Also, it wasn't just AT&T that was refusing service to him; his web host HostedHere.net did the same thing.
And if this has been happening over and over again for 9 years, why didn't he just go to another service provider?
More importantly, you have to question how much of the security problem Mitnick himself poses in this. If he is part of the cause, I think AT&T and HostedHere are probably reasonable to want to get rid of him.
(btw I suspect the 8-numeral password is a PIN, similar to the ones handed out by banks for online logins. Could still be his fault it is out in the wild though)
It's not super secure, but it really should be secure enough if a website cares about security -- they should be limiting login attempts, and shouldn't be storing them in plain text.
Mitnick said that per AT&T policy, his password could only be digits and no more than eight characters long.
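The comment above argues that an all-digit, at most 8-character password is survivable only if the site hashes it and limits login attempts. The block below is an added example, not code from the thread or from AT&T: it sizes the digit-only keyspace, stores the PIN as a salted PBKDF2 hash rather than in plain text, and enforces a per-account lockout. The class and function names, the lockout threshold of 5 failures, and the sample PIN "31415926" are assumptions made for the example.

```python
import hashlib
import hmac
import os

DIGITS = 10          # password alphabet: digits only (policy described in the thread)
MAX_LEN = 8          # at most eight characters (policy described in the thread)
MAX_FAILURES = 5     # hypothetical lockout threshold, chosen for the example
ITERATIONS = 100_000 # PBKDF2 work factor, chosen for the example


def keyspace(max_len=MAX_LEN, alphabet=DIGITS):
    """Number of all-digit passwords of length 1..max_len (111,111,110 for 8 digits)."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def hash_pin(pin, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of the PIN; never store the PIN itself."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return salt, digest


class Account:
    """Minimal account record: salted hash plus an online failure counter."""

    def __init__(self, pin):
        self.salt, self.digest = hash_pin(pin)
        self.failures = 0
        self.locked = False

    def login(self, attempt):
        if self.locked:
            return "locked"
        _, digest = hash_pin(attempt, self.salt)
        if hmac.compare_digest(digest, self.digest):   # constant-time compare
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True                         # online guessing stops here
        return "fail"


def online_guess(account, candidates):
    """Drive guesses against the login endpoint until success or lockout.

    Returns (outcome, number_of_attempts). Without the lockout an attacker who
    can guess online needs at most keyspace() tries; with it, MAX_FAILURES + 1.
    """
    tries = 0
    for candidate in candidates:
        tries += 1
        result = account.login(candidate)
        if result != "fail":
            return result, tries
    return "exhausted", tries


if __name__ == "__main__":
    acct = Account("31415926")  # constructed sample PIN
    print("digit-only keyspace:", keyspace())
    # sequential online brute force: locked out after MAX_FAILURES wrong guesses
    print(online_guess(acct, (f"{i:08d}" for i in range(100))))
```

The point the comment makes falls out of the numbers: 111 million candidates is trivial against a leaked plaintext list or a fast unsalted hash, but is unreachable through a login endpoint that locks after a handful of failures. Lockouts also enable denial of service against a known account name, so real deployments usually pair them with rate limiting per source and a time-based reset rather than a permanent lock.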
"The move by AT&T came this week after Mitnick hired a lawyer to complain that his privacy was being invaded by people posting Mitnick's account information in public hacking forums"
You need a lawyer to complain these days?
Most other 'celebrities' have these issues but being a high profile hacker makes you a great target.
The best defence against this is don't get caught hacking... that way your privacy stays yours.
What Mitnick should do is give tit for tat, expose the identities of his attackers. For such a hotshot security consultant (all digits?) that should be a piece of cake, really.
That said, AT&T has no business cutting him off; rather the opposite, they should secure their systems and use the publicity surrounding this to brand themselves as the provider that is good enough to secure even Kevin Mitnick's account.
It means that a lot of people that you are putting down will see you as their prime target. This goes with the territory.
If KM had taken a job as a programmer somewhere I highly doubt that this would have happened. After all, he is minting his reputation as a former bad guy; nobody forced him to do that.
If he had been a white hat all along it would be different, but a burglar complaining he's been burgled is a bit hypocritical imo.
I guess it sucks being on the receiving side.
Basically all these little jerks do is make him look silly. Personally I wouldn't even bother to respond to them, just take it as praise and laugh at it. By taking it so seriously he is actually fanning the fire.
--pg
It seems many people have responded to you though.
I think some other telco should pay Mitnick to become their customer. How else could you attract so many hacker brains and make them work on finding security flaws in your system?
Assuming that they want to fix the holes, which AT&T probably doesn't. They may be using the "infinite bugs" model, in which fixing one bug does not improve security because there are always other bugs the attackers can find.
As long as you're not a high profile celebrity you should be ok, because no one wants to own you...
The main issue is relying on false obscurity, both in systems (your program rot-13s your password) and in passwords (you pick an easy to guess password).
There's no real security failing if you rely on obscurity that isn't exactly a password, so long as you can accurately assess the real obscurity, e.g. port knocking. If, let's say (and this is probably false) AT&T has a billing system where sending 100 specific, not-easily-guessable bytes allows you to get private data, that's no worse than a password, even if the reason that it works is a bug - unless the source code is available to the attacker.
Of course, AT&T's problem here isn't obscurity, it's that they don't want to invest enough for real security at all. Which could be reasonable from a business perspective.
Not really. Your password may be obscure (although it should probably be as random as you can get), but the key exchange protocols and encryption algorithms should be wide open. There's a reason why secret keys are called "secret" -- they should be the only thing you have to keep secret. If his hosting provider and wireless company can't keep his accounts secure, that's their problem, not his.
Which is not to say that AT&T has good security, all we can tell from this is that it can be broken...
Isn't that what everyone is supposed to do with their passwords?