mcfunley 10 hours ago [-]
I worked at a company that had hired Mitnick as a security consultant.
His report for a client that turned out to have been rife with SQL injection at the time was largely movie plot physical security stuff. Not wrong exactly, but not the center mass of the threat model they needed either.
He seemed to lack systems thinking, producing a report that focused on calling out specific employees as dumb or incompetent. Counterproductive at best. It seemed like his PR exceeded his utility by a great deal.
That trend continues beyond the grave, maybe.
skeaker 9 hours ago [-]
In all fairness, a genuine attacker WILL be abrasive and abusive. They WILL single out employees that are gullible and exploit them. It's not pretty because a genuine attack is not pretty. Of course a simulated attack will be indecent and discourteous in nature, that is how attacks are.
wjnc 4 hours ago [-]
Yeah, this is a part about itsec I don’t understand in my firm. They run social engineering tests, but never notify management when individuals fail, only in general terms. While being psyopped needs to be actively discussed among coworkers imho.
dmos62 3 hours ago [-]
That's because susceptibility to attacks is a question of training. What would the goal of placing individual blame be? Shame? Drive them to seek training outside work? Further, if you periodically single out people, the organization will hate you.
wjnc 25 minutes ago [-]
“Shame” is a big word. I wouldn’t shame a member of my team. Why would I!? They are great people. Same with “blame”. Everyone faults, everyone can be blamed something. That doesn’t change the basics of a person.
Giving people a chance to discuss, as adults and professionals, how they got sniped beats any second hand training and experience by miles.
Now we get to hear that x% of a sample failed including #y elevated privileges people. How will somewhat naive management handle that?
Sometimes I get a feeling many HN-ers work in ultra toxic environments. HR is not your friend, your manager is there to screw you over and the firm will fire you for pennies. That’s just not my experience in working.
dmos62 4 minutes ago [-]
Selective training makes sense. But, I heard a pentest professional provide this counter-argument: if you tell management which individuals failed the test, even if your intention is to provide those people with the training they lack, the management might, due to ignorance, shift blame for suboptimal security on those people, label them as lazy/incompetent/etc, and ultimately not put the necessary processes (testing, training) in place which are the true determinants of penetration rates. The idea is that you get inefficiency by selecting for training broadly, but you prevent extreme sabotage by ignorant management.
dmos62 32 minutes ago [-]
I am surprised how controversial this is. I feel like I'm in that episode of Always Sunny in Philadelphia where they decide to do an intervention by cornering and berating, while a mental health professional looks on terrified.
vasco 3 hours ago [-]
Shame works for me. If I was ever the one that got sniped and my colleagues saw it I'd forever be paranoid about it. Like when my dad sat me down and told me that I couldn't keep losing hats all the time when I was a kid and that I wasn't a baby anymore and it was expensive, and that shame made me look behind me when I leave somewhere until today and stop losing stuff.
Specially for security, yes, shame the person in a small setting, shame them in a positive way, as in let's all learn from this, but shame is very powerful. Much more powerful than saying "someone in this team failed this" and everyone thinks it was the other guy.
hypfer 3 hours ago [-]
I think people saw that old culture and thought "man, that's horrible. We must never do that".
And the assessment was right, but also wrong.
Previously, shame (and other pressure) was just applied without first empathically inspecting why the node was acting in the way it did, thinking that just enough force will surely solve the problem.
It kinda did, but with lots of collateral.
Essentially, the security consultants (and everyone else involved) were just being lazy and not doing their job correctly.
But now we have this overcorrection, because people are still lazy and do not want to do their job correctly, which leads to the systems failing in a different way.
___
The solution would be to understand the individual node and apply the correct corrective measure. This can be shame, but it might also not be. And the level of it is also highly dependent on the situation.
This is a hard problem to solve, but it needs to be solved for good results.
The problem here being that scaling that up is hard, but everything needed to hyperscale. With either the individual nodes or the system integrity picking up the slack.
stymaar 2 hours ago [-]
> I think people saw that old culture and thought "man, that's horrible. We must never do that". And the assessment was right, but also wrong. Previously, shame (and other pressure) was just applied without first empathically inspecting why the node was acting in the way it did, thinking that just enough force will surely solve the problem. It kinda did, but with lots of collateral. […] But now we have this overcorrection, because people are still lazy and do not want to do their job correctly, which leads to the systems failing in a different way.
Very well said, and I think your exact description applies to management in general: management is hard, and requires hard work to be done correctly, tailoring your response to every person, because two people being bad at their job aren't always bad for the same reason.
But most managers are not suited to the job, because it's mostly a status symbol and not something you give to the most qualified person, and most are too lazy to even try learning about it, so they don't make the effort of adapting to every individual, and in the end they end up either tyrannical or complacent.
hypfer 2 hours ago [-]
I mean to be fair, with the business models, incentives, compensation, etc. being how they have been, why would you care?
Why would you do the hard work when you can also just not do that?
