Happy World Pangolin Day! We are Louise Fletcher, pangolin researcher, and Jason Derry, professor of science communication, here to chat about the world's most trafficked animal. AMA!
Feb 18th 2017 by oakenday • 48 Questions • 9624 Points
In the mid nineties, I was the world's most wanted hacker for hacking into 40 major corporations just for the challenge. I'm now an author and security consultant to Fortune 500 and governments worldwide, performing penetration testing services for the world’s largest companies. I am also the Chief Hacking Officer for KnowBe4, a company that develops software to train employees to make smarter security decisions. Ask me anything.
Ok, it's time for me to go. Thank you very much for participating in my first AMA. A final answer is to what I've been up to recently besides hacking and speaking. My 4th book, The Art of Invisibility, was released 2 days ago. This book is targeted to the everyday person that wants to protect their privacy or even get off the grid entirely. It's too bad the "fugitives" on Hunted didn't get a chance to read this first. In addition I'm very excited to be involved with growing KnowBe4 to over 200 employees in the past 4.5 years. It's our job to stop the former Kevin Mitnicks of the world. It's too bad John Podesta didn't take the training as he might not have clicked on that email.
My speaking schedule is posted on my website, stop by and I'll get you one of my famous business cards for free.
What makes it the most trafficked animal? Why is it so sought after?
How hard do you laugh during movies when two hackers are locked digital combat, typing at 1,000mph?
Louise could probably answer this more thoroughly, but as this BBC article outlines pangolins are most valued for their meat and use in traditional Chinese medicine.
They are also extremely easy to catch, since the pangolin's defense mechanism is to stop moving and curl into a ball. Something that works great against tigers (their scales are nearly impenetrable to a tiger's teeth) but works terribly when it's just some poachers with cloth bags reaching down to pick them up.
I pretty much just roll my eyes and chalk it up to non-technically astute writers. However Mr. Robot has changed that and is getting things spot on.
BTW, I do type at 1,000mph, 1,024 to be exact.
I am shocked to the point of incredulity that those little things can survive a tiger's jaws.
Also I have to admit now I'm a little curious how they taste. I will resist though!
Keep working at it and you may eventually get up to 2600.
The tiger is actually a core part of the plot of our story. It's the first jungle creature the pangolin protagonist Nallie ends up meeting.
I guess when you evolve alongside tigers you end up evolving tiger-resistant defense mechanisms!
I learned what I do know about pangolins from watching the Wild Kratts episode with my sons.
Have you seen that episode and did you like it?
Kevin! Just completed some of your training from KnowBe4 for work. I have my completion certificate hanging on my wall. But could we maybe get it in a font that's not comic sans?
I've not seen that episode, but I grew up on shows like that. Kratt's Creatures, Bill Nye, Beakman's World, Brainiac, even Fred Penner's Place.
They don't ever tend to show the data collection part of science, nor the staring at SPSS results and writing papers, but they make science fun and interesting.
People care about what they love, and they love what they know, and they like to know what's fascinating. So I think shows, books, curriculums like this are pretty awesome. I'd guess they are a significant influence into why I'm doing the things I'm doing today.
Ha! I'll tell you what, get your certificate over to KnowBe4 with a copy of this thread and I'll make sure that I sign it personally.
I'm a wildlife student about to graduate this May. This is the sort of thing I've always wanted to do, conservatory public education. How did you get to where you are now in your respective roles?
What was the most sensitive/surprising information you found out?
I outlined my story in this response, but there are numerous ways to get into conservation education.
If you like the research side, thinking about what area or animal you're most interested in and then seeking out graduate programs is likely a good idea. You can also do education and campaigns, but will have a primary focus on research. If I recall correctly from our conversations this is what Louise had done.
If you're more interested in the education side, you could try interning or finding work with an animal sanctuary or zoo or nature center. Those would be great ways to "get your feet wet" and make connections. There are also a few grad programs in environmental ed.
I think the best advice I've ever gotten once you know what you want to do is to look at job postings for those positions, and see what they're looking for, and use that as a guide as to how to market yourself. And if you don't have much relevant on your resume yet, then volunteering or interning is a great way to start getting that experience.
And actually, now that I think about it, this is precisely when a lot of nature centers are hiring for their summer staff. Check around your area - might be able to find a nice summer gig for when you graduate.
That a federal judge in northern California had an intercept on his line. I would check to see if any of my friends had a tap on their lines and stumbled upon the fact that a judge had one on his line.
Have you read Mary Douglas' Purity and Danger, and are you familiar with the Lele pangolin cult? I'm curious if the pangolin was awarded a similar mystical prominence in Asian societies for the same reasons.
I just want to thank you for your business card. Sadly I locked myself out of my house one day and had to take it apart in order to use the picks to break in.
In short you helped me break into a house and got me laid.
Where can I get more of your cards?
I have not read that, but I'm tagging Louise /u/Adelina84 because I want to know the answer to this too!
Wow! I better raise the price of my cards!
What would you say to teens that are into hacking? Are the consequences now worse than when you were phreaking? What projects should they channel their energy to?
