ATT dumps Kevin Mitnick (theregister.co.uk)
Isn't that what everyone is supposed to do with their passwords?
I think some other telco should pay Mitnick to become their customer. How else could you attract so many hacker brains and make them work on finding security flaws in your system?
Assuming that they want to fix the holes, which AT&T probably doesn't. They may be using the "infinite bugs" model, in which fixing one bug does not improve security because there are always other bugs the attackers can find.
As long as you're not a high profile celebrity you should be ok, because no one wants to own you...
The main issue is relying on false obscurity, both in systems (your program rot-13s your password) and in passwords (you pick an easy to guess password).
There's no real security failing if you rely on obscurity that isn't exactly a password, so long as you can accurately assess the real obscurity, e.g. port knocking. If, let's say (and this is probably false) AT&T has a billing system where sending 100 specific, not-easily-guessable bytes allows you to get private data, that's no worse than a password, even if the reason that it works is a bug - unless the source code is available to the attacker.
Of course, AT&T's problem here isn't obscurity, it's that they don't want to invest enough for real security at all. Which could be reasonable from a business perspective.
Not really. Your password may be obscure (although it should probably be as random as you can get), but the key exchange protocols and encryption algorithms should be wide open. There's a reason why secret keys are called "secret" -- they should be the only thing you have to keep secret. If his hosting provider and wireless company can't keep his accounts secure, that's their problem, not his.
Which is not to say that AT&T has good security, all we can tell from this is that it can be broken...
Also, it wasn't just AT&T that is refusing service to him, his webhost HostedHere.net did the same thing.
And if this has been happening over and over again for 9 years, why didn't he just go to another service provider?
More importantly you have to question how much of the security problem Mitnick poses in this? If he is part of the cause I think AT&T & HostedHere probably are reasonable to want to get rid of him
(btw I suspect the 8-numeral password is a PIN, similar to the ones handed out by banks for online logins. Could still be his fault it is out in the wild though.)
It's not super secure, but it really should be secure enough if a website cares about security -- they should be limiting login attempts, and shouldn't be storing them in plain text.
Mitnick said that per AT&T policy, his password could only be digits and no more than eight characters long.
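The two controls mentioned a couple of comments up (limit login attempts, don't store passwords in plain text) are what decide whether a digits-only, at-most-8-character policy like the one described here is a problem. The following is an added example, not code from the thread or from AT&T: it sizes the key space that policy leaves an attacker, and shows a toy password store with salted PBKDF2 hashing and a failure lockout stopping an online sweep. The guess rate, the PBKDF2 iteration count, the lockout threshold and the sample account are assumptions.

```python
"""Added example, not from the thread or from AT&T: what an all-digit,
at-most-8-character password policy leaves an attacker, and how two
server-side controls (throttling login attempts, not storing passwords
in plain text) change the picture. Guess rates, iteration counts, the
lockout threshold and the sample account are assumptions."""
import hashlib
import hmac
import math
import os


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Distinct passwords of length 1..max_len over an alphabet of that size."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def entropy_bits(space: int) -> float:
    """Bits of entropy if every password in the space is equally likely."""
    return math.log2(space)


def expected_online_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to guess a uniformly chosen password with no lockout:
    on average half the space must be tried."""
    return (space / 2) / guesses_per_second


class PasswordStore:
    """Salted PBKDF2-HMAC-SHA256 storage with a per-account failure lockout.

    Assumed parameters: 100k iterations, lock after 5 consecutive failures.
    """

    def __init__(self, iterations: int = 100_000, max_failures: int = 5):
        self.iterations = iterations
        self.max_failures = max_failures
        self._records = {}   # user -> (salt, derived key)
        self._failures = {}  # user -> consecutive failed attempts

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, self._derive(password, salt))
        self._failures[user] = 0

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= self.max_failures

    def verify(self, user: str, password: str) -> bool:
        """True only for the right password on an unlocked, existing account."""
        if user not in self._records or self.is_locked(user):
            return False
        salt, stored = self._records[user]
        ok = hmac.compare_digest(self._derive(password, salt), stored)
        self._failures[user] = 0 if ok else self._failures[user] + 1
        return ok


def guess_pins(store: PasswordStore, user: str, attempts: int) -> bool:
    """Online brute force: try 00000000, 00000001, ... for `attempts` tries."""
    for n in range(attempts):
        if store.verify(user, f"{n:08d}"):
            return True
    return False


if __name__ == "__main__":
    digits_only = keyspace(10, 8)   # digits only, at most 8 characters
    alnum = keyspace(62, 8)         # same length cap, letters and digits
    print(f"digits <=8: {digits_only:,} passwords, {entropy_bits(digits_only):.1f} bits")
    print(f"alnum  <=8: {alnum:,} passwords, {entropy_bits(alnum):.1f} bits")
    # Assumed 10 guesses/s against an unthrottled login form:
    days = expected_online_seconds(digits_only, 10) / 86400
    print(f"expected online crack with no lockout: {days:.0f} days")

    store = PasswordStore()
    store.register("kevin", "00000007")   # constructed sample account
    # The lockout trips after 5 failures, before the sweep reaches index 7.
    print("brute force succeeded:", guess_pins(store, "kevin", 20))
    print("account locked:", store.is_locked("kevin"))
```

The point of the numbers: with under 27 bits of entropy, an unthrottled form falls to a patient attacker in weeks, while a lockout caps them at a handful of guesses per account (at the cost of letting an attacker lock accounts on purpose, which is why real systems throttle per source and back off rather than hard-lock). Hashing protects the password only if the database leaks; it does nothing against online guessing, which is why both controls are needed.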
"The move by AT&T came this week after Mitnick hired a lawyer to complain that his privacy was being invaded by people posting Mitnick's account information in public hacking forums"
You need a lawyer to complain these days?
Most other 'celebrities' have these issues but being a high profile hacker makes you a great target.
The best defence against this is don't get caught hacking... that way your privacy stays yours.
What Mitnick should do is give tit for tat, expose the identities of his attackers. For such a hotshot security consultant (all digits?) that should be a piece of cake, really.
That said, AT&T has no business cutting him off, rather the opposite, they should secure their systems and use the publicity surrounding this to brand themselves as the provider that is good enough to secure even Kevin Mitnick's account.
It means that a lot of people that you are putting down will see you as their prime target. This goes with the territory.
If KM had taken a job as a programmer somewhere I highly doubt that this would have happened. After all, he is minting his reputation as a former bad guy, nobody forced him to do that.
If he had been a white hat all along it would be different, but a burglar complaining he's been burgled is a bit hypocritical imo.
I guess it sucks being on the receiving side.
Basically all these little jerks do is make him look silly, personally I wouldn't even bother to respond to them, just take it as praise and laugh at it. By taking it so seriously he is actually fanning the fire.
--pg
It seems many people have responded to you though.
It's the same thing Sprint did a couple years ago when they dumped people that called customer service too much.
Cue mass attempts to break into AT&T from every angle (which is sure to end badly) :)
It's been 9 years (we don't even know how much of it is AT&T's vs. Mitnick's fault and what contact he has had with them): it's looking like an infinite battle to "secure" his identity. If there are crucial security flaws in their process then yes I am in agreement - but I doubt that is the case (because Mitnick would then be the least of their problems :)). Wash hands, move on.
My personal take on all this is that Kevin Mitnick once was a hacker, good but probably not even that great (he did get caught, remember) who is now minting his newfound reputation.
These kids prove that his reputation is somewhat less than he presents it to be and he's pissed off about that.
There is a proverb in there somewhere: High trees catch lots of wind...
AT&T is a bunch of weak links for terminating his account (same goes for his provider), they should secure their stuff with or without Kevin's help. To terminate a user because they 'attract bad people' is ridiculous, imagine your bank telling you that they can no longer take your business because of you they keep having burglary attempts. It's too silly for words.
I think you're right that he wasn't all that great - IIRC, he mostly got into stuff by getting information out of people.
However, the kids aren't proving anything - they're hacking other people's systems, not his.
There are two almost unrelated issues:
AT&T has poor security - agreed.
Security through obscurity is a universal evil - not so fast. Quick example - you have ciphertext where you don't know the key vs. the same ciphertext where you don't know the key AND you don't know the algorithm. The latter is more secure, because it's harder to brute force.
The reason security through obscurity is usually bad is because it causes people to make poor assumptions - "He'll never guess I encrypted it with rot-15 instead of rot-13," but for a given secure system, adding obscurity will make it harder to break. But it's the poor assumptions that do you in, not an inherent flaw in adding obscurity.
The reason you use widely published encryption algorithms is because they've been vetted for poor assumptions. They need to be open to be vetted, not to be secure, and we've found that's always been a good tradeoff.
True. Most people (including Schneier, Ferguson, Rivest, etc) agree that the NSA is secure. This is because they have a veritable army of cryptographers at their disposal. Peer review is the most important part of cryptographic development. The key part of this is that there is probably no other entity in the United States that can satisfy these requirements. AT&T certainly does not have an impressive cryptographic department and they shouldn't pretend like they do.
"The reason security through obscurity is usually bad is because it causes people to make poor assumptions - "He'll never guess I encrypted it with rot-15 instead of rot-13," but for a given secure system, adding obscurity will make it harder to break. But it's the poor assumptions that do you in, not an inherent flaw in adding obscurity."
I don't think anyone would argue that the obscurity in the algorithm is the weakness. However, obscurity can never make a secure algorithm more secure. If your algorithm and key space are sufficient to prevent decipherment before the heat death of the universe, the two months it takes to reverse engineer the protocol are as close to zero as makes no difference.
If you're talking about the security of the algorithm, fine. But you're talking about the security of the system, and the algorithm is seldom the problem. If it takes two months to find the problem with the key management, then your obscurity that added two months just doubled the time to break in.
I still say you should use publicly vetted systems - but the community is in denial over the value (second rate, but still value) of security through obscurity.
Case in point: when Slashdot first released their source code, they didn't escape quotes in passwords, so it was possible to log in as an admin using an appropriately modified SQL statement. Sure, you could have figured what the command needed to be via trial and error before the code was released, but I was lazy. Releasing the code meant that I could now break into something I wouldn't try to break into before. The obscurity protected them from a certain threat model. It was still much better when they fixed the bug, of course.
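The bug class described in the comment above, as an added example that is not Slashdot's code: a login query built by string concatenation, where an unescaped quote in the password field lets the caller rewrite the query and come back as the admin row, next to the parameterised form of the same query that is immune. It uses an in-memory SQLite database with constructed sample users; the plain-text password column is kept on purpose to mirror the bug being discussed, not as a recommendation.

```python
"""Added example, not Slashdot's code: an unescaped quote in the password
field lets an attacker rewrite the login query, next to the parameterised
query that fixes it. In-memory SQLite with constructed sample users; the
plain-text password column deliberately mirrors the original bug."""
import sqlite3
from typing import Optional


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: one ordinary user and one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, password, is_admin) VALUES (?, ?, ?)",
        [("alice", "correct horse", 0), ("admin", "s3cret-admin-pw", 1)],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """SQL built by interpolation: a quote in the input ends the string
    literal and whatever follows is parsed as SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Same query with bound parameters: the input is only ever a value,
    never SQL, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


# Constructed payload for the password field. In the vulnerable query it
# closes the literal, ORs in the admin row (AND binds tighter than OR, so
# the real name/password check is bypassed) and comments out the trailing
# quote with SQLite's "--" line comment.
ADMIN_PAYLOAD = "' OR name = 'admin' --"

if __name__ == "__main__":
    conn = build_demo_db()
    print("vulnerable:", vulnerable_login(conn, "nobody", ADMIN_PAYLOAD))  # admin
    print("safe:      ", safe_login(conn, "nobody", ADMIN_PAYLOAD))        # None
```

This is the concrete form of the "obscurity bought them a threat model" argument: the payload is a one-liner once the query shape is known, and guessable by trial and error without it. Binding parameters removes the need for the secrecy, which is the Kerckhoffs-style fix rather than hoping nobody reads the source.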
I recommend starting with Kerckhoffs' Principle.
Basically, you can regard "security through obscurity" as any violation of Kerckhoffs' principle -- which translates to any reliance on keeping secrets beyond the key itself.
You're making an argument by assertion: Kerckhoffs' principle says don't keep secrets other than the key, so therefore you have to not keep secrets other than the key. Huh?
Kerckhoffs' principle is a great idea - but understand it. It doesn't say that extra secrecy makes you less secure. It just says that when you're designing a system using encryption, the key should be the single point of failure.
Let's say I'm locking a door. So you shouldn't be able to get in without the key - but it's going to be harder for you if you also can't find the keyhole.
When you're designing locks, don't try to hide the keyhole - spend all your effort getting a good, unpickable lock - but still, don't pretend that hiding the lock is pointless.
I'm not saying that hiding the keyhole harms security. I'm saying that pretending hiding the key is the same as hiding the keyhole is an exercise in something so silly I can't even think of the word.