DT: Hacking has been a trending topic this year thanks to hacktivists like Anonymous. They are an extremely polarizing group – what’s your take on them?
KM: I think the number one thing that Anonymous is doing is raising security awareness, albeit through a negative way. But they are certainly illustrating that there are a lot of companies out there that are the low-hanging fruit, that their systems have shoddy security and they really need to improve it.
I don’t believe their political message is really going to make any change in the world. I think the only change they create is making themselves a higher priority for law enforcement. It’s sort of like why the FBI was so pissed off at me. When I was a fugitive, living in Denver and had figured out what the informant was doing, I found through my early warning system (monitoring their cell phone communications) that they were coming and going to search me. I cleaned out my apartment of any computer gear or anything the FBI would take, and I bought a big box of donuts and with a Sharpie wrote “FBI donuts” on it and stuck it in the refrigerator.
They executed the search warrant the next day and they were furious because not only did I know when they were coming but I had bought them donuts. It was a crazy thing to do… it lacks some maturity, but I thought it was hilarious. And because of this, I became a fugitive, and the FBI was arresting the wrong people they thought were me, and the New York Times was making them out to be like Keystone Kops. So when they finally got a hold of me, they hammered me. They came down really hard on me, and even in my case… you know, I did steal source code to find security holes and I hacked into handsets from Motorola and Nokia so that I couldn’t be tracked. And the government solicited these companies to say the losses they incurred at my expense were their entire R&D investments that they used for cell phones. So it’s kind of like a kid going into 7-11 and stealing a can of Coca-Cola and saying that the loss this kid caused to Coke was the entire formula.
And that’s one of the things I set straight in the book: I did cause losses. I don’t know if it was $10,000, $100,000, or $300,000. But I know that it was wrong and unethical for me to do and I’m sorry for it, but I certainly did not cause $300 million losses. In fact, all of the companies I hacked into were publicly traded companies, and according to the SEC, if any public company suffers a material loss it has to be reported to shareholders. None of the companies I hacked into reported a single penny of loss.
I became the example because the government wanted to send a message to other would-be hackers that if you do these types of things and you play games with us, this is what’s going to happen to you. As a reaction to my book, some people say “Oh he’s not sorry for what he did, he’d do it again.” I’m not sorry for the hacking, but I am sorry for any harm I caused. There’s a distinction between that.
DT: So how do you see hacking evolving right now? Technology is far more accessible than ever and more and more consumers are capable of pushing these limits.
KM: Hacking is going to continue to be a problem, and attackers are now going after mobile phones. Before it was your personal computer, and now it’s your mobile device, your Android, your iPhone. People keep sensitive information there, bank account details, personal photos. Hacking is going in the direction of phones certainly.
Malware is getting more sophisticated. People are hacking into certificate authorities, so you have a protocol called SSL for online shopping or banking transactions. And this whole protocol is based on trust and these certificate authorities, and hackers are compromising these certificate authorities and issuing themselves their own certificates. So they can pretend to be Bank of America, pretend to be PayPal. It’s all more sophisticated, more complex, and more important for companies to be aware of the problem and try to mitigate the chance that they’re going to be compromised.
DT: What advice if any would you give to hackers today?
KM: It was unavailable in my day, but now people can ethically learn about hacking. There are courses, lots of books, the cost of setting up your own computer laboratory is very inexpensive, and there are even Websites out there on the Internet that are set up to allow people to try to hack into to increase their knowledge and skills – one’s called Hacme Bank. People can ethically learn about it now without getting themselves into trouble or harming anyone else.
DT: Do you think that encourages people to misuse these skills?
KM: They’re going to probably do it whether or not they have the help. It’s a tool, hacking is a tool, so you can take a hammer and build a house or you can go hit somebody on the head with it. What’s important today is ethics. The ethics talk for Kevin Mitnick was: It’s okay to write password-stealing programs in high school. So it’s important to get people and kids interested in this because it’s an interesting field, but to also have the ethics training behind it so they use it in a good way.
DT: Can you talk a little about the Mac vs. Windows security debate?
KM: Macs are less secure but they are less targeted. Windows have the most market share so they are more targeted. Now Apple is obviously ramping up their security, and the reason you don’t hear about many Macs being attacked is malware writers don’t write malicious code for the Macs because they just weren’t popular enough. When you write malicious code you want to attack a lot of people and there have traditionally been a lot more people running Windows.
As Mac market share goes up, we’re naturally going to start seeing them targeted more.
DT: What OS is most secure?
KM: Google Chrome OS. You know why? Because you can’t do anything with it. You can access Google services but there’s nothing to attack. But it’s not a viable solution for people. I’d recommend using a Mac, not only because of security, but I have fewer problems running Mac OS than Windows.
DT: What new tech do you find most fascinating right now?
KM: I remember when I was nine years old and I was driving through L.A. with my dad looking at the rumble strip on the freeway thinking one day they’re going to make technology where you won’t even have to drive the car. There will be some sort of electronic solution where the cars will drive themselves and there will hardly be any accidents. And three, four decades later, Google is testing this type of technology. Driver-less cars. I think that’s George Jetson type stuff.