Skip to main content
  1. Home
  2. Computing
  3. News

Q&A: The notorious Kevin Mitnick on hacking, ethics, and the future of tech

Molly McHugh
By
Kevin-Mitnick
Image used with permission by copyright holder

Today, Kevin Mitnick is a security expert who infiltrates his clients’ companies to expose their weaknesses. He’s also the author of several books, including Ghost in the Wires. But he’s most known as the hacker who eluded the FBI for years, and was eventually imprisoned for his ways. We had a chance to talk to him about his time in solitary confinement, hacking McDonald’s, and what he thinks about Anonymous.

Digital Trends: When did you first become interested in hacking?

Recommended Videos

Kevin Mitnick: Actually what started me in hacking was this hobby I had call phone phreaking. When I was a junior in high school I was fascinated with magic, and I met this other student who was able to do magic with a telephone. He could do all these tricks: I could call in on a number he told me and he’d call on another, and we’d be joined together, and this is called a loop-around. It was a phone company test circuit. He showed me he had this secret number at the phone company, he could dial a number, and it’d give a weird tone, and then put in a five digit code and he could call anywhere for free.

He had secret numbers in the phone company where he could call and he didn’t have to identify himself, what would happen is if he had a phone number, he could find the name and address of that number even if it was unpublished. He could break through call forwarding. He could do magic with the phone, and I became really fascinated with the phone company. And I was a prankster. I loved pranks. My foot in the door into hacking was pulling pranks on friends.

One of my first pranks was I would change my friends’ home phone to a pay phone. So whenever he or his parents’ tried to make a call it would say “please deposit a quarter.”

So my entry into hacking was my fascination with the phone company and wanting to pull pranks.

DT: Where did you get the technical knowledge to start pulling these things off?

KM: I was interested in technology myself, and he wouldn’t actually tell me how he did things. Sometimes I would overhear what he was doing, and I knew he was using social engineering, but he was like the magician who did the tricks but wouldn’t tell me how they were done, so I would have to work it out myself.

Prior to meeting this guy, I was already an amateur radio operator. I passed my HAM radio test when I was 13, and I was already into electronics and radio so I had that technical background.

This was back in the 70s, and I couldn’t get a C.B. license because you had to be 18 years old, and I was 11 or 12. So I met this bus driver when I was riding the bus one day, and this driver introduced me to HAM radio. He showed me how he could make phone calls using his handheld radio, which I thought was super cool because it was before cell phones and I thought “Wow this is so cool, I have to learn about it.” I picked up some books, took some courses, and at 13 passed the exam.

Then I learned about phones. After that, another student in high school introduced me to the computer instructor to take a computer class. At first the instructor wouldn’t let me in because I didn’t meet the prerequisites, and then I showed him all the tricks I could do with the telephone, and he was thoroughly impressed and allowed me into the class.

DT: Do you have a favorite hack, or one that you were particularly proud of?

KM: The hack I’m most attached to was hacking McDonald’s. What I worked out — you remember I had my HAM radio license — I could take over the drive-up windows. I would sit across the street and take them over. You can imagine at 16, 17 years old, what fun you could have. So the person in McDonald’s could hear everything going on, but they couldn’t overpower me, I would overpower them.

Customers would drive up and I would take their order and say “Okay, you’re the 50th customer today, your order is free please drive forward.” Or cops would come up and sometimes I’d say “I’m sorry sir we don’t have any donuts for you today, and for police officers we only serve Dunkin Donuts.” Either that or I’d go, “Hide the cocaine! Hide the cocaine!”

It got to the point where the manager would come out into the parking lot, look at the lot, look in the cars, and of course no one’s around. So he’d go up to the drive-up speaker and actually look inside like there was a man hidden inside, and then I’d go “What the hell are you looking at!”

DT: Will you talk a little about the difference between social engineering your way into a network and actually hacking into one?

KM: The truth of the matter is most hacks are hybrid. You could get into a network through network exploitation – you know, finding a pure technical way. You could do it through manipulating people who have access to computers, to reveal information or to do an “action item” like open a PDF file. Or you can gain physical access to where their computers or servers are and do it this way. But it’s not really one or the other, it’s really based on the target and the situation, and that’s where the hacker decides which skill to use, which avenue they’re going to use to breach the system.

Now today, social engineering is a substantial threat because RSA [Security] and Google were hacked, and these were through a technique called spear phishing. With the RSA attacks, which were substantial because the attackers stole the token seeds which defense contractors used for authentication, the hackers booby-trapped an Excel document with a Flash object. They found a target within RSA that would have access to information they wanted, and sent this booby-trapped document to the victim, and when they opened the Excel document (which was probably sent from what looked like a legitimate source, a customer, business partner) it invisibly exploited a vulnerability within Adobe Flash and the hacker then had access to this employee’s workstation and RSA’s internal network.

