[HN Gopher] Kevin Mitnik FOIA Final
___________________________________________________________________
Kevin Mitnik FOIA Final
Author : thembones
Score : 98 points
Date : 2025-02-14 19:02 UTC (3 hours ago)
(HTM) web link (vault.fbi.gov)
(TXT) w3m dump (vault.fbi.gov)
| thembones wrote:
| Kevin Mitnik's FBI file final Freedom of Information Act request.
| LorenDB wrote:
| This will pair well with Mitnick's autobiography _Ghost in the
| Wires_ , in which you get to read Mitnick's side of the story.
| fabiensanglard wrote:
| If you are into this topic, read as many point of view as
| possible and take a look at http://www.takedown.com/ (Tsutomu
| Shimomura's side of the story).
| daghamm wrote:
| I've far more respect for Tsutomu. In the end he turned out
| to be the better hacker.
|
| Reading Mitnicks book I sometimes get the impression that the
| he is making up half of it.
| sidewndr46 wrote:
| He's also on the winning side, so I imagine it'd be in his
| best interest to make himself look better.
| tptacek wrote:
| To the best of my knowledge, Mitnick didn't really code at
| all. There are (let's call them) intrusion specialists
| whose skillsets don't really involve systems programming,
| but rather intuition and tenacity, and there are others who
| write exploits. My understanding is that Mitnick was the
| former, and was using tools he got from friends and peers.
| vasco wrote:
| In the book he spends a lot of time on the social
| engineering parts of it to be honest. It's been a few
| years but I remember him mostly bragging about that
| rather than developing custom exploits.
| tptacek wrote:
| He also comes from an era of intrusions where systems
| were so bad you didn't really need to code to get into
| them. For an alarmingly long time, the most effective
| tool you could use to pop a network was simply
| `showmount`.
| indrora wrote:
| Anyone who has studied the later parts of the phone system
| know that at least a few of his stories are actually
| bullshit.
|
| It wouldn't be until much later (in the 90s at least, while
| he was in prison) that the advent of pure digital switching
| would enable the random reassignment of phone lines like he
| describes in the story about turning his friend's home
| phone into a payphone.
|
| The lines were separated and had differences in sender
| frames just for payphones, plus typical phones weren't too
| happy when 130VDC was applied to them for very long.
|
| The fact of the matter is that Mitnick went around and
| shook doorhandles until something opened and occasionally
| convinced someone to open a door for him her and there, and
| the fact that the emperor had no clothes was too
| politically inconvenient for the kinds of companies that
| Mitnick hit up.
| jamal-kumar wrote:
| After hearing his voice messages in a fake asian voice
| trying to mess with Shimomura, I kinda lost all respect for
| Mitnick.
| freedomben wrote:
| Ghost in the Wires[1] is a really phenomenal and entertaining
| book btw. If you go audiobook, Ray Porter does the narration
| and absolutely crushes it.
|
| [1] Available DRM-free at Downpour
| (https://www.downpour.com/ghost-in-the-wires?sp=19991) and at
| Libro.fm (https://libro.fm/audiobooks/9781483067216-ghost-in-
| the-wires)
| daft_pink wrote:
| Do they have a processing step where they add in random dots
| everywhere?
| gwbas1c wrote:
| It's called noise. It's clearly typewritten text scanned at
| black and white.
| kobieps wrote:
| Sheesh now I feel old
| NikolaNovak wrote:
| I get a dismissable dialogue box upon viewing the document,
| explaining the context and quality (i.e. scanning noise),
| including fairly explicit:
|
| "The image quality contained within this site is subject to the
| condition of the original documents and original scanning
| efforts."
|
| Hope that helps! :)
| Helithumper wrote:
| Surprised that personal info such as Kevin's SSN wasn't removed
| prior to release.
| dgacmu wrote:
| Er, what risk does the release of an SSN pose to someone two
| years deceased?
| hinkley wrote:
| TIL.
|
| Now I'm wondering how many other people in this thread don't
| know he died (pancreatic cancer). 59 isn't that old. And he
| was expecting a baby at the time, which suggests maybe they
| didnt think so either.
| themaninthedark wrote:
| Looking at the post made after he passed, not many people
| were aware he was sick.
