In his book, Ghost in the Wires, Mitnick speaks with disarming frankness about his parents, his home life, his girlfriends and mates.
He makes no excuses – leaving the reader free to assume root causes of his behaviour. Maybe it was the parents’ messy divorce, Mitnick’s strained relationship with his father, the abuse he suffered from his mother’s boyfriends, betrayal by his friends.
But Mitnick does not blame anyone. He takes full responsibility for his actions.
That clarity and ability to connect with people is doubtless one of the reasons he was so successful deceiving people using a technique known as social engineering. Law enforcement and the press absurdly painted him as a monster with magical, diabolical skills.
But ultimately it was his humanity that allowed him to connect to people and get what he wanted. He deceived people, to be sure. It was his stock in trade as a hacker.
When I met Mitnick for the first time, he struck me as nervous, humble and self-deprecating. He had just been released from prison and was still under very tight probation in Las Vegas.
I was hosting a conference on behalf of my employer, Giga Information Group. Mitnick was our keynote speaker – his first speech in public ever. As I got to know him, I saw he was very bright, funny and playful.
A year or two later, I arrived in Athens, Greece to speak at a conference where Mitnick was the keynote speaker. I checked into my hotel that evening, exhausted from a full day of travelling, and fell right to sleep.
At about 2 am my room phone rang. I grabbed it and mumbled, “Hello?”
The voice at the other end claimed to be the front desk. “There is a problem with your credit card. You need to come down right now and see the manager,” it said.
I replied that I would come down in the morning, but the voice said that I would be kicked from the room unless I cleared the matter.
The voice said I could read my card number over the phone.
I grunted, grabbed my wallet and started reading the number, when Mitnick broke character and busted out giggling.
His skill at manipulating people and computer systems made him a great hacker.
His inability to stop made him a great criminal.
Mitnick's crimes became a great challenge to a law enforcement infrastructure, including the FBI, which was poorly prepared to handle his crimes.
His years as a fugitive made him a great story.
He became both a folk hero to legions of computer experts and hackers who understood him, and an arch villain in the press.
Like other sacrificial lambs, Mitnick also became a symbol. To the hacking underground he was a freedom fighter. To us in the security profession, he was a manifestation of the enemy, the threat.
To law enforcement he was a catalyst for changes in law and improvements in technological savvy.
For all of us, though, he elevated the conversation about risk management. Before Mitnick, data security was all about control. If we ever lost control of data, we felt as though we lost it altogether.
That mentality still exists and is common in discussions of data leakage today. The lessons we learned since Mitnick’s adventures on the wires, however, bring us to a much more useful and business-oriented view of security and risk management.
Security — control — is not the point. No business executive wants security. They want business to run efficiently and effectively, no matter what else is going on. This idea of robust business process is the new view of security and one built firmly on the foundation of Mitnick’s hacking.
Mitnick proved to us that control of data is not the point. Securing the network is not the point.
Resiliency is the point.
The myth of Mitnick still haunts many people in technology, business and law enforcement. But the myth is all we’ve had until now.
This memoir finally gives us the man, Kevin Mitnick, whose adventures as the world's most wanted hacker bring us to a very human view of the intersection of technology, business, law and security.
The review originally appeared on SecurityDreamer.