I mean I agree with "people are not suited for the job", however, I also feel like often, "the job is not suited for people".
It's rot all the way down, essentially.
NonHyloMorph 2 hours ago [-]
"shame them in a positive way"
Oh my. That's some HR type viciousness right here.
(⌒▽⌒)
wjnc 14 minutes ago [-]
(Won’t fully repeat my other post.) Shame is such a big word. ‘Give people the chance to _teach_’ would be my reply. Which you probably would see as even more vicious, but it’s 100% sincere.
As a junior I made the front page of national news. I answered a question with a very big number on a Friday afternoon. Hit headlines on Saturday. Our prime minister had to defend my mistake in public. (He never admitted any mistake. With just enough spin nothing sticks.)
The head of the organization literally cursed and spat at me. In that same meeting from the no. 2 down they stood up for me. It’s still a great story about how to treat mistakes 20+ yrs on. Admit mistakes. What did __we__ (not: he) do wrong? (Hint: from medior to board everyone had an afternoon off and we had never discussed stakeholder management. I was in no position to say no to a ministerial request.)
vasco 25 minutes ago [-]
Maybe you just were never carefully told about something you did wrong in a way that everyone feels like they learned from it. The top reply to my comment put it better than I could, I think there was an overcorrection. I believe in fixing the process first, but there are situations where shame is the right solution. The current en-vogue thing of pretending all is good but penciling in that person for the next layoffs is I think worse than a bit of shame if that fixes the problem and avoids more drastic actions later on. Silicon Valley is very PC but then lays off without remorse so it's funny to see this combo of "we care about never hurting your feelings all the way to the point where we fire you without a care in the world".
throw1234567891 1 hours ago [-]
Does for me, too. But not for 30 people around me. They just shut down and isolate. It’s a matter of how self-reflective one is. And who knows who’s going to exploit this to get their way.
kakacik 3 hours ago [-]
> Shame works for me
> I'd forever be paranoid about it
Some folks like to work that way, but I don't think most do. This obsession for outward correct behavior, even if it works at the end (at least externally), doesn't sound like a recipe for happy inner life but maybe I am reading too much into that.
garbagewoman 3 hours ago [-]
Assigning individual blame is missing the point of improving the security culture in general
quantummagic 2 hours ago [-]
Do you hold that same opinion for the training and testing of pilots and surgeons? Do you want to step on a plane with a pilot who is only there because we are too nice to assign individual blame for his inability to do the job properly? Do you want to be going into open heart surgery in a system that dismisses the idea of individual blame when analyzing the outcomes associated with each surgeon? Having no idea if the man cutting into you, has previously had great outcomes or poor outcomes?
hypfer 3 hours ago [-]
Yes and no.
Yes in general, because usually it's culture and not an individual failing.
No in specific situations, because it's not just culture but also some people are just the weakest link.
Only focusing on either of these while ignoring the other is going to lead to bad results.
deepsun 6 hours ago [-]
Not necessarily WILL. I've seen awesome attackers who were mostly checkbox spreadsheet clerks. Friendly, methodical, boring, expert.
bawolff 6 hours ago [-]
Isn't he famous for social engineering/physical security type things? If you hire an expert in X, you are probably going to get X.
mcfunley 6 hours ago [-]
Yeah I agree, caveat emptor and all that. The blameful framing is bad work product though.
rixed 5 hours ago [-]
Isn't he famous for getting caught?
teo_zero 5 hours ago [-]
Getting caught didn't make him a superstar. Telling his techniques in books and public speeches did.
vasco 3 hours ago [-]
That's not true, he was already famous during his trial which made him well known before any books or public speeches.
leetrout 9 hours ago [-]
Dude I was called out by name in the report either right before you got there or the first one you were there. I was called out in the one where they got B's Audi keys in his office.
Whole thing was so dumb. A floor full of smart monitors that they could have put a keylogger on. A plethora of physical network access and I get called out for leaving my laptop on the lock screen and going downstairs for food.
And they got found out because I ran Little Snitch I paid for myself and it caught their hijacked Chrome making all sorts of weird network calls. But I don't remember being given credit for that.
(Sips mojito)
sersi 3 hours ago [-]
How would they have been able to install a hijacked Chrome if your computer was on the lock screen?
simg 2 hours ago [-]
Perhaps, back in the day, when Windows machines would automatically run autorun.inf if present on a CD or USB drive regardless of whether the machine was locked or not.
speedgoose 5 minutes ago [-]
Little Snitch is Mac software though.
firebot 8 hours ago [-]
He mostly used social engineering. Not technical exploits. So that's how he succeeded. Call it crazy, but it worked.
fma 6 hours ago [-]
Why hack a password when you can get the employee to just tell you.
deepsun 5 hours ago [-]
Because the employee now knows who might have done it.
imgabe 3 hours ago [-]
The employee doesn’t know who you are. They met “Bob the support rep from Vendor xyz” who just needed access to fix an issue.