Don't follow in my footsteps. Become good at offense using virtual machines and the various toolsets that are available. Learn about development and network administration to get your fundamentals before going directly into security.
The consequences are certainly more severe, and likely will only get worse. This is because of the rise in publicity of hacking with public events such as the Russian hacking during the recent election and news around Edward Snowden. What you're seeing in the making is a "War on Hacking" to replace the "War on Drugs".
Are you releasing this children's book in Vietnam and other places where there is an actual market for these animals? It seems like that is vastly more important, to educate these people.
Hey Kevin, thanks for the AMA. What motivated you to go into Hacking and what tools did you start with?
We're waiting to hear back from a translator actually about commission costs, but it's a very small publishing team. Just me and Louise actually for this entire book project, so things move more slowly. A localized version is definitely in the works though!
We're hoping to do more!
What motivated me to get into hacking was because I was involved in phone phreaking and used to pull pranks on my friends. I wanted more control of the systems involved and one thing led to another. My first tool was a telephone, after that was a VT100 terminal and a Hayes 300 baud modem. Remember I started in 1978.
What was the most memorable or impressive item of the "FREE KEVIN" campaign that you recall seeing?
While I was in a Federal Detention Center in LA I could look out the very small window and was able to see an airplane with a "FREE KEVIN" banner flying around.
Kevin, for people thinking of getting into the security industry, what particular skills do you see being the most valuable now, and the most valuable in 10 years? In other words, of which types of current emerging tracks or concepts will tomorrow's infosec managers be skilled practitioners?
Right now: It depends on what area of security, for me I'm always looking to hire expert pen testers. I look for people with skill sets in physical/technical/wireless areas.
What's hard to find today are those that have the skills to find bugs in web apps.
10 years? I need my crystal ball because I have no fucking idea. I would say that one needs to constantly and vigilantly keep up to date with what is going on both sides of the fence. It's a matter of keeping aware of the landscape as it evolves. 10 years in this industry is 100 years in any other industry. What did we have to watch for 10 years ago?
Do you have kids? If so, do they realize they will never be able to pull anything secretive past their father?
I don't have kids yet but I believe they'll be the best social engineers in the world. They'll get good practice on their parents.
If you had never been exposed to computers when you were younger, what direction do you think your life would have taken? What would be your job today?
I would probably be competing against David Copperfield as a magician because I love magic.
Yes, I don't think I could have any others at this time.
What are your thoughts on the Fortran programming language, is it good? Is it dead? My university is insisting that I have to learn how to program in Fortran, so here I am asking this.
Funny thing you would ask, the very first program I wrote was in Fortran. It simulated the login process of my teacher's computer and I used that to phish his login credentials. I never did "hello world", I got my teacher's password as my first project.
C and Python make more sense but if the university says you need it, well, you probably should learn it. But certainly don't stop there.
What is your favorite tool? What tool blew your mind the first time you saw it?
Burp Proxy Pro is really a great tool. XKeyscore is what blew my mind the most. Back in the 90s it was direct access to the DMV in CA.
My position is that Ed is a whistleblower, not a traitor. I was happy when he revealed that the US government was breaking the law by spying on our citizens. That was an illegal activity and needed to be revealed.
It's my position that Ed shouldn't have revealed our operations related to the monitoring of foreign entities, that's what the NSA is expected to do as part of their mission, just like foreign entities do with us. That's the spy game.
I know nothing about hacking. Just out of curiosity, if someone really pissed you off with a question here, could you hack them? Is that how it works? Do you need a certain level of ability or could anyone do it with a YouTube tutorial?
If the answer is yes please don't demonstrate on me! Thanks for the AMA!
Edit: Aw, downvoted... hope I didn't seem rude...
Edit: Aw, upvoted! Glad I didn't seem rude!
Let's take this offline, I'll email you later ;)
Hi Kevin, Do you think the rise of crypto currency (Bitcoins, etc.) will have a net positive or negative effect on society?
I think it's a positive effect, it gives the public another way to pay for products and services somewhat anonymously. It's just another tool that can be used by society in a positive manner.
Hello Kevin, Big fan, Have read your book tons of times. I am also a fellow ham radio operator and living in North Carolina. After reading your book I had some questions.
When was the last time you ever messed around with radios and police scanners? This is one of my current hobbies.
Also, to me one of the most interesting people in your book was Jonathan "JSZ". Have you ever talked to him since 1995?
After reading your book and reading about you editing the firmware and disabling registration in the Motorola MicroTac Ultra Lite, I also have always wondered how knowledgeable you are in programming languages such as C and other languages.
Hope there is some time in the future I can meet you in NC.
Nice to meet you as well. I haven't messed around with police scanners since the 90s. I do occasional ham radio.
I've spoken to Jonathan very few times, he had really distanced himself from me due to the prior history with the Shimomura hack. Now that the statute of limitations has run he has nothing to worry about.
Regarding languages, my first programming was at 21st Century Fox as a COBOL programmer. I'm familiar with many languages but modifying the existing assembly was how I did the work on the Motorola.