|
| Pancreatic cancer is a fast and deadly one.
| silisili wrote:
| Thanks. I had no idea he'd passed, either.
| cap11235 wrote:
| On top of that, he'd be super popular as a target for anything
| because tons of folks, including non-technical, know the name
| "Mitnick" very well.
| joering2 wrote:
| Steve's Job SSN is 549-94-3295. How can this release harm a
| dead person?
| spydum wrote:
| Didn't you read Elon's post? SSNs database isn't
| deduplicated!
| cyberax wrote:
| That's because there are SSNs shared by multiple people.
| jfengel wrote:
| Him, probably not. His estate, however, potentially. Perhaps
| one could get a loan, using his SSN, and his estate gets the
| bill and subsequent harassment.
|
| SSNs make terrible secrets and it's insane that you could
| harm a live person by knowing their SSN. I doubt that
| insanity stops just because you're dead.
| klodolph wrote:
| > I doubt that insanity stops just because you're dead.
|
| It really _does_ stop. What can you do with someone's SSN?
| Get loans, open bank accounts, receive government benefits,
| set up utilities, etc. It harms someone because creditors
| falsely believe that the SSN's holder owes the debt, or the
| government believes that the SSN's holder received
| benefits, etc.
|
| People who are falsely reported as dead have a difficult
| time doing anything... certainly a hard time getting loans.
| It's certainly going to be hard to make a claim against an
| estate that's been closed for a couple years, with a debt
| that is dated after that person's death.
| sidewndr46 wrote:
| It's worse if you share a name and birth date with
| someone, doubly worse if they die before you.
|
| In general, identity verification is a joke in the US. At
| best its a racket.
| colechristensen wrote:
| If someone is asking for an SSN they'll be doing a credit
| report which will show if you've died.
| dgacmu wrote:
| Estates are issued their own, fresh TIN (taxpayer id). Once
| established they don't operate under the SSN of the
| deceased.
| gosub100 wrote:
| Creditors have access to the death index too.
| klodolph wrote:
| Other people have mentioned this... but it's been established
| in policy that the SSN of a deceased person is not PII. There
| are a ton of different ways to get the SSN of someone who is
| deceased.
| userbinator wrote:
| If anything, having it public could dissuade others from
| trying to use it.
| wildzzz wrote:
| They aren't "public" but if you have a good reason, the
| govt will let you see the list of dead people SSNs. It's
| one of the first things checked when you're trying to open
| a line of credit because it's so easy to verify.
| dylan604 wrote:
| But they clearly left the year visible so blocking out the
| AUSA's name seems dumb too as it wouldn't be hard to look up
| who were the AUSAs to narrow down who was named in the file.
|
| The entire redacting seems just so superficial
| jonstewart wrote:
| s/Mitnik/Mitnick/
| rglover wrote:
| It should be illegal for the government to keep redactions in
| anything made public/declassified. It's a slap in the face to see
| entire sections of text (that most certainly contain important
| context) blocked out with a white blob.
| toast0 wrote:
| If that were the requirement, documents would not be made
| public/declassified unless the entire document was considered
| safe to release.
|
| In many cases, a partial public document is better than no
| public document.
| taurknaut wrote:
| A) a lot of what is censored ends up being publicly-known
| information already, so it's not a matter of safety but
| rather public image (imo), and B) this creates a perverse
| incentive to associate national security (...or other sources
| of unsafety) with unrelated topics to avoid having to hold
| yourself accountable for your work.
|
| Plus, there's little way of knowing for the documents for
| which we haven't seen the uncensored version if they aren't
| just censoring arbitrary things.
|
| It may be reality, but it's still pretty bad for any
| government that pretends to value transparency.
| timewizard wrote:
| The people who generate the documents /cannot/ be the people
| who decide if they're safe to release. There needs to be
| independent oversight. These are not agency documents they
| belong to the public. They may be classified but the moment
| they're no longer _objectively_ worth classifying they are
| absolutely public domain material.
|
| It's also extremely offensive to see the names of AUSA's
| (Assistant US Attourneys) and SA's (FBI Special Agents)
| redacted. They had personal involvement in this case so I
| genuinely don't understand why their names cannot or should
| not be a part of this document. They're public figures in a
| public role.
