R.I.P. Kevin Mitnick
Infamous social engineering hacker, and my friend, Kevin Mitnick, passed away on July 16th, surrounded by his wife and loved ones. To say he will be missed by many and that the hacking world will never be the same without him is an understatement. This is not to say our relationship was always one of friendship.
Many years ago, when he was only known as a mischievous hacker, I was not his friend. I was an adversary of his. I was not an adversary of his like Tsutomu Shimomura, who actively pursued and helped capture Kevin (which became the stuff of legends, multiple newspaper columns, and even a book, Takedown (https://www.amazon.com/Takedown-Pursuit-Capture-Kevin-Mitnick/dp/0786862106/)). I was just a generalized good hacker trying to stop bad hackers, and Kevin, as infamous as he was at the time (late 1980s to mid-1990s), was always in the headlines as a primary target to catch and stop. I did not know Kevin then.
And I was not his friend. When Kevin got caught and arrested for his final time in 1995, he had gained a sort of mid-mythical following of people who did not want to see Kevin do serious jail time. This was because Kevin mostly did not do serious financial crimes like most of the hackers do today. Sure, Kevin did steal credit cards and identities (he really did exploit people’s digital lives and cause them problems), but most of his crime was in pursuit of knowledge (usually telephone information) and the ability to use phone services for free to pursue more knowledge. Kevin definitely was not hacking for the money or to hurt people. To be clear, what he did was illegal and did hurt people when their digital accounts and credit cards were involved, but he was not in hacking for those things. He was in hacking for hacking’s sake – to learn more about computers and phones and how to use them, even if it was against the rules.
When Kevin was arrested, many of his friends and fans started a “Free Kevin” media meme. It built quickly and pretty soon, people who did not know Kevin at all were supporting him in getting out of prison without serving any time.
I wrote an independent column entitled, “Keep His Ass In Jail”. I was tired of all the hackers that were getting arrested getting off with a slap on the wrist and going on to do more hacking. I thought, and still do believe, that hacking is a serious crime and requires serious penalties to dissuade more future criminals. Kevin eventually spent 46 months in prison plus a few years of probation. Kevin paid his dues.
For a few years after he got out of prison (and after probation), I started to hear that Kevin had turned over a new leaf, had become a good hacker, and was now on the computer security conference circuit, telling people and companies how to get the bad hackers out of their environments.
I was still distrustful of him. I had seen many post-convicted hackers claim they had become only good hackers, who were really still doing malicious hacking on the side. The allure of the type of hacking they loved was just too strong for them to stay on the straight and narrow path for too long. I did not trust supposed “reformed” malicious hackers. At least not at first and not easily.
Years later, when we were both doing many different conferences, I would see Kevin do keynotes and presentations. And I had to admit that his presentations were great, entertaining, and full of good advice. I was especially delighted that he had not been caught doing malicious hacking again. It seems Kevin had made the turn from bad hacker to good hacker and was making a good living at it.
On a funny note, I was once following him at a conference. He had done the keynote and I was directly following him. As he came down the stage and as I was headed up, he asked if anyone had a USB storage key so he could copy his presentation materials and give them to the conference people so that everyone could get a copy. I did have a USB key on me, which I handed to him.
Right before he put the USB key into his laptop, he stopped and said he could not trust any USB key handed to him. So, he did not use it. A few of the other presenters milling about laughed at his lack of trust. But here is the kicker, my USB key had been infected by a very early USB key computer virus – one I had made myself. I had not intended to infect Kevin or anyone. I had been playing around with my demo USB key virus (the first in the world as far as I know), and I had just accidentally left it on my USB key after testing and had forgotten to erase it. Had Kevin used my USB key, then he would have infected his device. So, Kevin…in his supposed “paranoia,” avoided getting infected by my demo virus. He impressed me.
More years went by, and I came to trust that Kevin had truly made a permanent change to the “good side”. In 2016, I decided to interview Kevin for one of my books, Hacking the Hacker (https://www.amazon.com/Hacking-Hacker-Learn-Experts-Hackers/dp/1119396212). In the book, I interviewed over two dozen computer security professionals who helped to make the world a better place. It was a book to promote defenders, not malicious hackers. So, it says something that I felt that Kevin, after his over a decade of trying, had clearly moved to the good side.
My interview of him was one of my favorites of the book. He was very forthcoming, charming, and just, in general, provided a lot of good quotes. That is something all authors appreciate. My favorite quote of his was how he still got the same thrill as a legal penetration tester that he did when he was illegally hacking, except for there was far more paperwork when doing it legally. So true.
