Mitnick sequel fails to hack it

The Art of Intrusion

Book review

Sequels are hard. Just ask John Travolta, currently being panned by the critics for his efforts in Be Cool, the would-be follow-up to the tremendously successful film Get Shorty. In books, as in films and music, following instant success is often harder than achieving it, because the former may be the labour of years but the latter has to be built from what's immediately available. Thus one can imagine the challenge Kevin Mitnick, and his co-author (and already published author) William D. Simon, faced after the plaudits showered on their first product, the 2002 book The Art Of Deception.

We need not go over the merits of that book (though you can read them up). Suffice to say they were many, principally because it focussed on social engineering - the technique of getting your victims to help you to break in, rather than sitting whey-faced in a darkened room staring at a screen running Netstat. Social engineering is really, really hard to defend against, because you can't just plug in something and feel safe. It's about people, and people can be persuaded to do and say almost anything.

But Mitnick clearly poured much of his life experiences before prison into that book. Now he's a security consultant, whose clients would likely be unhappy about having exploits or weaknesses broadcast to the world. So what to do when the publishers suggest a followup? And what to call it?

The solution: pull together tales from other hackers of how they did what they did, and call it something similar to the first book - specifically, The Art of Intrusion (subtitled 'The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers').

Thus the first chapter describes how a team of clever programmers set out to empty the computer-controlled poker-playing machines in Las Vegas by working out how the underlying code worked, and thus when a winning hand was on the way. It's Ocean's Eleven sans George Clooney, Julia Roberts, and swish locations; instead there's firmware reverse-engineering and miniature computers concealed in shoes. But the team made a million, at least, and weren't caught.

The next chapter is the tale of some hackers who may, or may not, have been encouraged by a terrorist - from al-Qaeda? - to download details from Boeing, and break into the White House website. The hackers got busted; but what's not clear is whether the person who urged them on truly was a Pakistani terrorist, or an FBI plant to smoke out disloyal (or just dumb) hackers, or perhaps a double agent.

It was around this point I got that 'sequel discomfort'. Whereas Art of Deception had a simple theme - how social engineering gets around your computer defences - Art of Intrusion is less sure of its ground. Is it about hacking? But there's plenty of stuff out there, from Clifford Stoll's The Cuckoo's Egg onwards, about that. This didn't have the tidiness of the first book; like real life, it had too many loose ends and uncertainty.

My unease continued with the story of some prisoners who had been allowed to get almost unlimited use of computers while inside a US state prison, and the trailing of a hacker through Boeing (again), and the saga of Adrian Lamo, the "Robin Hood hacker" who got hit hard by the FBI when he was found to have - gasp - hacked into the New York Times and even done some unauthorised Lexis/Nexis searches, as well as - shock! - cheekily added his name to the list of op-ed ("leader page", in the UK) contributors.

The stories are diverting enough, but what do they tell us? Mitnick does make the useful point that the charges hackers face often bear little relation to the actual damage or cost done; in Lamo's case, he was charged among other things with making $300,000 worth of Lexis/Nexis searches via his intrusion to the NYT. But as Mitnick notes, the NYT pays a monthly fee for unlimited Lexis/Nexis searches, so Lamo didn't cost a penny extra.

The injustice of hacking charges, while being a perennial Mitnick bonnet-bee, is however hardly a theme on which to hang a whole book. Only towards the end does a message emerge, and even then I'm not sure it's quite what Mitnick intended. Chapter 8 details how one lone hacker broke into a film software company and stole its latest product's source code. Doing so took months, or years; he then posted the code to one of the underground warez sites. To what end? None, really, since only a specialist could use the program, and would need very powerful machines to create anything usable. The next chapter describes a team who, for fun, hacked the mobile system used by a security company which ferries around prisoners and large amounts of money (not in the same van). Having cracked it, what did they do? Nothing - and they didn't tell the company either.

The nihilism of hacking is thus laid bare. Unless it's tied to the task of protecting people and what they do against real criminals, then hacking here lies exposed as a pointless activity, as useful as kicking in the windows of bus shelters; it keeps glaziers employed, but is a disservice to most everyone else. I'm pretty sure that's not the message Mitnick intended. Although there's no sense that he delights in what hackers do, he doesn't question the ethics or sense in stealing a program that few can use to distribute for underground kudos.

The point that is made, again and again, is that hackers will find a way in if one exists, and that any sort of communication will somehow be compromised. Against determined hackers, the gods themselves contend in vain.

Yes, you should read this if you're nominally in charge of the security of a company system where you value any of your information. The "tips" at the end of each chapter might offer some assistance, but they're less useful than those in the first book.

More helpful would be to show a couple of the chapters - particularly Chapter 8 - to whoever holds the purse-strings for your company's computer security. It'll either prompt a huge boost in the budget, or a 100 per cent cut, on the basis that there's no point protecting against obsessives.

Then again, you could follow the example of one systems manager who asked Lamo to show him the weaknesses in the system. As Lamo tells it, "They said to me, 'How would you secure this machine?' I pulled out my pocketknife, one of those snazzy one-handed little openers. And I just went ahead and cut the cable and said, 'Now the machine's secure.'

"They said 'That's good enough.' The engineer wrote out a note and pasted it to the machine. The note said, 'Do not reattach'."

I'd like to think it'll be a while before Mitnick reattaches to the task of writing about hacking. He has a unique perspective, and in Simon, a powerful co-writer. But the problem (and at the criminal end, it's a severe one) needs a mature outlook. Mitnick helps us get inside the minds of hackers. But he needs to get them to see outside their heads too - and realise their actions don't exist in an ethical vacuum. That will be what musicians call "the difficult third one". If I were his publishers, I wouldn't be pushing too hard for it just yet. ®

The Art of Intrusion by Kevin Mitnick and William Simon, publ Wiley, ISBN 0-7645-6959-7