| dkga wrote:
| I completely disagree. In this case, it is clear there
| wouldn't be a reprisal but in many case law enforcement
| agents and prosecution teams get involved in might involve
| serious reprisal threat for them or their loved ones. Their
| names should never be revealed.
| Latty wrote:
| Seems like a great way to ensure nothing gets declassified, as
| any tiny part that is still relevant then blocks the whole
| document.
| runjake wrote:
| I completely disagree. Nothing would get declassified.
|
| Anyway, each redaction has a usually-legible Exemption code
| next to it that tells you why it's redacted. You can find out
| what those are here:
|
| https://foia.wiki/wiki/Exemptions
|
| For example, you see 7c/b7c in the document a lot:
|
| "could reasonably be expected to constitute an unwarranted
| invasion of personal privacy"
| palijer wrote:
| Why do we need to have the names of people like a random
| security guard that was duped by social engineering? To make
| sure he pays for a mistake or something? What is the reason for
| not reacting his name?
| palmotea wrote:
| > What is the reason for not reacting his name?
|
| The reason is GP doesn't understand the reason, so there is
| no reason, so it _must_ be made public. /s
| rglover wrote:
| I'm not concerned with names. It's entire paragraphs that
| _may_ have names in them that are redacted. If it 's just a
| name or address, redact that, sure.
|
| "Called -------- on July 1st, 1983 to get access to a router"
|
| Is much better than
|
| "----------------------------------------------------------"
| ocschwar wrote:
| The Mitnick files contain information about innocent people who
| are alive and whose privacy rights remain paramount.
| vasco wrote:
| Perhaps too naive a question, but if they are innocent what
| is there to protect? I get it in the case of informants or
| agents that operate undercover or in plains clothes but if
| just a bystander how is it different than some news article?
| dgacmu wrote:
| Details about victims whose release might cause them
| further harm is the obvious one.
| itishappy wrote:
| What's your name and address? (Rhetorical question, please
| don't answer.) Is that info you'd be comfortable sharing on
| a public forum? I presume you're not doing anything
| particularly wrong.
|
| This also assumes that we can all agree on a definition for
| "innocent."
|
| > what is there to protect?
|
| Their privacy. Some people have strong opinions on 3 letter
| agencies and poor reading comprehension. Some people are
| just mean spirited. Best way to prevent dumb stuff from
| happening is to not create a situation where dumb stuff
| could happen.
| genewitch wrote:
| Licensed ham radio operators give their address every 15
| minutes by law. And their full name. Sometimes it's a PO
| box, but mostly a home address's.
|
| I can't think of anything more public than airwaves.
| gmueckl wrote:
| There may be a middle ground where, with some effort effort, a
| watered down summary of the redacted information could be given
| (e.g. if a name of a person is redacted, replace it with some
| sort of unique handle). As long as this is done as an
| annotations for the visibly marked redaction, I see no problem.
| The reader may choose to trust those annotations or not.
| rglover wrote:
| This would be fair (I hadn't considered names in my original
| comment). Whether truly sensitive or not, protecting
| names/addresses/numbers/etc. would make sense (especially if
| there was a footnote to a "why" something was redacted).
| jamal-kumar wrote:
| This is pretty damn interesting, it's definitely the earliest
| example of a computer intrusion incident response report that
| I've ever seen. These reports detail stuff he was doing in
| 1980/1981 at the earliest I can see just skimming the top few
| pages. His own side of this particular chapter of his history is
| maybe worth a read, maybe not - he was known for embellishments:
|
| https://web.archive.org/web/20090317050834/http://www.themem...
| taylorbuley wrote:
| The password to the system was "BRIS," the name of the vendor.
| TimC123456 wrote:
| I laughed when I read that, too. Like locking up that "$2MM
| dollars of information" in a vault secured with a piece of
| string.
| toomuchtodo wrote:
| https://web.archive.org/web/20250206232604/https://vault.fbi...
| CodeWriter23 wrote:
| 1981? Security mostly was knowing which phone number to dial in,
| according to a deceased friend of mine.
___________________________________________________________________
(page generated 2025-02-14 23:00 UTC)