// jon c foro, 1967 -

View Original

Trust no one

“That’s some catch, that Catch-22.”

If you’re reading this, you’re reading it on some sort of electronic device that’s connected to the internet. Chances are, you do more than just read on your devices: email long ago superseded the post, social media keeps us in touch with friends and family, and online retailers offer low prices, wide selection, and the satisfaction of shopping in your yoga pants. [Full disclosure, if it isn’t obvious: this is the Amazon Books blog, and I am an Amazon employee who occasionally wears comfy pants.]

It’s not just that the Web is the most convenient way to do things; the Web is becoming the only way to do things. But the internet is also more convenient for criminals, those who would steal your credit, file fraudulent tax returns, or publish compromising information for the whole world to see. And there’s there’s the catch: We have to feed more and more personal information into the internet, but most of us don’t have the knowledge or patience to adequately protect ourselves against it. It’s a destructive compulsion: the recurring crush we know doesn’t have our best interests at heart, the irresistible urge to mix one too many metaphors. We’re going to have to get smart about it, because despite what anyone says, we’re probably (hopefully) not going back to couriers, pigeon or otherwise.

Kevin Mitnick understands both sides of the equation. As a high school student, he indulged an enthusiasm for exploring the darker corners of telecommunications networks, generally as an uninvited guest. His interest naturally expanded to computers and the early internet, which in kind drew the attention of federal prosecutors. Following a stint as a fugitive and some government-imposed time “off the grid,” Mitnick re-emerged as a champion of online privacy, founding his own security company and authoring a series of books dedicated to teaching good digital hygiene. “The world’s most famous hacker” had gone straight.

His latest, The Art of Invisibility, lays out the basics for the rest of us, covering everything from password management for average surfers to more extreme measures for the “anally retentive privacy activist,” including strong email encryption, secure messaging apps, and anonymous Web browsing. (Unsure which camp you’re in? Ask yourself if you’ve ever laundered Bitcoin.) If it all seems a bit much, recall another line from Heller’s classic: “Just because you’re paranoid doesn’t mean they aren’t after you.”

I spoke with Mr. Mitnick over the telephone earlier this week about the book and digital security in general. The following is a transcript of our conversation, edited for length and continuity. The Art of Invisibility is a February 2017 pick for the Best Books of the Month in Nonfiction.

For the reader who might not be familiar with your backstory, could you describe the unusual route you took to computer security?

As a youngster I was fascinated with magic. I met this kid in high school who could do magic with the phone system, and he was involved with this hobby called phone phreaking. At the time I was quite a prankster in high school, so I wanted to learn all the tradecraft of phone phreaking. One of my favorite pranks was to change a friend’s home phone to a pay phone, so whenever his parents tried to make a call it’d say “Please deposit 25 cents” and this sort of stuff.

I moved onto computers, and other students thought I’d be interested in taking a computer class. The instructor let me in and waived the prerequisites because of all the cool phone tricks I could do at the time. He gave the class an assignment to write a Fortran program to find the first 100 Fibonacci numbers. I thought that was boring. Instead, I wanted to write a program to steal the teacher’s passwords. So it took me a lot of hours. I went to the local university, got a manual about how to interact with the operating system from a user level. And when it came time to turn in the assignment, the teacher was walking through the class collecting the assignments from each individual desk. When he came up to mine, I didn’t have it. He goes, “I can’t believe it, Kevin. I stuck my neck out for you. I let you into class and you’re not even doing the programming work.”

I said, “But, Mr. C—, isn’t your password J—–? I wrote my program – a utility that actually stole your password.” And he showed the entire class, saying what a whiz kid I am. And that was the ethics talk to Kevin Mitnick in high school: That hacking was cool. And then I went on from there.

How did you move from the hacking side to the security side?