ErroneousBosh 2 hours ago [-]
And now all that shitty KnowBe4 nonsense we have to sit through every couple of months is all "What do you do if your manager phones you up and says they're on a business trip and need you to use the company credit card to buy Amazon gift cards", over and over and over.
Bold of them to assume I'll answer the phone if I see my manager's number come up.
walrus01 50 minutes ago [-]
> "What do you do if your manager phones you up and says they're on a business trip and need you to use the company credit card to buy Amazon gift cards"
If I've learned anything from the scambait people such as kitboga on YouTube, if you're bored you play along with it, pretend to have acquired the gift cards, and then tell the "boss" you've scratched off and emailed their company address the codes, as the scammer on the phone wails "do not redeem! SIR DO NOT REDEEM!"
shuwix 1 hours ago [-]
Dumb people are dumb. And will be. Their ability to learn from experience is almost non-existent.
They are the biggest security threat.
Corporate structure didn't identify their mental limits and gave them way more access.
So Mitnick, as an outside observer, identified them and did a good job.
I might say "sorry for your loss of job" .... but seriously not.
You shouldn't have got that job in the first place.
At least you can brag about getting unemployed thanks to Mitnick.
the_af 9 hours ago [-]
Kevin's security company is also a mess, and the training videos they produce are embarrassing at best.
I understand he probably just lent his name to the company (though he did show up in some of the videos), but still...
anthk 9 hours ago [-]
This is what happens when the 90's PC community renamed crackers as hackers. Proper hackers would have been the ITS/WAIS ones doing crazy things with computers for its era.
ActorNightly 5 hours ago [-]
I mean, the landscape changed quite a bit since early days of what Mitnick did as a blackhat. He did his best to adapt and make money, which given his prison term, isn't really that surprising.
lern_too_spel 10 hours ago [-]
He social engineered your company into contracting him, and that adds to the legend, but people don't see how many other companies he failed to social engineer.
esikich 7 hours ago [-]
"He didn't breach us the way we wanted him to do it so it was dumb." Idk man, sounds like you locked your doors but left the windows open. That's the point of these things.
mcfunley 7 hours ago [-]
The point is really after working through remediations, there were pretty massive issues remaining that weren’t hard to find and were relatively vastly easier to exploit if the attacker is a Russian teen and not Bruce Lee. And the budget for such things was blown. Priorities, etc
murderfs 7 hours ago [-]
"a client that turned out to have been rife with SQL injection" sounds more like they left the doors open, but the report focused on the lack of security bars on the windows.
topham 10 hours ago [-]
The hero worship of him makes me physically ill, always has.
He did cost people their jobs though, so I guess he's a good person.
deepsun 5 hours ago [-]
It's like we don't have any messiahs today that are mediocre professionals at best.
kingforaday 10 hours ago [-]
> "He was a hacker-turned-security consultant who, later in life, helped shape the modern white-hat."
They left out convicted criminal.
firefax 9 hours ago [-]
I have so many stories about his absolutely terrible behavior at conferences. He once refused to pay the entry fee to a charity event and had to be physically ejected.
Absolutely better at PR than any actual work, pay careful attention and none of his early stuff was particularly novel, from a technical perspective.
But for whatever reason, we venerate him just because he was victimized by the state. The world is not a dichotomy -- sometimes bad things happen to bad people.
colechristensen 9 hours ago [-]
He got all of the "Free Kevin" attention because of how long he was left in jail before trial and then being stuck in solitary confinement after sentencing for months.
If he had been treated fairly by the justice system he wouldn't have gotten nearly as much attention.
He was also autistic, a lot of the behavior can be explained through that lens.
firefax 9 hours ago [-]
>He got all of the "Free Kevin" attention because of how long he was left in jail before trial and then being stuck in solitary confinement after sentencing for months.
That was uncalled for on the part of DOJ.
>He was also autistic, a lot of the behavior can be explained through that lens.
I'm autistic. Maybe I should go commit a bunch of felonies to increase my chances of a good job and stature in the hacker community, since things like publishing code, publishing peer reviewed papers, and mentoring newbies have not been productive ways of finding gainful employment nor respect of my peers.
I have friends who did things like take a gap year to travel the world or met their spouses on nights I stayed in to study, and some evenings when browsing HN I feel very sad that I wasted my 20s on a society that does not care about me.
Anyways, sorry to wall of text, but what you said really struck a nerve with me -- there are hierarchies in any community, and one thing I've noticed with the hacker scene is one group of people can mess up over and over using the same sets of facts or diagnoses, but others can expect to have worse outcomes with better behavior for reasons that elude me to this day.
coryrc 8 hours ago [-]
> I have friends who did things like take a gap year to travel the world or met their spouses on nights I stayed in to study, and some evenings when browsing HN I feel very sad that I wasted my 20s on a society that does not care about me.
I'm glad you have finally recognized the problem.
