How to Get A Real Security Budget

[This was originally published on SecurityFocus and mirrored on attrition.org.]

There you are, a highly paid professional administrator for a large Information Technology (IT) shop, responsible for dozens, sometimes hundreds or thousands of machines that process company business: vital correspondence between Research and Development, financial transactions for your countless customers. Perhaps your systems also manage the entire payroll system of a fifty-thousand employee outfit: all things deemed important and sensitive by everyone from the janitor all the way up the food chain to management.

So if management considers those resources and income so valuable, why won’t they allocate more than a couple of rolls of pennies for you to secure the networks you are there to run and protect? Worse, why do you bear the brunt of the heat when any security mishap occurs? The age-old Corporate 22 (AKA Catch-22): secure all of our networks, but you get no resources to do so, yet you will be blamed when something goes wrong. Good luck!

The Trick
So how do you get the budget or resources required to do your job? The trick is to provide hard evidence of insecurity that you can readily show to your boss. Oftentimes administrators are given a small budget to achieve their goals. The trick is not necessarily using that limited budget to work miracles on your systems. The trick is turning that limited budget into real money. This is a gamble of sorts, but it is a safer bet than most.

Despite what you may have heard, penetration testing/auditing serves several good uses. Many people already know it can be a valuable method of testing network security and showing weaknesses in a corporation’s access points. However, this audit doesn’t need to come in the form of a six figure/six month ordeal. Hiring a team to do a quick audit can be much more effective.

Secure a reliable and talented penetration team. Define the scope of their test to include ONLY the resources you are responsible for, lest other administrators in the company deem the probes genuine attacks. Further qualify that the team’s goal is to take some kind of trophy from the servers rather than leave a fingerprint. (1) Suggest a trophy such as a portion of a restricted database, headers to your CEO’s email, or your customers’ credit cards. There are two qualifications to this advice:

    1) Make sure this measure is approved by management in advance.
       Sniffing the CEO's email before it reaches him could prove
       risky to your career.

    2) Make sure the CEO will recognize the trophy as sensitive.
       CEO's don't care about theory or technology; they care about
       concrete, quantifiable items.  Company assets and company
       secrets rank high on that list. And handing your CEO his
       own words written to his senior management will certainly
       open his eyes.

If this is within the realm of your existing budget, explain your goal to the team. Their report should be written in a clear and concise manner as usual and indicate nothing about your secret agenda. The report should be accompanied by your own letter or paper introducing the team’s report: who they are, why they performed the penetration audit, and what they found. Should your CEO not comprehend the ramifications of the report, your letter should go one step further and qualify the report, particularly how it specifically applies to your company. It is important that your letter and the audit team’s report do not exaggerate the problem. As much as possible, let the facts demonstrate the issues and their severity. Most importantly, keep the report positive. Management does not like doomsday prophets and whiners!

Make proactive security a more-bang-for-the-buck sale. CEOs understand revenue; they understand revenue loss; and they understand revenue enhancement. Pitch security as that canonical ounce of prevention that will save them untold dollars in the long run. If you must, give them a “you-can-pay-me-now-or-pay-me-later” pitch. Nothing drives the point home like showing how the cost of a full security makeover pales in comparison to the cost of recovering from an institution-wide intrusion.

Your friends

Security Professionals as Validators:

If your current budget is too tight to allow a penetration audit, you still have another option. The same security team can fulfill the same role by writing an assessment report based on information provided by you and your staff. Instead of having the team find all of the information on their own, give them vital information about your network, trust relationships, firewall rules and more. From these details, the team can piece together a good idea of the security posture of your network. From that picture, recommendations and concerns can be addressed. In many cases, your technical staff can write up the paper detailing the network. At that point, use your small budget to get outside professional validation of your own assessment report.

Be careful, though. Politically entrenched know-nothings in the CIO’s office may not take kindly to you consulting people who actually know their Information Technology. There’s a fine line to walk between securing your system and burning as few bridges as possible.

Corporate Legal Staff:

Yes, lawyers can be your friend! Approach the company lawyers with your intentions. Illustrate your concerns and your goals as a basis for their help. Quote examples of how insecure networks can lead to corporate liability lawsuits (2). At this point, the legal staff should be quite interested in what you have to say. In essence, you are making the legal staff share the responsibility for maintaining a secure network.

Cover Your Assets:

Document EVERYTHING. Write memos, file reports, issue advisories, the works. If you don’t write it down, it didn’t happen. Keep a record of where you’re right and where you’re wrong. You can bet your detractors will keep the latter record, so you’re going to have to be your own champion. Even the most stern resistance from upper management can be worn away when a history of correct conclusions is brought to the fore. In short: nothing speaks like being right. If you see something dire coming down the pike, document it. If your cautions are ignored, keep hold of the documents until you’re vindicated. (I have a way of re-issuing memos authored years before, prefacing them only with a one line note which indicates that the attached document is a reiteration of cautions issued years prior. That has an unusually powerful effect.)

If All Else Fails…

Sometimes you may not have the resources to hire an audit team to help prove your point. In that case, fall back on the same tactics I use to attempt to help everyone else out there. Use your creative writing to persuade your boss you need more resources. Rather than a technical audit report, resort to at least a two-page paper outlining the same things the report normally would. The advantage of this method is that you get to use a bit more flair, a bit more creativity, and some scary hypothetical scenarios to help get your point across.

It’s not a matter of stretching those few dollars to accomplish the impossible. We all know that most IT shops are not given adequate resources to fulfill the requirements placed on them. With security becoming an ever more popular buzzword thrown around by management, the pressure will continue to come down on you.


