The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [3]
The course my life would follow for the next fifteen years had been set.
In high school, one of my all-time favorite pranks was gaining unauthorized access to the telephone switch and changing the class of service of a fellow phone phreak. When he’d attempt to make a call from home, he’d get a message telling him to deposit a dime because the telephone company switch had received input that indicated he was calling from a pay phone.
I became absorbed in everything about telephones, not only the electronics, switches, and computers, but also the corporate organization, the procedures, and the terminology. After a while, I probably knew more about the phone system than any single employee. And I had developed my social engineering skills to the point that, at seventeen years old, I was able to talk most telco employees into almost anything, whether I was speaking with them in person or by telephone.
My much-publicized hacking career actually started when I was in high school. While I cannot describe the detail here, suffice it to say that one of the driving forces in my early hacks was to be accepted by the guys in the hacker group.
Back then we used the term hacker to mean a person who spent a great deal of time tinkering with hardware and software, either to develop more efficient programs or to bypass unnecessary steps and get the job done more quickly. The term has now become a pejorative, carrying the meaning of “malicious criminal.” In these pages I use the term the way I have always used it—in its earlier, more benign sense.
After high school I studied computers at the Computer Learning Center in Los Angeles. Within a few months, the school’s computer manager realized I had found vulnerability in the operating system and gained full administrative privileges on their IBM minicomputer. The best computer experts on their teaching staff couldn’t figure out how I had done this. In what may have been one of the earliest examples of “hire the hacker,” I was given an offer I couldn’t refuse: Do an honors project to enhance the school’s computer security, or face suspension for hacking the system. Of course, I chose to do the honors project, and ended up graduating cum laude with honors.
Becoming a Social Engineer
Some people get out of bed each morning dreading their daily work routine at the proverbial salt mines. I’ve been lucky enough to enjoy my work. In particular, you can’t imagine the challenge, reward, and pleasure I had in the time I spent as a private investigator. I was honing my talents in the performance art called social engineering (getting people to do things they wouldn’t ordinarily do for a stranger) and being paid for it.
For me it wasn’t difficult becoming proficient in social engineering. My father’s side of the family had been in the sales field for generations, so the art of influence and persuasion might have been an inherited trait. When you combine that trait with an inclination for deceiving people, you have the profile of a typical social engineer.
You might say there are two specialties within the job classification of con artist. Somebody who swindles and cheats people out of their money belongs to one sub-specialty, the grifter. Somebody who uses deception, influence, and persuasion against businesses, usually targeting their information, belongs to the other sub-specialty, the social engineer. From the time of my bus-transfer trick, when I was too young to know there was anything wrong with what I was doing, I had begun to recognize a talent for finding out the secrets I wasn’t supposed to have.