Well that's good. At least those security holes will remain unpatched so that the rest of the customer base that isn't Mitnick can be attacked in a low-profile manner.
Over the years, Kevin Mitnick has gotten used to the attacks on his website and cell phone account that routinely result from being a convicted hacker turned security expert. What he finds much harder to stomach is the treatment he's getting from his providers. Over the past month, both HostedHere.net, his longtime webhost, …
who report breaches in security? I fully expect that AT&T will just tell them that it is their fault and that they must have given their account details to someone else.
The loss of customer security is not really paid by AT&T so they don't care. MK's crime was probably to try to hold them accountable.
"his status as a celebrity hacker makes his accounts too hard to defend against the legions of script kiddies who regularly attack them".
Hard to defend? Perhaps his providers need to employ competent security staff.
Script kiddies use known and published exploits; competent hackers develop exploits for publicly unknown vulnerabilities. Any security expert worth his/her salt is aware of the attack vectors exploited by script kiddies and protects systems from such lame attacks.
Anyone want my IP address? It is either full stealth or exposes my honeypot. I am not saying I cannot be owned, but it would take more than a script kiddie and I'm not a security professional. Btw I am working on it (becoming a security expert that is) and looking for a change of career should anyone want to employ a smart ass to protect their systems ;-)
LOLz, totly h4z0rd mitnick acct. I B 2 l33t.
sKiddies suck, but you gotta love the irony here. I'm sure that the former victims of Mr. Mitnick are happy to see the poetic justice in action.
Interesting marketing strategy for the vendors (at least on a security front). Implied message: "we take our network's security very seriously... you can feel safe with us, after all, if you're not safe with us, we'll drop you!"
Mitnick security tip of the day: "Remember your password, don't write it down or tell it to anyone!"
...Paris, because that's the level of 'security expert' advice I see here.
Quite ironic how you see so many people trying to get one over on Mitnick simply to get the kind of status that Kevin himself had years ago. Whereas now all you hear about Mitnick is that his entire life is under the watchful eye of almost every script kiddie you can come across that wants fame.
All of these companies who do such things as drop someone from their PAID services simply because they can't keep up with the fact that they get exploited really makes you worried for the other customers.. I mean yeah, 0days come out.. Even Microsoft has been slapped left, right and centre with 0days over time. But they haven't decided "we'll quit coding. We can't handle the attacks". Thankfully I don't host my websites with them and I don't have AT&T, but worrisome :P
Seriously?
Why is it that people who were caught and found guilty, who did their time, have to continuously defend themselves against morons? (Yes, I'm looking at you.)
There are those out there who deserve to be scrutinized (OJ and Whacko Jacko for instance) and there are those who took what was given to them by the courts and came out to be a hell of a lot more productive.
Personally I feel the onus in this case SHOULD be on the providers and not those who pay for their services. If they want to take the cheap, easy way out then what's the point in promising 'security' at all?
The host doesn't seem to offer enterprise or even dedicated hosting. They offer shared hosting at $15, $20, and $30 per month. Fending off one DDoS attack per year might cost them more than KM might pay them in a year.
How could they NOT get owned? They offer cPanel, PHP, and FrontPage. SecurityFocus shows 109 past (known) vulns in cPanel alone. To exploit some of the cPanel vulns, you would need an account. So the host probably faces the expense of accounts opened via fraudulent CC accounts too.
Just the cost of doing business? I don't think so. Even the casinos ban people that cost them money.
Here we have a security consultant who was hosting their security focused site, with a shared hosting provider. Is this what he would recommend to his clients?
Here we have a person who spends $2k per month on phone bills, but apparently "nickel and dimes" his business web presence.
Would you hire this guy?
It sounds like he should have "retired" and become a talking head who appears on cnn, whenever some celebrity gets their cell phone hacked.
I think that being dumped by the hosting company and by the cell company are quite different things.
Web hosting is a competitive market, and the message here is "for the money we charge, you get sloppy security, but if you are not a target of choice you are OK." There are probably companies that would be happy to take responsibility for fending off "serious" attacks and charge a premium for that. If not, it's a nice business opportunity for Mitnick himself: buy co-location and start a hosting company advertising it as "secure enough to host Kevin Mitnick himself". (Conspiracy theory: he is planning exactly that, and this news story is his first PR move.)
