Monday, Feb. 21, 2000

The World's Most Hunted Hacker

By Kevin Mitnick

Fifty-nine months in federal prison offers a certain perspective from which to view the recent disruptions in e-commerce. The person or group behind these attacks ought to consider my imprisonment and supervised release quite carefully.

This is a hot story because of the targets involved, which include some of the biggest names in e-commerce. Denial-of-service attacks have been around for years, but the sexy victims in this case require the government to ensure public confidence in economic trade on the Net.

We're seeing the actions of apparent vandals--not hackers--who are using tools that hackers developed. No hacker I've ever heard of would do anything remotely resembling these attacks. I mean, it's not as though they have to "get root" on Yahoo's servers to do these things. Unless these people are extremely skilled, they'll be caught quite quickly. If these actions have economic gain as their motive, the perpetrators may have the resources to avoid arrest much longer.

If I could talk with the people carrying out these disruptions, I'd tell them that their actions just aren't the cool thing to do; these attacks aren't impressive. They require no sophistication. They are analogous to throwing paint remover on cars driving down the street, and they're getting a bunch of people angry. I've learned a very painful lesson--avoid any contact with the criminal-justice system, because it's a system that's stacked completely in favor of the prosecution.

If the terms of my release permitted me to do so, I'd tell the people running the sites that were hit three things, all of which they may have done by now: 1) use a network-monitoring tool to analyze the packets being sent to determine their source, purpose and destination; 2) place your machines on different subnetworks of the larger network in order to present multiple defenses; and 3) install software tools that use packet filtering on the router or firewall to reject any packets from known sources of denial-of-service traffic.
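Steps 1 and 3 above, as an added example that is not part of the original column: it parses a few constructed flow records, singles out sources whose per-second packet rate toward the victim is far above what a normal client sends, and renders reject rules for them. The record format, the rate threshold and the rule syntax are assumptions chosen for illustration.

```python
# Added example (not from the original column): analyze constructed flow
# records to find sources flooding one destination, then emit reject rules
# for a packet filter. Log format, threshold and rule syntax are assumptions.
from collections import Counter, defaultdict

# Constructed sample of flow records: "<epoch-seconds> <src> <dst> <flag> <pkts>"
# Two sources send a handful of packets; three send thousands per second.
SAMPLE_FLOWS = """\
951177600 203.0.113.7 198.51.100.10 SYN 4000
951177600 203.0.113.8 198.51.100.10 SYN 3900
951177601 192.0.2.44 198.51.100.10 SYN 3
951177601 203.0.113.7 198.51.100.10 SYN 4100
951177601 203.0.113.9 198.51.100.10 SYN 4200
951177602 192.0.2.45 198.51.100.10 SYN 2
951177602 203.0.113.8 198.51.100.10 SYN 4050
"""

def parse_flows(text):
    """Parse one record per line into (timestamp, src, dst, flag, packets)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, flag, pkts = line.split()
        records.append((int(ts), src, dst, flag, int(pkts)))
    return records

def flood_sources(records, dst, pkts_per_sec=1000):
    """Return sources whose peak one-second packet count toward dst exceeds
    the threshold. Legitimate clients send a few packets per second; a flood
    stands out by rate, not by any single packet's content."""
    per_sec = defaultdict(Counter)  # src -> {timestamp: packets}
    for ts, src, d, _flag, pkts in records:
        if d == dst:
            per_sec[src][ts] += pkts
    return sorted(src for src, counts in per_sec.items()
                  if max(counts.values()) > pkts_per_sec)

def reject_rules(sources, dst):
    """Render reject rules in a generic 'deny ip from A to B' form; the exact
    syntax of a real router or firewall differs and is assumed here."""
    return [f"deny ip from {src} to {dst}" for src in sources]

if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    for rule in reject_rules(flood_sources(recs, "198.51.100.10"), "198.51.100.10"):
        print(rule)
```

When the sources are spoofed or spread across many hosts, source-address rules alone fall short, which is the difficulty the column turns to next.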

As others have noted, the distributed nature of these attacks makes any defense far more difficult. It has also been apparent that the victims haven't been forthcoming in sharing their experience. This is quite unfortunate, as the best hope of stopping these attacks rests in sharing information about their technical nature, timing and origins. The scattered approach we're witnessing, I might point out, is a distinct contrast to the tightly coordinated efforts used to find and arrest me.

With history as our guide, we can expect that the government will use this event to push through legislation authorizing digital wiretapping without court orders, to outlaw encryption that the government cannot crack and to track the location of cell-phone users without their knowledge. They'll push laws that eliminate individual rights in exchange for more government "protection" against cybercrime.

Mitnick spent 4 1/2 years in pretrial detention before pleading guilty to wire and computer fraud. The opinions expressed here are for informational purposes only and should not be construed as technical advice of any kind.