Posted by mauvehaus 3 days ago
His report for a client that turned out to have been rife with SQL injection at the time was largely movie plot physical security stuff. Not wrong exactly, but not the center mass of the threat model they needed either.
He seemed to lack systems thinking, producing a report that focused on calling out specific employees as dumb or incompetent. Counterproductive at best. It seemed like his PR exceeded his utility by a great deal.
That trend continues beyond the grave, maybe.
Giving people a chance to discuss, as adults and professionals, how they got sniped beats any second-hand training and experience by miles.
Now we get to hear that x% of a sample failed, including #y elevated-privilege people. How will somewhat naive management handle that?
Sometimes I get a feeling many HN-ers work in ultra toxic environments. HR is not your friend, your manager is there to screw you over and the firm will fire you for pennies. That’s just not my experience in working.
Many people in the world work in toxic environments, not just HNers. Especially when the jobs market is shit, people turn on each other like animals.
>HR is not your friend
Where did you work that HR was your friend? Did they invite you for beers or visit you in hospital when you were sick?
HR everywhere protects the company from liability, that's it. They're your "friends" as long as you don't risk becoming a liability.
>your manager is there to screw you over and the firm will fire you for pennies.
Your manager maybe not, if you're lucky and he cares about those below him more than his own corporate ascension, but managers at levels above sure screw over the ones in the trenches when shit hits the fan; that's how they got to the top in the first place. The more unscrupulous one is, the more likely they are to climb up.
> That’s just not my experience in working.
Good for you.
The second question: yes, in a time of need my manager and HR-consultant did indeed help me find appropriate psychological care. (And we also visit coworkers in the hospital.) This was part humanity, but also part of what ‘we’ (a firm is a collection of people) constitute as being part of what it entails to be an employer. It feels like a reductio ad absurdum to think that this was purely transactional on their part. It was deeply human, or at least I choose to see it as such.
This is unfathomably rare. I hope you realize just how lucky you are.
> But non toxic I hope as well.
This never happened to me, and I live, on paper, in the most livable country in the world. All bosses only care about my performance, not my healthcare. The moment I got too many sick days, I got dismissed and sent off on welfare.
>This was part humanity,
But most employment relationships are exclusively transactional. Your only virtue is usefulness to the boss's bottom line, not your "humanity", as that can't be monetized, unless maybe you work in government, healthcare or NGOs.
As someone who has been training and mentoring and managing people for over 25 years: shame is useless as a tool. There's no "you gotta have thick skin" in people management. That attitude is just covering for the deficiencies of the manager. Most people's natural reaction to shame is to shut down and either slink away or become vindictive. You don't get the right corrective behavior out of using shame.
One's employment of shame as a corrective technique also has a wide blast area. When one singles out and criticizes people in public, the people who aren't being criticized still see it and form new, negative opinions of the criticizer. You undermine your own authority as The Boss when you do that.
Truly being "results focused" means studying actual management theory, negotiation techniques, coaching techniques, and conflict management. Praise in public, criticize in private. Always. And when you do have to criticize, keep the emotion out of it and stick to just the facts.
I have two employees I've had to put on PIPs right now. One of them is actually improving. The other one is a habitual liar; for whatever reason HR won't let me fire him outright, but even for him I won't break my rules, regardless of how angry he has made me, because the rest of my team will see it. During the meeting where I informed them I would be formalizing the process, they were not surprised and agreed that it made sense, because I had done the work before then to establish expectations and work with them to try to improve. There are also people in the past whom I have fired who have messaged me on LinkedIn, thanking me for being kind to them during the process, because it was what they needed to turn their lives around.
You can tell people they aren't meeting expectations. You can put people on official notice. You can fire people. And you can do all of those things in ways that preserve their dignity. And in that mode, you can get mediocre employees to be good, good employees to be great, and great employees to stay. Or you can treat people like shit and constantly have to go back to the recruiting well. I'm sorry, but I'm far too busy to be constantly interviewing and onboarding new people.
Especially for security, yes, shame the person in a small setting, shame them in a positive way, as in "let's all learn from this", but shame is very powerful. Much more powerful than saying "someone in this team failed this" and everyone thinks it was the other guy.
Previously, shame (and other pressure) was just applied without first empathically inspecting why the node was acting in the way it did, thinking that just enough force will surely solve the problem. It kinda did, but with lots of collateral.
