Black hat, white hat


By Cecil Johnson

The Robin Hoods of hacking should be praised and rewarded, not imprisoned, says celebrated hacker, corporate-security consultant, author and ex-convict Kevin D. Mitnick.

In his latest book, The Art of Intrusion, written with William L. Simon, Mitnick assesses hacking -- penetrating security systems -- as a creative art that can be practiced for malicious or good ends.

While nearly all hackers hide their identities behind a nickname, Mitnick presents white-hat hacker Adrian Lamo, who he says is one of the few who hack without masking their identities and, when they find a flaw in a system, tell the owner.

"These are the Robin Hoods of hacking. They should not be incarcerated but celebrated. They help companies wake up before some hacker of the malicious type does the company serious damage," Mitnick writes.

That, however, was not how the federal government saw things when Lamo got caught. But Lamo didn't go to jail, either.

Lamo, who hacked into Microsoft, Yahoo, MCI WorldCom, excite@home, SBC, Ameritech, Cingular and The New York Times, was sentenced to six months' home confinement and two years of supervised release and ordered to pay $65,000 in restitution.

While that may sound like a slap on the wrist to most nonhackers, Mitnick finds the fine excessive.

"Based on Adrian's earning potential and his lack of funds (he was homeless at the time, for God's sake), this amount of restitution is plainly punitive. An order of restitution is not supposed to be punitive. In my opinion, the judge did not really consider Adrian's ability to pay such a large amount, but probably instead set the amount as a way of sending a message, since Adrian's case has been so much in the news," Mitnick writes.

"In Adrian's case, the U.S. Attorney chose to ignore the fact that the companies learned they were vulnerable to attack because Adrian himself told them so. Each time, he protected the companies by advising them of the gaping holes in their systems and waiting until they had fixed the problems before he permitted news of his break-in to be published. Sure he had violated the laws, but he had (at least in my book) acted ethically," Mitnick writes.

Lamo is now trying to make a career in journalism, having turned down lucrative security jobs with the military and a government agency. Mitnick describes Lamo as a hacking purist, a thinking man's hacker.

Lamo, Mitnick writes, said: "Hacking is a unique ego issue. It involves the potential for a great deal of power in the hands of a single individual, power reserved for government or big business. The idea of some teen-ager being able to turn off the power grid scares the h--- out of government. It should."

Mitnick goes into great detail about how Lamo pulled off his spectacular intrusions. These passages use technical language and allude to devices and techniques that only those schooled in the argot of information technology can grasp.

Hacker jargon also pervades the other chapters, which profile hackers and cover such topics as penetrating the security of gambling casinos, terrorists recruiting hackers, hacking by inmates, hacking into banks, hijacking intellectual property from companies and even "social engineering" -- running a con game to get people to give you information, access or something of value.

Mitnick narrates and analyzes successful hackers' exploits and prescribes ways to correct the flaws in the systems that the hackers exploited. Again, that advice is directed primarily toward systems administrators and others who secure organizations' intellectual property, communications and operating systems.

Too many such people, Mitnick says, are in denial about their systems' vulnerability to hackers. Speaking from experience, he writes: "Determined intruders will stop at nothing to attain their goals. A patient intruder will case the target network, taking notice of all the accessible systems and the respective services that are publicly exposed. The hacker may lie in wait for weeks, months, or even years to find and exploit a new vulnerability that has not been addressed."

Although information-technology specialists may derive the most benefit from this book, there is intriguing material in it for the lay reader, particularly the biographical information about the intruders.

The core message about the danger that malicious, power-tripping hackers, many of them teen-agers, pose to national security, global stability and business is something that everyone needs to take to heart, especially those who bear ultimate responsibility for their organizations.

Mitnick is onto something when he suggests that organizations might be better off working with hackers who successfully intrude into their systems to try to correct their flaws and vulnerabilities. Some companies already hire former black-hat hackers to improve their security.

And some, like Mitnick, have gone on to successful white-hat careers as security consultants, authors and motivational speakers. But I beg to differ with Mitnick about not prosecuting Robin Hood hackers. That sounds like giving anyone who has the know-how a license to intrude without first getting the system owner's permission.

The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

By Kevin D. Mitnick and William L. Simon

John Wiley & Sons, 304 pages, $27.50

Source: Dallas Star Telegram