Cell phone providers, on the other hand, are only so many. If none of the three can guard your privacy, well, where can you go? Founding your own cellco is not an option. That's why they are regulated, and in this case, should be forced to implement security that is adequate for Mitnick and "ordinary people" alike.
Mitnick was, is, and will continue to be, a putz.
The skiddies harassing Mitnick are child[ren|ish], and/or idiots.
The press following the skiddies harassing Mitnick are bottom feeders.
Drop it, already. Mitnick was NOT a hacker. He was a con-artist, at best. He's done his time, and is now trying to con other people into paying him for pretty much nothing ... which is probably where the real story is.
I'm with Anon.Coward, above. If Mitnick were a half-decent security guy, he could rig up a server and lock it down instead of whining about being kicked off shared hosting (when I ran an ISP, I regularly kicked off people for being a general nuisance and not worth the effort - the cost of doing business does *not* include playing charity).
Shame on AT&T though - don't they have a legal obligation to protect customer data?
Also in defence of the companies he is using, he really should have a proper web presence that he has more control over. If he is still unable due to his previous actions then he is a bit stuck, sucks to be him I guess.
As far as the phone thing goes, if people kept posting my mobile number about, I'd just get a new number and maybe consider getting a friend, relative or lawyer to register it so it wasn't in my name.
Much as I sympathise with Kevin the victim, there is definitely a lesson to be learned here about consequences and the Internet.
Exactly. There are loads of web hosts out there with pretty average security and pretty low prices - it's the customer's choice.
Are people really saying that every low-cost hosting company should be ready to defend a high-profile target? Sure, they should apply the patches etc, but not everyone wants to pay for instantaneous responses to new vulnerabilities, particularly if they think they are a long way down the firing line.
I'd like the option of hosting my insignificant little website on a cheap service even if it almost certainly has holes. There's a cost to me of getting hacked, and a likelihood of getting hacked, and if the product of those two is less than the extra I'd pay for better security, then that sounds like a rational choice.
Surely for $20K per year he could easily get a couple servers and a good connection to host his own website out of his office/home?
Since when do security professionals (especially ones like him) let other people host their sh*t? It's like being an F1 mechanic and paying the local chop shop to fix your Ford's muffler.
Please.
Now, his problems with AT&T I can sympathize with. Talk about an asshat of a company. It's too bad we can't host our own mobile networks.
"In recent years, he's committed the password to memory and has deliberately not shared it with anyone or kept it stored on a computer."
Seriously?!?! He's turned into the very type of person he used to prey on if he stores his password on a computer or gives it to other people. Jeez, someone should teach him about security ;)
"In recent years, he's committed the password to memory and has deliberately not shared it with anyone or kept it stored on a computer"
Wow, I've been doing this for about 2 decades now, as well as with my bank PIN, my user names and even my home phone number.
That makes me some sort of security guru, doesn't it?
"sKiddies suck, but you gotta love the irony here. I'm sure that the former victims of Mr. Mitnick are happy to see the poetic justice in action."
Are you for real? Do some research into what actually happened to Kevin Mitnick and how he was arrested. He was actually done for "phreaking", hacking phone lines to make free calls. It was the media that made him out to be some kind of uber hacker. His sentence and his treatment by the US Penal service was as a direct result of the media hype. And the reason for the media hype? He refused to allow a journalist to write a bullshit book about him.
He was never a hacker in the modern sense, his skill was in persuading people to do what he wanted, not in forcing his way into a system.
Give Mitnick a connection and run a series of adverts explaining that if you value your private data and online security, get a connection with us rather than that 'other' company. Just make damn sure he doesn't get pwned on that network.
And yeah, he should be hosting his own site.
", despite a wide range of countermeasures he's followed to prevent the attacks. In recent years, he's committed the password to memory and has deliberately not shared it with anyone or kept it stored on a computer."
Well, I'd certainly pay him £60k a year with that cunning security. Not.
Not writing your passwords down is akin to correctly tying your shoelaces and not shitting yourself in public to be honest.
As someone who knew an F1 mechanic, I can say that he did indeed take his car to Shit Fit when it needed an exhaust. It wasn't a Ford though.
