- Ghost in the Wires: My Adventures as the World's Most Wanted Hacker
- Publisher: Little, Brown and Company
- Year: 2011
- Pages: 432
Social Engineering was my hobby horse as an undergraduate IT major; I say this as though I’m an old veteran of the IT industry, but I’m not—I’m a fresh-faced, startup-mentality programmer. One of the reasons I always focused on social engineering in my various papers and projects, however, is I was exposed early to the idea of Kevin Mitnick. This isn’t to say I was particularly familiar with his exploits, or even well-versed in the technology of his area1, but the notion that you could con your way into systems without necessarily programming or “hacking” was easy enough to understand.
At the time Kevin David Mitnick dominated the national news, there was no first-person narrative available for consumption. Prior to his conviction, of course, Mitnick would not publish a book of his exploits; after his conviction, one of the restrictions placed upon him was an inability to profit from books or films about his hacking for seven years2. In the meantime, several books came out from journalists of varying proximity to Mitnick himself. One was Jonathan Littman’s The Fugitive Game, a narrative crafted in part from Littman’s conversations with Mitnick while he was on the run from the FBI. The other is Jonathan Markoff’s Takedown, which is a largely sensationalistic work with as much fiction as fact; Markoff, as it happens, was a New York Times reporter who was responsible for most of the hysteria and a lion’s share of the misinformation about Mitnick in those years. The idea that Mitnick had access to secret NSA databases, or that he’d hacked into NORAD, or that—as one prosecutor actually said in court—he could launch nuclear missiles by whistling into a phone, was largely the invention of Markoff the Fabulist and the long trail of phone company stooges that Mitnick left writhing and thrashing in his wake.
Ghost in the Wires is the first attempt by Mitnick to tell the story of those turbulent years in his old words. On the one hand, this means that we can avoid any speculation and hearsay; on the other hand, it’s a convicted felon writing about his years performing felonies. I’m not familiar with all of the laws in this regard, but it’s possible—hell, likely—there are arrestable offenses that Mitnick committed that nobody knows about. It’s unlikely that Ghost in the Wires contains any revelations, but at least we can expect it to be better than Takedown.
Our popular conception of hacker emphasizes their technical skills; we picture strange men in dark rooms interpreting binary code and issuing cryptic commands into a command-line prompt; coding malware in C and Assembler; sniffing TCP/IP packets and cracking encryption keys. Certainly, there’s an element to hacking which involves all of these things. There’s also an element, at least in Kevin Mitnick’s case, which involves fraud and impersonation and blustering into order to trick and manipulate one’s way into systems, rather than managing the entire feat via technological skills alone. Many modern writers tend to forget, when writing about Kevin Mitnick, that he was a very skilled technologist; because so many of his “hacks” involved simple impersonation, it’s easy to forgot that he was an adept at hacking computer systems programmatically, especially when it came to the de rigueur enterprise system of that time, DEC’s VMS. Ghost in the Wires reminds us that, though social engineering was often used to acquire information, or access to a system, technical expertise was needed to do anything with that access.
It’s been hypothesized (see Douglas Coupland’s JPod for mention of the subject within a fictional narrative) that the programming or technical community has a higher-than-average incidence of autism-spectrum disorders, simply because of the way disorders like Aspergers tend to emphasize concentration and technical ability. For a hacker like Kevin Mitnick however, such a diagnosis is impossible; as he himself mentions, his real skill as a hacker came from his ability to speak boldly with strangers while impersonating system users and to modify his story on the fly. Stutterers and bashful speakers need not apply when it comes to calling Nokia in Finland and pretending to be one of their U.S. engineers.
I see three main points to take away from Ghost in the Wires that are interesting and/or important:
It sucks to be one of the first well-known hackers in popular culture. Preceding Kevin Mitnick’s rise to infamy was Kevin Poulsen, perhaps the first “hacker” in the modern, pejorative sense of the term, to be arrested with national attention. But Mitnick captured the media attention in a way that, I think, has yet to replicated. His exploits came at a time when our culture was just young and naïve enough to believe just about anything told to them about technology, but invested enough in this whole “Internet” thing to be frightened by the possibilities. He was a scapegoat, at the right time; I would say “with the right crimes”, but of course most of the public panic about Mitnick’s abilities was based upon fairy tales.
Technical expertise or no, the ability to bullshit well is paramount. Technical brilliance will only get you so far in life; to achieve anything truly impressive requires bridging the gap between what can be accomplished with computer code and the real-life (personnel security, physical security, security through obscurity) obstacles in the way. This is also a frightening proposition for CIOs and network administrators, because it underscores what is still the case just about everywhere you go: people are the weak link in your security. Forget about that unpatched Apache flaw, or SQL injection, or overly-broad permissions—actually, don’t forget about them: they’re still important—because even a perfect technical system is meaningless when employees distribute credentials without performing the same sort of identification, authentication, and authorization steps that any decent information system implies.
Kevin Mitnick without an FBI manhunt might still be a minimum-wage worker. What happened to Kevin Mitnick was ridiculous. I don’t mean that Mitnick should necessarily have escaped punishment for hacking, as technically he did commit fraud and intrusion; however, the charges levied against him were farcical and largely fabricated; his five or so accumulated years spent in prison, including a long stint in solitary confinement, an injustice. The hysterical hue and cry in the media who latched onto the salable story of Mitnick-as-terrorist is an indictment of the journalists involved and the slavering readership who pay money for salacious sensationalism. All of that being said, one could argue that without an FBI manhunt, high-profile court case, and front-page coverage, Kevin Mitnick might still be a poor loser working Tier 1 tech support by day and hacking for fun at night. Instead, he’s now at the helm of a thriving security consultancy and manages a busy schedule of corporate speaking engagements. A worthwhile trade-off? Hard to say, and though Mitnick recognizes the irony, he doesn’t make any easy statements as to whether he’d do anything different; as readers, we end up not being sure what we think, either. It’s not satisfying in that regard, but at least Mitnick respects our intelligence.