Comment Articles

What hackers can teach you about security

Robert Vamosi AnchorDesk

Published: 24 Apr 2003 14:52 BST

Can you trust a hacker? What if that hacker was convicted, and served time, for his offences? I ask because I'm back from the RSA Conference in San Francisco, where those questions were hot topics.

Two years ago, computer security companies bragged about hiring former hackers -- who better to plug security holes, the thinking went, than the folks who were so good at finding and exploiting them?

But ever since the passage of the Patriot Act in October 2001, with its stern penalties for hacking, that kind of thinking has fallen out of fashion. Generally, I think that's a good thing: I don't think convicted hackers should be rewarded or become celebrities simply because of their crimes. The same holds true for those who've escaped prosecution.

That said, I think Kevin Mitnick, who spoke at the RSA conference, and others like him have some valuable lessons to teach anyone who's concerned about security.

As you may recall, Mitnick was convicted of a variety of hacking offences in the early 1990s; in 1995, he was sentenced to five years in jail. That sentence also included three years of probation, during which he was forbidden from using a computer. In February of this year, Mitnick was finally allowed to access the World Wide Web again. He now runs his own consultancy and travels the conference circuit. Judging by the standing-room only crowd at RSA, he's a bona fide hit.

While there's no doubting Mitnick's proficiency at exploiting digital systems, what separated him from other hackers was his mastery of so-called "social engineering." For example, in what he calls "pretexting," Mitnick was able to extract sensitive, inside information from companies and individuals. Pretexters take advantage of human vulnerabilities to extract exploitable information from even the most casual of exchanges.