This guest review of Ghost in the Wires: My Adventures as the World's Most Wanted Hacker by Kevin Mitnick was written by Steve Hunt of Hunt Business Intelligence at SecurityDreamer.
Kevin Mitnick’s story will give new meaning to your understanding of security & business – Book Review
Kevin Mitnick taught me how to play blackjack in Las Vegas. He sat next to me at the Golden Nugget and coached me while I played. I won several times and walked away $400 ahead. He lost about that much. He just didn’t know when to quit. As I read his memoir, I would sometimes shout out loud at the pages. “Kevin, what are you doing?! It’s time to quit!”
Ghost in the Wires: My Adventures as the World's Most Wanted Hacker is the complete story from Kevin’s point of view about his life of hacking and running from the law.
In the book, Kevin speaks with disarming frankness about his parents, his home life, his girlfriends and friends. He makes no excuses – leaving the reader free to assume root causes of his’ behavior. Maybe it was the parents’ messy divorce, Kevin’s strained relationship with his father, the abuse he suffered from Mom’s boyfriends, betrayal by his friends. However, one thing shows Kevin’s character more than any other. He does not blame anyone. He takes full responsibility for his actions and obviously sees things from others’ points of view.
That clarity and ability to connect with people is doubtless one of the reasons he was so successful deceiving people using a technique known as social engineering. Law enforcement and the press absurdly painted him as a monster with magical, diabolical skills. But ultimately it was his humanity that allowed him to connect to people and get what he wanted. He deceived people, to be sure. It was his stock and trade as a hacker, but also yielded many insights he shared with us in his best-selling book The Art of Deception.
When I met Kevin Mitnick for the first time, he struck me as nervous, humble and self-deprecating. He had just been released from prison and was still under very tight probation in Las Vegas. I was hosting a conference on behalf of my employer, Giga Information Group. Kevin was our keynote speaker – his first speech in public ever. As I got to know him, I saw he was very bright, funny and forever playful.
A year or two later, I arrived in Athens Greece to speak at a conference where Kevin was the keynote speaker. I checked into my hotel that evening, exhausted from a full day of traveling, and fell right to sleep. At about 2 am my room phone rang. I grabbed it and mumble, “hullo?” The voice at the other end said “This is the front desk. There is a problem with your credit card. You need to come down right now and see the manager.” I said, “It’s the middle of the night! I’ll come down in the morning.” The voice said very firmly, “Sir, you must come right now and re-process your card. The hotel is very full and if you cannot pay we have to make the room available for others waiting in line.” “That’s outrageous!” I said, now finally waking up and getting mad. Softening a bit, the voice said, “I understand sir, perhaps you could just read your card number over the phone.” I grunted, grabbed my wallet and started reading the number, “3715 4118 6…KEVIN!!!!!” That’s when he broke character and busted out giggling.
His skill at manipulating people and computer systems made him a great hacker. By that, I mean “hacker” in the original sense of someone seeking the limits of a system. His inability to stop made him a great criminal. By that I mean his crimes became a great challenge to a law enforcement infrastructure, including the FBI, poorly prepared to understand his crimes. His years as a fugitive made him a great story. Meaning he became both a folk hero to legions of computer experts and hackers who understood him and an arch villain in newspaper articles, in the New York times and elsewhere, determined to sensationalize him and his crimes.
The story of Kevin Mitnick as the world’s most wanted hacker is funny, exciting, sad, and sometimes horrifying – especially as we read how the courts so grossly misunderstood his crimes and thereby punished him in some ways worse than the most heinous mass murderers of recent memory. Here lies the critical aspect of Kevin Mitnick’s story. Computers, networks and the Internet were so mysterious to people outside of the geek or IT subculture when Kevin was hacking that people were afraid of the unknown and needed someone or something to take their fear away. Kevin was a sacrificial lamb to his accusers, many of whom needed to defend their pride, and to the public, who loved seeing a villain take a fall.
Like other sacrificial lambs, Kevin Mitnick also became a symbol. To the hacking underground he was a freedom fighter. To us in the security profession, he was a manifestation of the enemy, the “threat.” To law enforcement he was a catalyst for changes in law and improvements in technological savvy. For all of us, though, he elevated the conversation about risk management. Before Kevin, data security was all about control. If we ever lost “control” of data, we felt as though we “lost” it altogether. That mentality still exists and is common in discussions of data leakage, today. The lessons we learned since Kevin’s adventures on the wires, however, bring us to a much more useful and business-oriented view of security and risk management. Security — control — is not the point. No business executive wants security. He or she wants business to run efficiently and effectively, no matter what else is going on. This idea of robust business process is the new view of security and one built firmly on the foundation of Kevin Mitnick’s hacking. Kevin proved to us that “control” of data is not the point. “Securing” the network is not the point. Resiliency is the point. Securing the “business” is the point.
The myth of Kevin still haunts many people in technology, business and law enforcement. But the myth is all we’ve had till now. This memoir gives us finally the man, Kevin Mitnick, whose adventures as the worlds most wanted hacker, bring us to a very human view of the intersection of technology, business, law and security.