Something to do with changing a steel exhaust on a production car being somewhat beneath you when you're used to working with parts that are hand made out of unobtanium alloy and also having the cash to pay someone else to do the crap jobs.
He didn't change his own tyres either. He said that anything built in such a way that it isn't possible to do this in 7 seconds or less just isn't cut out for DIY work. Apparently the staff at his local tyre and exhaust centre were heartily sick to the back teeth of hearing this one.
"Isn't karma great, his getting a taste of his own medicine and doesn't like it, too bad!"
LOL, I read the article and thought that too... It was all great and dandy (and possibly fun!) when he was hacking into various systems, altering and changing a few bits and pieces and causing no end of problems for the poor buggers who ran them... But as soon as he's on the shitty end of the stick, he pisses his pants and cries. Poor baby. ;)
*bring on the flames!*
Have you actually read the story?
You're given an 8 digit password for authentication. Do you memorise it immediately or write it down to remember it as you go along? Dunno about you but I have trouble remembering my own mobile number as I've only had the phone a month or so. And no, I'm not going to tell you how I remember important numbers, but it's not on a piece of paper in my wallet that's for certain.
His issue with AT&T is that they're unable to keep his password secure. Forget the script kiddies; someone at AT&T is handing out someone else's information when asked without adequate security measures being taken. He hasn't given that password to anyone, no one else has seen it on a bit of paper he's written it on, or hacked into his computer and pulled it from a .txt file handily named "Kevin's secret password stuff". His security measures are exactly the same as what anyone else should be doing. It's not his responsibility in this case to keep his details secure; he is doing so. It's AT&T's responsibility not to hand other people's details out to all and sundry, either by computer hacking or by social engineering.
And believe me when I say how easy it is to get into someone else's account, especially if the account happens to be a business account. I've had to do it myself when the previous techie where I work left without leaving any of the account details for our telephone systems.
...or at least he thought he had, but the El Reg commentards seem to think it is OK for someone to be hounded to the end of their days by vigilantes after the judicial system says they are clean and clear.
How nice! How so very progressive of you.
I don't agree with what Mitnick did, in fact I wonder about the size of the gulf between what he did and what people *think* he did.
But, you know, don't let the facts get in the way of a witch-burning will you commentards?
I’m not going to defend Mitnick, but you seem spectacularly ignorant of what shenanigans he got up to or what he was convicted of.
The latter point is worth remembering – he got caught and he did his time. If Mitnick had got scot free, then one could argue what’s happening is vaguely karmic, but he didn’t.
It’s also worth remembering is that before his trial, he spent eight months in solitary confinement, during which he was denied access to a lawyer or even charged with an offense. Until the ‘war on terror’, Mitnick also had the record for being locked up without being charged or legal counsel. But I guess you believe that’s a walk in the park…
Here's what Wikipedia says about Mitnick:
"After a well-publicized pursuit, the FBI arrested Kevin Mitnick on February 15, 1995 at his apartment in Raleigh, North Carolina, on federal offenses related to a 2½-year computer hacking spree.[2]
In 1999, Mitnick confessed to four counts of wire fraud, two counts of computer fraud and one count of illegally intercepting a wire communication, as part of a plea agreement before the United States District Court for the Central District of California in Los Angeles. He was sentenced to 46 months in prison in addition to 22 months for violating the terms of his 1989 supervised release sentence for computer fraud. He admitted to violating the terms of supervised release by hacking into PacBell voicemail and other systems and to associating with known computer hackers, in this case co-defendant Louis De Payne.
Mitnick served five years in prison, four and a half years pre-trial and eight months in solitary confinement, because law enforcement officials convinced a judge that he had the ability to "start a nuclear war by whistling into a pay phone".[3] He was released on January 21, 2000. During his supervised release, which ended on January 21, 2003, he was initially restricted from using any communications technology other than a landline telephone. Mitnick fought this decision in court, eventually winning a ruling in his favor, allowing him to access the Internet.
As per the plea deal, Mitnick was also prohibited from profiting from films or books that are based on his criminal activity for a period of seven years.
Mitnick now runs Mitnick Security Consulting LLC, a computer security consultancy."