Essentially, the security consultants (and everyone else involved) were just being lazy and not doing their job correctly.
But now we have this overcorrection, because people are still lazy and do not want to do their job correctly, which leads to the systems failing in a different way.
___
The solution would be to understand the individual node and apply the correct corrective measure. This can be shame, but it might also not be. And the level of it is also highly dependent on the situation.
This is a hard problem to solve, but it needs to be solved for good results.
The problem here being that scaling that up is hard, but everything needed to hyperscale. With either the individual nodes or the system integrity picking up the slack.
Very well said, and I think your exact description applies to management in general: management is hard, and requires hard work to be done correctly, tailoring your response to every person, because two people being bad at their job aren't always bad for the same reason.
But most managers are not suited to the job, because it's mostly a status symbol and not something you give to the most qualified person, and most are too lazy to even try learning about it, so they don't make the effort of adapting to every individual, and in the end they end up either tyrannical or complacent.
Why would you do the hard work when you can also just not do that?
I mean I agree with "people are not suited for the job", however, I also feel like often, "the job is not suited for people".
It's rot all the way down, essentially.
As a junior I made the front page of national news. I answered a question with a very big number on a Friday afternoon. Hit headlines on Saturday. Our prime minister had to defend my mistake in public. (He never admitted any mistake. With just enough spin nothing sticks.)
The head of the organization literally cursed and spat at me. In that same meeting from the no. 2 down they stood up for me. It’s still a great story about how to treat mistakes 20+ yrs on. Admit mistakes. What did __we__ (not: he) do wrong? (Hint: from medior to board everyone had an afternoon off and we had never discussed stakeholder management. I was in no position to say no to a ministerial request.)
> I'd forever be paranoid about it
Some folks like to work that way, but I don't think most do. This obsession for outward correct behavior, even if it works at the end (at least externally), doesn't sound like a recipe for happy inner life but maybe I am reading too much into that.
Scenario 1: 20% of staff tested failed. Individual targeting is pointless because the issue is systemic. This has happened in aviation, it’s common for accident investigators to conclude that the entire company culture (or even the entire industry) has failed to handle a problem. They don’t waste time in cases like this pointing at individuals.
Scenario 2: you test very regularly and nobody fails the tests. Except Bob, he fails the tests. In this scenario, your threat analysis document will recommend retraining, firing, or restricting Bob specifically.
Scenario 2 almost never happens because nobody has data that good. If your sampling frequency or ability to conduct tests is limited, no specific sample is enough to cover the entire problem. If you focus on punishing (or just re-educating) the 20% who failed, then your next test will fail for (potentially) 20% of the 80% who weren’t retrained, and thus didn’t learn anything.
TLDR: you need to choose the approach based on the situation, but we collectively tend to treat security poorly enough that we’re almost never in the fortunate situation where scenario 2 fits.
Yes in general, because usually it's culture and not an individual failing. No in specific situations, because it's not just culture but also some people are just the weakest link.
Only focusing on either of these while ignoring the other is going to lead to bad results.
If he walked into a conference room and called them out by name, that would be a touch abrasive.
Bold of them to assume I'll answer the phone if I see my manager's number come up.
If I've learned anything from the scambait people such as kitboga on youtube, if you're bored you play along with it, pretend to have acquired the gift cards, and then tell the "boss" you've scratched off and emailed their company address the codes, as the scammer on the phone wails "do not redeem! SIR DO NOT REDEEM!"
Whole thing was so dumb. A floor full of smart monitors that they could have put a keylogger on. A plethora of physical network access and I get called out for leaving my laptop on the lock screen and going downstairs for food.
And they got found out because I ran Little Snitch, which I paid for myself, and it caught their hijacked Chrome making all sorts of weird network calls. But I don't remember being given credit for that.
(Sips mojito)
Screen-lock itself required a password. But lo & behold, if you'd pick up the headset & hit a button "accept call" (usually meaning you're back in action), screen would be unlocked.
Convenience (read: profit) trumps security every time.
People walked to conference rooms and to get food without taking their laptop with them all the time (of course), so it's not like I did something out of the ordinary or against policy. I remember them accusing me of leaving my laptop overnight, but I was just working late.
And this was in a secure area with cameras, within earshot of the overnight crew and behind a door in a private shared office (glass door, glass wall, so someone could have seen them), so it's not like I was in a common area and just walked out leaving my laptop on a random table.