Spear phishing uses two components: Social networking to get the person to open up the Excel doc, and the second part is the technical exploitation of a bug or security flaw in Adobe that gave the attacker full control of the computer. And that’s how it works in the real world. You don’t just call somebody up on the phone and ask for a password; attacks are usually hybrid and combine technical and social engineering.

In Ghost in the Wires, I describe how I used both techniques.

DT: Part of the reason you wrote Ghost in the Wires was to address some of the fabrications about yourself.

ghost-in-the-wiresKM: Oh yeah, there were three books written about me, there was a motion picture called Take Down which I ended up settling a lawsuit out of court over, and they agreed to script changes and it never was theatrically released in the United States. I had a New York Times reporter who wrote a story that I hacked into NORAD in 1983 and nearly started WWIII or something ridiculous like this — stated it as fact, which was a completely unsourced allegation.

There’s a lot of stuff out there in the public eye that was just simply not true, and a lot of stuff that people really didn’t know. And I thought it was important to get my book to really tell my story and basically set the record straight. I also thought my story was like Catch Me if You Can, I had a two-decade-long cat and mouse game with the FBI. And I wasn’t out to make money. In fact, when I was on the run I worked 9-to-5 jobs to support myself and was hacking at night. I had the skills that if I wanted to, I could have stolen credit card details and bank account information, but my moral compass wouldn’t let me do that. And my primary reason for hacking was really the challenge: Like climbing Mt. Everest. But the primary reason was my pursuit of knowledge. As a kid interested in magic and HAM radio, I loved taking things apart and finding out how they worked. In my day there were no avenues to learned hacking ethically, it was a different world.

Even when I was in high school, I felt encouraged to hack. One of my first assignments was to write a program to find the first 100 Gnocchi numbers. Instead I wrote a program that could capture peoples’ passwords. And I worked so hard on this because I thought it was cool and fun, so I didn’t have time to do the actual assignment and turned this one in instead – and I got an A and a lot of “Atta boys.” I started in a different world.

DT: And you were even landed in solitary confinement while you were in prison because of things people thought you were able to do.

KM: Oh yeah, yeah. Years ago back in the mid 80s I hacked into a company called Digital Equipment Corporation, and what I was interested in was my long-term goal of becoming the best hacker possible. I had no goal except to get into the system. What I did was that I made a regrettable decision, and decided to go after the source code, which is like the secret recipe to Orange Julius for the VMS operating system, a very popular operating system back in the day.

So I basically took a copy of the source code and a friend of mine informed on me. When I ended up in court after the FBI arrested me, a federal prosecutor had told a judge that not only do we have to detain Mr. Mitnick as a national security threat, we have to make sure he can’t get near a telephone, because he could simply pick up a payphone, connect to a modem at NORAD, whistle the launch code and possibly start a nuclear war. And as the prosecutor said this, I started laughing because I’d never heard of something so ridiculous in my life. But the judge, unbelievably, bought it hook line and sinker, and I ended up being held in a federal detention center in solitary confinement for nearly a year. You don’t get to associate with anybody, you’re locked into a small room probably the size of your bathroom and you’re just sitting in there in a concrete coffin. It was kind of like psychological torture, and I think the maximum time a person is supposed to be in solitary confinement is something like 19 days, and they held me there for a year. And it was based on a ridiculous notion that I could whistle the launch codes.

DT: And how long after that were you not allowed to use basic electronics, or at least those that could enable communication?

KM: Well what happened is I ended up getting into trouble a couple times after I was released. A couple years later, the FBI sent an informant who was a real and criminally oriented hacker – meaning someone who steals credit card information to steal money – to set me up. And I realized quickly what the informant was doing so I began doing counter-intelligence against the FBI and started hacking again. This story is really focused on in the book: how I was breaking the FBI’s operation against me and found out the agents who were working against me and their cell phone numbers. I took their numbers and programmed them into a device I had as an early warning system. If they came close to my physical location I would know about it. Eventually after this case was over in 1999, I had very stringent conditions. I couldn’t touch anything with a transistor in it without the permission of the government. They treated me like I was a MacGyver, give Kevin Mitnick a nine-volt battery and duct tape and he’s a danger to society.

I couldn’t use a fax machine, a cell phone, a computer, anything that had anything to do with communications. And then eventually after two years they relaxed those conditions because I was commission to write a book called The Art of Deception, and they secretly gave me permission to use a laptop as long as I didn’t tell the media and didn’t connect to the Internet.