Stop living for your idea of others and start living for yourself.
colechristensen 8 hours ago [-]
Kevin was famous for being mistreated by the DoJ and writing some books which were perhaps not particularly true in hindsight. After he got out of jail and rejoined the community he lost a lot of respect for being himself, though it's not impossible that years of imprisonment and a long time in solitary had some permanent negative effects. In other words... you shouldn't envy Kevin's life.
For the rest: nothing's stopping you from having fun, regardless of age.
user_of_the_wek 3 hours ago [-]
Vienna waits for you
rcbdev 2 hours ago [-]
Is Vienna the place to be for security researchers in their 30s starting to doubt their life choices?
stavros 1 hours ago [-]
The OWASP conference is being held there next week, so in a way, yes?
lukan 58 minutes ago [-]
But is it a good place to meet future spouses?
Because missing that seems to be the main problem of the poster above.
stavros 56 minutes ago [-]
Anywhere where you meet people is a good place to meet future spouses.
lukan 40 minutes ago [-]
Maybe, but if I am looking for a female spouse, a men's conclave is probably not the best place to find one. (I would assume the audience there is largely male?)
But well, he also is looking for respect and recognition among his peers and Vienna is a nice city.
lnxg33k1 7 hours ago [-]
It's good that somewhere the quality of work is rewarded more than the quantity
ActorNightly 5 hours ago [-]
You act like that's a bad thing given the nature of his crimes.
If more people strived to be like Mitnick today, the tech world would have a lot more power.
georgehotz 6 hours ago [-]
For what it's worth, I'm George Hotz, and Kevin Mitnick's books were a big influence on me. I ran into him at a party at DEFCON one year and we talked for 20 minutes before I found out who he was. Gave me a lock pick business card. Cool guy.
RyJones 1 hours ago [-]
I enjoyed supporting you in the AllJoyn/AllSeen Alliance era. Sadly, those lessons were never learned.
ww520 9 hours ago [-]
I read the book by Tsutomu Shimomura, who caught Mitnick's hacking and tracked him down. It's a fascinating read. He was able to locate Mitnick in physical world based on his online activities and his cellular phone usage. In those early days, few people understood the cyber landscape and cellular technologies to exploit them.
alex1138 8 hours ago [-]
Yes but AFAIUI Mitnick was upset Shimomura had the full weight of the police on his side, right? He used techniques that shouldn't have been available to him
Interesting fact about Shimomura, he was a student of Feynman's
ww520 7 hours ago [-]
I think he didn't know cellular well enough and thought a wireless phone was unlocatable because it was mobile and not tied down to a landline. As a physicist, Shimomura would have known all about radio and signal. He just used old WW2 tech of radio triangulation to find the location of the cell phone radio transmitter. It didn't help that cell phones were rare back then and the signal of his cell transmitter frequency was standing out like a sore thumb.
Regarding the full weight of the police, Shimomura did have an easier time to convince the ISP and phone companies to give him access to the logs. He was able to ask the cellular company to locate the cell tower where Mitnick's cell phone connected and traced him to the general area. If Mitnick had been careful, he could have hacked into the ISP/phone companies and erased all his access logs.
kQq9oHeAz6wLLS 5 hours ago [-]
> He used techniques that shouldn't have been available to him
Why not? Sometimes it's not what you know, it's who you know.
Sleaker 8 hours ago [-]
... All's fair in love and war?
aculver 6 hours ago [-]
Since we're talking about Kevin Mitnick on Hacker News, I have to mention:
I recently re-read "Cyberpunk: Outlaws and Hackers on the Computer Frontier". It was published in 1991 and the first third of the book provides an early contemporary account of Kevin Mitnick. It's a great book that I first read in my high school library in the 90s and it completely captured my imagination.
However, I had never connected the dots that the subject of the last third of the book was Robert Tappan Morris, creator of the Morris worm, who went on to cofound Y Combinator! Paul Graham is also quoted in the book.
The book has aged pretty great. They added an updated epilogue in 1995 in the early part of the Free Kevin era, but honestly re-listening to the book in 2025, I was wondering where the updated Y Combinator epilogue was!
olalonde 7 hours ago [-]
I did not realize Mitnick had passed away, very sad. I first learned about him as a kid through the book Takedown, and his exploits definitely fueled my early fascination with computers and hacking. It's heartwarming to see how he later befriended Shawn Nunley, though it's unfortunate that he and Shimomura apparently never buried the hatchet. He undoubtedly influenced an entire generation of hackers, RIP.
Tade0 48 minutes ago [-]
As kids in the 90s in eastern Europe hardly anyone of us knew the name Kevin Mitnick, but if you were interested in computers at all, you'd certainly recall Condor.
I think this was the first time I heard someone being forbidden by court from accessing the internet. At the time we had like two, maybe three kids in class who even used dial up regularly.
kkaske 14 hours ago [-]
I'm old enough to remember all the "Free Kevin" gifs scattered around the internet.
