My name is Kevin Mitnick. . . . I have 20 years' experience circumventing information security measures and can report that I've successfully compromised all systems that I targeted for unauthorized access except one. I have two years' experience as a private investigator, and my responsibilities included finding people and their money, primarily using social engineering techniques. . . .

The average American's confidence in the public telephone system is misplaced, here's why. If I decided to target a computer system with a dial-in modem, my first step would be to use social engineering techniques to find the number of the modem. Next I would gain access to the telephone switch that controls the number assigned to the modem line. Using that control, I would re-direct the modem number to a log-in simulator that would enable me to capture the passwords necessary to access the target machine. This technique can be performed in real-time to capture dynamic passwords that are changed once per minute. All of the actions I just described would be invisible to anyone monitoring or auditing the target computer security.

What's important here is to consider the big picture: People use insecure methods to verify security measures. The public's confidence in the telephone system as secure is misplaced, and the example I just described demonstrates the reason why. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption, and secure access devices and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information. . . .

I'd like to bring to this committee's attention how I successfully breached information security at the IRS and the Social Security Administration using social engineering techniques before 1992, which so happens to be beyond the applicable statute of limitations. I called employees within these agencies and used social engineering to obtain the name of the target computer system and the commands used by agency employees to obtain protected taxpayer information.

Once I was familiar with the agency's lingo, I was able to successfully social engineer other employees into issuing the commands required to obtain information for me, using as a pretext the idea that I was a fellow employee having computer problems. I successfully exploited the security measures for which this committee has oversight authority. I obtained confidential information in the same way government employees did. And I did it all without even touching a computer.

Let me emphasize for the committee the fact that these breaches of information security are ongoing, even as I stand before you today, and that agency employees are being manipulated using social engineering exploits, despite the current policies, procedures, guidelines and standards already in place at these agencies. . . . .

In closing, I'd be happy to offer my knowledge and expertise to the committee regarding methods that may be used to counteract the weakest link in the security chain: the human element of information security. . . .

[Ed. Note: After his opening statement, Mitnick took questions from members of the Committee.]

U.S. SENATOR FRED THOMPSON (R-TN): . . . It seems, in essence, what you're telling us is that all our systems are vulnerable, both government and private.

MITNICK: Absolutely. . . .

THOMPSON: And you also point out that the key to all of this--we sit here and think of systems and programs and all, but you point out the key is personnel--that that is the weakest link, no matter what kind of system you have . . . . Can you explain on the importance of the personnel aspect to this, and what you think we might can do about it?

MITNICK: Well, in my experience when I would try to get into these systems, the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. And I was so successful in that line of attack that I rarely had to go toward a technical attack. . . .

The problem is people could do what they call information mining. It's where you call several people within an organization and you basically ask questions that appear to be innocuous but it's really intended to gain intelligence.

For instance, a vendor might call a company and ask them what software, what are you currently using, what computer systems do you have to sell them a particular product because they need to know that information. But the intent of the caller might be to gain intelligence or try to target their computer systems.

So I really have a firm belief that there has to be extensive training and education to educate the users and the people who administer and use these computer systems that they can be victims of manipulation over the telephone. Because, like I said in my prepared statement, companies could spend millions of dollars towards technological protections and that's money wasted if somebody could basically call somebody on the telephone and either convince them to do something on the computer which lowers the computers defenses or reveals the information that they're seeking.

THOMPSON: So you can compromise a target without even using the computer?

MITNICK: Yes. For example, personally, with Motorola, I was working at a law firm in Denver. And I left work that day and just on an impulse I used my cellular telephone and called Motorola, their 800-number, and without getting in details of how this because of the time constraints, by the time I left work and by the time I walked home, which was about a 15-to-20- minute period, without any planning or anything, by the time I walked to the front door, I had the source code to the firmware which controlled the Motorola ultra-light telephone sitting at a server in Colorado. Just by simply making pretext telephone calls, within that 15-to- 20 minute period, I had the software. I convinced somebody at Motorola to send the software to a particular server. . . .

U.S. SENATOR JOSEPH LIEBERMAN (D-CT): Mr. Mitnick, thanks for your testimony. My staff lifted up some clips in preparation, and one of them described you as, and I quote, "arguably the most notorious computer hacker in the world." And I thought I would ask you if you would be comfortable, as we confront this problem, helping us to answer the question of why? ... If a foreign government as the Serbs did during the Kosovo conflict or some sub-national group of terrorists tries to break into our computer system, that's pretty clear why. But this is not like most crime waves. To a certain extent, as I've read about your story and hear about others, and the kind of daily breaking of government computer systems, it seems to me that there's a different sort of motivation here. And in some sense, it almost seems to be the challenge of it. If you would, just talk about why you, or if you want to third-personize it, why people generally become hackers.

MITNICK: Well the definition of the word hacker, it's been widely distorted by the media. But . . . my motivation was the quest for knowledge, the intellectual challenge, the thrill and also the escape from reality--kind of like somebody who chooses to gamble to block out things that they would rather not think about. My hacking involved pretty much exploring computer systems and obtaining access to the source code of telecommunication systems and computer operating systems, because my goal was to learn all I can about security vulnerabilities within these systems.

My goal wasn't to cause any harm, it wasn't to profit in any way. I never made a red cent from doing this activity. And I acknowledge that breaking the computers is wrong, and we all know that. I considered myself a trespasser, and my motivation was more of--I felt kind of like as an explorer on these computer systems.

