The story of Kevin Mitnick is legend. As a hacker, he was able to gain access to strategic systems in order to poke around and satisfy his curiosity. He spent years in jail as authorities tried to figure out what he did and if they could prosecute him somehow. They were simply scared of his abilities, and keeping him locked away alleviated those fears. In a recent NPR Talk of the Nation interview, Mitnick compares LulzSec to Mafiaboy, who launched relatively simple DoS attacks on American e-commerce sites from his house (literally next door to where I lived) in the late 90s.
I am fascinated by the legal and enforcement process when it comes to hacking because it requires a whole other set of competencies compared to traditional case work. Hacker friends have been arrested for accomplishing awesome tricks only to be released because the arresting officers don’t understand what the heck they did. Prosecuting a hacker requires incredibly detailed and tedious chain of custody work, and it’s really hard to prove after the fact. And because every piece of evidence is highly corruptible along the way (be it photos, emails, logs…) and the general public, prosecuting and defense attorneys do not have the technical knowledge to point the finger at potential problems, the world of cyber crime is going to become really interesting.
I was privileged enough to watch the entire Mafiaboy case as it happened and held in my hands one of the key judge's orders to allow for the gathering of data to correctly document the crime. I was very impressed with the technical knowledge of the local and FBI teams who devised the methods to document all aspects of Mafiaboy’s online activity. And also, I was surprised that so much money was invested to catch someone who did something so simple. But just like every crime lab in the USA is not equipped like CSI, not all events can benefit from the full attention of the best cyber crime labs. I wonder if authorities understand what is important to focus on and what is a waste of energy and money.
I do not deny that hackers can use attacks effectively to bring attention to their message; however, these attacks are not dangerous to the infrastructure by themselves.
I live close to an epic underpass. On it run 4+ lanes of trains and really impressive maintenance equipment leading to the Hochelaga train yard. Under the tracks, graffiti artists paint interesting murals at the rate of 5-8 per day. This means that if you do not walk by every day (or even twice a day) you will miss the artwork constantly being repainted over.
Generally speaking I loathe graffiti vandals who have written their name on every piece of Montreal wall and vehicle that goes unattended for more than 5 minutes… but the underpass is a cool focused place that can almost be categorized as an art studio.
There is a fine line between art and vandalism and it is the same thing on the Web. The Web is only a little bit safer than an unattended wall and it will fall prey to vandals and require cleaning and patching. However, saying that Web vandalism is a huge threat to national security is inaccurate. That’s like saying the kids who paint the tunnel under the trains are compromising train travel in Montreal.
And another thing about Mitnick. After his release from prison, he was prevented from using a computer. That did not prevent him from writing a landmark book about social hacking called The Art of Deception. The human link is ALWAYS the weakest part of a system and the Internet is simply an optimization tool for criminals whose business is deceiving regular folks.