This helps to fill in some of the details. It's a really nice story showing the humanity that can be found in situations when you look close.
kstrauser 10 hours ago [-]
At DEF CON and related events now, you commonly see stickers saying "PUT KEVIN BACK".
sudo_cowsay 10 hours ago [-]
Well, he has passed so I don't know if that sticker is relevant anymore.
kstrauser 10 hours ago [-]
It's probably not, but still usefully signals particular mindsets to others who might share them.
sudo_cowsay 9 hours ago [-]
ok
devmor 7 hours ago [-]
From what I can tell, defcon is largely law enforcement and companies that sell to them these days, so I'm not surprised at all to hear that.
kstrauser 7 hours ago [-]
I keep hearing that cynical, and wrong, dismissal but have zero idea where it comes from. Yes, there are cops. Some .govs even have booths in the info areas. The stated idea is that it's a good thing when cops and hackers can hang out and discuss ideas and opinions outside of interrogation rooms, and I agree with that.
That's miles away from "largely law enforcement" though. I talked to an FBI agent at PyCon but people aren't claiming it's a LEO convention.
mindcrime 9 hours ago [-]
Call me nostalgic or whatever, but my laptop to this very day...
>I'm old enough to remember all the "Free Kevin" gifs scattered around the internet.
A generation of hackers (specifically, the vBulletin generation) stayed as far away from the CFAA as possible after that fiasco, which I suspect is exactly the chilling effect that the DOJ intended.
appden 6 hours ago [-]
Ghost in the Wires is one of my all-time favorite reads, and I still hope to see it as a dramatized film. It would be a fun “period piece” taking the audience through the 80’s and early 90’s, with some hilarious social engineering scenes (kinda like Catch Me If You Can) and tense moments where the audience roots for Kevin. I really think a film adaptation would help introduce his story to a new generation and be a nice tribute to his legacy.
foobarbecue 6 hours ago [-]
Except actually real whereas Frank Abagnale fabricated all of his supposed cons (read The Greatest Hoax).
alex1138 4 hours ago [-]
Kevin Mitnick, substitute teacher
Kevin Mitnick, airline pilot. What's a deadhead?
nunley 8 hours ago [-]
I'm going to defend Kevin here because I see a lot of comments from people I am sure have no valid reason to be hating on him.
Kevin was particularly annoying because he never failed to penetrate a target. The reason that's annoying is it just takes one slip, one weak point, one inattentive admin and it's over. People will stay mad about that. I get it.
But those who say he had no talent are just ignorant.
His goal was to make the world safer, and making people pay attention to risk didn't make him a lot of friends. All the hate I am reading here is just sad.
If you hate Kevin and did not know Kevin, I feel bad for you. Hate is an expensive emotion, even when you're just being a keyboard warrior. It should be reserved for people who have really wronged you. Kevin is not with us anymore. The hate is hurting you, not him. And he has a son who will read this someday. Have a heart.
NitpickLawyer 4 hours ago [-]
> I am sure have no valid reason to be hating on him.
TBF that's likely a symptom of social media and people commenting on things they don't know about with a bit too much confidence. You can see similar takes on Snowden today.
Back in the day (90s, 00s) he was both widely supported and a bit of a myth in the early Internet communities.
jjulius 8 hours ago [-]
In case folk don't connect the dots, this appears to be Shawn Nunley from the article.
1970-01-01 7 hours ago [-]
This story is itself evidence that Kevin had good parts to him. This 911 GTS is not some shit joke prize.
billehunt 6 hours ago [-]
Shawn and I worked together at Novell back when this was going down. It was fascinating at the time and more so in hindsight. FWIW, Shawn's a really good guy.
tmach32 5 hours ago [-]
Yeah, I am shocked a little, because he wasn't a monster or something. Critique is valid, but speaking with obvious resentment and disrespect about someone who died is pretty gross. Again, unless they're, like, a _monster_.
gosub100 2 hours ago [-]
If you're a high profile public figure, you are subject to scrutiny. Even after you pass away.
tmach32 51 minutes ago [-]
I'm not talking about scrutiny. I'm talking about crass.
reinitctxoffset 8 hours ago [-]
I would petition all other community members to appreciate the gravity of the parent's comment.
Speaking for myself as someone very early in my journey during the time when Mitnick was still active as a grey hat: he advanced our thinking about security and the nature of trust itself in ways that have never been more timely.
Paradoxically he profited personally far more as a white hat than he ever did in the grey area, his motivations were clearly not extractive. The authorities compelled him to go do lucrative things! (after persecuting him mercilessly).
RIP Kevin. We are ill equipped for the vulns of the AI, but without you we'd be helpless.
kQq9oHeAz6wLLS 5 hours ago [-]
I'm old enough to remember Kevin as both hero and villain. People are complex, Kevin seemed to be no exception. His exploits - and the ones of those who caught him - were fascinating to follow in realtime.
But be honest...
How sweet is that 911?
