Kevin Mitnik FOIA Final

vault.fbi.gov

200 points by thembones a year ago · 98 comments

LorenDB a year ago

This will pair well with Mitnick's autobiography Ghost in the Wires, in which you get to read Mitnick's side of the story.

  • fabiensanglard a year ago

    If you are into this topic, read as many points of view as possible and take a look at http://www.takedown.com/ (Tsutomu Shimomura's side of the story).

    • daghamm a year ago

      I've far more respect for Tsutomu. In the end he turned out to be the better hacker.

      Reading Mitnick's book I sometimes get the impression that he is making up half of it.

      • tptacek a year ago

        To the best of my knowledge, Mitnick didn't really code at all. There are (let's call them) intrusion specialists whose skillsets don't really involve systems programming, but rather intuition and tenacity, and there are others who write exploits. My understanding is that Mitnick was the former, and was using tools he got from friends and peers.

        • vasco a year ago

          In the book he spends a lot of time on the social engineering parts of it to be honest. It's been a few years but I remember him mostly bragging about that rather than developing custom exploits.

          • tptacek a year ago

            He also comes from an era of intrusions where systems were so bad you didn't really need to code to get into them. For an alarmingly long time, the most effective tool you could use to pop a network was simply `showmount`.

            • ASalazarMX a year ago

              That time is still today, as people are still the weakest link. A talented scammer can convince people to give them access to their WhatsApp account despite the E2EE, 2FA, and SMS verification codes.

              In Mitnick's version, he RTFMs, learned the technical lingo, procedures, and even the names of telco employees.

              • devmor a year ago

                100%

                The majority of corporate breaches are a combination of poor Least Privilege practices and phishing/smishing.

                Even with well secured, alert personnel, you often see ISPs and Telcos socially engineered to gain access to an employee account.

            • d1sxeyes a year ago

              Yeah I think Mitnick’s abilities were mostly around thinking about doing stuff that no-one had considered that you could do. It’s still a big skill, but nowadays, there’s less stuff that no-one has thought about before.

        • ajsnigrutin a year ago

          He didn't really code in the book either... maybe 5% of the book... he did some script kiddie type exploits, some copying of proof of concepts, and some minor modifications (like modifying the "logon" program to save passwords somewhere in cleartext).

          75% of the book is spent social engineering over the phone and 20% doing stuff on phone switches and other equipment.

        • jasonfarnon a year ago

          the steve jobs of hacking

        • giancarlostoro a year ago

          I have met the type in my time on the internet. All it takes is having the guts to push through with what others give you, things they themselves know would get them in legal hell.

      • sidewndr46 a year ago

        He's also on the winning side, so I imagine it'd be in his best interest to make himself look better.

      • 29athrowaway a year ago

        John Markoff was the one that made everything up.

        Freedom Downtime is a documentary that explains it.

      • indrora a year ago

        Anyone who has studied the later parts of the phone system knows that at least a few of his stories are actually bullshit.

        It wouldn't be until much later (in the 90s at least, while he was in prison) that the advent of pure digital switching would enable the random reassignment of phone lines like he describes in the story about turning his friend's home phone into a payphone.

        The lines were separated and had differences in sender frames just for payphones, plus typical phones weren't too happy when 130VDC was applied to them for very long.

        The fact of the matter is that Mitnick went around and shook doorhandles until something opened and occasionally convinced someone to open a door for him here and there, and the fact that the emperor had no clothes was too politically inconvenient for the kinds of companies that Mitnick hit up.

        • kevin_thibedeau a year ago

          The 4ESS was a pure digital switch starting in 1976.

        • quesera a year ago

          Medium-sized US exchanges were being converted to ESS in the 1980s.

          I remember the day my busy signal changed from a buzz (350+440 Hz) to a tone (480+620 Hz).

      • jazz9k a year ago

        I heard him on Art Bell multiple times talking about it. In many cases, someone else did the ground work and he just used it.

      • MG9991ep545a1l3 a year ago

        Kevin hasn’t hacked anything at all. He ran with a few other characters who never received anywhere near the amount of attention that Mitnick did. For example, no one ever figured out who “jsz” was.

      • jamal-kumar a year ago

        After hearing his voice messages in a fake asian voice trying to mess with Shimomura, I kinda lost all respect for Mitnick.

  • freedomben a year ago

    Ghost in the Wires[1] is a really phenomenal and entertaining book btw. If you go audiobook, Ray Porter does the narration and absolutely crushes it.

