If you are into this topic, read as many points of view as possible and take a look at http://www.takedown.com/ (Tsutomu Shimomura's side of the story).
To the best of my knowledge, Mitnick didn't really code at all. There are (let's call them) intrusion specialists whose skillsets don't really involve systems programming, but rather intuition and tenacity, and there are others who write exploits. My understanding is that Mitnick was the former, and was using tools he got from friends and peers.
In the book he spends a lot of time on the social engineering parts of it to be honest. It's been a few years but I remember him mostly bragging about that rather than developing custom exploits.
He also comes from an era of intrusions where systems were so bad you didn't really need to code to get into them. For an alarmingly long time, the most effective tool you could use to pop a network was simply `showmount`.
That time is still today, as people are still the weakest link. A talented scammer can convince people to give them access to their WhatsApp account despite the E2EE, 2FA, and SMS verification codes.
In Mitnick's version, he RTFM'd, learned the technical lingo, procedures, and even the names of telco employees.
Yeah I think Mitnick’s abilities were mostly around thinking about doing stuff that no-one had considered that you could do. It’s still a big skill, but nowadays, there’s less stuff that no-one has thought about before.
He didn't really code in the book either... maybe 5% of the book... he did some script kiddie type exploits, some copying of proof of concepts, and some minor modifications (like modifying the "logon" program to save passwords somewhere in cleartext).
75% of the book is spent social engineering over the phone and 20% doing stuff on phone switches and other equipment.
I have met the type in my time on the internet. All it takes is having the guts to push through with what others give you, things they themselves know would get them in legal hell.
Anyone who has studied the later parts of the phone system knows that at least a few of his stories are actually bullshit.
It wouldn't be until much later (in the 90s at least, while he was in prison) that the advent of pure digital switching would enable the random reassignment of phone lines like he describes in the story about turning his friend's home phone into a payphone.
The lines were separated and had differences in sender frames just for payphones, plus typical phones weren't too happy when 130VDC was applied to them for very long.
The fact of the matter is that Mitnick went around and shook doorhandles until something opened and occasionally convinced someone to open a door for him here and there, and the fact that the emperor had no clothes was too politically inconvenient for the kinds of companies that Mitnick hit up.
Kevin hasn’t hacked anything at all. He ran with a few other characters who never received anywhere near the amount of attention that Mitnick did. For example, no one ever figured out who “jsz” was.
I think a lot of this was social engineering, but at one time the FBI considered Mitnick some kind of super hacker. How did that disconnect happen? I imagine because his targets didn’t want to admit to the FBI how crappy their security was, so they would just say omg! We got hacked!
Big moments I remember from his book.
1. Gaining access to a telco C/O and social engineering his way out after being caught
2. Ultimately being caught by sloppy practices himself, logging into systems he was comfortable with and getting traced, and then forgetting some sort of identification in a ski jacket he hadn’t used in a long time, which was in his closet in a place he was living under a new identity.
It’s been a while so I could be partly off on those details. But I’d say at least those pieces are very believable.
It should be illegal for the government to keep redactions in anything made public/declassified. It's a slap in the face to see entire sections of text (that most certainly contain important context) blocked out with a white blob.
A) a lot of what is censored ends up being publicly-known information already, so it's not a matter of safety but rather public image (imo), and B) this creates a perverse incentive to associate national security (...or other sources of unsafety) with unrelated topics to avoid having to hold yourself accountable for your work.
Plus, there's little way of knowing for the documents for which we haven't seen the uncensored version if they aren't just censoring arbitrary things.
It may be reality, but it's still pretty bad for any government that pretends to value transparency.
The people who generate the documents /cannot/ be the people who decide if they're safe to release. There needs to be independent oversight. These are not agency documents; they belong to the public. They may be classified but the moment they're no longer _objectively_ worth classifying they are absolutely public domain material.
It's also extremely offensive to see the names of AUSA's (Assistant US Attorneys) and SA's (FBI Special Agents) redacted. They had personal involvement in this case so I genuinely don't understand why their names cannot or should not be a part of this document. They're public figures in a public role.
I completely disagree. In this case, it is clear there wouldn't be a reprisal but many cases law enforcement agents and prosecution teams get involved in might involve a serious reprisal threat for them or their loved ones. Their names should never be revealed.
I think you possibly haven't read very many court documents. When these cases actually get tried much of this becomes public anyways. In particular this document details agents Mitnick _himself_ spoke with. Are you really suggesting their redactions here are to prevent reprisals? How could that possibly work?
Why do we need to have the names of people like a random security guard that was duped by social engineering? To make sure he pays for a mistake or something? What is the reason for not redacting his name?
Unless we get an unredacted version leaked in the future it's impossible to say what the redacted paragraphs say, but this document has a ton of the former style of redaction which makes me trust that the larger redactions (i.e. page 42) were in fact necessary to protect PII as labeled.
Perhaps too naive a question, but if they are innocent what is there to protect? I get it in the case of informants or agents that operate undercover or in plain clothes but if just a bystander how is it different than some news article?
Their privacy, which has value to them and should be respected. You can argue it on a case by case basis but the default is (and should be) to not disclose. As for comparisons to news articles, well maybe this is a place where the government is doing better than some news agencies (reasoning as to why is left to the reader).
What's your name and address? (Rhetorical question, please don't answer.) Is that info you'd be comfortable sharing on a public forum? I presume you're not doing anything particularly wrong.
This also assumes that we can all agree on a definition for "innocent."
> what is there to protect?
Their privacy. Some people have strong opinions on 3 letter agencies and poor reading comprehension. Some people are just mean spirited. Best way to prevent dumb stuff from happening is to not create a situation where dumb stuff could happen.
This is a bad take. Plenty of licenses involve essentially exchanging a right for a privilege (in simple terms). People who aren't comfortable with this compromise have the choice to not get a certain type of license (and many don't, HAM radio licenses aren't held by anywhere near a sizeable chunk of the population).
Is the underlying assumption that everyone redacted in that report is a licensed HAM radio user deprived of their right to have a private name and address?
Sure, they know what they're doing and they're doing it on purpose.
If you rented out a room (or even a hotel room) to Eric Weiss (Mitnick's alias, one of many), do you really want everyone here to see your full name and address?
Or if someone hacked some database of users and used your name/surname to socially engineer someone else.
maybe you told someone you were going to be some place else
maybe you were with your other family and this unwarranted disclosure revealed that to a scorned spouse and friend group that are always looking for holes in the story 40 years later
not criminal issues, not an FBI problem, and yet can alter your private life
There may be a middle ground where, with some effort, a watered down summary of the redacted information could be given (e.g. if a name of a person is redacted, replace it with some sort of unique handle). As long as this is done as an annotation for the visibly marked redaction, I see no problem. The reader may choose to trust those annotations or not.
This would be fair (I hadn't considered names in my original comment). Whether truly sensitive or not, protecting names/addresses/numbers/etc. would make sense (especially if there was a footnote to a "why" something was redacted).
Ukrainian court rulings do this -- it's always person_1 meeting person_2 at address_1, so only the parties have an unredacted ruling, while the redacted one is publicly searchable.
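The handle-based redaction suggested in the comments above (person_1, address_1), as an added example that is not part of the thread: known sensitive strings are replaced with stable, visibly marked handles so the public copy still shows who did what, while the key stays with the parties. The function names, the entity list format and the sample memo are constructed for illustration.

```python
import re

# Constructed sample memo and entity list; none of it comes from the FBI file.
SAMPLE_MEMO = ("Alice Example rented a room at 12 Sample\nStreet to the subject. "
               "Later, Example told agents that Bob Placeholder visited twice.")
SAMPLE_ENTITIES = {
    "person": [["Alice Example", "Example"], ["Bob Placeholder"]],
    "address": [["12 Sample Street"]],
}

def pseudonymize(text, entities):
    """Replace every alias of each entity with one stable handle.

    entities maps a category to a list of entries; each entry lists the
    aliases of ONE real-world entity. Returns (public_text, key), where
    key is the handle-to-alias mapping that must not be published.
    """
    handle_for, key = {}, {}
    for category, entries in entities.items():
        for n, aliases in enumerate(entries, start=1):
            handle = f"{category}_{n}"
            key[handle] = list(aliases)
            for alias in aliases:
                handle_for[" ".join(alias.lower().split())] = handle
    if not handle_for:
        return text, key
    # Longest alias first, so "Alice Example" wins over the bare surname.
    ordered = sorted(handle_for, key=len, reverse=True)
    # \s+ between words catches aliases that wrap across a line break.
    alternation = "|".join(
        r"\s+".join(re.escape(word) for word in alias.split()) for alias in ordered
    )
    pattern = re.compile(r"(?<!\w)(?:" + alternation + r")(?!\w)", re.IGNORECASE)

    def to_handle(match):
        normalized = " ".join(match.group(0).lower().split())
        return "[" + handle_for[normalized] + "]"

    return pattern.sub(to_handle, text), key

def leaked_aliases(public_text, key):
    """Release check: list any alias that still appears in the public copy."""
    lowered = " ".join(public_text.lower().split())
    return [a for aliases in key.values() for a in aliases if a.lower() in lowered]
```

This only covers strings someone has already listed; finding the names in the first place is the part that still needs a human reviewer.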
I write a lot about history, and as part of that work I occasionally file FOIA requests. There was one occasion where the FBI's response contained dozens of pages that were typewritten memos consisting of:
To: [recipient name]
From: [sender name]
Date: [date]
[Multiple paragraphs of redacted text]
...and that was basically it. It was funny, but frustrating (funstrating?).
Also, the human effort required to make the redactions is high.
That means records cannot be automatically declassified after N years because the effort to redact every document created N years ago would be extreme.
This is pretty damn interesting, it's definitely the earliest example of a computer intrusion incident response report that I've ever seen. These reports detail stuff he was doing in 1980/1981 at the earliest I can see just skimming the top few pages. His own side of this particular chapter of his history is maybe worth a read, maybe not - he was known for embellishments:
Other people have mentioned this… but it’s been established in policy that the SSN of a deceased person is not PII. There are a ton of different ways to get the SSN of someone who is deceased.
They aren't "public" but if you have a good reason, the govt will let you see the list of dead people SSNs. It's one of the first things checked when you're trying to open a line of credit because it's so easy to verify.
Now I’m wondering how many other people in this thread don’t know he died (pancreatic cancer). 59 isn’t that old. And he was expecting a baby at the time, which suggests maybe they didn't think so either.
Him, probably not. His estate, however, potentially. Perhaps one could get a loan, using his SSN, and his estate gets the bill and subsequent harassment.
SSNs make terrible secrets and it's insane that you could harm a live person by knowing their SSN. I doubt that insanity stops just because you're dead.
> I doubt that insanity stops just because you're dead.
It really does stop. What can you do with someone’s SSN? Get loans, open bank accounts, receive government benefits, set up utilities, etc. It harms someone because creditors falsely believe that the SSN’s holder owes the debt, or the government believes that the SSN’s holder received benefits, etc.
People who are falsely reported as dead have a difficult time doing anything… certainly a hard time getting loans. It’s certainly going to be hard to make a claim against an estate that’s been closed for a couple years, with a debt that is dated after that person’s death.
Well, it might show if you've been reported to have died. It's possible you were reported as dead but you're still alive. It's possible you weren't reported dead but are. And it's also possible that regardless of how you were reported, the credit agency will botch the lookup and report your dead-or-alive status wrong.
Given the amount of erroneous information in credit files, I wouldn't be surprised if the above scenarios happen regularly.
But they clearly left the year visible so blocking out the AUSA's name seems dumb too as it wouldn't be hard to look up who were the AUSAs to narrow down who was named in the file.
I guess that's why Matthew Broderick's character had a script which dialed random numbers in a target area code (I think he used Sunnyvale, CA in the movie)
I wonder if anyone did that back in the day. Not sure how much the telco would have appreciated it ...
Never used an auto-dialer myself, but it would be trivial to code one. Just send ATDT<number> out the serial port and see if "CONNECT" comes back before timing out.
Back in that time, I think a good rate was $0.01/minute for a local call on a consumer landline. Unlimited calling plans came later. Not attributing any intent to the telco, just saying, there would be no cost issue to motivate an investigation.
It definitely wasn't local - he was in Washington but dialed into Sunnyvale, CA.
I can't remember charges for local exchanges (same area code), but I only remember as far back as the late 80s. It was something like 10 cents a minute.
I remember all the ads about "friends and family" special rates/etc. Metering on voice calls persisted into the 2000s.
But the calls were very brief (if they did pick up) unless he got a "hit". So thousands of calls could have no charge