Kevin Mitnik was one of the original hackers, a bit of a pioneer in the field of social engineering before the term was even coined. Back then he would have been referred to as a con man, a confidence scammer, a manipulator or a hustler.
He used a combination of technical know how to manipulate computer systems, and psychological know how to manipulate humans. This book offers a peek into the mind of an individual who looks at the world as a system to be manipulated, and in turn has one reflect on themselves, asking the question, “Would that have worked on me?”.
Overview
I found the book to be a good balance of being both lighthearted and insightful, it reads like a biography presented as a story, with a technical twist. I would recommend this to people who are have a curiosity for understanding how the systems we take for granted could be and have been bent to the will of individuals or groups.
Some sections left me shaking my head at the audacity required to perform some of these feats of social engineering, while others are a sobering reminder of just how susceptible we, as humans, are to our default behaviors.
The Story
The story starts in the 70’s with a young Kevin’s penchant for magic tricks, shortly followed by a fascination for amateur radio. He discusses his first ever “hack”, a way to ride the bus for free by punching his ticket in a manner that would mislead the driver into believing that the journey he was presenting the ticket for was a pre-paid continuation.
This demonstrates that his journey in this space is not really that of the tech whiz cliche that many would assume. It is simply a mindset, a way to observe and understand systems, then exploit them. Admittedly, he was later diagnosed with Aspergers Syndrome.
The chapters progress though Kevin’s fascinating life, with a detailed section on phone phreaking, the art of manipulating the public telephone system. One thing that this book taught me, was that the old phone systems, the “touch tone” system, literally operated through the use of tones. When people would dial a number using the keypad, tones of a specific frequency were emitted, these tones represented a number.
What would happen if someone could whistle the appropriate tone? The phone system could not tell the difference. It is the same as pushing the appropriate key. This discovery (which was not really public knowledge at the time) lead Kevin down another long and winding road, ultimately ending up with him being jailed.
He steals source code, hacks into the Department of Motor Vehicles among many other targets, clones cellular phones and lies, cheats and manipulates his way through the chapters. There is a rivalry with other phreakers (hackers) leading to deception, betrayal and conflict.
Kevin ends up on the run for two and a half years, detailing the technical steps utilised to stay hidden. By assuming the identity of a dead child, he manages to be gainfully employed, with a bank account, rented accommodation and it all seems to be going well until the facade crumbles away and he ends up arrested.
The judge presiding over his case did not understand the technical implications of what had been done, or what Kevin was capable of. This allowed him to be misled by exaggerated claims by the prosecutor, and the blatant lie of Kevin’s ability to “start a nuclear war by whistling into a pay phone”. This ultimately ended up with a lengthy prison term, including 8 months in solitary confinement.
His post prison life is actually very similar to his pre prison shenanigans, the difference is this time he has the permission of the companies he is hacking. With a penetration testing firm, he can use his technical skills alongside his social engineering skills to assist in strengthening his clients defenses, whilst legally making a bit of money.
My Thoughts
I found the technical details of the phone system to be fascinating, it was a whole complex system that the public would use with no idea of what is going on behind the scenes. Kevin developed an intimate understanding, but was met with hurdles. He lacked the credentials to access a specific system, so he utilised social engineering, impersonating a field technician in order to get the access hes required.
This touches on another underlying theme, humans are hackable. By using the lingo and referring to knowledge that only someone authorised would know, he could lead support staff into doing what he wanted. The confidence he would project alongside the human desire to help, got him where he wanted to be. The specific techniques may not work as well in the modern age, with multi factor authentication among other security protocols, but the general underlying techniques will.
Overall I found this book to be very entertaining and it encouraged me to think about things with a deceptive mindset. I learned a great deal of outdated information about the legacy phone system, but the biggest take away for me was regarding the simple behaviors that humans default to, the willingness to trust and assist are ripe for abuse. This book was engaging enough to encourage me to dig deeper into his work and led me to another publication of his: “The Art of Deception”.