Well, back in 2000, I got myself into a lot of hot water for hacking telephone companies – not for money, not to cause damage, but more for trophy hunting. [I] decided to play a very stupid game with the government – cat and mouse – thinking that I could outsmart the FBI with my knowledge of hacking. They finally got their man, [and I] ended up serving five years in prison. Once I got out, the federal government called me for help. And the whole world had changed. The ARPANET went to the internet. There were companies out there like Yahoo!, eBay, that sort of thing, and naturally – and I think my case brought a lot of attention to this – a need for security. Once I was off supervised release, I opened up a company that would simulate real hacking against corporations, so they could test their security controls to better their defenses, along with writing a book on how companies could better protect against social engineering. Just a bunch of different projects I involved myself in, all towards the end of helping businesses and the community better protect themselves against the threats out there.

What sort of reader did you have in mind for this book?

It’s Privacy 101 for the everyday person. I want everybody to read this who understands the fear of having your communications monitored by foreign governments, your own government, criminals, your competitors, your teachers, your students, your kids, your wife – anyone that might be interested. And a lot of people understand the security threats out there.

What I want to do in this book is really help the reader understand that the only thing that’s going to really protect their communications is encryption, if it’s implemented right. I don’t want to say that you need to use [specific] applications, because those change on a daily basis. I want to be able to say: The best thing to-date is what we call end-to-end encryption, [and] this is how it works a little bit. My whole goal of the book is to help people become more aware about what privacy implications are out there, and how they can better protect themselves, if they want to.

Why is privacy important for everyone?

You have the people [who say], “I have nothing to hide. I’m not breaking the law.” But right now, especially with the new presidency, I think we’re going to be moving much more to a surveillance-type state. And we have under [Obama], obviously because of Snowden. I think that the government’s not going to be curtailed in monitoring people’s communications. And if you just give up your right to privacy, people’s behavior changes. If you know somebody’s watching you – like of you’re in class as a kid and you know the teacher’s watching you – you’re going to behave a lot differently than if you act on your own accord. Not that you’re doing anything wrong or malicious or anything, [but] your business is your business.

Is true privacy achievable?

Not really. I don’t think anything is 100% secure. Two cases in point: When I was a fugitive, running from the government, there was a company called Norton, and they advertised a program that allowed you to encrypt your hard drive. It’s 56-bit [encryption], it’s secure, the government can’t track it, and you can’t export it, because it would be [classified as] a munition. And I used that a bit to protect my own communications in case I was found out – I didn’t want people to read the contents of my laptop, of course. Because I was curious if the claims were true, I hacked into Norton, found access to the source code server, looked at the source code, and realized that they were lying, that they weren’t using 56 bits of the key. They were only using 30 bits, which means it was trivial to crack the encryption for any law enforcement agency, government, or criminal. That creates some distrust.

Secondly: I was hired by a company who was developing a new security product – it’s a keychain USB stick, and all your personal stuff is on there, but it’s encrypted. You just plug it into a Windows computer, and if you don’t have the password, you’re out of luck. They hired my company to see if we could break it. We did a bit of reverse-engineering and realized the programmer had secretly put in a backdoor into the program, so your key was actually hidden within the encrypted volume, which was accessible without knowing the key. Obviously this was included in my report. The CEO of the company calls me three weeks later and goes, “Kevin, you did a fantastic job, but I do have a question for you. Do you think we should keep the back door in the program?” I never verified whether they did it or not.

Those two incidents reduce my trust in products. Even in this book, as I recommend [security products], you’ve got to look to other resources to see if you can really trust the product. And the only way you can really do that is academic review. There’s no such thing as absolute privacy, no matter what you do. But if your adversary’s not the NSA or a foreign intelligence agency, then you have a much better chance – if you practice good OPSEC [Operations Security] and you use the right tools.

A lot of people will think they can use a VPN (Virtual Private Network) service, and they thought that these VPN services could be trusted – they say they don’t keep any logs and they protect your privacy, and not even the cops could force [them] to turn anything over. That is all bullshit. And I don’t know how they get away with the lying, but people are naive if they believe it.