Wouldn't such a customer be worth gold? A single user that constantly gets attacked by hackers would provide a great opportunity to detect and fix security holes. If a hacker gets through, it is just one person's account compromised. But each detected attack could prevent attacks on other accounts.
I think some other telco should pay Mitnick to become their customer. How else could you attract so many hacker brains and make them work on finding security flaws in your system?
A single user that constantly gets attacked by hackers would provide a great opportunity to detect and fix security holes.
Assuming that they want to fix the holes, which AT&T probably doesn't. They may be using the "infinite bugs" model, in which fixing one bug does not improve security because there are always other bugs the attackers can find.
Security through obscurity gets a bad rap. You rely on the "obscurity" of your password.
The main issue is relying on false obscurity, both in systems (your program rot-13s your password) and in passwords (you pick an easy to guess password).
There's no real security failing if you rely on obscurity that isn't exactly a password, so long as you can accurately assess the real obscurity, e.g. port knocking. If, let's say (and this is probably false) AT&T has a billing system where sending 100 specific, not-easily-guessable bytes allows you to get private data, that's no worse than a password, even if the reason that it works is a bug - unless the source code is available to the attacker.
Of course, AT&T's problem here isn't obscurity, it's that they don't want to invest enough for real security at all. Which could be reasonable from a business perspective.
Not really. Your password may be obscure (although it should probably be as random as you can get), but the key exchange protocols and encryption algorithms should be wide open. There's a reason why secret keys are called "secret" -- they should be the only thing you have to keep secret. If his hosting provider and wireless company can't keep his accounts secure, that's their problem, not his.
Reading my comment over, I realize that I wasn't so clear.
There are two almost unrelated issues:
AT&T has poor security - agreed.
Security through obscurity is a universal evil - not so fast. Quick example - you have ciphertext where you don't know the key vs. the same ciphertext where you don't know the key AND you don't know the algorithm. The latter is more secure, because it's harder to brute force.
The reason security through obscurity is usually bad is because it causes people to make poor assumptions - "He'll never guess I encrypted it with rot-15 instead of rot-13," but for a given secure system, adding obscurity will make it harder to break. But it's the poor assumptions that do you in, not an inherent flaw in adding obscurity.
The reason you use widely published encryption algorithms is because they've been vetted for poor assumptions. They need to be open to be vetted, not to be secure, and we've found that's always been a good tradeoff.
"The reason you use widely published encryption algorithms is because they've been vetted for poor assumptions. They need to be open to be vetted, not to be secure, and we've found that's always been a good tradeoff."
True. Most people (including Schneier, Ferguson, Rivest, etc) agree that the NSA is secure. This is because they have a veritable army of cryptographers at their disposal. Peer review is the most important part of cryptographic development. The key part of this is that there is probably no other entity in the United States that can satisfy these requirements. AT&T certainly does not have an impressive cryptographic department and they shouldn't pretend like they do.
"The reason security through obscurity is usually bad is because it causes people to make poor assumptions - "He'll never guess I encrypted it with rot-15 instead of rot-13," but for a given secure system, adding obscurity will make it harder to break. But it's the poor assumptions that do you in, not an inherent flaw in adding obscurity."
I don't think anyone would argue that the obscurity in the algorithm is the weakness. However, obscurity can never make a secure algorithm more secure. If your algorithm and key space are sufficient to prevent decipherment before the heat death of the universe, the two months it takes to reverse engineer the protocol are as close to zero as makes no difference.
"However, obscurity can never make a secure algorithm more secure."
If you're talking about the security of the algorithm, fine. But you're talking about the security of the system, and the algorithm is seldom the problem. If it takes two months to find the problem with the key management, then your obscurity that added two months just doubled the time to break in.
I still say you should use publicly vetted systems - but the community is in denial over the value (second rate, but still value) of security through obscurity.
Case in point: when Slashdot first released their source code, they didn't escape quotes in passwords, so it was possible to log in as an admin using an appropriately modified SQL statement. Sure, you could have figured what the command needed to be via trial and error before the code was released, but I was lazy. Releasing the code meant that I could now break into something I wouldn't try to break into before. The obscurity protected them from a certain threat model. It was still much better when they fixed the bug, of course.
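The Slashdot bug described above (quotes in the password not escaped, so a crafted password rewrites the login query) is easy to reproduce side by side with the fix. The following is an added example, not code from Slashdot or from the commenter; it uses Python's built-in sqlite3 with a constructed one-row users table, and stores the password in plain text only to keep the demonstration to the one defect under discussion (plaintext storage is itself a flaw).

```python
import sqlite3


def make_db():
    """Constructed sample database: one admin row, plaintext password for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


def login_unescaped(conn, name, password):
    """Vulnerable form: user input spliced straight into the SQL string.

    A single quote in the password closes the string literal, so the rest of
    the input becomes part of the WHERE clause instead of part of the value.
    """
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    """Fixed form: placeholders let the driver pass the input as data only.

    The quote is now just a character inside the bound value, and the query
    structure cannot change regardless of what the user typed.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def demo():
    """Compare both login paths on the real password and on a quote-bearing one."""
    conn = make_db()
    # Constructed test input containing a quote; it tautologises the WHERE
    # clause in the unescaped query and is merely a wrong password in the other.
    quoted_input = "x' OR '1'='1"
    return {
        "vuln_real": login_unescaped(conn, "admin", "correct horse"),
        "vuln_quoted": login_unescaped(conn, "admin", quoted_input),
        "safe_real": login_parameterized(conn, "admin", "correct horse"),
        "safe_quoted": login_parameterized(conn, "admin", quoted_input),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'login granted' if granted else 'denied'}")
```

The useful habit for reviewers is the one `demo()` encodes: any login path that accepts a wrong password containing a quote has a query-construction bug, whether or not the source is public. Escaping quotes was the 1990s fix; bound parameters are the one that does not depend on remembering every metacharacter.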
Please give the public origins of the notion that security through obscurity is broken a closer look. Until you understand what that means, you will keep making arguments like "keeping your key" (such as a password) "secret is just security through obscurity".
I recommend starting with Kerckhoffs' Principle.
Basically, you can regard "security through obscurity" as any violation of Kerckhoffs' principle -- which translates to any reliance on keeping secrets beyond the key itself.
You're making an argument by assertion: Kerckhoffs' principle says don't keep secrets other than the key, so therefore you have to not keep secrets other than the key. Huh?
Kerckhoffs' principle is a great idea - but understand it. It doesn't say that extra secrecy makes you less secure. It just says that when you're designing a system using encryption, the key should be the single point of failure.
Let's say I'm locking a door. So you shouldn't be able to get in without the key - but it's going to be harder for you if you also can't find the keyhole.
When you're designing locks, don't try to hide the keyhole - spend all your effort getting a good, unpickable lock - but still, don't deny that hiding the lock isn't pointless.
No, that's not an argument by assertion. It's an argument by pointing out that your "definition" of security through obscurity is apparently at odds with the very origins of the concept.
I'm not saying that hiding the keyhole harms security. I'm saying that pretending hiding the key is the same as hiding the keyhole is an exercise in something so silly I can't even think of the word.
Well, they are admitting that their security system isn't flawless. Having Kevin Mitnick using your service is the equivalent of asking to be hacked by a particular set of people... eventually your security will get broken.
Which is not to say that AT&T has good security, all we can tell from this is that it can be broken...
A service provider whose top priority was security could have taken another approach to KM... using him like the canary in a mine shaft, an indicator of problems with their security system (allowing all-numerals password would be just one example of such a problem that ought to be fixed).
Indeed. Other providers host and maintain the security of as-high-profile "targets".
More importantly you have to question how much of the security problem Mitnick poses in this? If he is part of the cause I think AT&T & HostedHere probably are reasonable to want to get rid of him.
(btw I suspect the 8 numeral password is a pin number: similar to the ones handed out by banks for online logins. Could still be his fault it is out in the wild though)
How is it reasonable for AT&T to admit blatant incompetence? Couldn't they have worked with Mitnick to secure his account and even use his case to attract more celebrity customers?
It's probably just a business decision. (assumption) They can provide cell phone service for 1000 people for the same cost as Mitnick since he is a target.
It's the same thing Sprint did a couple years ago when they dumped people that called customer service too much.
I'm sure it is, but it doesn't seem like a bright business decision. He claims he spends up to $20K a year - sure, maybe this still isn't worth it to AT&T. But more importantly, you'd think they would see this as an opportunity to make their system more robust for all their clients, save money that way (more than $20K/year? likely), AND turn it into a good PR piece.
Well, we have no specific information on any of the problems (plus I'm a little biased personally in that Mitnick seems to be in a habit of loudly crying foul no matter what - I do that sometimes because it gets results, takes one to know one).
It's been 9 years (we don't even know how much of it is AT&T's vs. Mitnick's fault and what contact he has had with them): it's looking like an infinite battle to "secure" his identity. If there are crucial security flaws in their process then yes I am in agreement - but I doubt that is the case (because Mitnick would then be the least of their problems :)). Wash hands, move on.
I had to re-read the article about the eight digit password. As it is for his phone provider, I presume it has to be numbers so it can be typed in from any phone keypad. I can't believe someone with Mitnick's track record would use an all-numbers password by choice.
An 8-digit, all-numerals password? Really, Mitnick?
It's not super secure, but it really should be secure enough if a website cares about security -- they should be limiting login attempts, and shouldn't be storing them in plain text.
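The two controls named in this comment, limiting login attempts and not storing the password in plain text, are what make an 8-digit numeric PIN survivable online: the keyspace is only 10^8, so a server that verifies unlimited guesses against a plaintext column is brute-forceable, while one that stores a salted, iterated hash and locks the account after a few failures allows an online guesser only a handful of tries. The following is an added example (not the commenter's code, and nothing to do with AT&T's actual systems); it uses Python's standard library only, with a constructed user and a deliberately low lockout threshold.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # slows offline guessing if the hash table leaks
MAX_FAILED_ATTEMPTS = 5      # online guessing budget before the account locks
PIN_KEYSPACE = 10 ** 8       # 8 decimal digits


def hash_pin(pin, salt=None):
    """Salted, iterated hash of the PIN; never store the PIN itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PinStore:
    """Minimal account store: per-user salt, hash and failed-attempt counter."""

    def __init__(self):
        self.users = {}

    def register(self, name, pin):
        salt, digest = hash_pin(pin)
        self.users[name] = {"salt": salt, "digest": digest, "failed": 0}

    def verify(self, name, pin):
        """Returns 'ok', 'denied' or 'locked'; never reveals whether the user exists."""
        rec = self.users.get(name)
        if rec is None:
            hash_pin(pin)  # burn the same time as a real check to avoid user enumeration
            return "denied"
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            return "locked"  # checked before hashing, so locked accounts cost nothing
        _, candidate = hash_pin(pin, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failed"] = 0
            return "ok"
        rec["failed"] += 1
        return "denied"


def guesses_until_lockout(store, name, guesses):
    """Defender's measurement: how many online guesses the limiter lets through.

    Walks a sequence of candidate PINs and stops at the first 'ok' or 'locked',
    returning that outcome and the number of requests the server accepted.
    """
    tried = 0
    for guess in guesses:
        tried += 1
        outcome = store.verify(name, guess)
        if outcome in ("ok", "locked"):
            return outcome, tried
    return "exhausted", tried


def coverage_fraction(attempts):
    """Share of the 8-digit keyspace an attacker can cover in the given attempts."""
    return attempts / PIN_KEYSPACE


if __name__ == "__main__":
    store = PinStore()
    store.register("subscriber", "12345678")  # constructed sample account
    print(store.verify("subscriber", "12345678"))
    sequential = (f"{i:08d}" for i in range(PIN_KEYSPACE))
    print(guesses_until_lockout(store, "subscriber", sequential))
    print(f"keyspace covered before lockout: {coverage_fraction(MAX_FAILED_ATTEMPTS):.0e}")
```

The point the numbers make: with a lockout at five failures, an online guesser covers 5 / 10^8 of the PIN space before the account locks, and a leaked hash table still costs 100,000 hash iterations per guess per account. Neither control makes a numeric PIN strong, but together they are what "secure enough if the website cares" means in practice. A real deployment would also throttle by source address and reset the counter on a time window rather than requiring manual unlock.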
That's why you get an unlocked phone and buy an international SIM chip that you swap in overseas. $20K/year is ridiculous, and probably an exaggeration or lie on his part to try to make himself look like a desirable customer.
Except you also incur roaming charges for receiving calls, and expecting people to call an overseas number (let alone keep them up to date on your whereabouts) really is pushing it.
I find Kevin Mitnick going to the authorities for protection a little bit weird. If your claim to fame is that you are the 'world's baddest hacker' you take the script kiddies as going with the territory. It's like Billy the Kid complaining about the wanna-bes that want to meet him at noon on main street.
"The move by AT&T came this week after Mitnick hired a lawyer to complain that his privacy was being invaded by people posting Mitnick's account information in public hacking forums"
You need a lawyer to complain these days ?
Most other 'celebrities' have these issues but being a high profile hacker makes you a great target.
The best defence against this is don't get caught hacking... that way your privacy stays yours.
What Mitnick should do is give tit for tat, expose the identities of his attackers. For such a hotshot security consultant (all digits?) that should be a piece of cake, really.
That said, AT&T has no business cutting him off, rather the opposite, they should secure their systems and use the publicity surrounding this to brand themselves as the provider that is good enough to secure even Kevin Mitnick's account.
Sure, but if you are a 'master burglar' selling your services to companies securing other peoples goodies your reputation as a 'master burglar' is what allows you to do that.
It means that a lot of people that you are putting down will see you as their prime target. This goes with the territory.
If KM had taken a job as a programmer somewhere I highly doubt that this would have happened. After all, he is minting his reputation as a former bad guy, nobody forced him to do that.
If he had been a white hat all along it would be different, but a burglar complaining he's been burgled is a bit hypocritical imo.
I guess it sucks being on the receiving side.
Basically all these little jerks do is make him look silly, personally I wouldn't even bother to respond to them, just take it as praise and laugh at it. By taking it so seriously he is actually fanning the fire.
When he sells his services, he either has access to the systems to look at their security, or has authorization to try and get in (don't know how he works, really). With ATT, he does not legally have access to fiddle with their vulnerable systems in order to keep the pests out.
Obviously AT&T is responsible for their own systems. But what better publicity for the two parties than to come together and fix this.
My personal take on all this is that Kevin Mitnick once was a hacker, good but probably not even that great (he did get caught, remember) who is now minting his newfound reputation.
These kids prove that his reputation is somewhat less than he presents it to be and he's pissed off about that.
There is a proverb in there somewhere: High trees catch lots of wind...
AT&T is a bunch of weak links for terminating his account (same goes for his provider), they should secure their stuff with or without Kevin's help. To terminate a user because they 'attract bad people' is ridiculous, imagine your bank telling you that they can no longer take your business because of you they keep having burglary attempts. It's too silly for words.
I think it's ok to use the up and down arrows to express agreement. Obviously the uparrows aren't only for applauding politeness, so it seems reasonable that the downarrows aren't only for booing rudeness.
--pg
It seems many people have responded to you though.
Downmodding isn't for disagreement anyway; it's about the kind of comment HN users want, not the stance taken by the commenter. I don't have downmodding power, but I chose not to upmod you because of your flippant tone.
Isn't that what everyone is supposed to do with their passwords?