All that “Free Mitnick” support from the early 2000s he got must have gone to his head, or he was just a dick all along
VS
2002: “Companies spend millions of dollars on firewalls, encryption, and secure access devices and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.” — Kevin Mitnick
“Amateurs hack systems, professionals hack people.” — Bruce Schneier
source: <https://archive.md/LiQN4> / (paywall) <https://economist.com/special-report/2002/10/26/the-weakest-...>
I understand he probably just lent his name to the company (though he did show up in some of the videos), but still...
I might say "sorry for your loss of job"... but seriously, not. You shouldn't have got that job in the first place.
At least you can brag about getting unemployed thanks to Mitnick.
He did cost people their jobs though, so I guess he's a good person.
Social engineering is just that, exploiting people having insufficient intellect for the job.
They left out convicted criminal.
Absolutely better at PR than any actual work, pay careful attention and none of his early stuff was particularly novel, from a technical perspective.
But for whatever reason, we venerate him just because he was victimized by the state. The world is not a dichotomy -- sometimes bad things happen to bad people.
If he had been treated fairly by the justice system he wouldn't have gotten nearly as much attention.
He was also autistic, a lot of the behavior can be explained through that lens.
That was uncalled for on the part of DOJ.
>He was also autistic, a lot of the behavior can be explained through that lens.
I'm autistic. Maybe I should go commit a bunch of felonies to increase my chances of a good job and stature in the hacker community, since things like publishing code, publishing peer reviewed papers, and mentoring newbies have not been productive ways of finding gainful employment nor respect of my peers.
I have friends who did things like take a gap year to travel the world or met their spouses on nights I stayed in to study, and some evenings when browsing HN I feel very sad that I wasted my 20s on a society that does not care about me.
Anyways, sorry to wall of text, but what you said really struck a nerve with me -- there are hierarchies in any community, and one thing I've noticed with the hacker scene is one group of people can mess up over and over using the same sets of facts or diagnoses, but others can expect to have worse outcomes with better behavior for reasons that elude me to this day.
I'm glad you have finally recognized the problem.
Stop living for your idea of others and start living for yourself.
Unfortunately, I exhausted my emergency fund trying for certs and attempting to escape a domestic violence situation, so I do not have that option. I'm trapped.
For the rest: nothing's stopping you from having fun, regardless of age.
I've been there before, but it's my understanding I'd have visa issues doing anything beyond tourism.
Because missing that seems to be the main problem of the poster above.
I'm involuntarily destitute, not involuntarily celibate :-)
But well, he also is looking for respect and recognition among his peers, and Vienna is a nice city.
If more people strived to be like Mitnick today, the tech world would have a lot more power.
I recently re-read "Cyberpunk: Outlaws and Hackers on the Computer Frontier". It was published in 1991 and the first third of the book provides an early contemporary account of Kevin Mitnick. It's a great book that I first read in my high school library in the 90s and it completely captured my imagination.
However, I had never connected the dots that the subject of the last third of the book was Robert Tappan Morris, creator of the Morris worm, who went on to cofound Y Combinator! Paul Graham is also quoted in the book.
The book has aged pretty great. They added an updated epilogue in 1995 in the early part of the Free Kevin era, but honestly re-listening to the book in 2025, I was wondering where the updated Y Combinator epilogue was!
Then a few weeks after finishing the book I ran into his LinkedIn post (bit OT, sure) and asked whether what the book told was, to his recollection, still accurate in the part where it refers to his work at DEC Systems Research Center (SRC) at the time. The following is what he replied to me:
" markoff and hafner did extensive research and the book is accurate in all ways i could know. note that while mitnick has paid his debt to society (jail time), i've never received from him an apologia. my only other written mention of those breakins was here:
Interesting fact about Shimomura, he was a student of Feynman's
Regarding the full weight of the police, Shimomura did have an easier time convincing the ISP and phone companies to give him access to the logs. He was able to ask the cellular company to locate the cell tower where Mitnick's cell phone connected and traced him to the general area. If Mitnick had been careful, he could have hacked into the ISP/phone companies and erased all his access logs.
odd for a hacker to take that attitude ...
Why not? Sometimes it's not what you know, it's who you know.
Seems a distinction without a difference from the traditional AFAIK As Far As I Know.
I highly recommend this YouTube video... it's 4 hours long but it is pretty amazing!