Barrin92 7 hours ago [-]
>But those who say he had no talent are just ignorant.
I don't think anyone says he had no talent, what rubs people the wrong way is that the thing he had talent for is the same thing that the people have who try to scam call your grandmother out of her pension money. You can be the world's greatest burglar, you're still a burglar. The whole cringy "social engineering" thing turned media persona and consulting business is to engineering what chiropractics is to medicine.
He leaned pretty heavily into monetizing his own image and for a lot of people what he did became synonymous with the word 'hacking' in a not particularly positive way and criticising that isn't hate.
nunley 6 hours ago [-]
That's just nonsense. First of all, social engineering was a small part of his work, and it's OK that you don't know that. But your totally blatant ignorance of what his career covered is exactly what I'm talking about.
Look, I know that people form their opinions in a bubble. All I am saying here is you should expand your bubble. You know nothing about Kev. Again, that's OK, but it also means you should try to understand what you're hating.
You'd try to make money on your image if you could, I'm betting. Especially if you had been put in prison and left there with no bail hearing, and put in solitary confinement for 'hoarding tuna' in your cell. For 9 months. While your father died. This was not a normal treatment of any person in custody.
Kev was a good person. Full stop. Just as curious as all of us in that era.
Barrin92 5 hours ago [-]
His (or other people's) treatment in the US prison system is another matter and often cruel, but no he didn't conduct himself like a good person in regards to his 'hacking'. He committed wire fraud, he impersonated people, he exfiltrated sensitive credit card information from thousands of people.
That's not just curious, that's not something we all did when we were young, those were legitimate crimes and they still are for good reason. He had a big part in popularizing the image that a hacker, rather than someone who writes software for the public good, is someone who tricks other people and steals personal data.
And no I wouldn't be proud if I ran phishing scams and stole IP from random companies, I wouldn't monetize that, I'd say I'm sorry which from reading his books at least I don't think he ever was.
TurdF3rguson 10 hours ago [-]
I heard he can launch nukes by whistling into a pay phone.
jagged-chisel 9 hours ago [-]
Maybe I'm mistaken, but that sounds more like Chuck Norris.
Wait ... no fists involved. My mistake.
fallous 6 hours ago [-]
Nukes launch Chuck Norris at their enemies.
uberex 7 hours ago [-]
With Chuck Norris, the nukes whistle at him, just to keep on his good side.
alex1138 8 hours ago [-]
It's in his (Mitnick's) autobiography Ghost in the Wires. In his telling of the story they put him in a more restrictive environment exactly because of the reason given (launching nukes by whistling into a phone)
DonHopkins 6 hours ago [-]
At least Kevin wasn't a sanctimonious hateful bible thumping religious fanatic homophobic bigot like Chuck Norris.
kQq9oHeAz6wLLS 5 hours ago [-]
Wow. Get help.
Gibbon1 5 hours ago [-]
When I think back to when I was 10 and every boy I knew idolized Norris and I instinctively hated his guts I feel better about myself.
DonHopkins 2 hours ago [-]
You're the one who needs help if you're a hateful bible thumping religious fanatic homophobic bigot like Chuck Norris, or think there's anything admirable about that.
Or are you denying objective reality and falsely believe I'm wrong about him, despite what he provably used his platform to say in his own words again and again?
Are you so offended at me criticizing him with verifiable facts to balance hero worshiping and idolizing him with outrageous lies, because you also support Proposition 8, think the Boy Scouts should kick out gay kids and adults, advocate racist birtherism that Obama wasn't born in the US, endorse pedophiles like Roy Moore and Donald Trump, fear the "gay agenda" and "gay anarchy" is undermining society, and you're terrified of other people having "unnatural sexual behavior" and loving same sex marriages?
Then you need to get therapy to come to grips with your own homophobia, instead of defending Chuck Norris's. The bigotry that makes you hate other people is quite often and obviously (to everyone but you) a pathological symptom of your own self loathing internalized hatred. But your bigotry is treatable: Once you come to terms with your own problems, it gets better, buddy. Really it does.
trick-or-treat 42 minutes ago [-]
Maybe just don't drag homophobia into unrelated threads?
Hah, he social engineered the God of social engineering...
boombapoom 6 hours ago [-]
good god how did he get a car into prison?
sborra 1 hours ago [-]
*whom
nba456_ 9 hours ago [-]
Too bad he wasn't colorblind.
Simulacra 6 hours ago [-]
I also have Kevin Mitnick's business card and it is one of my most prized possessions. A great inspiration and influence on my life.
lovich 9 hours ago [-]
I don’t need to know an iota of his activities as a hacker to hate him. I hate him because of how many times I had to be put through mind numbing security training with his mug as the opener. “I’m Kevin Mitnick” and KnowBe4 are seared into my brain at a ptsd level for terminal boredom.
kmoser 5 hours ago [-]
> He put himself on the proverbial map in 1979 by dialing into a software company’s server and copying its forthcoming operating system release in its entirety. Imagine convincing a Microsoft server to cough over an early copy of Windows 12 using little more than a phone number.