    [1] Available DRM-free at Downpour (https://www.downpour.com/ghost-in-the-wires?sp=19991) and at Libro.fm (https://libro.fm/audiobooks/9781483067216-ghost-in-the-wires)

486sx33 a year ago

I think a lot of this was social engineering, but at one time the FBI considered Mitnick some kind of super hacker. How did that disconnect happen? I imagine because his targets didn’t want to admit to the FBI how crappy their security was, so they would just say omg! We got hacked!

Big moments I remember from his book.

1. Gaining access to a telco C/O and social engineering his way out after being caught

2. Ultimately being caught by sloppy practices himself, logging into systems he was comfortable with and getting traced, and then forgetting some sort of identification in a ski jacket he hadn’t used in a long time, which was in his closet in a place he was living under a new identity.

It’s been a while so I could be partly off on those details. But I’d say at least those pieces are very believable.

rglover a year ago

It should be illegal for the government to keep redactions in anything made public/declassified. It's a slap in the face to see entire sections of text (that most certainly contain important context) blocked out with a white blob.

  • Latty a year ago

    Seems like a great way to ensure nothing gets declassified, as any tiny part that is still relevant then blocks the whole document.

  • toast0 a year ago

    If that were the requirement, documents would not be made public/declassified unless the entire document was considered safe to release.

    In many cases, a partial public document is better than no public document.

    • taurknaut a year ago

      A) a lot of what is censored ends up being publicly-known information already, so it's not a matter of safety but rather public image (imo), and B) this creates a perverse incentive to associate national security (...or other sources of unsafety) with unrelated topics to avoid having to hold yourself accountable for your work.

      Plus, there's little way of knowing for the documents for which we haven't seen the uncensored version if they aren't just censoring arbitrary things.

      It may be reality, but it's still pretty bad for any government that pretends to value transparency.

    • timewizard a year ago

      The people who generate the documents /cannot/ be the people who decide if they're safe to release. There needs to be independent oversight. These are not agency documents they belong to the public. They may be classified but the moment they're no longer _objectively_ worth classifying they are absolutely public domain material.

      It's also extremely offensive to see the names of AUSA's (Assistant US Attorneys) and SA's (FBI Special Agents) redacted. They had personal involvement in this case so I genuinely don't understand why their names cannot or should not be a part of this document. They're public figures in a public role.

      • dkga a year ago

        I completely disagree. In this case, it is clear there wouldn't be a reprisal, but many cases that law enforcement agents and prosecution teams get involved in might involve a serious reprisal threat for them or their loved ones. Their names should never be revealed.

        • timewizard a year ago

          I think you possibly haven't read very many court documents. When these cases actually get tried much of this becomes public anyways. In particular this document details agents Mitnick _himself_ spoke with. Are you really suggesting their redactions here are to prevent reprisals? How could that possibly work?

          • Muromec a year ago

            It's one thing if Kevin Motnick knows and the other if all of the internet knows and it's indexable

            • timewizard a year ago

              So he goes on a blog and types it.

              Are we not at square one again?

              And did Mitnick ever know Motnick? Am I experiencing the Mandela effect here?

  • palijer a year ago

    Why do we need to have the names of people like a random security guard that was duped by social engineering? To make sure he pays for a mistake or something? What is the reason for not redacting his name?

    • rglover a year ago

      I'm not concerned with names. It's entire paragraphs that may have names in them that are redacted. If it's just a name or address, redact that, sure.

      "Called -------- on July 1st, 1983 to get access to a router"

      Is much better than

      "----------------------------------------------------------"

      • some_random a year ago

        Unless we get an unredacted version leaked in the future it's impossible to say what the redacted paragraphs say, but this document has a ton of the former style of redaction which makes me trust that the larger redactions (ie page 42) were in fact necessary to protect PII as labeled.

    • palmotea a year ago

      > What is the reason for not redacting his name?

      The reason is GP doesn't understand the reason, so there is no reason, so it must be made public. /s

  • ocschwar a year ago

    The Mitnick files contain information about innocent people who are alive and whose privacy rights remain paramount.

    • vasco a year ago

      Perhaps too naive a question, but if they are innocent what is there to protect? I get it in the case of informants or agents that operate undercover or in plain clothes but if just a bystander how is it different than some news article?

      • some_random a year ago

        Their privacy, which has value to them and should be respected. You can argue it on a case by case basis but the default is (and should be) to not disclose. As for comparisons to news articles, well maybe this is a place where the government is doing better than some news agencies (reasoning as to why is left to the reader).

      • itishappy a year ago

        What's your name and address? (Rhetorical question, please don't answer.) Is that info you'd be comfortable sharing on a public forum? I presume you're not doing anything particularly wrong.

        This also assumes that we can all agree on a definition for "innocent."

        > what is there to protect?