Takedown Evidence: Kevin Mitnick's "sessions" (Complete Transcripts) https://www.youtube.com/watch?v=r5EGMYsr6uY
Ed: https://www.imdb.com/title/tt0159784/
Ed2: can't recall if I ever got around to reading takedown - I think I did. Much prefer ghost in the wires.
Kevin Mitnick, airline pilot. What's a deadhead?
This helps to fill in some of the details. It's a really nice story showing the humanity that can be found in situations when you look close.
That's miles away from "largely law enforcement" though. I talked to an FBI agent at PyCon but people aren't claiming it's a LEO convention.
A generation of hackers (specifically, the vBulletin generation) stayed as far away from the CFAA as possible after that fiasco, which I suspect is exactly the chilling effect that the DOJ intended.
Kevin was particularly annoying because he never failed to penetrate a target. The reason that's annoying is it just takes one slip, one weak point, one inattentive admin and it's over. People will stay mad about that. I get it.
But those who say he had no talent are just ignorant.
His goal was to make the world safer, and making people pay attention to risk didn't make him a lot of friends. All the hate I am reading here is just sad.
If you hate Kevin and did not know Kevin, I feel bad for you. Hate is an expensive emotion, even when you're just being a keyboard warrior. It should be reserved for people who have really wronged you. Kevin is not with us anymore. The hate is hurting you, not him. And he has a son who will read this someday. Have a heart.
Speaking for myself as someone very early in my journey during the time when Mitnick was still active as a grey hat: he advanced our thinking about security and the nature of trust itself in ways that have never been more timely.
Paradoxically he profited personally far more as a white hat than he ever did in the grey area, his motivations were clearly not extractive. The authorities compelled him to go do lucrative things! (after persecuting him mercilessly).
RIP Kevin. We are ill equipped for the vulns of the AI, but without you we'd be helpless.
TBF that's likely a symptom of social media and people commenting on things they don't know about with a bit too much confidence. You can see similar takes on Snowden today.
Back in the day (90s, 00s) he was both widely supported and a bit of a myth in the early Internet communities.
I don't think anyone says he had no talent; what rubs people the wrong way is that the thing he had talent for is the same thing that the people have who try to scam call your grandmother out of her pension money. You can be the world's greatest burglar, you're still a burglar. The whole cringy "social engineering" thing turned media persona and consulting business is to engineering what chiropractic is to medicine.
He leaned pretty heavily into monetizing his own image, and for a lot of people what he did became synonymous with the word 'hacking' in a not particularly positive way, and criticising that isn't hate.
Look, I know that people form their opinions in a bubble. All I am saying here is you should expand your bubble. You know nothing about Kev. Again, that's OK, but it also means you should try to understand what you're hating.
You'd try to make money on your image if you could, I'm betting. Especially if you had been put in prison and left there with no bail hearing, and put in solitary confinement for 'hoarding tuna' in your cell. For 9 months. While your father died. This was not a normal treatment of any person in custody.
Kev was a good person. Full stop. Just as curious as all of us in that era.
I understand you're defending your friend, but that's a little uncalled for. Personally, my first real knowledge of him was from his 2002 book The Art Of Deception, which is specifically a book about social engineering. That is how he himself chose to present himself - as a successful social engineer - so you can't criticise others for that.
There's good and bad in all of us. I don't think the person you responded to said Kevin was all bad, and made it clear it isn't hate.
That's not just curious, that's not something we all did when we were young, those were legitimate crimes and they still are for good reason. He had a big part in popularizing the image that a hacker, rather than someone who writes software for the public good, is someone who tricks other people and steals personal data.
And no I wouldn't be proud if I ran phishing scams and stole IP from random companies, I wouldn't monetize that, I'd say I'm sorry which from reading his books at least I don't think he ever was.
But be honest...
How sweet is that 911?
It's entirely possible to be on opposite sides of the fence, hate the other party's actions, but still respect (or even like) them on a personal level. Imagine yourself in their shoes & dial it up to 11.
[insert favorite movie scene here]
Ring me up, Mate.
Neill.
That made me smile. But what the hell? I figured: he already knew he had been hustled, so I had nothing to lose.
I called.
“Hey, Neill, what’s up?”
“Hey, mate.” No anger, no threats, no hostility. We were like two old friends.
We spent hours talking, and I shared all the intricate details of how I’d hacked him over the years. I decided I might as well tell him, since it wasn’t likely to work on him again.
We became telephone buddies, sometimes spending hours on the phone together over several days.