Then in a strange twist of fate, I went to work for him, and I did not know it at first. In 2018, I started to work for KnowBe4 (www.knowbe4.com), where I still work today, over five years later. Kevin was an early co-owner of the company. Through that relationship, I got to hang with Kevin many times a year. We became friends. And what I learned is what a good, loyal friend Kevin was. We often fought over different hacks he had found and the defenses that I would propose that would stop them (I was often wrong). We had spirited debates of how long passwords had to be to stop hacking and whether the latest man-in-the-middle tool could easily bypass multifactor authentication. I have to admit, in every instance, Kevin was right on his facts and proved my beliefs incorrect. Kevin really knew his stuff.
At first, I had believed that Kevin was not a top hacker…that he was just an excellent showman…an entertainer…but I did not believe Kevin was an elite hacker, on his own ability. I was wrong. Kevin, by himself, was one of the best hackers I have come across. Not only was he great at nearly any hack, and discovering (and reusing) advanced hacking techniques, but he had the broadest range of hacking skills I have ever seen! Most hackers have a particular area of expertise, say Windows hacking, database hacking, or website hacking. But Kevin hacked all of those and threw in wireless hacking, hacking of cell phones, hacking of proximity cards, hacking of multifactor authentication, hacking USB keys, hacking of nearly anything that had electricity running through it. All his hacking, for decades, was done legally. I know of no other hacker that could hack so many different things.
Kevin was a first-rate showman when he showed you hacking. Part of this had to do with the fact that Kevin, when he was a kid, wanted to be a magician. He even trained to be a magician for a short time. And it showed. If you attended any of Kevin’s hacking demos (he did dozens and dozens a year), he would be the master showman, entertaining the crowd, showing at least three different screens at once (e.g., victim’s, hacker’s, and hacking tool), while seamlessly moving around them as part of the demo. And all the time doing amazing hacks that no one else was doing.
One of the best things about Kevin was whenever he performed a hack created by someone else, he always gave that person credit. Kevin never took credit for a hack that he himself did not create. Kevin always wanted the audience to know that what they were seeing was an example of a particular hack, but that the hack was created by some other person, often a close friend.
Kevin was busy, often traveling to some other part of the world. But he made time to email or call me every few months. The last time we talked, he shared with me that he had a tough, aggressive, life-threatening disease. He didn’t tell many people, but I was one of them. Just like Kevin hacking computers, Kevin was busy trying to hack his disease away.
He lived far longer than the doctors thought, but the disease won in the end. I guarantee you that it was a helluva fight, one that was fought outside the normal boundaries of what doctors at first said was possible. That was Kevin. He listened to good people, he listened to the experts, and then he would set about trying to hack the system.
Turns out, I was also fighting a similar disease. Kevin spent hours talking to me, telling me how to speed up the diagnostic process and get into the best therapy programs in the country. He gave me names and phone numbers of doctors to call. He taught me how to hack the system. And his information did get me faster treatment months faster than the original doctors said it would happen. I’m forever in his debt for helping to improve my odds.
I am going to miss Kevin. I am going to miss seeing his latest, cool hack. If you want to see some of Kevin’s hacks, just go to YouTube.com and type in ‘Kevin Mitnick hack’. You will be glad you did. Every video of Kevin hacking something ends with his recommendations on how to defend against that hack.
I am going to miss my debates with Kevin, with him always proving his hack could overcome my defense.
The Internet is a little less safe today. Kevin, who started out as a mischievous ne'er-do-well hacker, ended up spending the remaining decades of his life telling us how to be better. There were few better.
Free Kevin Mitnick!
Navy Vet Graduate, Cybersecurity, Customer Service oriented. Bilingual, Networking, Infosec
1y Thank you Roger for sharing your friendship with Kevin. I was very sad to learn about Kevin. I'm a student in cybersecurity and when I heard Kevin's story I hoped that one day I'd get to meet him in a conference. I'll check out the YouTube videos which is part of his legacy for future generations. I wanted to share with you that there's a treatment that has successfully been used in cancer patients that puts the cancer in remission. This is the link: https://en.escozul-cuba.com/about-us/ I hope that you get well soon and live many years a happy and healthy life!
PhD. Scholar Cybersecurity | Healthcare | Content Creator | Motivational Speaker | Host of Podcast 'ZuzuTalks' on YouTube
1y Kevin Mitnick's legacy: hacker-turned-mentor. Will you miss his insights?
Helping people enjoy Technology & find simple Solutions | Chile | USA | Canada
1y Thank you Roger for sharing this personal view about Kevin - what a huge loss for the world. Also, thank you for telling us about yourself! Wishing you the best for a total full recovery!