        Their privacy. Some people have strong opinions on 3 letter agencies and poor reading comprehension. Some people are just mean spirited. Best way to prevent dumb stuff from happening is to not create a situation where dumb stuff could happen.

        • genewitch a year ago

          Licensed ham radio operators give their address every 15 minutes by law. And their full name. Sometimes it's a PO box, but mostly a home address.

          I can't think of anything more public than airwaves.

          • some_random a year ago

            There are many things you're allowed to disclose about yourself that are considered unacceptable to disclose about others without their consent.

          • jagged-chisel a year ago

            That regulation is known before one signs up to be a ham. So the disclosure is voluntary.

          • verandaguy a year ago

            This is a bad take. Plenty of licenses involve essentially exchanging a right for a privilege (in simple terms). People who aren't comfortable with this compromise have the choice to not get a certain type of license (and many don't, HAM radio licenses aren't held by anywhere near a sizeable chunk of the population).

            Is the underlying assumption that everyone redacted in that report is a licensed HAM radio user deprived of their right to have a private name and address?

          • ajsnigrutin a year ago

            Sure, they know what they're doing and they're doing it on purpose.

            If you rented out a room (or even a hotel room) to Eric Weiss (Mitnick's alias, one of many), do you really want everyone here to see your full name and address?

            Or if someone hacked some database of users and used your name/surname to socially engineer someone else.

            or worse!

      • yieldcrv a year ago

        maybe you told someone you were going to be some place else

        maybe you were with your other family and this unwarranted disclosure revealed that to a scorned spouse and friend group that are always looking for holes in the story 40 years later

        not criminal issues, not an FBI problem, and yet can alter your private life

      • chgs a year ago

        Nothing to hide, nothing to fear?

      • dgacmu a year ago

        Details about victims whose release might cause them further harm is the obvious one.

  • runjake a year ago

    I completely disagree. Nothing would get declassified.

    Anyway, each redaction has a usually-legible Exemption code next to it that tells you why it's redacted. You can find out what those are here:

    https://foia.wiki/wiki/Exemptions

    For example, you see 7c/b7c in the document a lot:

    "could reasonably be expected to constitute an unwarranted invasion of personal privacy"

  • gmueckl a year ago

    There may be a middle ground where, with some effort, a watered down summary of the redacted information could be given (e.g. if a name of a person is redacted, replace it with some sort of unique handle). As long as this is done as an annotation for the visibly marked redaction, I see no problem. The reader may choose to trust those annotations or not.

    • rglover a year ago

      This would be fair (I hadn't considered names in my original comment). Whether truly sensitive or not, protecting names/addresses/numbers/etc. would make sense (especially if there was a footnote to a "why" something was redacted).

    • Muromec a year ago

      Ukrainian court rulings do this -- it's always person_1 meeting person_2 at address_1, so only the parties have an unredacted ruling, while redacted one is publicly searchable

    • cgriswald a year ago

      Plain redactions require the same amount of trust in the redacter but are less likely to leak information.

  • DamnInteresting a year ago

    I write a lot about history, and as part of that work I occasionally file FOIA requests. There was one occasion where the FBI's response contained dozens of pages that were typewritten memos consisting of:

    To: [recipient name]

    From: [sender name]

    Date: [date]

    [Multiple paragraphs of redacted text]

    ...and that was basically it. It was funny, but frustrating (funstrating?).

    Example: https://www.damninteresting.com/temp/memo.jpg

  • londons_explore a year ago

    Also, the human effort required to make the redactions is high.

    That means records cannot be automatically declassified after N years because the effort to redact every document created N years ago would be extreme.

jamal-kumar a year ago

This is pretty damn interesting, it's definitely the earliest example of a computer intrusion incident response report that I've ever seen. These reports detail stuff he was doing in 1980/1981 at the earliest I can see just skimming the top few pages. His own side of this particular chapter of his history is maybe worth a read, maybe not - he was known for embellishments:

https://web.archive.org/web/20090317050834/http://www.themem...

Helithumper a year ago

Surprised that personal info such as Kevin’s SSN wasn’t removed prior to release.

  • klodolph a year ago

    Other people have mentioned this… but it’s been established in policy that the SSN of a deceased person is not PII. There are a ton of different ways to get the SSN of someone who is deceased.

    • userbinator a year ago

      If anything, having it public could dissuade others from trying to use it.

      • wildzzz a year ago

        They aren't "public" but if you have a good reason, the govt will let you see the list of dead people SSNs. It's one of the first things checked when you're trying to open a line of credit because it's so easy to verify.

  • dgacmu a year ago

    Er, what risk does the release of an SSN pose to someone two years deceased?

    • hinkley a year ago

      TIL.