DT: I’d assume this wasn’t just incredibly inconvenient but also personally difficult.

kevin_wantedKM: Yeah because imagine… I was arrested in 1995 and released in 2000. And in those five years the Internet went through a dramatic change, so in this time it was like I was Rip Van Wrinkle. I went to sleep and woke up and the world has changed. So it was kind of difficult to be forbidden to touch technology. And the government, I believe, just wanted to make it extremely hard on me, or they actually believed I was a national security threat. I really don’t know which one it is, but I got through it. Today I’m able to take all this background and my hacking career and now I get paid for doing it. Companies hire me from all around the world to break into their systems, to find their vulnerabilities so they can fix them before the real bad guys get in. I travel the world speaking about computer security and raise awareness about it, so I’m extremely lucky to be doing this today.

I think that people know about my case, and that I did break the law, but that I wasn’t out to do it for money or to harm anybody. I just had the skills. I had nothing to lose, I was on the run from the FBI, I could have taken money, but it was against my moral compass. I regret the actions that harmed others, but I don’t really regret the hacking because to me that was like a video game.

DT: Hacking has been a trending topic this year thanks to hactivists like Anonymous. They are an extremely polarizing group – what’s your take on them?

KM: I think the number one thing that Anonymous is doing is raising security awareness, albeit through a negative way. But they are certainly illustrating that there are a lot of companies out there that are the low-hanging fruit, that their systems have shoddy security and they really need to improve it.

I don’t believe their political message is really going to make any change in the world. I think the only change they create is making themselves a higher priority for law enforcement. It’s sort of like why the FBI was so pissed off at me. When I was a fugitive, living in Denver and had figured out what the informant was doing, I found through my early warning system (monitoring their cell phone communications) that they were coming and going to search me. I cleaned out my apartment of any computer gear or anything the FBI would take, and I bought a big box of donuts and with a Sharpie wrote “FBI donuts” on it and stuck it in the refrigerator.

They executed the search warrant the next day and they were furious because not only did I know when they were coming but I had bought them donuts. It was a crazy thing to do… it lacks some maturity, but I thought it was hilarious. And because of this, I became a fugitive, and the FBI was arresting the wrong people they thought were me, and the New York Times was making them out to be like Keystone Kops. So when they finally got a hold of me, they hammered me. They came down really hard on me, and even in my case… you know, I did steal source code to find security holes and I hacked into handsets from Motorola and Nokia so that I couldn’t be tracked. And the government solicited these companies to say the losses they incurred at my expense were their entire R&D investments that they used for cell phones. So it’s kind of like a kid going into 7-11 and stealing a can of Coca-Cola and saying that the loss this kid caused to Coke was the entire formula.

And that’s one of the things I set straight in the book: I did cause losses. I don’t know if it was $10,000, $100,000, or $300,000. But I know that it was wrong and unethical for me to do and I’m sorry for it, but I certainly did not cause $300 million losses. In fact, all of the companies I hacked into were publicly traded companies, and according to the SEC, if any public company suffers a material loss it has to be reported to shareholders. None of the companies I hacked into reported a single penny of loss.

I became the example because the government wanted to send a message to other would-be hackers that if you do these types of things and you play games with us, this is what’s going to happen to you. As a reaction to my book, some people say “Oh he’s not sorry for what he did, he’d do it again,” I’m not sorry for the hacking, but I am sorry for any harm I caused. There’s a distinction between that.

DT: So how do you see hacking evolving right now? Technology is far more accessible than ever and more and more consumers are capable of pushing these limits.

KM: Hacking is going to continue to be a problem, and attackers are now going after mobile phones. Before it was your personal computer, and now it’s your mobile device, your Android, your iPhone. People keep sensitive information there, bank account details, personal photos. Hacking is going in the direction of phones certainly.

Malware is getting more sophisticated. People are hacking into certificate authorities, so you have a protocol called SSL for online shopping or banking transaction. And this whole protocol is based on trust and these certificate authorities, and hackers are compromising these certificate authorities and issue themselves their own certificates. So they can pretend to be Bank of America, pretend to be PayPal. It’s all more sophisticated, more complex, and more important for companies to be aware of the problem and try to mitigate the chance that they’re going to be compromised.

DT: What advice if any would you give to hackers today?

KM: It was unavailable in my day, but now people can ethically learn about hacking. There are courses, lots of books, the cost of setting up your own computer laboratory is very inexpensive, and there are even Websites out there on the Internet that are set up to allow people to try to hack into to increase their knowledge and skills – ones called Hacme Bank. People can ethically learn about it now without getting themselves into trouble or harming anyone else.

DT: Do you think that encourages people to misuse these skills?

KM: They’re going to probably do it whether or not they have the help. It’s a tool, hacking is a tool, so you can take a hammer and build a house or you can go hit somebody on the head with it. What’s important today is ethics. The ethics talk for Kevin Mitnick was: It’s okay to write password-stealing programs in high school. So it’s important to get people and kids interested in this because it’s an interesting field, but to also have the ethics training behind it so they use it in a good way.

