you're understanding what was communicated. It makes it all too easy to dismiss any valid points you may have when there are such fundamental flaws.
All of the stories in his books are like this. An existing seemingly sensible system is used in a creative way to get access. Every time you read one the creative solution is so elegant you just go "Ah, can't believe I didn't think of that" (and then go try it yourself obviously - had lots of fun as a teenager taking down websites/stealing ppl's passwords/etc as a party trick for my friends).
> the authentication mechanism was reading out your own account number in your voice
That's the most suspect part of it to me - even vulnerability to malicious attack like this aside, who would think that's a good idea or going to work well?
What percentage of people could successfully use a voice assistant to make a note of their bank account number the first time? Nevermind have it determine that it was indeed their voice not someone else's.
I think something was lost in the retelling. It could just be an era when people didn't figure out biometrics yet. It makes sense today, but caught up in new hype, people often implement cutting edge technology where it doesn't belong.
Sure, but usually we have 2FA now. It tends to be what you have (token/documentation), what you know (password), and what you are (voice auth).
Often you need one type for basic access (see balance), two for an actual transfer, three for say, transferring a million dollars. This may be something that people like Mitnick proved were necessary.
As a kid I ate this stuff up. In the eighth grade, I defaced my middle school website.
The IT person easily figured out it was me and then tricked me into thinking I would be expelled within days. She pulled me out of class, told me such in the hallway, let me return to class where I held in tears until the end of the day.
Nothing happened and the school year ended a few weeks later. Towards the end of the summer I realized it had been a bluff and I wouldn’t be punished. Took me a few years later to realize how much of a favor that all was! The county school of conduct clearly said cybercrime was punishable by expulsion so she could have absolutely put me in some kind of hell. The fear set me straight hah.
> The IT person easily figured out it was me and then tricked me into thinking I would be expelled within days.
Similar. I wrote a program to emulate the logon text on a PDP-11 terminal in high-school in the mid-80s and steal a bunch of student passwords. Didn't do anything with them. They were like "trophies."
Nevertheless, the computer teacher found out and had mercy on me. He gave me a project to work on to help him compile stats on a student survey. He was a nice guy.
I did the same thing, only my program pretended to be a DOS-based Novell Netware login screen.
It was just a simple QBASIC program (that's all that was available on the Computer Room machines) running under my own login, which would write usernames and passwords to a text file in my user directory. I figured that I'd harvest a few passwords until someone got frustrated enough to call for the IT admin, at which point he would try to log in and reboot the PC when it failed, apparently "fixing" the problem and erasing any evidence of my dastardly crime.
I was right, and for a few glorious days I got away with it... until one particular arsehole picked on my best friend during recess, and I used his stolen credentials to log into his account and trash his files.
Long story short, I ended up getting expelled, which by a curious confluence of events put me on an unorthodox path that completely changed my life. Funny how things turn out.
> until someone got frustrated enough to call for the IT admin, at which point he would try to log in and reboot the PC when it failed, apparently "fixing" the problem and erasing any evidence of my dastardly crime.
This was precisely my logic as well.
> put me on an unorthodox path that completely changed my life.
I had a similar thing happen. I distributed some malware I wrote on the shared drive and had some people run it (it was extremely basic, just locked people out of the computer with no recovery by taking advantage of how locked down they were; but people lost a lot of work). My programming teacher, who was already dealing with me being a distraction in class, went to bat for me so I didn’t get strongly punished but made me clean it off the drive continuously; other students kept putting it back, so I had to monitor for it.
I wonder if the same scenario happened today, where a Kid has an interaction like that with a bank CEO, showing an insane vulnerability... The kid would just be sentenced to jail time and charged as an adult.
How would he have known the CEO's bank account number? Did the CEO write him a check at some point? Or maybe a bank's CEO traditionally gets account number 1…
Bank account numbers aren't secret, they're written on the bottom of every check you write. The story lacks the details of how he got his hands on it but it's not unreasonable to assume he was able to access such unprotected information.
The european bank account numbers are often posted publicly. If you are a VAT payer, you're supposed to check that the account you send money to is registered with the business in the public registry. Otherwise you may be held liable for the receiver's tax fraud. Many companies also show them at their webpage to make it easier to get paid. See e.g. https://www.pre.cz/en/contacts/bank-details/
The account number should be just an ID, not authentication mechanism.
> The account number should be just an ID, not authentication mechanism.
Right? One of the many things (and I mean this without any hate whatsoever) I simply can't and will never understand about the US. A bank account number is your mailbox for receiving money. How does that country even operate when they build those mailboxes underground?
The US bank security system confuses me. To accept money, I need to give out my routing number and account number. Using those numbers, someone could theoretically withdraw money... Maybe... The whole system is built upon obscurity. Why do some stores need a pin on my debit card, and some do not? Why do online stores need my name and address, but IRL ones do not? How did that one online store charge me without my CVV? How can restaurants swipe my card now and charge me later?
I only send and receive money with Google/Apple Pay & PayPal at this point. This flow is reasonable (every transaction is authorised in a trusted location (ie: PayPal). Further transactions are impossible without additional authorization). It boggles my mind that banks & CC companies haven't made some standard for this. Would save them so much money in fraud protection.
> Why do some stores need a pin on my debit card, and some do not?
Oh that’s easy enough. If they need a PIN it’s actually being run as a debit card over the debit card network. Otherwise it’s being run as a “check card” over the credit card network (with higher fees and better consumer protections). It’s just backed with money instead of a line of credit.
> Why do online stores need my name and address, but IRL ones do not?
IRL stores have access to the actual card (with your name) and having this artifact present makes it much less likely that you are a fraudulent fraudster committing fraud, so the processors are willing to take it.
> How can restaurants swipe my card now and charge me later?
the good news is if the store ever defrauds you, everyone knows where to find the store! Unlike fraudsters making purchases.
And banks are still perfectly willing to issue personal checks, a form of payment that requires you to hand someone a piece of paper with your full name, address, bank account and routing info, your signature, and a brief handwriting sample.
I doubt it as well. Back in the day, I worked for an elected official who insisted on being a Domain Admin in our Active Directory tree. My co-worker and I used to joke, "think he wants to be a Schema Admin too?"
When you do pen testing you're given a limited list of valid targets.
I imagine that the mission parameters were that he take a check and remove money from the account.
It would also make sense that this is the CEO's account, or one he also controls, because he's in on the test and can give informed consent. Also, probably the CEO doesn't have any special access so breaking into his identity wouldn't impact the bank the way breaking into the IT manager's account might.
If this was a fake account (one with no real user) then they wouldn't have discovered this flaw because Mitnick couldn't have called the user. Having a real person be exploitable is essential to proper discovery of the full scope of the problems.
This was a long time ago. It was a small bank. I also heard it through the grape vine and not from him himself. I could definitely be wrong but this is what was told to me by someone who was there.
At Schwab my voice is my password. Is how Schwab authenticates me by voice. That demonstrates to me schwab knows they need a voice passphrase that wouldn't be used in passing or without raising suspicion.
I just thought it was an interesting contrast to the bank executive story. Which demonstrated how the passphrase may have evolved and that moving money is done by voice authentication today.
Using just one's voice is bad. Using a phrase is better. Using a phrase that is unique and describes its function may set-off alarm bells for some.
there is a bank in Italy currently that uses this voice recognition mechanism which with current AI tech is fakeable within 20 min. Nothing much changed since back then I guess
About 15 years ago I was using telephone banking, when you had to put in a 4-digit PIN to access banking. I could still hear background call centre noise so I asked the operator if they were still on the phone when I put the PIN in, and he confirmed he was.
"Okay, so you heard me type in the PIN? So now you can know my PIN?"
"Oh no", he said, "it's just beeps, like this - ", and pressed a few digits.
"Right so you typed 1 6 3 2 4, there."
"..."
"That's what you typed, isn't it?"
"Uhm... yes, how did you guess?"
"I didn't guess, I could hear the beeps. I've got a reasonable ear for pitch, so I can tell what the numbers are from the tones. Any chance you could escalate this to your manager after the call, and tell them to give me a phone if they've any questions?"
They rang me the next day, and I explained the situation to them.
Now, at least in the UK, you get transferred away from the call handler when you put your PIN in.
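The leak in the anecdote above, as an added example that is not part of the thread: keypad tones are ordinary audio, so any leg of the call that carries them carries the PIN, and keeping the handler's leg free of them removes it. The audio is synthesized, and the function names, the 440 Hz masking tone and the frame sizes are this example's own assumptions.

```python
import math

RATE = 8000                       # telephone-band sample rate (Hz)
FRAME = 160                       # 20 ms analysis frame
ROWS = (697, 770, 852, 941)       # standard DTMF row frequencies (Hz)
COLS = (1209, 1336, 1477, 1633)   # standard DTMF column frequencies (Hz)
KEYS = ("123A", "456B", "789C", "*0#D")
# Require each tone to be at least amplitude 0.25 within a frame.
THRESHOLD = (0.25 * FRAME / 2) ** 2


def synthesize(digits, tone_ms=80, gap_ms=40):
    """Constructed sample input: the audio a keypad puts on the line."""
    samples = []
    for d in digits:
        r = next(i for i, row in enumerate(KEYS) if d in row)
        c = KEYS[r].index(d)
        for i in range(RATE * tone_ms // 1000):
            t = 2 * math.pi * i / RATE
            samples.append(0.5 * math.sin(ROWS[r] * t) + 0.5 * math.sin(COLS[c] * t))
        samples.extend([0.0] * (RATE * gap_ms // 1000))
    return samples


def goertzel_power(frame, freq):
    """Signal power at a single frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame):
    """Return the key whose row and column tones dominate the frame, else None."""
    row_p = [goertzel_power(frame, f) for f in ROWS]
    col_p = [goertzel_power(frame, f) for f in COLS]
    r = max(range(4), key=row_p.__getitem__)
    c = max(range(4), key=col_p.__getitem__)
    if min(row_p[r], col_p[c]) < THRESHOLD:
        return None
    return KEYS[r][c]


def decode(samples):
    """What a listener on this leg can recover: one key per tone burst."""
    keys, last = [], None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        key = detect_key(samples[start:start + FRAME])
        if key and key != last:
            keys.append(key)
        last = key
    return "".join(keys)


def mask_for_agent(samples):
    """Hypothetical mitigation model: the handler's leg gets a flat tone
    wherever the caller's leg carried a keypad tone."""
    out = []
    for start in range(0, len(samples), FRAME):
        frame = samples[start:start + FRAME]
        if len(frame) == FRAME and detect_key(frame):
            frame = [0.5 * math.sin(2 * math.pi * 440 * i / RATE) for i in range(FRAME)]
        out.extend(frame)
    return out


if __name__ == "__main__":
    line_audio = synthesize("16324")          # the digits quoted in the anecdote
    print("unmasked leg:", decode(line_audio))
    print("masked leg:  ", repr(decode(mask_for_agent(line_audio))))
```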
> Mitnick was a hacker hero of mine in my youth. I think I’ve understood his role as jester prior to conviction less as I’ve grown older, but there’s something about the boyhood charm of being so divorced from the potential consequences of one’s actions that is almost unique.
Yeah, I remember watching "Freedom Downtime" as a teenager and thinking how ludicrous it was that he was sentenced to prison for computer hacking, but now that I think about it as an adult of course he should have been. Sure solitary confinement, the specifics of his sentence, etc. may have been extreme and I'd like to think that the court system has progressed in their knowledge of computer security since then, but what he did was still a breach of corporate security. He knew at the time it was illegal, and he just thought he was too smart to get caught.
That idea that we had at the time that it was a "victimless crime" or something was very immature.
int(phone number) "contained all ten digits" is the main embellishment. KM used different acct#. check delivery was weeks later, after negotiations. either way kevin was OG AF ..|..
I was not aware he was ill. Always sad to hear people that are taken by cancer.
I didn't know Kevin, but am friends with Tsutomu Shimomura who worked with authorities to get him arrested. Tsutomu worked with me a bit when I was at Sun trying to get a cryptographically secure subsystem into the base system specification. It was fun to listen to his side of this story.
The 80's was a really weird time for computer enthusiasts, and it was the period of time when what was then considered the "hacker" community schismed into what today we might call "white hat" vs "black hat" hackers.
As a person who considered themselves to be part of that community I was personally offended by how the story of Kevin painted everyone who thought of themselves as a "hacker" as a criminal. It made for good story telling to make these folks "pirate" or perhaps more accurately "privateer" types in their swashbuckling ways of sticking it to the man. People would say, "Exposing security holes is like solving puzzles (which is fun) and important because if I don't do it, well somebody 'bad' will. And while I'm here, why not make it hurt for them a little bit to incentivize them to fix this problem quickly!"
I didn't disagree with the importance of pointing out security problems, but the flamboyant way it was done scared the crap out of people who were both clueless and in a position to do stupid things. As a result we got the CFAA and the DMCA which are both some of the most ridiculous pieces of legislation after the so called "patriot" act.
The damage that did to curious people growing up lost the US a significant fraction of their upcoming "innovation" talent. While not diminishing the folks who leaned in to the illegality of it.
> I was not aware he was ill. Always sad to hear people that are taken by cancer.
It was pancreatic cancer, which is the deadliest cancer. It kills very quickly and as far as I know, it's impossible to cure.
It killed my mom: 3 months between diagnosis and death. She didn't want treatment because it couldn't save her; it would only postpone the inevitable and she didn't want to spend the rest of her days in hospitals.
It took my dad last year, diagnosis in April, gone by mid-June. It was so aggressive he chose "medical assistance in death" (MAID), because he didn't want to be in hospitals all-the-time. He had half-completed the process, then had a stroke on June 4th, where he was then admitted to hospital. The stroke caused aphasia, so he couldn't communicate very well (speech was very disjointed, but he could understand everyone) - they brought in a speech pathologist, after a couple weeks they were able to confirm that he still wanted 'MAID', so - I had to make the decision as to when. (And - I agreed, spending time in hospitals, fighting the inevitable was antithetic to his whole personality)
Cleared by 2nd round of medical professionals to make the MAID decision on a Wednesday, so - we scheduled for Friday - he passed away naturally Thursday morning.
Note that it really depends on the type of the pancreatic cancer. While pancreatic adenocarcinomas are some of the worst cancers out there (overall 5y survival of 8%), others like pancreatic neuroendocrine tumours have a fairly good prognosis. Famously, Steve Jobs sought alternative medicine solutions to the latter, which was probably misguided.
I come from a long line of clinical/medical folks in my family - and me on the tech side of medicine...
That said the following is me talking out my ass, but I have followed a very few number of pancreatic cases - jobs being one... and there is one anecdotal that I would hope people closer to such cases can chime into ; how much wine did these people drink (jobs was a prolific wine drinker)
I'm wondering if sulfates from wine are a major player.
Jobs famously didn't drink much alcohol; he was way more into exotic fruit juices and such. Where did you get the idea he did? And what's with the oddly narrow "must be the sulfates, in wine specifically". Why not tannins? Polyphenols? Organic acids? We already know alcohol contributes to a variety of cancers...what compelling evidence is there that sulfate need be involved?
Tannins (and sulfates) are found in all sorts of food. But it's way easier to take the intellectual shortcut and say "it's probably X", instead of "it's probably really complicated and there are a number of factors involved". Some people want simple answers, no matter how complicated the problem is, or how wrong the answer is.
> I'm wondering if sulfates from wine are a major player.
I work in healthcare in one of the wine capitals of the world, Napa County, CA.
We do not have a higher rate of pancreatic cancer than anywhere else. It is average. If sulfates from wine were a factor, it is quite likely that we would have seen a higher rate of pancreatic cancer here.
If they were a major player it wouldn’t be so subtle, it would be an industry wide problem. Alcohol causes pancreatic cancer for sure, but sulfites specifically? I’d need a lot of evidence to believe that.
Sure, but that shouldn't preclude looking into it...
As you stated "*I need a lot of evidence*" - which is exactly what I am asking for. "Moar evidance"
And sulfates may not be the right metric...
So if we can fully identify dietary commonalities of pancreatic cancer patients, then we can get a little farther down this path to understanding...
What would be the most amazing use of "AI" would be to have a biological model of a pure human body (as far as nutrients and blah blah are concerned) - then cycle through feeding that biology various substances and seeing how it propagates through the system.
There are a lot of conspiracy theories about AIDS, and in the case like the death of Steve Jobs I guess this sort of rumor is bolstered by the fact that a lot of people hid their diagnosis due to stigma. Jobs was famously very focused on image. But I think most of that stigma was gone by 2010.
The stigma is most definitely not gone with the exception of the gay community, and maybe younger folks. If Jobs had AIDS and hid it, it wouldn't be a shock, but I think it would be a contributing factor to disinformation as most people believe the pancreatic cancer happened on its own and was exacerbated by his alternate treatments.
Well the other thing is, if he got a positive test in 2006, he'd be on anti-retrovirals and wouldn't have died of it. He had money and access to good doctors. It's rare for someone like him to die of AIDS complications.
A friend of mine survived it, I wouldn't wish pancreatic cancer on even my enemies. That stuff is tough. I do the Purple Stride with her every year to celebrate her battle.
RIP Kevin, hearing your stories and the movie Hackers was a huge inspiration in me getting into what we do.
A friend of mine who is a surgeon originally was learning to become a pancreatic cancer surgeon. She changed to GI because the mortality rate was just so high and so fast that it was extremely heartbreaking and depressing.
I'm sorry to hear about your mom. It's not impossible to cure, but it's very uncommon. I think that if it is caught early, only 10% of people eventually become disease-free.
Markoff and Shimomura received $750,000 for their book rights and $650,000 for the film rights. The most sensational parts in the book or the movie had absolutely nothing to do with the truth.
Sharknado is closer to reality than Track Down. The cringest part is Tsutomu's fictional gf.
Take Down (the movie) was fantastic fiction, and even showed Mitnick as convicted before he even was.
However my cringiest take away from the book was Shimomura's detailing of what he was eating which seemed to have so many mentions that at times I thought it was a healthy eating dialogue.
Pro-tip: CFAA only applies if you cross state lines between you and the server. Otherwise, state law applies and there are/were some states that never passed any 'anti-hacking' laws.
Pro-er tip: if you are in the US and access a computer over any kind of service provider network (Internet, leased line, etc.) you should operate on the assumption your traffic is crossing state lines and the CFAA applies to your activities.
Tools like traceroute cannot show you where your traffic is physically being sent because: there may be no geographic information in the router reverse DNS records, that information might not be accurate if it is present, and layer 3 tools cannot show you the underlying layer 1/2 path (which might be wildly different than the layer 3 hops would suggest.)
Spot on. More simply, no matter the technical underpinnings, the case will be made in court that because your service provider (and probably the carriers it's connected to) have infrastructure across state lines at all, your traffic could have crossed state lines, and the court will be asked to assume it did. And they probably will.
You can make a reverse DNS record (or any DNS record, for that matter,) say anything at all. There isn't a National Committee for the Verification of DNS Updates checking this stuff out and demanding in-person inspections and notarized affidavits swearing that 100% of all information in the DNS is accurate and means whatever the end-user might infer it to mean.
For instance, part of the traceroute from my house to Google looks like this:
6 be-33112-cs01.doraville.ga.ibone.comcast.net (96.110.43.81) 19.602 ms
7 be-33142-cs04.doraville.ga.ibone.comcast.net (96.110.43.93) 22.738 ms
8 be-302-cr13.56marietta.ga.ibone.comcast.net (96.110.39.49) 23.202 ms
You can see these hostnames are obviously meant to encode some geographic data -- strictly for the convenience of the provider, it doesn't mean anything else -- but you, as the user, cannot tell from these records that these routers are actually where you think they are, based on the host names.
Another issue is the server you're communicating with might take a completely different path to get back to you, and you'd have no real way of knowing that.
rDNS information is provided by the owner of the IP address, not the owner of the domain. More generally there are spoofing and poisoning attacks against DNS.
Absolutely not. Any computer connected to the internet, even behind a firewall / NAT / etc. is considered to be involved in interstate or foreign commerce and thus a "protected computer" subject to 18 USC 1030. It's not your actions that make it a protected computer. 1030(e)(2)
> but the flamboyant way it was done scared the crap out of people who were both clueless and in a position to do stupid things. As a result we got the CFAA and the DMCA which are both some of the most ridiculous pieces of legislation after the so called "patriot" act.
> The damage that did to curious people growing up lost the US a significant fraction of their upcoming "innovation" talent.
The causal leap from flamboyant hackers to the DMCA/CFAA, and then to damaging the US's innovation talent feels... speculative.
> The causal leap from flamboyant hackers to the DMCA/CFAA
That isn't much of a leap. The penalties aren't rooted in the actual damages, because for most of this kind of curiosity-based intrusion, there isn't any real damage and the damage imputed to them is the cost of cleaning up after the vulnerability, which the "victim" ought to have paid regardless. Getting trolled by some kid isn't what costs you money, implementing a vulnerability that allows some kid to troll you is.
The reason the penalties are high is because of that embarrassment. Some major institution that ought to have done better gets pwned by some pranksters and they lose face. So they want to throw the book at the guy to deter anyone else, not from maliciously causing them undue harm, but from making a fool of them in public.
But blaming the youth for bragging about it is blaming the victim. The perpetrators are the institutions that abuse the law, and the process of creating the law, to severely punish not evildoers but the child who points out that the emperor has no clothes.
> and then to damaging the US's innovation talent
These are the laws they use to charge the likes of Aaron Swartz, are they not?
It'll make more sense when you realize that promoting the competence of American corporations is, in and of itself, an explicit policy goal of the American government.
If they wanted to promote competence then the damages would be applied to the corporation for implementing the vulnerability, not on the attacker for exposing it. This way, corporations are given a shield for being incompetent and can place the blame and damages upon an individual that brings them to light.
The hacks had to be flamboyant. If the hacks weren’t embarrassing the “adults” in suits would deny the hairy person in a t-shirt knew what they were talking about.
This even happens when there is not nearly as much status difference between the two.
I was once tasked to work with TPM 2.0 provisioning in an embedded position. They specifically chose me and pulled me from another team because of my skills in cryptography (I wrote Monocypher). Fast forward a couple weeks, I notice that the way the provisioning was specified, it would allow us to provision a fake TPM without noticing. My team lead didn’t believe me.
Some time later we had an actual provisioning procedure in place, and what do you know, it worked to completion even with a fake (software) TPM and a real certificate from the manufacturer. Because, well… we just didn’t compare the relevant public keys. My team lead was still sceptical.
I had to mention the issue in a meeting with some higher-ups and the security guy to be allowed to fix the problem. I believe this goes a bit deeper than a status game. I think it’s downright magical thinking: this hope that ignoring problems (especially vague threats like security vulnerabilities), could make the problem actually disappear.
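The failure described in the comment above (a valid manufacturer certificate accepted from a device that does not hold the certified key), sketched as an added example that is not the commenter's code or any TPM library's API. The CA, certificates, `Device` type and function names are constructed for illustration, and the key the device reports is assumed to be the one the rest of the protocol makes it prove possession of.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Device is a hypothetical model of what the provisioning station sees. EKPub is the
// key read from the device itself (assumed to be proven later; not modelled here).
type Device struct {
	Cert  *x509.Certificate
	EKPub *ecdsa.PublicKey
}

// issue signs a certificate for pub; a nil parent yields a self-signed CA.
func issue(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate,
	signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// provisionCertOnly is the flawed flow: the chain is valid, but nothing ties it to this device.
func provisionCertOnly(d *Device, roots *x509.CertPool) error {
	_, err := d.Cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// provisionBound adds the missing comparison: certified key versus the device's own key.
func provisionBound(d *Device, roots *x509.CertPool) error {
	if err := provisionCertOnly(d, roots); err != nil {
		return err
	}
	certKey, ok := d.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !certKey.Equal(d.EKPub) {
		return errors.New("device key differs from the certified key")
	}
	return nil
}

// Outcome records which flow accepted which device (true = provisioned).
type Outcome struct{ CertOnlyReal, CertOnlyFake, BoundReal, BoundFake bool }

// Scenario builds a constructed CA, a genuine device and an impostor replaying its certificate.
func Scenario() (Outcome, error) {
	keys := make([]*ecdsa.PrivateKey, 3) // CA, genuine device, impostor
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return Outcome{}, err
		}
		keys[i] = k
	}
	ca, err := issue("Constructed manufacturer CA", &keys[0].PublicKey, nil, keys[0])
	if err != nil {
		return Outcome{}, err
	}
	ekCert, err := issue("Constructed EK certificate", &keys[1].PublicKey, ca, keys[0])
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	genuine := &Device{Cert: ekCert, EKPub: &keys[1].PublicKey}
	impostor := &Device{Cert: ekCert, EKPub: &keys[2].PublicKey} // real cert, wrong key
	return Outcome{
		CertOnlyReal: provisionCertOnly(genuine, roots) == nil,
		CertOnlyFake: provisionCertOnly(impostor, roots) == nil,
		BoundReal:    provisionBound(genuine, roots) == nil,
		BoundFake:    provisionBound(impostor, roots) == nil,
	}, nil
}

func main() {
	o, err := Scenario()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

The certificate-only flow accepts both devices because the certificate is public and verifies on its own; only the key comparison separates the genuine device from the impostor.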
Definitely some of that, but in Kevin's day it was most likely a team of IBM blue suits, white shirts, and red ties vs. Kevin in whatever he found to wear.
Having been around for the long haul and met Kevin a few times, I'm sad to hear of his passing. Yet, his white hat influence will live on.
I completely agree. There was a time when hacker did not mean criminal. That was the time during which Kevin was active. It was also the time during which I was active, not that that matters right now. But there was a rapid shift from computers being something you could explore to if you're exploring that then you are a bad person. And I also agree that trying to scare policy makers isn't necessarily going to work because they don't understand what they're scared of. Curiosity is no longer rewarded in general in our society.
Those of you who don't think what Kevin did was important, there seem to be a lot of people discussing him, aren't there?
> The damage that did to curious people growing up lost the US a significant fraction of their upcoming "innovation" talent. While not diminishing the folks who leaned in to the illegality of it.
It is very difficult to see how that is the case when pretty much every functioning nation has substantially similar laws.
Nobody really cared in the scene about the DMCA until the FBI started taking people offline. Even then? It stopped nobody, people just got more security aware.
As a result we got the CFAA and the DMCA which are both some of the most ridiculous pieces of legislation after the so called "patriot" act. The damage that did to curious people growing up lost the US a significant fraction of their upcoming "innovation" talent. While not diminishing the folks who leaned in to the illegality of it.
I was escorted out of my job as a shipping clerk in 1999 for creating an entry in an NT 4.0 group with my name in it to impress the IT Admin so I could get a job in the computer department.
I really enjoyed the book Takedown, about Shimomura's pursuit of Mitnick - I must have read it three or four times. I always wondered what happened to Shimomura, since he just seemed to drop out of sight after that book came out.
Shimomura was an egotistical asshole at the time. However, he was younger then and can hopefully acknowledge he was still learning about himself and wasn’t all-wise yet.
I hope Shimomura can realize that Mitnick made him a better version of himself, both personally and professionally.
I've known him since the time of the events in his book, and can confirm. He was (and still is) an insufferable jerk. Not only does he self aggrandize himself in his book and web site, he pointlessly denigrates and takes down and insults the intelligence of his own colleagues in order to make himself look better (but the net effect was the opposite that he intended). And his book was a work of fiction. Nobody in their right mind would still want to work with him, especially after what happened with his LED company. I know somebody who made the mistake of working with him, and the costly lawsuits and recriminations between them have been dragging on for years, but Tsutomu's clearly the one who was at fault.
His ego came through a bit in the book, but honestly that's a fairly common trait for young guys. I am also quite aware that the book only presents one side of the story and that Mitnick had quite a different perspective. I'm sure the truth lies somewhere in the middle. My enjoyment of the book was much more about the process they used to track him down, and the detailed description of them building tools to aid in the process, rather than the people involved.
"A bit"? You think so? At the time, Tsutomu was enough of an adult to know not to be such an asshole, but that didn't stop him one bit.
Fuck the "boys will be boys" defense, and the people who still try to defend reprehensible behavior (and ultimately their own) by trotting out that old sexist canard.
I’m not defending the behavior, just saying that it didn’t detract from the parts of the book that I enjoyed.
I did find the inclusion of so many details of his romantic life a bit odd. It’s not that they were graphic or anything, there was just a lot of it and it didn’t have anything to do with the subject of the book.
Meh. It 'ain't braggin' if it's true. Worked with Tsutomu on some projects. Dude has an extremely keen analytical mind. Mitnick on the other hand had an excellent grasp of human intellectual frailty. I was always surprised people expected Tsutomu to be some amazingly empathetic mensch and Mitnick to be some uber mentat wizard.
Each was quite good within their speciality, and kinda crappy in the other's. And that's totally okay.
He started at company called Neofocal which had some really cool LED products. He also has had some health issues of his own to deal with. I last talked with him about 5 years ago in 2018.
Storytime:
He randomly came over for dinner while cruising around LA with a friend of a friend, aaages ago... asked if I had a disposable tablecloth, luckily yes. Orders like 10 entrees/appetizers/desserts for delivery for just the 3 of us.
Over a few hours picking at food, drinking a case of beer etc., the entire table was covered in tech gibberish, diagrams, code etc. Really wish I saved that, but at the time I was like "who IS this guy?" and it was a disgusting mess. I do recall appreciating that level of openness and bonding, and have never had such an experience with anyone else like that in the industry since then.
RIP
Wow. My first encounter with Kevin Mitnick was a random one.. joining one of my school's IRC channels one day there was this guy on it who was bragging about how he had broken into our central AIX server, would read the admins' e-mail all the time and for every hole they plugged he would just find another one.
I was just a university Freshman just starting my CS classes, and seeing this discussion, it was like I had entered some underground revolutionary meeting. It opened my eyes to mischief and testing the boundaries of systems and order where this guy who was on IRC as root@system was just calmly saying how the technical universe I was just learning about was controllable in ways I had no clue about.
I never followed the case after he was prosecuted, and I didn't go down the hacker route in my career, but it was a life-changing moment for me to see this outsider live out "War Games" in real life.
RIP, root. Your crimes and mischief certainly didn't define you, especially as you went down the ethical hacker path (the first?). Pancreatic cancer is a horrible way to go, I am sorry to see this story today and condolences to his family and friends.
Oh man, oh man. This is heart-breaking. Even though I never met Kevin IRL, he was always something of a.. well, maybe not a "role model" exactly, but certainly an inspiring character in many regards. Some of my earliest forays into the world of phone phreaking and related activities were inspired by the stories I read about Mitnick and his crew out in LA, in Markoff and Haffner's book Cyberpunk. For a while me and some of the guys I ran with would use the word "Kevin" as a sort of code-word for this stuff to avoid telling our parents any more than necessary about what we were doing:
"Where are you going tonight, boys?"
"Oh, we're going to hang out with Kevin."
(this meant a night of trashing telco dumpsters, fucking around with payphones, and various other dubious activities)
"Oh, OK. Well, be careful."
That sort of thing.
Wow. Never saw this coming. I didn't even know he'd been ill.
Anyway... RIP, Mr. Mitnick. May there be clueless operators to social engineer, on "the other side".
Yep. I'm familiar with the issues around the veracity of that book. That isn't really the point. Back in 1995 that was pretty much all we had to go on, and Mitnick still became a hero to a bunch of us.
In the subsequent years I've read all of Kevin's books, as well as pretty much all the other books written about his life, and watched the various movies and documentaries that dealt with his story. It seems like Markoff was kind of a dick and frankly contributed to some of Kevin's problems. Sad. :-(
The post mentions Dutchman Stu Sjouwerman as a close friend. Kevin was partnered with Stu in the security company KnowBe4.
Stu is a dedicated Scientologist, and has donated millions and millions of dollars to that corrupt organization. I know because I served in the Scientology Sea Org and knew Stu when he was on “OTVII”. This was before KnowBe4, but he was still something of a big donator. He really hit it big with KnowBe4 and became one of the few whales still funneling massive amounts to the church.
I found out about the connection between Stu and Kevin while I was working as a developer for a tech company. One day we started getting those security tips and tricks emails, white labeled so they looked like they came from our own AppSec team. At the end of the emails it ended with the line “the price of freedom is constant alertness, constant willingness to fight back”. A direct quote from L Ron Hubbard and one Scientologists (and former Scientologists like me) know well. After digging deeper I found out they were coming from KnowBe4 and saw Kevin listed on the site as being a partner.
Business relationship aside, after reading Ghost, you get the sense that Kevin would not and could not stop hacking. Maybe he matured and that urge dulled but I always wondered if he ever did some covert snooping into what Stu was up to with Scientology. The Sea Org computer and communication systems are ancient (they still use pagers for some things!). It would have been a blast for someone like him to compromise their systems. And they are right there in Clearwater down the road from KnowBe4 headquarters…
Posting with throwaway because I ain’t tryna win a covert Scientology harassment and stalking op and have my family disown me which happens to virtually every former member who speaks out publicly.
They seem to hook a lot of clever people. I always assumed it was some kind of weird tax dodge, but maybe Scientology doesn't get enough credit for their social engineering skills
Just because somebody is somehow "clever" doesn't make them immune to scams -- they just need to be a specific type. Scientology targets a person's sense of self-importance and empowers the feeling that they are somehow special and mentally gifted. Something that many "clever" people have.
> Posting with throwaway because I ain’t tryna win a covert Scientology harassment and stalking op and have my family disown me which happens to virtually every former member who speaks out publicly.
When Kevin first found out he had cancer, the doctors gave him "weeks". But you know Kevin -- he refused to accept his fate and found the top doctors in the world, tried experimental procedures and was able to get himself all the way into remission just 11 months later. It was incredibly inspiring, we all thought he had yet again beaten the system. It's tragic how the last 10 weeks played out, he fought all the way until the end. He was a legend who paved the way for millions in the cybersecurity space. We will miss him.
Looks like he died from pancreatic cancer. This cancer always reminds me of the Last Lecture by Randy Pausch. He was a CMU professor who also died from pancreatic cancer 15 years ago.
Seriously, fuck pancreatic cancer. My best friend died of it in Oct 2020. I've had 10+ people I know (or someone that I know knows) die of it. It's my worst fear, cancer-wise.
My parents vaguely remembered who Kevin Mitnick was when I gave my father my copy of 'Ghost in the Wires' to read.
I told him, this was the 'hacker' of the 80s, read how he managed to 'hack' all these places. My father replied, "I'm pretty sure I won't understand anything he would do". Me, "Just give it a chance, you'll be surprised"
When he gave the book back, I asked my father if anything Kevin did my father wouldn't have understood. My father said, "I understood everything he did". I asked, "Now, when you get a call from someone you don't know claiming to be an authority figure, what do you do?". Father: "Hang up"
Would there be a modern version of this? I haven't read it and I'm interested, but mostly my parents are getting old, and with AI on the corner, I fear a bit the next level scams.
Any time a big hack makes the news it turns out that either some system had no security, they used social engineering, or a disgruntled former employee. Hackers aren't sitting there with a super computer in a Guy Fawkes mask trying to decrypt data. The scams are the same now as back then.
> Any time a big hack makes the news it turns out that either some system had no security, they used social engineering, or a disgruntled former employee.
Back in 2003 or so, my boss showed up at my desk at work, and looked like he was about to blow a gasket. There was a hack that was on the news, and it was getting featured in news stories all over the world.
He basically said he was going to fire me if it turned out it was my fault. (I built the servers that held the data that was compromised.)
Within a day, it turned out that it wasn't all the data, it was just one person, who had a lot of famous friends.
What had happened was that someone had accessed her account. The way that they did it was by guessing her password. Her password was the same as her dog's name, and she was a celebrity known to be seen at events with her dog.
Two of the most recent most high profile hacks required a large degree of preplanning, scoping out, custom coding etc to achieve the breadth and depth of penetration gained upon execution.
How would you classify supply-chain attacks?
Primary security was bypassed by breaking secondary security .. so there was security to be overcome, there was no social engineering aside from understanding procedures in play, and no disgruntled employees.
Over time they got more interesting and less like the "basic unsophisticated | opportunistic | social engineer | inside agent" description given above.
I don't think it's ever gone away, and stands to get even worse now. Good to have a safe word with your family in case they ever get an important call from you or the reverse.
The modern version should be 'put down' (does anyone still hang their phone on a wall nowadays?), and an even more modern one would be 'push red button' :)
It's funny, though I didn't really know him I did have two chance interactions 15 or so years back that are in a way core lessons for me about business.
Back when he started doing consulting I ended up spending some hours on the phone with him over a week or so as an evenings/weekends side project (I had a more than full time job too). He seemed like a nice enough dude, basically a middle aged guy trying to put his life back together, and he was understandably not up to speed on web app security due to his recent stint in prison. I don't think that business ever panned out but he eventually pivoted and built a multi-billion dollar company around the concept he was known for (social engineering).
The second is embedded in his somewhat famous lock pick business card. It turns out those cards are a direct copy of a friend's card, conceived by me, designed by a second friend, and inspired by a third friend who'd discovered the shop that did etched steel cards. Kevin's card traded in usability by shortening the tools to make more space for contact information. Regardless, his ability to capture the spotlight helped ensure his version is by far the best known.
Mitnick did remind me of myself as a preteen, even if it never seems he quite outgrew his own preteen antics. He was a gutsy guy who made life more rich and interesting in his own way. He never seemed to bend to the system’s will long after many of us so called anti-authoritarians would have thrown in the towel.
When I read his books I alternated between fascination, revulsion, admiration, and shock. Mitnick above all wasn’t boring and I think “not boring” doesn’t get enough credit in the measure of a man.
My ex certainly wasn't boring. But they certainly were physically abusive. I don't believe that automatically qualifies someone as deserving of credit.
I don't think anyone would claim that not being boring is the only worthwhile measure of a person. But assuming nobody wants to be around a person who is causing harm purposefully, I'll take interesting over boring.
I'm sorry about your ex, and I hope you have the support you need.
That's incredibly simplistic and lacking in empathy.
There are people with serious psychological disorders such that they can't control negative impulses and behaviors. Some people are born or develop an empathy void, but they are still human beings. Yes, we need to make sure they don't harm others, but pissing on them doesn't help you or anyone else, so why do it? All men are created equal, judge not lest ye be judged, ChristianGeek.
I think their statement stands pretty well as a serious one because credit is social, and paid to those who play by a set of rules. If you are a physically abusive person, society will discredit you. Case in point Will Smith.
I gave it a bit of thought, and remembered that there are people in the other side of the world (America) who are deep down in modernism (esp. feminism in this instance) who can really believe in that (abuse cancels all other good qualities). You're right, my mistake to assume people are as mentally healthy as they're in my country.
While I assume this is real, part of me does feel like a combination of how young he is and who he is leads me to be slightly skeptical. Assuming it's real, hopefully he would have appreciated the skepticism.
Wired story about the origin of the cards: https://www.wired.com/2007/06/lock-pick-busin/ (I looked it up because I thought they looked like some cards someone I knew designed, and sure enough…)
I had a similar thought, his social engineering abilities were very strong. If there was one person in the world willing to fake their own death to engineer access to something, it would have been him. A sad day.
What is there to elaborate, other than pointing out that he was good at social engineering things and finding behavioral or procedural loopholes to get access to systems?
“Lamo was best known for reporting U.S. soldier Chelsea Manning to Army criminal investigators in 2010[7] for leaking hundreds of thousands of sensitive U.S. government documents to WikiLeaks.[8][9] Lamo died on March 14, 2018, at the age of 37.[10]”
Kind of the wrong side in history there. But RIP, regardless.
Manning’s leaks included vast numbers of documents related in no way to legitimate whistleblowing issues, some of which helped spark the Arab Spring which precipitated in an ongoing civil war in Syria, slave markets and the beheading of religious minorities in Libya, and on and on all over the region affecting 100s of millions of people. I don’t know about Lamo, but Manning certainly isn’t on the right side of history and deserves to be still in jail.
Manning was very sloppy; that's true. But she also released very important information about war crimes. The intent was good, the execution was bad.
As for the Arab Spring, you can blame it for revolutions in Tunisia, Libya and Egypt (some good, some bad), but I don't think Syria has anything to do with it. And ISIS was the direct result of the US invasion of Iraq.
Without being mind readers all we can know is what Manning claimed about intentions. People who break their oaths aren’t the most trustworthy cohort. Regardless, good intentions do not absolve anyone from high crimes and precipitating mass murder.
> ISIS was the direct result of the US invasion of Iraq
Without weakened or destroyed regimes across the region due to Manning’s actions there wouldn’t have been as much freedom for ISIS to spread. Manning shares the blame.
>Manning’s leaks included vast numbers of documents related in no way to a legitimate whistleblowing issues, some of which helped spark the Arab Spring which precipitated in an ongoing civil war in Syria
> These are two causes of great importance to Kimberley and Kevin; both organizations put the majority of donated funds to work in the communities they serve.
If Kevin inspired you, perhaps a donation in his name would be a nice gesture.
RIP. I still have my FREE KEVIN sticker on an old freezer.
One of my fond memories with my now-dead mother was going to see him during a prison transfer in Los Angeles and yelling outside the place until he waved to us and the rest of the crowd through a window.
Oh my god. I was on the phone with him not that long ago discussing a red team project. I had no idea what was going on.
He was always generous and kind yet professional, despite us kind of fanning out. He had the ease of someone who knew what they were doing and didn’t feel they had anything to prove, which of course he didn’t.
I was looking forward to working with him more. I hate how you never know how a thing’s going to go.
Here’s to the innumerable things about modern connected society that are the way they are, whether indirectly or directly, because of Kevin Mitnick.
I got into IT because of him mainly. When I was 12, where I was growing up I was the only one who knew what a computer is. I remember reading his story somewhere, then I got to my mom's computer at her office and read all I could find about his story.
I wrote "Free Kevin Mitnick!" with a black marker on my tshirt and was walking around my town proudly wearing it. Nobody understood anything about it but it made me feel like I was involved in some secret society.
Next year I convinced parents to pay for me learning QBasic (the only computer course in my town back then), and 3 years later I got into university on an Information Security specialization.
Some of my friends say that I was the reason why they got into IT. Well, I guess we all owe that to Kevin.
I talked to him in person once at a conference and was happy like a little puppy, but being socially awkward as I am I didn't tell him that he is my childhood hero. I hope now when he has transcended to the cloud, he has a bird's eye view on our realm and can see all the positive impact that he had had on my life and lives of people I've influenced...
I really enjoyed reading his book Ghost in the Wires. It is the story of Mitnick’s hacking career, from the start in his teens, through becoming the FBI’s most wanted hacker, to spending years in jail before finally being released. It’s a fascinating book that at times reads like a thriller. One of the things that struck me when reading it was how often he used social engineering to gain access to systems.
It's in my Amazon list and now I know why. I'm 34 and learned about phreaking well after it was a thing but it inspired me.
Now I'm a cybersecurity consultant (glorified sysadmin) making a nice salary but without any of the joy that was present in my 20s rebelling against my F100 company's IT policy. Installing Dokuwiki on a shadow server just to get shit done. Helping write a custom request system to get shit done. Consequences came after.
I'm not comparing myself to Mitnick, rest in peace, only reflecting on the passing of a titan before my prime that represents a moment in communication hacking that may never exist again.
> making a nice salary but without any of the joy that was present in my 20s rebelling against my F100 company's IT policy
You just hit it. That feeling. Me too, nowadays I mostly go through the motions. No enthusiasm, no joy, no interest, no energy... no "spark". Mitnick lived and shined at a time when showing off didn't just land you in jail. Until it did.
I feel you. I'm the security champion for my team. It's no joy and all paper pushing. Just the other day they handed over some systems to me... 20 open vulnerabilities and 6 missing assessments. Nobody gives a damn about security.
I wish I remembered which book I read about Mitnick (and others).
I developed a strong dislike for Mitnick, however. As others have said, he came across as an adolescent with an over-sized ego. More "Jackass" than "Silicon Valley". Although I'm sure he's not the only "hacker" for whom illegal entry into computer systems gave him a sense of self-importance.
No thanks.
Edit: yeah, probably was "Cyberpunk: Outlaws and Hackers on the Computer Frontier". I still don't think "bullshit artist" is something to aspire to.
I think it's more that he was one of the first/earliest to use technology to amplify his skills on a scale previously out of reach of most people. Coupled with the fact that he was way ahead of his opponents and a young man, it is quite understandable the path he took. No one is perfect, but don't let perfect be the enemy of good.
I think it was within reach of plenty of people but most people with that ability decided that breaking the law wasn't what they wanted to do with their lives.
Manipulating people is more interesting in some ways than exploiting a bit of badly written software because while I write terrible code all the time, I could fix it too but there's no patching our stupid stupid brains. We can try to be more careful, and avoid falling for things others have already, but the flaws are still there just waiting for the moment our guard is down.
Some human exploits can be patched, at least partially. 2FA with hardware authentication helps prevent people from leaking their own passwords and such. Phishing detectors help. Etc. I'm sad to admit my wife is better at this than me. Any time anyone she doesn't know tries to talk to her, she's quick to escape. I tend to try to politely decline, she just books it.
I met Kevin at a conference in Manchester where he cloned my HID access card and made an amazing demo of how easily this can get a company's workstations compromised with keyloggers. It was like watching a magician - he was a very skilled, funny, intelligent man with a wealth of knowledge. He gave me his business card (which is also a lock-picking kit) and I will treasure it.
Thanks for all you taught us Kevin, and thanks for being a beacon of curiosity and exploration.
Wow didn’t see that coming. I met him at a HOPE conference with Steve Wozniak. Followed him for years from hacker zine texts distributed on CDs back in the day. Wow that’s really sad what a fun guy he was. His social engineering book was pretty interesting. That OKI phone story was so fascinating I bought a couple to see if I could do it too, although by then 900MHz was phased out. This guy made a difference in my life how very strange
Just woke up my wife with a loud sigh.
I remember all my childhood friends pretending to be Zidane or Figo or Rivaldo. I always wanted to be Mitnick. Sucked at soccer but never stopped hacking. Holy f, he was so young. Out of all people I really hoped to meet him one day. The rockstar of my childhood. What a shitty day.
Having read and loved Ghost in the Wires, I felt a special bond with Kevin. I loved his antics combined with his fearless exploration of how everything around him works. I'm really sad reading of his death today. He was far too young.
My favorite story from the book is how he set up a computer to tail the logs of cell towers in his area for phone numbers matching the FBI agents assigned to his case so he would be alerted when they were on to him. Wow, that's bold! But also, reading that I realized how our society had allowed ourselves to be surrounded by tracking machines that the government could use to find us at any time, and man it was beautiful to see it turned back on them.
He was so meticulous in setting up new identities and moving to random places around the country to avoid the authorities. But would then log back into his previously compromised systems in a way that would expose his current geographic location. It always seemed like such a glaring hole in his otherwise well thought out personal opsec. I'm sure the story was more complicated than what appeared in the press at the time, or in the 2600 knock-off zines that were going around at the time, or in his books. It always confused me. I could never figure out if that was an oversight, or he just wasn't aware he was being watched.
I think I share similar pendulum-swinging feelings about km as other folks here, especially as his story unfolded across many different phases of my life: from adulation as a teen, to realizing that he was just another a*hole who would lie to your face to get what they want. Recently it has swung waaay back the other way -- especially as more of our access to customer service for critical aspects of our lives gets buried behind obstructionist systems -- to understanding that we always need people who can tear any system apart.
As an addendum... I think the term hacker should be handed to the sys admin who was instrumental in getting km located (if my foggy mind remembers correctly) by emailing logs or log stats to himself and noticing that the size was shrinking, so someone was deleting them -- that blew my mind at the time.
I believe that at first it was a game for him. Eventually he got tired of running, and this may have been a way of taunting his pursuers and forcing an end-game situation that he overestimated his chances against.
He was not prepared for four years of solitary and unconstitutional delaying of his trial. He did not ultimately have a game plan for what to do if his opponent cheated.
If the government had acted justly (that is, according to their own laws) he would have been found innocent and walked at his trial. However, the prosecutors lied, they cheated, corrupted the system they claimed to protect, and that was it. Game over, no redos.
Kevin is partially the reason I decided to work in information security. I remember reading his book, Art of Deception, and it gave a name to the skill I had practiced most of my childhood, social engineering. Later on in life I got to meet him and spent the first at least 2 hours of time in shock n awe. Afterwards, he was great to talk with and offered me his number if I ever needed another set of ears. Sadly I haven't talked with him since the pandemic, but he will forever be remembered.
I first learned about Mitnick on a network security course where we had to recreate the now iconic TCP spoofing attack he employed against Shimomura's X-Terminal [0].
I talked to Mitnick once on the phone. I was on a partyline back in the AIM days and a hacker friend of mine called him up. Kevin seemed very frustrated that he kept calling him. I was just dumbfounded I was actually on the phone with Kevin Mitnick so I didn't say anything. Was shocked and saddened to see this. Sorry about that night, Kevin. Rest in peace.
I snuck into a banking conference in Miami, Florida to meet Kevin. I forged my badge, using the previous year's design as inspiration. I got in, and met him, and gave him my badge.
He said "that's really cool" and signed a copy of Ghost in the Wires for me.
Kevin came to speak at CMU in the University Center. Maybe around 2003/2004. I recall it was standing room only. For me, it was like seeing your favorite action hero in real life. Yes he was convicted of some crimes, but he showed you could be redeemed and continue to live a good, fulfilling life educating others what not to do. RIP
The Cyberthief and the Samurai (along with a few other books like Snow Crash, Hackers, The Cuckoo's Egg etc.) were books that made a big impact on me earlier in my life. It wasn't as much about facts as much as about building a virtual map of the digital world in my head. This was before I had actual access to a fast internet connection.
I had a printout of the MIT guide to lock picking and used to try out stuff with some hand crafted "tools". I'd forgotten about Mitnick and later (probably via Slashdot) came across his site again and saw this https://www.mitnicksecurity.com/kevin-mitnicks-famous-lockpi... which suddenly brought back the same image I had formed about him. Playful to the extent of not caring, irreverent, and curious.
Sad to see. Pancreatic cancer is one of the scary ones, since there are so few symptoms before you hit stage 4.
For those who haven't seen it, Freedom Downtime is a movie by the 2600 gang which is mostly about Mitnick's imprisonment, and the whole Free Kevin movement.
(I wonder who wrote the obituary, it's especially wide-ranging, and poetic in parts.)
I can't say enough about how influential Kevin has been in every decade, continually staying at the head of the snake of hacking. I am so lucky not just for how he inspired me in my youth, but how he relit the fire of security paranoia in the last decade when I was fortunate to work for an organization he hacked (by contract).
All software engineers are now more vulnerable with Kevin gone. Stay paranoid friends, now more than ever.
I will always remember when the "Takedown" movie came out. I loved the original "Hackers" and couldn't wait for "Hackers 2" which was Takedown.
I had learned about Mitnick a few years prior to the movie and was fascinated by his life story and what he had done up to that point (including his "takedown" by the FBI). It's an understatement to say that his work, character and some sort of positive social manipulation put a great influence on my upbringing and later my professional career. Back then I enjoyed playing pranks with my friends and "hacking" them with all sorts of trojans and ejecting their CD roms :)
Pancreatic cancer really sucks. A friend of mine passed away from it a few months ago at the ripe old age of 25. She was first diagnosed with it at 20, beat it, and then nearly three years later it came back at stage 4. Like Kevin she also underwent a few different experimental treatments, the first of which worked remarkably well. (Until it didn't, which is typical of these treatments) A cure or effective treatment feels so close, and I'm sure if one comes soon I'll be having a bittersweet celebration.
I never did get to meet Kevin, but it's clear that I missed out on an amazing person. RIP Mr Mitnick.
It doesn’t matter who the Gerber Baby really is. Society has chosen to associate the Gerber Baby with certain attributes regardless of who the person behind the photo really is, and so it is with Kevin Mitnick. Mitnick, the real person, excelled at social engineering more than any other trait and was arguably subjected to malicious prosecution. But in his later years, there’s a lot of documentation online indicating that he didn’t live up to the myth that grew around him and he was not a pleasant person [1].
People here are mostly reminiscing about Mitnick--the myth, not the man.
I think we'd all be surprised to find out how many "legendary", "amazing", "revolutionary" famous people are not particularly pleasant. You don't achieve greatness by being a sweetheart.
[ftr, I have no idea what his demeanor was; like many, it's quite likely he softened over time.]
Regarding your source: People don't behave consistently all the time. There are probably people who have briefly met you when you were not in a good mood who would say that you are a jerk.
I don't really want to say bad things about someone I respect who just died, but the fact of the matter is that Kevin (especially when he was younger—he mellowed out later) really could be menacing. Combined with the compulsiveness of his nature, that could be unpleasant. It was as if he could not stop hacking and messing with people.
I remember reading Kevin Mitnick books in the early 2000s and it really opened my eyes about social engineering and how hacking is more than just cracking a code. Helped me become a better DevOps and Software Engineer.
Sad news. His biography/story "Ghost in the Wires" is one of the most amazing books I've ever read. I highly recommend it. The audiobook is read by Ray Porter and is gold. I'll be giving it a re-listen.
His books "The Art of {Deception,Invisibility,Intrusion}" are absolute bangers for most of the people here. Can't recommend enough
This is really sad. I can't overstate the impact Kevin had on my life. The world is suddenly less interesting and less secure and my heart goes out to family and friends. Rest in peace, Kevin.
RIP. Same here, I read the whole book on a Sony Ericsson W810i Walkman cell phone in high school. The phone I read it on had a 176x220 pixels tiny little screen. Book was captivating.
This is triggering real crying and emotional breakdown. Mitnick was a friend I never had. An older brother or cool guy that sparked inspiration. Such a strange feeling to be so sad about a person I never met. Like losing a friend. He had such an influence on my life. Hits close to home.
When I was 16 years old, I started a 2600 meeting at a local mall food court. We joined in the 'Free Mitnick' movement, and would go around handing out flyers, explaining the implications of his case, peppering the place with stickers, putting them in copies of 2600 in Barnes & Noble and Borders. His case was an inspiration to a budding little hacker and taught me to become more idealistic and push for legal reforms and the rights of people who were punished far more than they deserved. Later in life I got to meet him at hacker conventions, and he was a super nice guy. I even got one of his lock-pick-set business cards! I know he's somewhat of a controversial figure, but he was also inspirational.
The authorities' obsession with Mitnick was because John Markoff and the New York Times made the public believe that hackers were effectively in control of everything and could go as far as starting WW3 by hacking into NORAD and other similar caliber BS that never happened.
Wow, this is seriously upsetting. The fact that so many people are dying of pancreatic cancer is very, very scary to me, and it's so many young people at this point.
It's one of the few that's still difficult to detect, and by the time you show symptoms you are basically stage 4... it's treatable if you catch it early, but therein lies the problem; My grandfather passed away from it.
I'm sorry to hear that, someone I knew closely died of pancreatic cancer and died 6 weeks after diagnosis which is why it scares me so much. Did your grandfather smoke, or drink a lot of alcohol? Or drink a lot of tea or coffee?
Yeah he smoked a tobacco pipe, as grandpas do, but didn't drink a lot and was in relatively great physical health for his age before that. He was 70. This was in 2000.
He lived about a year after his diagnosis, which occurred when he was jaundiced. His health / quality of life was ok after, some weeks were good, some were bad, but yeah it was stage 4 when they caught it, and there is / was only so much you can do, especially 23 years ago.
Fun Fact: He worked on the Univac! Spent his career with Unisys afterward.
When I was 13 I printed out “FREE KEVIN” stickers and stuck them all over the locker room of my school. …kind of a weird thing to do in Australia back then.
I read his book when I was younger... And at DEFCON 19 I got selected to get paired with a celebrity hacker in the 10,000 cent hacker pyramid. I ended up getting paired with Kevin Mitnick & we played against Dan Kaminsky. It was a really cool experience & even though Kaminsky went on to win... It was a ton of fun and Kevin was a really cool guy.
Fuck man, this hit me hard and unexpected. Ghost in the Wires was one of my favorite books. Was fun to read about a true hacker, definitely inspired me. He was too young.
Can’t believe there is no black banner. This is hackernews.
I also can't find mention of him having pancreatic cancer, but that's not necessarily a confirmation of anything. He certainly could have kept it private.
Mitnick was a warrior battling giant corps alone. I believe he did that only because he could, but that does not take away the merit of one guy being able to outweigh the whole industry.
OMG! This is so sad. I read about Kevin a lot and read the book, "The Art of Deception" during my teen years and was fascinated by how interesting social engineering was. Once I got into college, I got busy and never followed him anymore. I recently read about him in some random article and then I read about him now. I opened HN to see the black band on top and was worried to know who it could be and turns out, it was Kevin.
I will by no means say that I followed or knew him. But the name was familiar and I suddenly remembered who he was and that I had his book on my wishlist for christmas. Sorry to hear about the loss.
I do like some of his approaches to life. There are some similarities between him and Richard Feynman.
Who comes to mind if I would like to follow some still living people that have this rebellious, "joie de vivre" way of life?
My first memory of Mitnick was a very early web viral 8bit sound file (ADPCM if memory serves) that was purported to be Mitnick (it turned out later to not be Mitnick); "I know sendmail technique. ...". I can still hear it in my head today. I got my start into infosec working as an admin at my university; trying to keep on top of students being naughty was a good introduction.
Takedown was my favorite movie as a kid. It influenced me a lot. In Brazil it is not common to have a bathtub in your bathroom; we used suicide showers (a term that I recently learned on YouTube). Anyway, the image of Mitnick hacking in the tub on his laptop resonated with me; I thought it was the coolest thing ever.
Many, many years ago, during my undergraduate days, I used to study "Art of Deception" and wanted to become a security hacker one day.
Now my topic of interest has shifted. Nevertheless, that book still reminds me that the human is still the weakest link in the security chain. You don't have to be super smart in exploiting code.
So many memories from way back, reading up on his story (and stories), reading his books, watching "Takedown" over and over again ...
No matter how polarising he was, his influence in the field and in leading many young people to get into computers and turn that into a career is unquestionable, imho.
I missed meeting Kevin Mitnick at the infamous HOPE 2006 conference where he was set to speak, but he was waylaid by something or other and he landed in the hospital. His reputation was still a presence through those few days though, just a few short years after his release from prison.
His recent enterprise, KnowBe4, was doing security training for companies, trying to make the internet safer! So you could say we're less safe with him gone :(
He was kind of a role model for me. I was inspired by the way he saw the world: in everything he was able to see holes and flaws and how to exploit them, where "normal" people just don't think about it.
for those of us who grew up without a father, as technologists, especially in the 90's and early 2000's, kevin mitnick was something of a guiding light.
he gave us permission to explore the darker underbelly of technology and was emblematic of a freer (free as in freedom) time on the internet. yes, he was a convicted criminal, but he was also a complex character who loved to solve puzzles and his competitive nature ultimately drove his work.
the famous story of the fbi showing up at his house and kevin saying, "no problem, I'll report to the fbi office tomorrow"... yeah, that didn't work, but he was the type to try and that was beautiful.
I'll go in tomorrow and update our August KnowBe4 training deployment for August to be a couple of his modules. Our users won't know, and I guess he won't either, but cancer sucks and it'll make me happy to do it.
KnowBe4 is the bane of my work existence. It's honestly the worst thing about my job, having to take their courses. It's too bad Mitnick sold out to Scientologists (KnowBe4), but I guess he had to cash in somehow. It kind of upsets me that I'm forced to watch Mitnick's videos about social engineering, considering his own nefarious use of the tricks he's teaching people to avoid. I mean, I guess learn from an expert? That service just rubs me the wrong way, maybe it's the scientologists that run it.
Well I’m crying. Kevin was my hero for so many years growing up and inspired me to do nearly everything I’ve done. I met him at The Last HOPE so many years ago and I feel so privileged for that opportunity.
Man, fuck cancer. He still was young, and his wife is pregnant. I remember as a kid reading about his exploits, and how much that influenced my career choice and interest in computers.
Rip. I've read Art of Deception in high school and I think it had a lasting influence on me. It reads like a collection of interesting stories. I recommend that book to everyone, especially to people outside of tech.
He was the person I associated the word hacker with, when I came across his name back in 2003 as a kid when I was searching for 'top hackers in the world'. (Google was functional back then...).
I'm assuming you know something I don't (about who Roxy is), but it's entirely possible to have a brother-in-law married to someone that is not your sister.
Feel bad for the unborn child that will have to be raised without a father because his parents decided selfishly to conceive him or her due to illness.
Rest in peace. Like many others here, Mitnick was an inspiration to me when I was younger, believe he truly embodied the hacker ethos. “Ghost in the wires” is a fantastic and fun read.
He was expecting his first child at 59/60 which is awesome especially those 10 to 15 years younger or so who like to still also, yet he dies before his child was born. Heartbreaking!
All my immediate family is very young so I always thought 50 was old. Then I lost a stepfather to cancer when he was in his 50’s. I couldn’t believe it, he was so young.
I never met him but his books and anecdotes fueled the mind of a young me. All I wanted was to be a hacker like him. Rest in peace Mr Mitnick. You’ll be missed.
Recently re-discovered him due to a Business Wars podcast episode on him. The dude deserves his own movie. Not a nice way to go but he'll surely be remembered.
RIP ... absolutely opened my eyes as a kid ... tonight, I'm going to dig out the old 30 threadbare paperback about hackers where I first learned of him.
I met Kevin in Chicago when he was hired to speak at a bank event that a friend got me into. His presentation was world class. He was quite a guy. Rest in peace.
What a legend. I remember reading text files about his lore in my early days of exploring the web and being absolutely captivated by it all. Rest easy, Kevin
Super influential in my life at the end of the 90s. If you work in the security branch and had to stay alert at Christmas because hackers love to hack during Christmas, he was the main person responsible for this tradition. Fuck, how thrilled I was when I first watched some video of his telnet hacking sessions, back in the day... Resist in Peace (RIP)
He left us too soon. Does anyone else see a correlation of pancreatic cancer and our industry? It feels as if there's something about our profession. Steve Jobs, Randy Pausch, Now Mitnick? I've also had two coworkers who died of kidney/pancreatic cancer.
Beyond that I remember reading about him in 2600 and my mind being blown. He definitely helped leave the world we live in better than when he found it.
From Wikipedia: "Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private emails." - what a nice guy he was.
Taking a detour from the current thread, this sad news about Kevin Mitnick serves as a poignant reminder of the impermanence of life, but also of the value of vigilance. It's a note to all of us about the importance of our health. Remember, routine health checkups, especially as we age, can have a significant impact on our wellbeing.
Cancer, if detected early, does not have to be a death sentence. In fact, many forms of cancer are treatable and even curable if caught in their initial stages. Our advancements in medical science and technology have indeed made it possible. Yet, they can only do so much if we, as individuals, do not take the responsibility of regularly visiting our doctors.
What a great idea. He was part of the hacker subculture - regardless of what your opinion of him or his abilities is. This made me think of the takedown.com telnet transcripts - what a blast from the past.
Really sad day, RIP - will definitely have a drink for him tonight.
As one of the people whose credit card number was stolen from Netcom, I would strongly object to this. I'm not here to speak poorly of the dead, but I'm definitely here to judge those who think too highly of him.
It isn’t about thinking highly of him. His impact on security is well documented and very extensive. The black banner is used for honoring notable technologists who pass away. Regardless of personal thoughts, he was a very notable technologist and sort of first famous social engineer.
But he wasn't a first famous social engineer. That was extremely old hat by then.
People keep claiming he is a notable technologist, but I can't think of how. The Internet and other systems had intrinsic design flaws in the early days because it was birthed as an overly trusted network of well-known peers. Poking for flaws in those days didn't require any skill. The Morris worm, for example, was extremely skillful.
My biggest exposure to anything related to him is KnowBe4 and it is an utter piece of crap. It provides training modules that have no idea who their audience is so it veers wildly between terrible advice and overly technical advice, alongside the correct advice.
And lastly, and I mean this sincerely, my condolences to his family and friends. No one should have to go through this so young.
As someone too young to have a credit card in 1995, I’m curious: was its theft more of a “big deal” back then?
My Amex account number was stolen a month ago. It took me three minutes on the call with a rep to get it locked + a new card issued. I think I spent more time and effort on the phone with my dentist later that week.
Credit card number theft isn't so bad today. Having someone cash a fake check from your bank account is another story. You need to close the whole account and lose all your bill pay stuff. All the regular incoming transfers (VA, pensions, etc) have to be updated to a new account. Some of those take up to 45 days to change over. You also have to send a notarized document that the check wasn't from you to the bank and wait for them to restore the funds.
Source: Someone cashed a fake check against my terminally ill father's People's Bank checking account this year and it was a couple months of work to deal with the fallout. Faking a check is absurdly easy and US banks kinda suck at dealing with it.
Yes. People were afraid to put their credit card into early websites because they were afraid of theft. It took decades to convince people it was 'safe'. Only thing that makes it safe these days is the fact that now credit card companies won't hold you responsible for the theft. That theft is then offset and socialized by the insanely high APYs.
I just have to log into my online banking app, click on the credit card, and then slide a lock switch from left to right. A prompt comes up whether I'd like to report it lost or stolen too. If it's just misplaced, I don't have to bother.
Are you asking if I lost money or was inconvenienced when someone stole my personal info? If I steal your medical records, are you only victimized if I share them?
It's almost always an inconvenience, and doesn't cost you a thing. They refund the fraud, and send a new card. You might have to fill out some paperwork.
I'm sorry to hear that you suffered from the event, and although I'm sure you're not the only one with a negative experience, I do think the positive experiences people had from interacting/watching/hearing/meeting/reading Mitnick outweigh the negative ones.
What greedy executives? This was the early days of the Internet and there was tons of competition. And yes, OF COURSE IT WAS MITNICK'S FAULT. Why in 2023 would you even think of blaming the victim?
Absolutely. This is "hacker" news after all, and if there ever was one it was him. You don't have to think highly of him, but Mitnick was an institution.
I am going to swim against the current and ask that you please not do this. His crimes weren't victimless and his actions hurt real people. While I think pancreatic cancer is a terrible thing to die from, and while I feel for his loved ones, HN's black banner is a mark of honor, and that is not something I think he earned.
The company running this website was cofounded by the man who wrote the first internet worm, there's a chapter about rtm and pg in some of the same books that talk about Mitnick.
He certainly was an interesting person. It was always amazing the degree to which law enforcement prosecuted his hacking and cracking, when it seems like much more impactful crimes involving computers go uninvestigated. Plenty of people are hounded by threats of violence into leaving their jobs and homes, that seems far more impactful than Mitnick's crimes.
And FYI, while he died unexpectedly young, a 57-year-old man in the US has only a 50% chance of living to see their child reach 23 years of age. I, personally, wouldn't feel comfortable risking leaving a child with a likelihood of dealing with my death at that relatively young age.
Everything is high school. A rebel thumbing their nose at the system must be punished, while the conventionally corrupt deserve the benefit of the doubt.
Wow, this comment is the most profound thing I've read in a while on HN. I find myself a) intuitively agreeing and b) trying to pick it apart. Society as a whole seems to have a very complicated love/hate relationship with rebellion and rebels. But with Mitnick it's like he personified Chaos vs law enforcement's Order in an almost mythological, Jungian sense that goes beyond any utilitarian justification.
That's very specific to US society. Authorities treat computer intrusion more seriously than many violent crimes because it can affect companies and the government.
Companies and the government can spy on people all they want (see Snowden) but the reverse is punished severely (see Assange)
Reading between the lines of the article he battled cancer for 14 months, but his wife is currently pregnant with their first kid. So they chose to have a kid knowing he was a 57 year old with an aggressive form of cancer.
Well just doing the math, they must have conceived after his diagnosis, so presumably that was baked in sadly just knowing the actuarials on pancreatic cancer.
>And FYI, while he died unexpectedly young, a 57-year-old man in the US has only a 50% chance of living to see their child reach 23 years of age. I, personally, wouldn't feel comfortable risking leaving a child with a likelihood of dealing with my death at that relatively young age.
To me it seems more like he wanted to have a child with his wife before he passed so they planned it out so it would happen.
I think it's pretty amazing to be 57 and expecting a child. I'd be thrilled. I'm 54 no kids and I wish I could have a great relationship with a woman that is so good we had a child. Seeing how sick he was and sterility is a possibility from cancer drugs I think Kevin would be thrilled about the child as anyone would be.
None of the commenters expressing this bullshit sentiment will provide their children with 1% of the education, health, freedom, security, etc that Mitnick will have left for his child. We struggle our whole lives to provide, it looks like he already assured that for his family, even into perpetuity if managed well.
It's not like he gave himself cancer on purpose and chose to leave a child with nothing out of spite. He played the hand he was dealt, it seems.
"Mitnick has filed a 13G form with the Securities and Exchange Commission (SEC) disclosing ownership of 9,379,829 shares of KnowBe4, Inc. Class A (KNBE). This represents 6.9 percent ownership of the company. "
" companies announced on Wednesday that they have entered into a definitive agreement, with KnowBe4 stockholders set to receive $24.90 per share in cash, "
"Vista Equity Partners to Acquire Security Awareness Training Firm KnowBe4 for $4.6B"
He decided to have a child knowing that an average man had decent chance he would be dead before they entered college. Being in remission from one of the more deadly and rapid forms of cancer meant he knew or should have known that the child would likely grow up without a father. That does not seem like support to me.
And Warren Buffett will tell you that you want to give your kids enough money so that they can do anything, not so much that they can do nothing. Have you spent time around kids who know they will be millionaires when they grow up? Really messes with your head. A buddy of mine was supported by his parents as an expat in a resort city and ended up brutally murdering his dad after they clashed about money.
And FWIW, I will be able to give my kid enough money to do anything, have been carefully developing his mental and physical aspects, travel abroad, language immersion, etc. So your attack is inaccurate in my case.
I'm not trying to attack you, just the idea. (I saw the same sentiment from several commenters) I'm just saying I strongly disagree with publicly questioning a dead man's decision to have kids when the kid still has at least one parent and financial stability. There's plenty worse you can do and not a lot better. If he'd lived to 80 would it have been "perfect"? We can't all achieve perfection.
It's virtually always impossible for almost everyone to be able to simultaneously 1] have kids while you're still young 2] wait until you have "enough" money.
Warren Buffett's quote doesn't make sense, because both "anything" and "nothing" are relative. You can "do nothing" with extraordinarily little money. You can also not be able to do "anything" even with billions of dollars (start an asteroid mining company?).
If you give your kids the moon, you just have to make sure they still have motivation and character, it's still possible. Not everyone who inherits money is a layabout.
I can stop now though, I think we just fundamentally have different opinions on this and probably won't budge much.
We don't live in an ideal world. That doesn't mean it's not worth living in.
The man didn't hang himself, he got a case of severe bad luck. I'm sure he'd be here doing the father figure stuff if he could, but if he can't, that doesn't mean the kid shouldn't have been created, and really, that's their family's own personal decision to make.
Ultimately, he did a good job for his family and the kid will be fine.
People shitting on him on the day he died for choosing to have a kid that he leaves very well taken care of just seems wrong in several different ways.
I mean, we could all be at work trying to provide for our theoretical kids right now and we're sitting here saying dumb shit on the internet instead.
That's interesting that people felt it worth the time to email.
I think what's going on here is that some people (myself included) find it extraordinarily offensive to question someone's right to procreate, whether they're "good enough" by some metric to have done so. Are you young enough, rich enough, smart enough, tall enough, moral enough, etc.
Of course, the offense can be a combination of being offended on behalf (of Mitnick in this case), and also projecting (what if we lived in a world where people questioned whether I should have children for reasons of age, wealth ... or worse reasons.)
I think we live in a world where we need all kinds of people from all kinds of parents; when we start to pick at who "should" have children, we risk losing something.
I'm sorry you've gone through such distressing experiences and definitely don't want to add to the distress, but I also don't want replies from HN commenters to add to it unintentionally.
> Having been threatened with murder and then blackmailed, with zero consequence to the perpetrators, I have first hand experience dealing with such corruption.
Care to elaborate? This sounds like something too heavy to leave behind as a remark on a comment.
Just FYI, I don't think the other user was trolling. HN has a certain number of commenters coming from (let's say) distressed points of view. One can sometimes guess at this from the comment history. I don't mean to single anyone out, just to say that it's a regular if not a common pattern. It's not always easy to find a compassionate way to handle it but I think it's important to try.
I wasn't trolling and no one needs to treat me extra compassionately. I can cope just fine with reality. It's most folks who deny reality in order to remain sane and low in stress.
The world has some primordial evils in it. Only when you fall into a honey pot of the state, will you understand the level of evil and malevolence that exists as part of rule, law, and order.
The death and destruction isn't contained in neat bows, it happens on US soil in disturbing ways.
I am not special in any regard, I just have seen more than most. Enjoy the ride and don't forget that most outlier statistics aren't anomalous accidents, they are symptoms of a process that is subtle.
To be candid; fuck this narrative. Nobody "Beats" cancer based on sheer will. Same scenario as those that did not "Fight hard enough". It's a disease. It does not care about your wants, and needs.
I agree, this is a common narrative, that does a disservice for people that actually are consumed by the disease in the expected timeframe as if they weren't willing to fight it with sheer will.
I knew a guy who was diagnosed with stomach cancer at 27 years old. Never had a health problem in his life, he didn't even know how insurance worked yet. It was late stage and he was given 6 months to live. He was recently engaged before that and they moved their wedding up to 3 months away in order to have it before he passed. But he was gone from us just 6 weeks after the original diagnosis. He fought like hell to survive. He had every reason to. He was diligent with everything the doctors told him and he was gone within weeks despite being given months.
Cancer is horrible and it is unpredictable by its very nature. Cancer is literally at its definition a collection of unpredictable mutated cells. That's why it is so hard for doctors to estimate or predict. It is unpredictable. Sometimes the unpredictability works in your favor and sometimes it works against you. But cancer cells do not listen to willpower, despite the common narrative. The reality is it is good and bad luck that often determines your fate.
As a secondary anecdote. I have a friend whose mom had skin cancer, a small patch the size of a dime on her hip. Skin cancer is generally incredibly survivable and low risk (in the world of cancers). She had it removed as a simple procedure and thought she was fine. 3 months later she started having periods of confusion or getting lost doing simple things like going to the store for milk, she would end up gone for hours and hours forgetting why she even left the house and ending up on the other side of town. It turns out it spread to her brain and she died just 10 days after that first episode. Cancer is brutal.
> He was diligent with everything the doctors told him
I know I am going to be hated for this comment, but... Given my own experience with the medical system, I can't resist and state the (for me) obvious: Maybe that was the reason for him to pass so early...
(To put my comment in context, I was abused for a medical experiment by a high ranking doctor at the age of 7, and am 100% blind since then.)
I expected nothing else but downvotes. It is pretty representative for the times that people cannot stand viewpoints which do not align with their own.
And no, I am not going to post my personal medical history on HN in detail. My short description of the incident is already personal enough. Besides, what would that help? Everyone picks their own convenient opinion these days, all that can come out of this is that people publicly will doubt my personal experience, which is not useful for anyone.
My takeaways from that article are these important criticisms:
- Correlation is not causation: A medical error followed by a death does not imply the medical error caused the death
- The study that claim is based on (BMJ analysis) suggests that 62% of US hospital deaths are caused by medical errors. Which seems hard to believe, especially having similar studies instead suggesting a 3.6% in UK, 4.6% in Norway, and 5% in a meta study
- Experts do not agree which facts are medical errors
Most (All?) other claims were about high uncertainty. Small Ns and possible biases in the samples, many obvious and others even irrelevant criticisms
---
There's still a lot of uncertainty, even in the criticisms.
I think they could have easily made estimations with the UK, Norway and meta study hospital data to have a minimum estimate of medical errors to counter BMJ analysis with a more reasonable number.
We really should calculate more and talk less (I am already sinning with this comment --_(=/)_--)
I am aware how dangerous it is to completely and utterly give oneself up to the medical system. Those without experience don't want to believe this for the sake of their own feeling of comfort and safety.
> And no, I am not going to post my personal medical history on HN
I understand. I hope my request to learn more came across as polite to you. The reason for asking was to understand more about the motivations and beliefs / experiences behind your comment.
> Everyone picks their own convenient opinion these days, all that can come out of this is that people publicly will doubt my personal experience, which is not useful for anyone.
I like to think HN is a forum where this is less likely, or where poor responses are flagged or downvoted, but of course I've seen it here too, and I understand your caution.
I believe the comment you are replying to is sincere.
Not everyone is “picking their own convenient opinion”. There are good people in this world that just want the best for others. I think that may be the case here.
Every type of cancer is different. I think that if you're young enough and lucky enough to have avoided close dealings with terminal cancer, you might be fooled into thinking that there are all kinds of new treatments that can cure you if you get diagnosed. But what you eventually realise is that every cancer is different. Some are treatable, and others are extremely aggressive and don't respond to anything. My sister's ovarian cancer made itself known in March, was officially diagnosed in early April and she was gone by September. It did not slow down for anything. On the other hand an old boss of mine was diagnosed with terminal colon cancer and lived 4 years, eventually choosing to end his treatment because he'd just be dragging out a final two painful weeks into 6 painful months. And then there are the lucky ones that get a lump removed and never hear from it again.
Parent was not saying that Kevin Mitnick made himself better with sheer will, rather that he was enabled by his personality and wealth to obtain experimental and/or risky treatments that turned out to improve his condition.
The thing is even that is speculative. You cannot know that these treatments specifically worked better. These are things we can only assess via statistics on more than a single patient.
I.e., x% more patients survive after n years while using this or this treatment. And the same treatment could increase odds of dying sooner from another disease out of scope of the research years later.
The way I read u/ecohen16's telling is that Mitnick first beat apathy and bureaucracy just to have a shot at mitigating a disease, thereby postponed the inevitable.
I've lived it. Late 80s, I had a terminal diagnosis. Lucky me, my doc found a clinical trial, and fought like hell to get my HMO to pay. Justification was for org to use me to learn about emerging treatment (stem cell transplant is current variation).
A few years ago, my buddy got a terminal diagnosis. Apparent chronic sports related injury turned out to be a late stage tumor, which had spread. Prognosis was 3 - 6 months. None of his care providers were interested in escalating, only talking about palliative care and hospice. He did exactly as Mitnick. Managed to get enrolled in a clinical trial using immunotherapy for his precise diagnosis. Timing wise, a few weeks either way and he'd be dead. Dumb luck.
I can give a few more examples. (And 100s of counter examples.)
Do patients beat cancer?
Of course not. Among the survivors I know, disease (like cancer) is part of life and you deal with it. Or not.
But, sometimes, if we're really stubborn, and have sufficient resources and support and dumb luck, we can do things to live a little bit longer.
> that did not "Fight hard enough"
Sometimes the patient, family, and especially the care providers don't fight hard enough. For all sorts of reasons. Probably because awareness of mortality made humans neurotic and we're all just winging it. Probably because everything is Russian dolls of triage.
Anyway, it's just a metaphor. Choose the one that works for you.
Just like I refuse to victim blame/shame, I'm not going to judge another person's coping mechanisms.
People with a lot of money can "fight," at least in terms of throwing everything medical science has to offer at it. I suspect that's where the narrative originated, then took on the mythos that it was somehow sheer will.
Meanwhile, the rest of us ride on pure luck as we watch cancer destroy our loved ones. They gave my dad a month with a glial blastoma. He lasted about 6, most of which the dad I knew was not present for. Tbfh, I feel like he would have rather gone quick, not enduring the twisted shit we watched him go through.
Whether it would be too late to do anything after getting the diagnosis is another question. Studies that look at sun exposure over time and mortality (e.g. Lindqvist's studies) show that it takes decades of sun exposure to lower the mortality risk by this amount.
Any doctor will tell you that mentality is incredibly important in fighting (yes, fighting) diseases.
It is well known that your psychological state influences the immune system a lot, and even from anecdata, you can see that people rapidly deteriorate when they give up. It is not a coincidence all these terms are used.
Can all cancers be beaten by sheer will? Of course not.
> It is well known that your psychological state influences the immune system a lot, and even from anecdata, you can see that people rapidly deteriorate when they give up. It is not a coincidence all these terms are used.
Brief naturalistic stressors (such as exams) tended to suppress cellular immunity while preserving humoral immunity. Chronic stressors were associated with suppression of both cellular and humoral measures
The more a stressor deviated from those parameters by becoming more chronic, however, the more components of the immune system were affected in a potentially detrimental way.
wrong. this would be correct if doctors gave you perfect instructions as a rule. but doctors don't care about maximizing the probability of good health or long lifespan. they only care whether your outcomes are up to the standard defined by the medical establishment and the expectations of laypeople. as long as your doctor meets those standards, they won't be sued, lose their practice, be fined or suffer an insult to their high status. so often there are better treatments and overlooked treatments that got lost in that incentive scheme. patients who are proactive and singleminded will definitely do better with all illnesses including cancer. never understood this until I saw both my parents through cancer. but by far the biggest advantage is to have advocates, family with you at all times, especially in the hospital.
Let's put it that way, the will is never sheer. Looks like the will pushed Kevin to deal with it and relentlessly look for solutions (and put his money to use) instead of succumbing to it. If so, then in the end obviously it's his will that helped him score a win against cancer.
We just say these types of things because it makes us feel better. And that's OK. I don't think anyone accuses someone who dies of "not fighting hard enough".
I think we should have a link that isn't totally broken. I guess a lot of people here read the headline and came to comment and share some anecdotes, which is totally fine. But the link is broken, so we should at least fix that. Here are a couple of alternatives:
Passive voice, better title is Kevin Mitnick died, or passed away, sugar coat it like he never did if you want, we all know what it means. I suddenly feel bad for him, though. He deserved the black ribbon.
If you and your wife really love each other and your wife really wants to have a piece of the love you had in the form of another family member, why not?
Is the submission for someone who just died the right place to write something you already know is harsh? Considering the kind of person Kevin was, I'm sure a bunch of his friends are on here, reading these very comments so maybe just a tiny bit of respect would be suitable.
It’s the age old issue if someone can’t understand something therefore there can be no understanding in it.
While many people are remembering the Free Kevin phenomenon, the random places the t-shirts would appear for years.. like other things Kevin appeared to do - it’s a decision that’s entirely Kevin and his wife’s business, and they seem more than capable of it.
He hasn't been a criminal for a very long time. He more than paid his dues as well when he was unconstitutionally held in solitary confinement without bail. Reducing a man who has done so much to something so trivial as this reflects poorly on you alone.
No disrespect to the dead, but I always thought he kind of lived in a lame timeframe. It used to be a lot easier to do what he did. If you check the terminal logs, he was a script kiddie at best (I know he's more famous for the social engineering). How many CVEs did Mitnick have to his name..? (AFAIK, zero)
Anyway, I'm prepared to get some downvotes but do check out the logs. It's pretty entertaining regardless.
Serious question: why revere Mitnick, but not someone like SBF? Mitnick is admired for his technical skill and social engineering prowess, but the same argument could be made that SBF is also exceptional in this regard on an even larger scale. Both are (alleged) criminals. Genuinely curious what makes Mitnick morally good in the eyes of HN. Was it his redemption arc as a “white hat”?
The term "hacker" describes someone skilled at tricking systems into doing what they can't. Mitnick was not only one of the first popular hackers, he also had many famous exploits. His arrest was a major rallying cry for the hacker community at large (now known as the overly corporate "infosec community"). There's no redemption arc. You do not need to do what society considers "good" to be considered righteous.
There's no such thing as objective moral and ethical good. To me, Mitnick is a hero deserving of the highest praise. He inspired myself and many others to get started in this world. It may be difficult to understand if you didn't come into computers in the late 80s/90s.
On one hand you assert there’s no such thing as moral good, yet you describe him as righteous? That word is a superlative for “good” steeped in religious tones!
Anyway, I suppose you could make the case that Mitnick was taking on “the Man” which is more utilitarian, but that’s a bit anemic imo.
Just because a large number of people agree something is bad does not make it objective.
You can of course pick examples 99% of people agree with. Hitler is bad, killing kids is wrong, beating your wife is bad, Mao killed millions, Stalin killed millions, etc. This still doesn't make these objective. Just agreed upon. An objective system is one in which there is no other possible answer. I am sure we can find at least one person for each example of these whose moral and ethical system is consistent with the tyrant's behavior. It runs afoul of society at large and generally how we expect people to behave. But it is still subjective. Whether it deserves respect is what I think you are conflating objectivity with.
Take a less inflammatory (but still inflammatory) example: dropping the nuke on Japan. Was that evil? On one hand it's true it killed hundreds of thousands of innocent lives. However, on the other hand it stopped an unnecessary blood bath that could've killed millions more. You would be neither right, nor wrong, if your moral and ethical system agreed or disagreed with this behavior. For you and me we have the upside of hindsight to make a final call.
All right and wrong is dictated by a moral and ethical system. What I consider wrong is my subjective view of morality and ethics. Just because society often agrees with me because I am a polite member of society does not suddenly make it objective. Society has a commonly agreed upon moral and ethical system but it does not make it right for every single case. If you really wanted to corner me you'd have brought up abortion. But, in fact, abortion is the perfect example of a subjective interpretation of morality and ethics. What a religious person might refer to as the laws of man. In the case of Kevin Mitnick, I do not see him as a criminal. I see him as a victim of a system that failed to understand computers. You may disagree. Your opinion is as valid as mine. But to drive home what we've talked about, the hacker community at large has a moral and ethical framework consistent with Mitnick's behavior. That makes you the odd man out.
Yes, generally it's the legal system we live under. When you boil it down laws are technically just an encapsulation of the larger view society takes on issues of morality.
Now, you may not agree with every law. I don't. But I think most people would agree stealing, killing, etc are bad. This is sort of what I was getting at with a commonly agreed upon moral and ethical framework. People expect you not to kill them, or steal from them, or whatever else. If someone killed your son/daughter/wife/husband/etc your framework might justify seeking revenge. You'd run afoul of society's agreed upon framework but consistent in your own. Does that make you evil? Not necessarily. Perhaps society would think you are though. It's interesting when you think about things that way. How far afoul of the agreed upon framework can you run before you end up having more people hate you than love you.
Thanks for the response, it is more than my facetious remark deserved! I don't particularly disagree with you, I was mostly observing (pedantically once again) that "commonly" is a bit of a stretch there; I think it would perhaps be more accurate to say that a society has a sort of skeleton or high-level overview of a moral & ethical system that is broadly agreed upon.
Mitnick was not just skilled, he was creative, pushed things too far, and the internet rallied around him nonetheless. He went after corporations that people didn't like, even if he did it for personal gain.
SBF seems like an average white collar criminal next to Mitnick. He wanted to become those big corporations with their names on stadiums.
Yeah, this makes sense. Wasn’t super familiar with the target of Mitnick’s hacks but looks like mostly monopolies like Pac Bell and government. SBF was also “hacking” SV investors and politicians, but probably inflicted more collateral damage on the little guy.
SBF wasn't anything new, just the latest in a long line of scammers and frauds. Mitnick, for all of his faults, inspired a generation of people to poke and prod at technology and opened their eyes to the ways in which it could be used (and abused). Also, I don't think many people consider him "morally good". Definitely a "morally gray" character more than anything.
Mitnick wasn't malicious, more curious. He tried things, some of which shouldn't be tried, because it was illegal.
He also educated the entire industry on how it works. Most people today show off that they're a security consultant but they haven't really had any experience breaking into things, and a lot of the advice is impractical. Like everyone knows that MD5 is insecure, but who's going to actually use it as an attack vector? Mitnick does the attack and then documents it. Some people claim he made stuff up, but even having the kind of imagination to make up these scenarios puts him above many security experts.
Mitnick didn't steal anything except source code. He didn't do anything that was truly reprehensible. I feel it's premature to comment on SBF. He hasn't even been tried yet.
https://archive.ph/13uNy