Windows 12 was in development back in 1979? I think that timeline is a bit off.
NitpickLawyer 4 hours ago [-]
The first phrase is what he did. The second phrase asks you to imagine how silly that sounds in today's world. (i.e. imagine that all it took back then was a phone number)
Kevin was from a different time. Back then security wasn't even an afterthought. He was exploring the shiny new thing of digital worlds, with an attacker mindset, and that was new at the time (and quite unique to a small set of humans back then).
Sometimes I get a feeling many HN-ers work in ultra toxic environments. HR is not your friend, your manager is there to screw you over and the firm will fire you for pennies. That’s just not my experience in working.
Specially for security, yes, shame the person in a small setting, shame them in a positive way, as in let's all learn from this, but shame is very powerful. Much more powerful than saying "someone in this team failed this" and everyone thinks it was the other guy.
Previously, shame (and other pressure) was just applied without first empathically inspecting why the node was acting in the way it did, thinking that just enough force will surely solve the problem. It kinda did, but with lots of collateral.
Essentially, the security consultants (and everyone else involved) were just being lazy and not doing their job correctly.
But now we have this overcorrection, because people are still lazy and do not want to do their job correctly, which leads to the systems failing in a different way.
___
The solution would be to understand the individual node and apply the correct corrective measure. This can be shame, but it might also not be. And the level of it is also highly dependent on the situation.
This is a hard problem to solve, but it needs to be solved for good results.
The problem here being that scaling that up is hard, but everything needed to hyperscale. With either the individual nodes or the system integrity picking up the slack.
Very well said, and I think your exact description applies to management in general: management is hard, and requires hard work to be done correctly, tailoring your response to every person, because two people being bad at their job aren't always bad for the same reason.
But most managers are not suited to the job, because it's mostly a status symbol and not something you give to the most qualified person, and most are too lazy to even try learning about it, so they don't make the effort of adapting to every individual, and in the end they end up either tyrannical or complacent.
Why would you do the hard work when you can also just not do that?
I mean I agree with "people are not suited for the job", however, I also feel like often, "the job is not suited for people".
It's rot all the way down, essentially.
As a junior I made the front page of national news. I answered a question with a very big number on a Friday afternoon. Hit headlines on Saturday. Our prime minister had to defend my mistake in public. (He never admitted any mistake. With just enough spin nothing sticks.)
The head of the organization literally cursed and spat at me. In that same meeting from the no. 2 down they stood up for me. It’s still a great story about how to treat mistakes 20+ yrs on. Admit mistakes. What did __we__ (not: he) do wrong? (Hint: from medior to board everyone had an afternoon off and we had never discussed stakeholder management. I was in no position to say no to a ministerial request.)
> I'd forever be paranoid about it
Some folks like to work that way, but I don't think most do. This obsession for outward correct behavior, even if it works at the end (at least externally), doesn't sound like a recipe for happy inner life but maybe I am reading too much into that.
Yes in general, because usually it's culture and not an individual failing. No in specific situations, because it's not just culture but also some people are just the weakest link.
Only focusing on either of these while ignoring the other is going to lead to bad results.
Whole thing was so dumb. A floor full of smart monitors that they could have put a keylogger on. A plethora of physical network access and I get called out for leaving my laptop on the lock screen and going downstairs for food.
And they got found out because I ran little snitch I paid for myself and it caught their hijacked chrome making all sorts of weird network calls. But I don't remember being given credit for that.
(Sips mojito)
Bold of them to assume I'll answer the phone if I see my manager's number come up.
If I've learned anything from the scambait people such as kitboga on youtube, if you're bored you play along with it, pretend to have acquired the gift cards, and then tell the "boss" you've scratched off and emailed their company address the codes, as the scammer on the phone wails "do not redeem! SIR DO NOT REDEEM!"
I might say "sorry for your loss of job" .... but seriously not. You shouldn't have got that job in the first place.
At least you can brag about getting unemployed thanx to Mitnick.
I understand he probably just lent his name to the company (though he did show up in some of the videos), but still...
He did cost people their jobs though, so I guess he's a good person.
They left out convicted criminal.
Absolutely better at PR than any actual work, pay careful attention and none of his early stuff was particularly novel, from a technical perspective.
But for whatever reason, we venerate him just because he was victimized by the state. The world is not a dichotomy -- sometimes bad things happen to bad people.
If he had been treated fairly by the justice system he wouldn't have gotten nearly as much attention.
He was also autistic, a lot of the behavior can be explained through that lens.
That was uncalled for on the part of DOJ.
>He was also autistic, a lot of the behavior can be explained through that lens.
I'm autistic. Maybe I should go commit a bunch of felonies to increase my chances of a good job and stature in the hacker community, since things like publishing code, publishing peer reviewed papers, and mentoring newbies have not been productive ways of finding gainful employment nor respect of my peers.