It really wasn't towards any end. What I would do is, I would try to obtain information on security vulnerability which would give me greater ability at accessing computers and accessing telecommunications systems. Because ever since I was a young boy, I was fascinated with communications. I started with CB radio, ham radio, and eventually went into computers. And I was just fascinated with it. And back then, when I was in school, computer hacking was encouraged. It was an encouraged activity. . . . In fact, I remember one of the projects my teacher gave me was writing a log-in simulator. A log-in simulator is a program to trick some unknowing user into providing their user name and password. And of course I got an A.

(LAUGHTER)

But it was encouraged back then. We're talking about the '70s. And now it's taboo.

And a lot of people in the industry today, like Steve Jobs and Steve Wozniak , they started out by manipulating the phone system. And I think even went to the point of selling blue boxes on Berkeley's campus. And they're well recognized as computer entrepreneurs. They were the founders of Apple Computer.

LIEBERMAN: So that the fork in the road went in different directions, in their case.

(LAUGHTER)

MITNICK: Just slightly.

LIEBERMAN: Just slightly. Well, maybe there's still time. Well, you're young, so there is still time. Your answer is very illuminating. Part of what you're saying has struck me, which is unlike other forms of trespass or crime, you didn't profit at all.

MITNICK: I didn't make a single dime. One of the methods how I would try to avoid detection in being traced was to use illegitimate cellular phone numbers and electronic serial numbers to mask my location. I didn't use this to try to avoid the costs of making a phone call, because most of the phone calls were local. I could have picked up a phone at home and it would have been a flat rate. I did it to avoid detection. But at the same time, it was cellular phone fraud because I was using air time without paying for it.

LIEBERMAN: Were you aware, as you went through this pattern of behavior, that you were violating law?

MITNICK: Of course, yes, I was aware of it.

LIEBERMAN: You were. And were you encouraged or at least not deterred by the fact that you had some confidence that there were few or no consequences that attached to it? I mean, there are occasions where people know that they're doing something illegal, but they think that the prospects of them being apprehended and charged are so slight that they go forward nonetheless.

MITNICK: Well that's true. Because as you're doing some illegal activity, you're not doing a cost-benefit -- well, at least I wasn't doing a cost-benefit analysis. And I didn't think of the consequences when I was engaging in this behavior. I just did it and I wasn't thinking about, well, if I were to get caught I'd have these consequences. I was just focusing on the activity at hand and just doing it.

LIEBERMAN: Because of what you described before as the thrill of it, or the challenge of it, the adventure.

MITNICK: It was quest for knowledge, it was the thrill, and there was the intellectual challenge. And [with] a lot of the companies I targeted, to get the software was simply a trophy. I'd copy the code, store it on the computer and go right on to the next without even reading the code.

LIEBERMAN: Interesting.

MITNICK: And that's a completely different motivation of somebody who's really out for financial gain or foreign country or competitor trying to obtain information, like economic espionage, for instance. . . .

LIEBERMAN: You've talked about the prominent role of what you described as social engineering, which is to kind of manipulate unwitting employees. I know this is hard to state a percentage on this, but would you guess that most of the hacking done is being done in that way by the manipulation of the cultural weaknesses, the human weaknesses? And how much does hacking depend on successful human penetration of a system, as opposed to technological penetration of a system without any assistance from anybody inside? . . . .

MITNICK: Well in my experience, most of my hacking involved the social engineering exploitations. But I think that most of the hacking out there is really the weaknesses that are exploited in the operating systems and the software applications. Because if you go on the internet, you can simply connect to computer sites that basically have scripts of the exploit codes so anybody that has access to a computer and modem can download these exploits and exploit these vulnerabilities that are in the operating systems developed by the software manufacturers. And that's why . . . I think it's important for the software manufacturers to be committed to thoroughly testing their software to avoid these security flaws from from being released to the marketplace. . . .

U.S. SENATOR JOHN EDWARDS (D-NC): In answering one of Senator Lieberman's questions about why you got involved in hacking to begin with, I was listening to the words you were using. And they sounded very much to me like a description of addictive behavior. Do you believe that addictive behavior is involved with folks who are habitually involved in hacking like you were?

MITNICK: I'm not sure I'd consider it addictive behavior. It was just an activity I was intensely interested and focused on because ever since I was a young boy I was interested in telecommunications and computers. And that was just my calling, just like somebody who is very interested in sports and every day they go out and practice. I'm not sure that you could really equate it to like a physical addiction. But then again, I'm not a health services professional so I wouldn't know.

EDWARDS: I understand. But did you feel like you yourself were addicted to this hacking behavior?

MITNICK: I enjoyed it. I would say it was a distinct preoccupation, but I don't think I could label it as an addiction per se.

EDWARDS: Did you ever try to stop?

MITNICK: I did stop for a while and then at that time that I wasn't engaging in that behavior, the Department of Justice, specifically the FBI, sent this informant to target me. And basically, I got hooked back into computer hacking because of the enticements that this fellow that they sent to target me kind of enticed me back into that arena.

EDWARDS: What advice would you give to other hackers, or probably more importantly, potential hackers?

MITNICK: That's hard to say, I'd have to really think about that. I don't encourage any activity which maliciously destroys alters or damages computer information. Breaking into computer systems is wrong. Nowadays--which was not possible for me when I was younger, as computer systems are now more affordable--if somebody wants to hack they can buy their own computer system and hack the operating system and learn the vulnerabilities on their own system without affecting anybody else with the potential for causing any type of harm. So what I would suggest if people are interested in the hacking aspect of computers, they can do it with their own systems and not intrude upon and violate other personal or corporation's privacy, or government.