"Mitnick gained unauthorized access to his first computer network in 1979, at the age of sixteen, when a friend gave him the phone number for the Ark, the computer system Digital Equipment Corporation (DEC) used for developing their RSTS/E operating system software. He broke into DEC's computer network and copied DEC's software, a crime he was charged and convicted for in 1988. He was sentenced to twelve months in prison followed by a three year period of supervised release. Near the end of his supervised release, Mitnick hacked into Pacific Bell voice mail computers. Mitnick fled after a warrant was issued for his arrest, becoming a fugitive for the next two and a half years.
According to the U.S. Department of Justice while a fugitive Mitnick gained unauthorized access to dozens of computer networks. He used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country’s largest cellular telephone and computer companies. Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail. Mitnick was apprehended in February 1995 in North Carolina. When arrested he was found with cloned cellular phones, over one hundred clone cellular phone codes, and multiple pieces of false identification."
"Confirmed Criminal Acts
* Using the Los Angeles bus transfer system to get free rides[5]
* Evading the FBI[6]
* Hacking into DEC system(s) to view VMS source code (DEC reportedly spent $160,000 in cleanup costs)[5][6]
* Gaining full admin privileges to an IBM minicomputer at the Computer Learning Center in LA in order to win a bet[5]
* Hacking Motorola, NEC, Nokia, Sun Microsystems and Fujitsu Siemens systems[6]
Alleged Criminal Acts
* Stole computer manuals from a Pacific Bell telephone switching center in Los Angeles[7]
* Read the e-mail of computer security officials at MCI Communications and Digital[7]
* Wiretapped the California DMV[7]
* Made free cell phone calls[8]
* Hacked SCO, PacBell, FBI, Pentagon, Novell, CA DMV, USC and Los Angeles Unified School District systems.
* Wiretapped FBI agents according to John Markoff,[7] although denied by Kevin Mitnick"
There is a great film about his jail time made by his friends, but there is also a film which is completely rubbish and possibly libellous (Track Down).
"A fan-based documentary named Freedom Downtime was created in response to Track Down."
If you look at what he did, he didn't really do much more than Steve Wozniak or Steve Jobs - they were also known to be phone phreakers, though I'm not sure if they hacked any systems (I bet they did though).
Mike
I thought the crappy film name was "Take Down", not "Track Down" Freedom Downtime was a great documentary by 2600, and still worth a look, though somewhat outdated since Kevin is out of prison now.
While there may be some poetic justice in the problems Mitnick is having, it seems like he's had the last laugh by making AT&T look like fools by making the reason why they dropped him public. (not that AT&T needs much help in looking the fool)
There isn't much excuse for him not hosting his own website as far as I can see (or having competent friends host it). Not much choice when it comes to his cell phone though.
"Not writing your passwords down is akin to correctly tying your shoelaces and not shitting yourself in public to be honest." --I usually wait until I get home to tie my shoes together and soil my trousers. So check there.
You're right, but I was using Wikipedia as a source though :)
I found it funny too, but I wanted to see who else noticed. I noted some people didn't know what he had done, so I thought it was interesting to see who knew what...
I think he wants someone else to host it so he can blame them and get the attention when they don't, or so he can chastise them over security issues (would be a good move on his part, I think); plus, being an American, he could sue them into the ground when they have a security outbreak due to their negligence.
I host some things myself, but they aren't exactly business-critical systems and I don't really care if they get taken down - he might not want to invest in a backup solution and might not want the hassle (I doubt it would be at all difficult to take down a home-hosted DSL web server).
Mike
Hello, I _am_ a security expert, and I agree with Schneier on password storage. Root passwords for my work laptop and personal home box are on a slip of paper in my wallet. If I fall under a bus my family might like to recover personal photos* and whatnot from it, and work will want to recover their data. If I drop it in the street the passwords are no use to a random passer-by or pickpocket, as there are no hostnames or IPs; and because I tend to keep track of my wallet fairly closely, I'd miss it pretty quickly and be able to change the passwords at the same time as stopping bank and credit cards. A targeted attacker would need to get physically close enough to me to pull it from my inside jacket pocket; not impossible, but good enough for me. Yeah, if the NSA want to send ninjas into my house at 3am to photograph the bits of paper, there's little to stop them, but if you're wasting time and money trying to defend against the NSA, you're an idiot anyway.
*stop sniggering at the back, there!