I have friends who did things like take a gap year to travel the world or met their spouses on nights I stayed in to study, and some evenings when browsing HN I feel very sad that I wasted my 20s on a society that does not care about me.
Anyways, sorry to wall of text, but what you said really struck a nerve with me -- there are hierarchies in any community, and one thing I've noticed with the hacker scene is one group of people can mess up over and over using the same sets of facts or diagnoses, but others can expect to have worse outcomes with better behavior for reasons that elude me to this day.
I'm glad you have finally recognized the problem.
Stop living for your idea of others and start living for yourself.
For the rest: nothing's stopping you from having fun, regardless of age.
Because missing that that seems to be the main problem of the poster above.
But well, he also is looking for respect and recognition among his peers and Vienna is a nice city.
If more people strived to be like Mitnick today, the tech world would have a lot more power.
Interesting fact about Shimomura, he was a student of Feynman's
Regarding the full weight of the police, Shimomura did have an easier time to convince the ISP and phone companies to give him access to the logs. He was able to ask the cellular company to locate the cell tower where Mitnick's cell phone connected and traced him to the general area. If Mitnick had been careful, he could have hacked into the ISP/phone companies and erased all his access logs.
Why not? Sometimes it's not what you know, it's who you know.
I recently re-read "Cyberpunk: Outlaws and Hackers on the Computer Frontier". It was published in 1991 and the first third of the book provides an early contemporary account of Kevin Mitnick. It's a great book that I first read in my high school library in the 90s and it completely captured my imagination.
However, I had never connected the dots that the subject of the last third of the book was Robert Tappan Morris, creator of the Morris worm, who went on to cofound Y Combinator! Paul Graham is also quoted in the book.
The book has aged pretty great. They added an updated epilogue in 1995 in the early part of the Free Kevin era, but honestly re-listening to the book in 2025, I was wondering where the updated Y Combinator epilogue was!
I think this was the first time I heard someone being forbidden by court from accessing the internet. At the time we had like two, maybe three kids in class who even used dial up regularly.
This helps to fill in some of the details. It's a really nice story showing the humanity that can be found in situations when you look close.
That's miles away from "largely law enforcement" though. I talked to an FBI agent at PyCon but people aren't claiming it's a LEO convention.
https://fogbeam.com/free-kevin.jpg
A generation of hackers (specifically, the vBulletin generation) stayed as far away from the CFAA as possible after that fiasco, which I suspect is exactly the chilling effect that the DOJ intended.
Kevin Mitnick, airline pilot. What's a deadhead?
Kevin was particularly annoying because he never failed to penetrate a target. The reason that's annoying is it just takes one slip, one weak point, one inattentive admin and it's over. People will stay mad about that. I get it.
But those who say he had no talent are just ignorant.
His goal was to make the world safer, and making people pay attention to risk didn't make him a lot of friends. All the hate I am reading here is just sad.
If you hate Kevin and did not know Kevin, I feel bad for you. Hate is an expensive emotion, even when you're just being a keyboard warrior. It should be reserved for people who have really wronged you. Kevin is not with us anymore. The hate is hurting you, not him. And he has a son who will read this someday. Have a heart.
TBF that's likely a symptom of social media and people commenting on things they don't know about with a bit too much confidence. You can see similar takes on Snowden today.
Back in the day (90s, 00s) he was both widely supported and a bit of a myth in the early Internet communities.
Speaking for myself as someone very early in my journey during the time when Mitnick was still active as a grey hat: he advanced our thinking about security and the nature of trust itself in ways that have never been more timely.
Paradoxically he profited personally far more as a white hat than he ever did in the grey area, his motivations were clearly not extractive. The authorities compelled him to go do lucrative things! (after persecuting him mercilessly).
RIP Kevin. We are ill equipped for the vulns of the AI, but without you we'd be helpless.
But be honest...
How sweet is that 911?
I don't think anyone says he had no talent, what rubs people the wrong way is that the thing he had talent for is the same thing that the people have who try to scam call your grandmother out of her pension money. You can be the world's greatest burglar, you're still a burglar. The whole cringy "social engineering" thing turned media persona and consulting business is to engineering what chiropractics is to medicine.
He leaned pretty heavily into monetizing his own image and for a lot of people what he did became synonymous with the word 'hacking' in a not particularly positive way and criticising that isn't hate.
Look, I know that people form their opinions in a bubble. All I am saying here is you should expand your bubble. You know nothing about Kev. Again, that's OK, but it also means you should try to understand what you're hating.
Or are you denying objective reality and falsely believe I'm wrong about him, despite what he provably used his platform to say in his own words again and again?
Chuck Norris Fears Gay Anarchy:
https://www.mambaonline.com/2008/11/19/chuck-norris-fears-ga...
Chuck Norris accuses Boy Scouts official of pushing Obama's "pro-gay" agenda:
https://www.upi.com/blog/2012/06/26/Chuck-Norris-accuses-Boy...