At the time of his arrest in 1995, Kevin Mitnick was the most wanted cyber criminal in the United States. The arrest marked the end of an intense two-and-a-half-year electronic manhunt, a game of cat and mouse that Mitnick likens to a video game.
"I was a little bit insane," Mitnick admits. "Why I did this psychologically is I loved putting myself in dangerous situations and then trying to work my way out of them."
To evade the FBI, Mitnick meticulously developed cover stories for himself. He worked in a law firm in Denver and a hospital in Seattle. "I was so into creating my cover it was almost like I was living another life," he says.
This fantasy life was inspired by Hollywood. According to the Tsutomo Shimomura's book Takedown,
Early on, after seeing the 1975 Robert Redford movie Three Days of the Condor, [Mitnick] had adopted Condor as his nom de guerre. In the film Redford plays the role of a hunted CIA researcher who uses his experience as an Army signal corpsman to manipulate the phone system and avoid capture. Mitnick seemed to view himself as the same kind of daring man on the run from the law.
Mitnik's ability to evade the authorities earned him considerable notoriety. In the video below, for instance, he tells the story of how he toyed with the FBI when he figured out they were close to catching him.
What's the Big Idea?
Just as reformed cheaters have gone to work at casinos, Mitnik has made a second career as a security consultant.
So what does the world's most notorious hacker have to say about secuirty? Mitnik describes security as a lifecycle. "When you develop operating systems, when you’re developing applications there are millions of lines of code in some cases," he says.
To think that a developer hasn’t made a mistake or development teams haven’t made mistakes is naïve and what I think really has to happen is either there has to be a liability attached to the companies that develop applications and operating systems and also secure coding practices. There is a rush to get applications out into the marketplace, so they could have return on investment and sometimes they want to skip the security step because it’s much faster. Then what happens is you have applications that are internet-facing that are deployed and then unfortunately end up being exploited.
So what can be done to eliminate risk? You can't eliminate it, Mitnik says, but you can at least mitigate it, and that means teaching developers secure coding practices and also auditing that code.
Image courtesy of Shutterstock