Information Security News mailing list archives

Mitnick Banned From Security Group


From: InfoSec News <isn () c4i org>
Date: Thu, 13 Feb 2003 03:33:42 -0600 (CST)

http://online.securityfocus.com/news/2403

By Kevin Poulsen
SecurityFocus 
Feb 13 2003 

By all accounts ex-hacker Kevin Mitnick created only a modest stir
when he sauntered into the December meeting of the Los Angeles chapter
of the Information Systems Security Association (ISSA). He sat
quietly, paid attention, and at the conclusion of the meeting joined
with some of the other 60-odd attendees swapping business cards,
chatting with fellow computer security workers and discussing his
plans for his new consulting business, Defensive Thinking. "He wasn't
flashy at all," recalls one chapter member, who didn't recognize
Mitnick until the conclusion of the meeting. "He introduced himself as
'Kevin.'"

But the celebrity hacker was noticed, and when he showed up next month
at the January meeting -- open to non-members for a modest fee -- he
was already at the center of a controversy. "People were saying, this
would reflect bad on the L.A. chapter if we let him in," says the
member, speaking on condition of anonymity. The members had coalesced
into two opposing camps: those who thought Mitnick's presence at the
gathering was an affront to everything the group has stood for in its
20-year history, and those who thought it was pretty cool.

"He's a published author, he's recently been involved in forming a
company, and he's got international recognition as someone in our
field with credibility," says Quinton Jones, a senior security advisor
with Breakwater Security Associates, and the treasurer of the ISSA's
L.A. chapter. "If you weigh the pros and the cons, I think he would do
more to contribute to the group than he would detract from it."

The ISSA is the largest not-for-profit security organization. It was
formed in 1982, when computer security was an arcane science, and is
now 2,000 members strong with chapters all around the world.

"Launching Defense Thinking and working in the space, I thought it
would be a good opportunity to network with people locally," says
Mitnick. After his second meeting, and despite the mixed reaction to
his presence, Mitnick surfed to the ISSA Web site and applied for
membership online, as one of his first uses of the modern Internet at
the conclusion of a court-ordered three-year ban. On January 23rd he
received a congratulatory e-mail, welcoming him into the association,
and giving him a password to the members-only section of the ISSA
site.

It didn't last long. Mitnick's password was quickly revoked, and a few
days later he received a letter in certified mail from the ISSA's
headquarters informing him that news of his acceptance was greatly
exaggerated. "The ISSA has determined that your past behavior does not
comply with the ISSA Code of Ethics, therefore we cannot accept your
application at this time," reads the unsigned letter.

Mitnick is taking the snub seriously, as a rare pothole on his road to
respectability in the security industry. With sales of his book, "The
Art of Deception: Controlling the Human Element of Security," still
brisk, Mitnick is working the lecture circuit, developing his
consulting business, and cutting a deal with a Hollywood studio to
produce information security training videos for corporate America.  
He's scheduled to give two presentations at the RSA Security
Conference in April, the security industry's largest gathering: one a
talk on social engineering, the other a panel discussion that will see
him share a podium with his former government prosecutor, Christopher
Painter.

"Most security people are accepting," says Mitnick. "Like at the RSA
conference last year, people came up to me to greet me and welcome me
to the conference. Usually, it's warm receptions all around."


Ethics Issues?

But while the ISSA's code of ethics doesn't explicitly ban convicted
hackers, its first commandment requires that members have a history of
performing "all professional activities and duties in accordance with
the law and the highest ethical principles." Mitnick, who pleaded guilty
to multiple computer crimes in 1999, says that shouldn't apply to him,
because his hacking was not a professional activity.

Stephen Robinson, president of the ISSA's Los Angeles chapter,
disagrees.

"There are people that are accepted and there are people who are not,"  
says Robinson. "We have ethics and we have standards, and we don't
just take anybody off the street that wants to join the group."

Robinson says he didn't make the decision to ban Mitnick from the
meetings, but adds that Mitnick's hacking experience and nascent
consultancy don't make him qualified to join a professional
organization.

Even Jones, who encouraged Mitnick to join, says he understands why
the ISSA would be reluctant to accept the ex-hacker into its ranks.  
"If you've got someone in the room with [the other members] who has a
history of breaking the law, they're going to be less likely to bring up
their issues... So to that end, him attending could be a hindrance to
the goals of the organization," says Jones. Nevertheless, "He's been
in the industry longer than many of our members have... I think he is
someone who is somewhat a founder of our industry."

Steve Hunt, security research leader at Giga Information Group, and
past president of the Chicago ISSA chapter, says Mitnick's membership
was a heated issue among the association's board of directors. "The
prevailing sentiment among most board members was not anti-Kevin
Mitnick, it was a desire to be perceived as a professional
organization -- just like the American Medical Association or the Bar
Association." (Sandra Lambert, the ISSA's chairperson of the board,
declined to comment.) Still, Hunt, who arranged for Mitnick to speak
at the Chicago chapter last year, thinks the decision to ban Mitnick
was wrong. "There's no reason to exclude him. He has shown over the
last couple of years of his probation that he can contribute to the
security community, and he's bent over backwards to show that he only
wants to keep people from suffering at the hands of hackers and social
engineers."

Mitnick sent an appeal to the ISSA's board of directors last week,
asking the organization to consider placing him on a probationary
period as a non-voting member, as an alternative to an outright ban.  
"Despite my efforts over the past three years to build a legitimate
career in the field of information security, the stigma of my past
still haunts me," he wrote.



-
ISN is currently hosted by Attrition.org