DT: Can you talk a little about the Mac vs. Window security debate?

KM: Macs are less secure but they are less targeted. Windows have the most market share so they are more targeted. Now Apple is obviously ramping up their security, and the reason you don’t hear about many Macs being attacked is malware writers don’t write malicious code for the Macs because they just weren’t popular enough. When you write malicious code you want to attack a lot of people and there have traditionally been a lot more people running Windows.

As Mac market share goes up, we’re naturally going to start seeing them targeted more.

DT: What OS is most secure?

KM: Google Chrome OS. You know why? Because you can’t do anything with it. You can access Google services but there’s nothing to attack. But it’s not a viable solution for people. I’d recommend using a Mac, not only because of security, but I have fewer problems running Mac OS than Windows.

DT: What new tech do you find most fascinating right now?

KM: I remember when I was nine years old and I was driving through L.A. with my dad looking at the rumble strip on the freeway thinking one day they’re going to make technology where you won’t even have to drive the car. There will be some sort of electronic solution where the cars will drive themselves and there will hardly be any accidents. And three, four decades later, Google is testing this type of technology. Driver-less cars. I think that’s George Jetson type stuff.

Topics
Molly McHugh
Molly McHugh
Former Digital Trends Contributor
Before coming to Digital Trends, Molly worked as a freelance writer, occasional photographer, and general technical lackey…
Best Squarespace deals: Save on domains, web builder, and more
A laptop with Squarespace displayed on the screen.

Nowadays, everybody has a website, whether it's for personal stuff, to show off their online portfolio, or even to sell something. Of course, building a website isn't always easy, especially for those who aren't tech-savvy, but you'll be surprised at how easy it is to build a website with Squarespace, even for beginners. Luckily, there is currently a great sale going on at Squarespace to give you an extra nudge to grab yourself a subscription, with annual plans giving you up to 36% off, as well as a short-term 20% off sitewide with the code W4D20.

Besides just website building, there are a ton of perks of subscription, from hosting to email campaigns and even Squarespace Courses, which is pretty unique for a website-building website. So, if that sounds like something you'd like to be a part of, we've listed all the ways you can save on Squarespace subscriptions below.
Today’s best Squarespace deals

Read more
Microsoft Word free trial: Get a month of service for free
A person using MS Word.

It may not feel like it, but Microsoft Word is probably one of the most popular word processors out there, along with Google Docs, and pretty much everybody has likely used it at some point, regardless if you prefer Microsoft Office to Google Docs. Of course, if you want to get your hands on it these days, you're going to have to buy it as part of Microsoft Office, as opposed to getting it as a standalone product like you used to. While you do have to pay for the subscription, you can get Microsoft Word for a month using the free trial before it reverts to a paid subscription. Also, be sure to check out some of these useful Microsoft Words tricks and even how to run Microsoft Office on the Quest 3.
Is there a Microsoft Word free trial?

Microsoft Word is actually part of the company's wider Office app suite. Now known simply as Microsoft 365 (formerly Microsoft Office), Microsoft's enterprise software is available in a number of different packages that are now subscription-based; the company has retired the older bundles that were available for a one-time payment. That means if you want a Microsoft Word free trial, you'll need to sign up for the Microsoft 365 trial.

Read more
The best web browsers for 2024
Lenovo IdeaPad 530S

All web browsers have the same basic function, and yet, the choice between them has always been one of the most contentious in tech history. You have more options these days than ever before, whether you're looking for the best web browser for privacy, the best for speed, or perhaps something a bit more adventurous.

To help you decide on the best web browser, we grabbed the latest browsers and put them through their paces. Even if some could use a complete overhaul, these options are your best chance for a great online experience.
The best web browser: Google Chrome
Google Chrome version 116 Mark Coppock / Digital Trends
Chrome is ubiquitous -- and for good reason. With a robust feature set, full Google Account integration, a thriving extension ecosystem (available through the Chrome Web Store), and a reliable suite of mobile apps, it’s easy to see why Chrome is the most popular and the best web browser.
Chrome boasts some of the most extensive mobile integration available. Served up on every major platform, keeping data in sync is easy, making browsing between multiple devices a breeze. Sign in to your Google account on one device, and all Chrome bookmarks, saved data, and preferences come right along. Even active extensions stay synchronized across devices.
Chrome's Password Manager can automatically generate and recommend strong passwords when a user creates a new account on a webpage. Managing saved passwords and adding notes to passwords is even easier. The search bar, or Omnibox, provides "rich results" comprised of useful answers, and it now supports generative AI capabilities. Favorites are more accessible as well, and they're manageable on the New Tab page. And it's now easier to mute tabs to avoid unwanted sounds.

Read more