'Computer terrorist' teaches anti-hacking
Addicted to MacNN
Join Date: Oct 1999
Location: The Tollbooth Capital of the US
Mar 8, 2006, 05:59 PM
 
http://www.cnn.com/2006/TECH/interne...eut/index.html

JOHANNESBURG, South Africa (Reuters) -- He can find George Bush senior's social security number and Leonardo DiCaprio's mother's maiden name in under 15 seconds, and led the FBI on a three-year manhunt as he hacked his way into the world's biggest firms.

"Computer terrorist" Kevin Mitnick is one of the world's most famous computer hackers and became a cause celebre after breaking into networks and stealing software at companies including Sun Microsystems and Motorola.

Now Mitnick, from the United States, travels the world teaching companies how to guard against people just like him.

He argues that while sophisticated technology can help keep networks clean from viruses, it is useless if hackers can con a company's employees into handing over passwords by posing, for example, as colleagues.

"Hackers find the hole in the human firewall," Mitnick told an information technology security conference on Wednesday in Johannesburg, South Africa. "What's the biggest hole? It's the illusion of invulnerability."

"Social engineering" -- as hackers call tricking people -- formed the main thrust of his career, in which he penetrated some of the world's most sophisticated systems often by persuading unwitting staff to hand over top-secret information.

Mitnick, now in his early 40s, started hacking phone systems in his teens before moving on to computers, but says he never stole money or caused deliberate damage and hacked just for the thrill of it.

The hobby earned him a place on the FBI's most wanted list and an almost five-year stint in U.S. jail in the 1990s.

On his release he was initially banned from surfing the Web, and has since written two books about hacking and started an IT security consulting firm.

Now the companies he once stole secrets from pay him to hack into their systems and show them how to improve security.

Mitnick said hackers conduct meticulous research into companies and their staff, even swotting up on the hobbies of target employees to better win their trust.

And firms underestimate how easily hackers can get hold of personal information -- like driver's licence numbers, social security numbers and mothers' maiden names -- which are often used by banks or other companies to screen customers.

To prove it at the conference, he found former U.S. President George Bush's social security number, driver's licence number and the maiden name of Hollywood actor DiCaprio's mother within 15 seconds.

"The problem is that it is a good human quality to give people the benefit of the doubt, and unless you've been burned, or you're paranoid, then you will probably trust them," he said.

Companies must guard against smooth-talking hackers by making their staff aware of the risks, developing simple company policies on data protection, and getting the best technology, which will at least "raise the bar" for hackers.

"It's not about being paranoid, but it's about being very aware, and very alert," he said.


I love how the media is calling Mitnick a "terrorist" but they are so afraid to call a "Muslim extremist" what they really are: "Terrorists."
"Evil is Powerless If the Good are Unafraid." -Ronald Reagan

Apple and Intel, the dawning of a NEW era.
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Mar 8, 2006, 06:06 PM
 
OK. So what's your opinion?

-t
     
Clinically Insane
Join Date: Nov 1999
Mar 9, 2006, 05:48 AM
 
Although it's certainly possible for skills such as Mitnick's to be used for terrorism, there is no reason to believe that any of his crimes were terrorist acts.

Ahem. He does, however, have a point: no matter how good computer security gets, the user will always be the proverbial weak link in the chain. The best systems, therefore, will be the ones that can use their interfaces to teach the user about security as they go along.

A few times in the OSX forums, I've suggested that Apple reword their password dialogs. While the current wordings are true in a technical sense, they don't do a good job of explaining what's going on: they just say that you need an Administrator password to perform a given operation. What they really need to be doing is saying that "someone" is trying to do something sensitive, and the computer wants to make sure that the machine's owner (or someone else with that kind of authority) is OK with that. To do that, it needs to be certain that someone with that authority has given the go-ahead, and that's why it needs the password: something only that user would know.

If you look at things that way, then the whole authentication model suddenly turns on its head, and no longer seems as "restrictive" (a common complaint from the whiners). The computer isn't restricting the user at all; that would be pointless, since the user has the password and so he can do anything he wants anyway. Rather, the user is restricting what the computer can do, by giving or withholding the password.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Addicted to MacNN
Join Date: Oct 2002
Location: Boston, MA
Mar 9, 2006, 01:43 PM
 
As long as he helps to prevent computer hacking, then it's a good thing.

"Never give in, never give in, never, never, never, never - in nothing, great or small, large or petty - never give in except to convictions of honor and good sense." Winston Churchill
     
   