I look forward to meeting at some point, I don't have anything scheduled in NC at the moment. Check my website as I keep my speaking schedule there. Mitnick Security
Could you start a nuclear war just by whistling into a payphone?
I cannot confirm or deny.
What's the most important, or foremost thought process when attacking or protecting a digital entity?
Really thinking out of the box, expecting the unexpected. Really to me, the thought process is like puzzle solving. It's much harder to protect than it is to attack, the attacker needs only to find one hole to make it in.
Back in the day, when you were wanted, the tech was different, you didn't have tools like Metasploit, Armitage, etc. Was it easier or harder to break into stuff? And also how long did it take you to adapt to the "new ways of hacking" after getting out and serving probation? Or did you need time to adapt? And, also, in this day and age it's unimaginable to be AFK for even a day let alone for the time you were, so how was it? Big fan! Keep whistling those launch codes!
I would say it's the same. Systems were less secure but to compromise them you had to write your own exploits. An effective method was social engineering the operators of the systems, a tactic that is still very successful today. That part works the same today as it did yesterday.
While I was in custody I continued to read and follow what was happening in the wild. I couldn't use a computer for 3 years so there was some catch up to do but I wasn't completely in the dark about what had been going on. People sent me books on HTML and whatnot while I had no access to computers.
Constantly, all the time. Since there are so many ways to compromise a target I completely reload all of my systems at least once every 6 months from a trusted source. If I was on Windows I would do it every week.
Hey there Kevin, What is one area of security/hacking that you would like to improve at? What is your favorite story in hacking history that you were not a part of?
In the security and IT field there are so many things that are changing on a daily basis so you can't be good at everything. Right now there is a big need for people with the ability to find exploits in web apps.
An interesting bit of data is that when my company does engagements I still involve myself because I really enjoy the hacking process.
I have many favorite stories but I really enjoyed Kevin Poulsen's attack on Pacific Bell. I was very impressed by his bravado and how he would physically go into facilities. I would have liked to have met him earlier on in my hacking career when I was hacking the phone companies as that was my true love back in the 90s.
I would say the book was 90% false and defamatory, the movie was 99%. The good news is that Jeff Eastin, creator of White Collar, is doing the script for Ghost in the Wires. I hope that the script is picked up and it turns into something picked up by a production company.
Dear mr Mitnick,
Did you stay up to date on developments concerning your field of work during your incarceration and (iirc) supervised time? And if so, how?
And following up on that question; is it getting harder to stay up to date with the current developments while getting older?
My kind supporters sent me lots of materials, including books, emails and information. At one point my watchers tried to stop this, saying that I was getting encrypted data on how to escape in the mime headers of the printed emails.
Hi Kevin, do you think overall computer security is getting better as we devise ways to make things more secure, or is the growing number of tech illiterate people, or even techie people who just can't be bothered to keep to good security practices, offsetting the gains we are making?
It's really hard to find skilled security people, we really need to help develop people's skills in security testing. Testing security is an important step that needs to be taken.
What's the most immoral/questionable thing you've seen while being involved in this whole hacking thing?
The Albert Gonzalez case, you can read about it here
Hey Kevin. Big fan of your books, and you in general. I was wondering if you still have those nifty business cards, and how hard it would be to get one in Canada?
Thanks man. I do still have those cards and Canada shouldn't be a problem, you can get them from my website if you like, or catch me at a show.
If you could go back and give yourself any advice just before you started hacking, phreaking etc, what would it be or would you?
Don't get caught and if you're using a cell phone to dial in always keep moving :P
Oh are you the one they call 4Chan? Such a good hacker. In all seriousness, anything us average computer users should be doing/avoiding that may not be common knowledge?
Finally, what did you think of the show Mr. Robot?
I'm not actually 4Chan, sorry to break that news.
Not common knowledge? Use 2 factor authentication, use a password manager, use VPN when on public WiFi, and be aware of phishing attacks. Phishing is likely the number one way someone would be able to get you.
Regarding Mr. Robot, I love it. I've had the pleasure of meeting several of the people involved with that production.
I could tell you but then I would have to kill you. Are you trying to do reconnaissance on me?
I will say I like OSX and I like the aesthetics of the Apple hardware. I'll use VM for my Windows systems. I do use Linux and I typically go with Debian or Ubuntu.
With all the news we've seen lately about security, what do you feel is under reported or over exaggerated?
I think the sophistication behind the John Podesta phishing was highly exaggerated. This was a case of standard phishing, basic security awareness training would have prevented this. It wasn't a huge technological achievement, it was simple spear phishing.
What does your playlist consist of and what is your fuel when locked in a long work session?
I don't play music while I'm working because it's distracting. When I am listening it's Def Leppard, Lynyrd Skynyrd, Eagles, AC/DC and other classic rock. And throw in some Eminem and Black Eyed Peas.
Why did you choose Condor as your hackername back in the day?
At the time one of my favorite movies was 3 Days of the Condor. In the movie Robert Redford called up the CNA bureau to get someone's number. I was impressed that the writers had included such an accurate detail.
I saw Takedown 15-ish years ago, so obviously I already know the whole story, right? :P
Yeah, not so much. Check out Ghost in the Wires for the full story.