$ cat mitnick_advisory.txt
SUBJECT:
WHY EVERYONE IS TALKING ABOUT MITNICK

I keep hearing newspaper people call Kevin Mitnick a computer
criminal.

Maybe that's true according to the law.

But from where I sit, most of the people talking the loudest
about him don't understand what he actually does.

They imagine some kind of electronic burglar sitting at a
keyboard smashing through defenses.

The stories I keep hearing are different.

The interesting part isn't the computers.

The interesting part is the people.

Mitnick seems to understand something most system operators
don't want to admit: the weakest part of any system is usually
the human being sitting in front of it.

You can buy expensive hardware.

You can install every security patch available.

You can lock the machine in a concrete bunker.

Then somebody calls the help desk and asks the right questions.
Game over.

Every operator I've talked to worries about passwords.

Almost nobody worries about trust.

That may be the real lesson.

The stories making the rounds through bulletin boards are
getting larger every month.

Some say he can talk his way into anything.

Some say he can convince employees to hand over information
they were specifically trained to protect.

Some say he knows telephone systems better than the companies
that built them.

I don't know which stories are true anymore.

Probably not all of them.

But the reason people remember his name isn't because he breaks
things.

It's because he demonstrates that things were already broken.

Most organizations seem shocked when someone discovers a flaw.

They are rarely shocked that the flaw existed.

A lot of operators are angry about the attention.

The smarter ones are learning from it.

I know several local administrators who have started auditing
accounts, changing procedures, and questioning assumptions
because of the publicity surrounding the Mitnick case.

That's probably more useful than pretending the problem doesn't
exist.

If a lock can be opened by asking the guard nicely, the lock
was never the security mechanism.

The guard was.

Maybe that's the lesson everyone should take away from this.

Systems are built from people.

People trust.

People make mistakes.

People want to help.

Anyone who forgets that is going to have a bad day.

NightWatch
USCN Node R4
2400 baud and still connected

=========================================================================
ARCHIVE ANNOTATION
ADDED: 1996-08-11
Subsequent review indicates many claims regarding Mitnick
circulating on bulletin board systems during this period were
unverified, exaggerated, or based on rumor.
Document retained for historical context.
=========================================================================
$
$ cd ..