Mitnick banned from security group

'We don't just take anybody off the street'

By all accounts ex-hacker Kevin Mitnick created only a modest stir when he sauntered into the December meeting of the Los Angeles chapter of the Information Systems Security Association (ISSA). He sat quietly, paid attention, and at the conclusion of the meeting joined with some of the other 60-odd attendees swapping business cards, chatting with fellow computer security workers and discussing his plans for his new consulting business, Defensive Thinking. "He wasn't flashy at all," recalls one chapter member, who didn't recognize Mitnick until the conclusion of the meeting. "He introduced himself as 'Kevin.'"

But the celebrity hacker was noticed, and when he showed up next month at the January meeting -- open to non-members for a modest fee -- he was already at the center of a controversy. "People were saying, this would reflect bad on the L.A. chapter if we let him in," says the member, speaking on condition of anonymity. The members had coalesced into two opposing camps: those who thought Mitnick's presence at the gathering was an affront to everything the group has stood for in its 20-year history, and those who thought it was pretty cool.

"He's a published author, he's recently been involved in forming a company, and he's got international recognition as someone in our field with credibility," says Quinton Jones, a senior security advisor with Breakwater Security Associates, and the treasurer of the ISSA's L.A. chapter. "If you weigh the pros and the cons, I think he would do more to contribute to the group than he would detract from it."

The ISSA is the largest not-for-profit security organization. It was formed in 1982, when computer security was an arcane science, and is now 2,000 members strong with chapters all around the world.

"Launching Defense Thinking and working in the space, I thought it would be a good opportunity to network with people locally," says Mitnick. After his second meeting, and despite the mixed reaction to his presence, Mitnick surfed to the ISSA Web site and applied for membership online, as one of his first uses of the modern Internet at the conclusion of a court-ordered three-year ban. On January 23rd he received a congratulatory e-mail, welcoming him into the association, and giving him a password to the members-only section of the ISSA site.

It didn't last long. Mitnick's password was quickly revoked, and a few days later he received a letter in certified mail from the ISSA's headquarters informing him that news of his acceptance was greatly exaggerated. "The ISSA has determined that your past behavior does not comply with the ISSA Code of Ethics, therefore we cannot accept your application at this time," reads the unsigned letter.

Mitnick is taking the snub seriously, as a rare pothole on his road to respectability in the security industry. With sales of his book, "The Art of Deception: Controlling the Human Element of Security," still brisk, Mitnick is working the lecture circuit, developing his consulting business, and cutting a deal with a Hollywood studio to produce information security training videos for corporate America. He's scheduled to give two presentations at the RSA Security Conference in April, the security industry's largest gathering: one a talk on social engineering, the other a panel discussion that will see him share a podium with his former government prosecutor, Christopher Painter.

"Most security people are accepting," says Mitnick. "Like at the RSA conference last year, people came up to me to greet me and welcome me to the conference. Usually, it's warm receptions all around."

Ethics Issues?

But while the ISSA's code of ethics doesn't explicitly ban convicted hackers, its first commandment requires that members have a history of performing "all professional activities and duties in accordance with the law and the highest ethical principles." Mitnick, who pleaded guilty to multiple computer crimes in 1999, says that shouldn't apply to him, because his hacking was not a professional activity.

Stephen Robinson, president of the ISSA's Los Angeles chapter, disagrees.

"There are people that are accepted and there are people who are not," says Robinson. "We have ethics and we have standards, and we don't just take anybody off the street that wants to join the group."

Robinson says he didn't make the decision to ban Mitnick from the meetings, but adds that Mitnick's hacking experience and nascent consultancy don't make him qualified to join a professional organization.

Even Jones, who encouraged Mitnick to join, says he understands why the ISSA would be reluctant to accept the ex-hacker into its ranks. "If you've got someone in the room with [the other members] who has a history of breaking the law, they're going to be less likely to bring up their issues... So to that end, him attending could be a hindrance to the goals of the organization," says Jones. Nevertheless, "He's been in the industry longer than many of our members have... I think he is someone who is somewhat a founder of our industry."

Steve Hunt, security research leader at Giga Information Group, and past president of the Chicago ISSA chapter, says Mitnick's membership was a heated issue among the association's board of directors. "The prevailing sentiment among most board members was not anti-Kevin Mitnick, it was a desire to be perceived as a professional organization -- just like the American Medical Association or the Bar Association." (Sandra Lambert, the ISSA's chairperson of the board, declined to comment.) Still, Hunt, who arranged for Mitnick to speak at the Chicago chapter last year, thinks the decision to ban Mitnick was wrong. "There's no reason to exclude him. He has shown over the last couple of years of his probation that he can contribute to the security community, and he's bent over backwards to show that he only wants to keep people from suffering at the hands of hackers and social engineers."

Mitnick sent an appeal to the ISSA's board of directors last week, asking the organization to consider placing him on a probationary period as a non-voting member, as an alternative to an outright ban. "Despite my efforts over the past three years to build a legitimate career in the field of information security, the stigma of my past still haunts me," he wrote.

© SecurityFocus.com