World's greatest computer hacker raises alarm
Barred from writing about his own case for 10 years, Kevin Mitnick describes classic computer crimes and how to thwart them
Of course, the whole thing was a ruse. The founder was traveling, but Daggot worked for the competition. Having gained the trust of a few engineers and gotten the documents he needed, Daggot disappeared. When the founder returned, he called in the police, but was told that no crime had taken place. A few months later, the competitor announced a product that was nearly identical to the one described by the stolen documents.
Daggot's story is a good one, and there are a lot of them in "The Art of Deception." But alas, all of these stories have the same problem: None of them is true. Under the terms of Mitnick's plea bargain, he's prohibited from selling his story for 10 years. As a result, this book shines no light on the crimes that Mitnick allegedly perpetrated or on the government's alleged excesses in prosecuting him.
Ironically, it's Mitnick's reputation as a deceiver that gives him the credibility and even the moral authority to write this book. In interviews, Mitnick has confirmed that many of these stories are based on exploits from his past.
Although some will accuse Mitnick of creating a handbook that teaches crooks how to break into organizations, the truth is that we all need to understand these con games to protect against them. To stress this point, his last two chapters contain policies, procedures, and training that companies can implement to further protect themselves. In keeping with his premise that the most damaging security penetrations are the result of deceit, not technical penetration, almost none of Mitnick's suggestions is technical in nature.
The most important recommendation is that when somebody contacts you claiming to be from your organization, you need to verify that they actually work for your organization, whether they are asking for your help, offering to help you, or just trying to be friendly.
A more controversial suggestion is that organizations should launch simulated "social engineering attacks" on their own employees. Although the training would be invaluable, Mitnick acknowledges that some companies might not want to intentionally lie to their employees.
"Nine out of every 10 large corporations and government agencies have been attacked by computer intruders," states Mitnick, basing his analysis on the Computer Security Institute's annual survey. Let's hope that if they implement the strategies in this book, companies that are attacked won't be so easily penetrated.
Simson Garfinkel is a graduate student at the MIT Laboratory for Computer Science, and the author of numerous books on computers, security, and privacy.