Ex Hacker Urges US Lawmakers To Step Up Computer Security

Describing how he easily duped employees at top firms and government agencies into divulging key information, Kevin Mitnick, 36, told senators that he was "so successful in that line of attack that I rarely had to go to a technical attack."

Defenses against computer raids have become a hot issue in the wake of attacks last month that temporarily disabled high-profile Internet sites including the portal site Yahoo.com and bookseller Amazon.com.

Relaxed and confident, Mitnick testified at a Senate Governmental Affairs Committee hearing on the safety of US federal computers, describing how, over a hacking career spanning decades, he managed to break into all of the systems he targeted save one – run by a fellow hacker in Britain.

"I have gained unauthorized access to computer systems at some of the largest corporations on the planet, and have successfully penetrated some of the most resilient computer systems ever developed," he said.  

Among the victims of what he said was the allure of the "intellectual challenge" were AT and T, Motorola, Nokia and Sun Microsystems.

He said he had breached security at the Internal Revenue Service and Social Security administration in 1992, which, he noted wryly, "Happens to be beyond the applicable statute of limitations."

Because people can be fooled into giving up passwords or other access, firms "can spend millions of dollars (to beef up computer security) and that can be money wasted," said Mitnick, who on January 21 was released after nearly five years in jail.

Instead, he stressed, the government and private sector should focus on training its employees. For example, he said employees should watch videotape showing a hacker conning someone to gain access to a computer system.

And each agency must perform a risk assessment, cost-benefit analysis and ensure compliance with security policies, he said. Even so, determined individuals or foreign nations with ample resources will find a way in, he cautioned, saying security efforts were like putting a lock on one's door: "If somebody really wants to get in, they'll go in through a window."

Mitnick, who likened himself to an explorer, described secret data as a "trophy" to be won. He stressed that he never made money from his illicit activities and said harsher penalties would do little to deter hackers. "When people are doing this ... they're not doing a cost-benefit analysis," he said.

In one of the hearing's many light moments, the panel's chairman, Republican Senator Fred Thompson, told Mitnick to choose your excitement a little more carefully next time. "That's a good idea," he replied to laughter from his enthralled audience.

Mitnick drew more laughter when, saying hacking was encouraged in school, he described how one of his computer science professors had assigned a project aimed at unearthing passwords. "Of course I got an A," he quipped.  

Mitnick, arrested in 1995, pleaded guilty in March 1999 to wire fraud and computer fraud, serving 59 months and seven days before being set free under supervised release but with strict conditions.

The former hacker, who frequently joked with senators and easily bantered with reporters, said he cannot legally use cell phones, computers, software, personal information assistants, modems, nor act as a consultant or advisor to individuals or groups engaged in any computer-related activity. He later dryly observed to reporters that he had to get special permission for the pager he was wearing.

He is, however, allowed to own a landline telephone. Mitnick highlighted that because computers are used everywhere, the restrictions – which he said could be read as comprising cash machines, or even computerized exercise machines – made it difficult to find employment.

Asked by reporters whether he would work for the government, Mitnick replied, "I'd consider it, but they haven't approached me.".