      Now I’m wondering how many other people in this thread don’t know he died (pancreatic cancer). 59 isn’t that old. And he was expecting a baby at the time, which suggests maybe they didn’t think so either.

  • joering2 a year ago

    Steve's Job SSN is 549-94-3295. How can this release harm a dead person?

    • jfengel a year ago

      Him, probably not. His estate, however, potentially. Perhaps one could get a loan, using his SSN, and his estate gets the bill and subsequent harassment.

      SSNs make terrible secrets and it's insane that you could harm a live person by knowing their SSN. I doubt that insanity stops just because you're dead.

      • klodolph a year ago

        > I doubt that insanity stops just because you're dead.

        It really does stop. What can you do with someone’s SSN? Get loans, open bank accounts, receive government benefits, set up utilities, etc. It harms someone because creditors falsely believe that the SSN’s holder owes the debt, or the government believes that the SSN’s holder received benefits, etc.

        People who are falsely reported as dead have a difficult time doing anything… certainly a hard time getting loans. It’s certainly going to be hard to make a claim against an estate that’s been closed for a couple years, with a debt that is dated after that person’s death.

        • sidewndr46 a year ago

          It's worse if you share a name and birth date with someone, doubly worse if they die before you.

          In general, identity verification is a joke in the US. At best it's a racket.

        • colechristensen a year ago

          If someone is asking for an SSN they’ll be doing a credit report which will show if you’ve died.

          • kmoser a year ago

            Well, it might show if you've been reported to have died. It's possible you were reported as dead but you're still alive. It's possible you weren't reported dead but are. And it's also possible that regardless of how you were reported, the credit agency will botch the lookup and report your dead-or-alive status wrong.

            Given the amount of erroneous information in credit files, I wouldn't be surprised if the above scenarios happen regularly.

      • dgacmu a year ago

        Estates are issued their own, fresh TIN (taxpayer id). Once established they don't operate under the SSN of the deceased.

      • gosub100 a year ago

        Creditors have access to the death index too.

    • spydum a year ago

      Didn't you read Elon's post? SSNs database isn't deduplicated!

  • cap11235 a year ago

    On top of that, he'd be super popular as a target for anything because tons of folks, including non-technical, know the name "Mitnick" very well.

  • dylan604 a year ago

    But they clearly left the year visible so blocking out the AUSA's name seems dumb too as it wouldn't be hard to look up who were the AUSAs to narrow down who was named in the file.

    The entire redacting seems just so superficial

toomuchtodo a year ago

https://web.archive.org/web/20250206232604/https://vault.fbi...

jonstewart a year ago

s/Mitnik/Mitnick/

CodeWriter23 a year ago

1981? Security mostly was knowing which phone number to dial in, according to a deceased friend of mine.

  • SJC_Hacker a year ago

    I guess that's why Matthew Broderick's character had a script which dialed random numbers in a target area code (I think he used Sunnyvale, CA in the movie)

    I wonder if anyone did that back in the day. Not sure how much the telco would have appreciated it ...

    • CodeWriter23 a year ago

      Never used an auto-dialer myself, but it would be trivial to code one. Just send ATDT<number> out the serial port and see if "CONNECT" comes back before timing out.

      Back in that time, I think a good rate was $0.01/minute for a local call on a consumer landline. Unlimited calling plans came later. Not attributing any intent to the telco, just saying, there would be no cost issue to motivate an investigation.

      • SJC_Hacker a year ago

        It definitely wasn't local - he was in Washington but dialed into Sunnyvale, CA.

        I can't remember charges for local exchanges (same area code), but I only remember as far back as the late 80s. It was something like 10 cents a minute. I remember all the ads about "friends and family" special rates/etc. Metering on voice calls persisted into the 2000s.

        But the calls were very brief (if they did pick up) unless he got a "hit". So thousands of calls could have no charge

        Or maybe he spliced into his neighbors line :-)

taylorbuley a year ago

The password to the system was "BRIS," the name of the vendor.

  • TimC123456 a year ago

    I laughed when I read that, too. Like locking up that “$2MM dollars of information” in a vault secured with a piece of string.

Peacefulz a year ago

I have read Ghost in the Wires many times. I'm excited to see the other side of the tale. Thanks for sharing!

daft_pink a year ago

Do they have a processing step where they add in random dots everywhere?

  • gwbas1c a year ago

    It's called noise. It's clearly typewritten text scanned at black and white.

  • NikolaNovak a year ago

    I get a dismissable dialogue box upon viewing the document, explaining the context and quality (i.e. scanning noise), including fairly explicit:

    "The image quality contained within this site is subject to the condition of the original documents and original scanning efforts."

    Hope that helps! :)
