I was amused to read a Web posting (see http://hunger.hu/zf05.txt) claiming that the “I33t” group (a group of cyberattackers) had broken into Dan Kaminski, Kevin Mitnick, and Julien Tines’ systems. They backed up their claims by showing listings of transactions on the compromised systems. They appear to have gotten a particularly great sense of satisfaction from having broken into Mitnick’s system, as shown in the following portion of their posting:
Kevin Mitnick, hero to many, wet dream to Emmanuel Goldstein. Consider this a follow up to the cDc article. Kevin has become the media rep for the hacker community, something which he has grown further and further apart from ever since his release. Without John Markoff’s sensationalist reporting Kevin Mitnick would not have the notoriety that allows him to earn his money providing keynotes at conferences all over the world. Kevin is polluting the
media with bull***. Whilst we understand that owning him is something which has been done many, many times, we felt that not presenting his insecurity publicly would be wrong. Since 2003 this has been done three times of note
and Kevin has used his enormously powerful SOCIAL ENGINEERING techniques to escape with an unharmed repuation each time. The fact is that he cannot secure his systems because he does not know how.
I got a good laugh, because Mitnick (as well as the rest of the individuals mentioned in this posting) is considered by some to be an information security expert. For better or worse, he is frequently chosen to be a keynote speaker for information security conferences and is often hired as an information security consultant. Interestingly, Mitnick replied to the 133t group’s posting by saying in effect that it was no big deal that this group compromised his system because there was no sensitive information on it. Yes, believe it or not, Mitnick said this, and in saying this, he has revealed a lot about his knowledge (?) of information security.
Lamentably, what has happened to Kaminski, Mitnick and Tines has happened many times before. I remember how at Berkeley several individuals who worked in information security there had their machines compromised by engaging in dangerous actions such as opening attachments that they were not expecting. They quickly dismissed the fact that their machines had been compromised. What a message to the user community, the same community that the information security staff there blanketed with messages about engaging in safe computing practices. And I remember how a colleague who had achieved considerably prominence in information security had his machine compromised several times. He almost seem proud that this had happened—that he had been targeted by the computer criminal community.
It is a tragedy that some who posture themselves as information security gurus are for some reason unable to secure their own systems. The bottom line is that those of us who claim to be information security professionals must practice what we preach. If we cannot even secure our own systems, we should not be out there telling others anything about information security.