Thanks: Carole Fennelly, Jay Dyson, Dale Coddington and Space Rogue for suggestions and editing. Thanks to B.K. Delong for the URL and reference material.

Footnotes
1. Many penetration teams will touch a file owned by root/administrator
   in a restricted directory in order to prove they gained access. 

2. http://www.idg.net/crd_1998_9-70162.html
   German Court Ruling Another Blow to U.S. Encryption Standard

The Newbie’s Guide to Fear, Uncertainty, and Doubt

[This was originally published on Hacker News Network (HNN) and mirrored on attrition.org.]

Introduction

Fear, Uncertainty and Doubt (FUD). We all live with it, and we’re all accustomed to it at one level or another: “Do I have enough insurance?”; “Did I leave the coffee pot on when I left for work this morning?”; “Will my proposal be accepted by management?” FUD is simply a facet of life; something with which we all must contend to the best of our abilities.

FUD is yet another method often employed by a party (typically a vendor in our context) to help propagate their product or service. In short, this is achieved by attempting to instill a sense of fear, uncertainty or doubt in the minds of consumers regarding a competitor’s product. By instilling FUD in the minds of consumers, the vendor obliquely promises dire consequences if the intended target does not buy their goods.

The obvious fallacy with this approach is that a vendor’s product or service (P&S) is not sold on its own merit; rather it is sold as a “reasonable alternative”. FUD’s primary goal is to scare consumers away from using superior P&S in favor of inferior (yet often more recognized) P&S.

According to the New Hacker’s Dictionary (aka the Jargon File), FUD is defined as: FUD /fuhd/ n.:

Defined by Gene Amdahl after he left IBM to found his own company: “FUD is the fear, uncertainty, and doubt that IBM sales people instill in the minds of potential customers who might be considering [Amdahl] products.” The idea, of course, was to persuade them to go with safe IBM gear rather than with competitors’ equipment. This implicit coercion was traditionally accomplished by promising that Good Things would happen to people who stuck with IBM, but Dark Shadows loomed over the future of competitors’ equipment or software. See IBM. After 1990 the term FUD was associated increasingly frequently with Microsoft, and has become generalized to refer to any kind of disinformation used as a competitive weapon. (1)

The past few years have brought a dramatic increase in the FUD tactic. Not only are large companies using it to help stifle new and upcoming competition, but uneducated journalists are wielding it like a four-year-old with a loaded gun: unaware of the danger, or of the consequences.

The use of FUD in a marketing campaign is often subtle and hard to spot. Well-written FUD will blend in among facts and be difficult to discern. Worse, this underhanded tactic is often difficult to counter. Rather than fighting against incorrect facts or misguided opinions, you find yourself battling vague assertions, self-serving maxims, and half-truths.

Worse yet is spotting the FUD campaign in the first place. Because it is an effective weapon based on half-truths, distinguishing it from legitimate opinion may be difficult. For an excellent paper and well documented examples of this, consult the paper titled ‘FUD 101’. (2) In this document, Mr. Green outlines several elements and examples of Microsoft using a FUD campaign against the Linux Community.

In today’s world of articles and press releases, we can identify several levels of FUD. This is important as it tells us how to respond to the ‘news’. The more FUD, the more skepticism it should be given. The less FUD, the better the chance that it was merely uneducated conclusions that led to the text.

Twelve Elements of FUD

To help newcomers to the world of FUD, I have come up with a list of twelve elements that can and are used. In order to make this even easier for the consumer, I have devised a scale to help qualify the ‘FUD level’ used in a particular piece of writing. While this delineation is by no means an exact science, it can help put into perspective the subtle technique of disinformation.

a) Urgency

1) Buy our product now to avoid headache tomorrow! While this may be appealing initially, this often comes at the sacrifice of features or performance. Yes, it may be easy to use, but odds are it does a third of what competitor’s products do.

2) Buy our product now because tomorrow our product will kick ass! The promise of future development (also known as ‘vaporware’) encourages you to purchase the product now in order to receive future upgrades that will be better than what is on the market now. Obviously, this does nothing but hurt you in the here and now.

b) Supporters

3) No quoted names. In this world of technology professionals, it is easy to find someone who is a) qualified, b) supportive of the product and c) willing to go on the record. Any article that claims a P&S is desired or supported, but lacks names to back those claims, should be questioned. Why couldn’t they find at least one person to go on record endorsing the product?

4) Quoting known frauds and charlatans. Worse than quoting no one is to quote frauds. Rather than not finding someone to endorse a P&S, they had to turn to someone that is well known for NOT knowing technology. These people will often go on the record endorsing anything if it propagates their name or company, or leads to them receiving some kind of incentive (read: cash).

c) Technical

5) Epiphany Nomenclature Significance Naught (3) The use of large or fancy words in place of readily understood technical terms. Obscuring features behind words that sound impressive is a common way of hiding the truth. This technique is often known as ‘buzzword compliance’.

6) Hyping up old or standard features in place of current or impressive technology. We all use and trade email, so a company drooling over themselves in light of their amazing use of the SMTP (4) protocol means very little.

d) Harm

7) Without our P&S, you’ll be hacked! New security and crypto based companies are fond of using this ploy. Without their products, you are a time bomb waiting to go off! Come tomorrow, evil and malicious hackers will intrude upon your network, deface your web page, read your corporate secrets and pour sand in your gas tank!

8) Without our P&S, you will not get future business! The trend of business is moving toward our product and what we deem standardizations! If you and your company don’t jump on our bandwagon, no other company will do business with you! As we all know, new technology and new standards are only adopted after long and rigorous testing. To move over to a new platform or protocol simply because some company says so is ludicrous.

9) Without our P&S, you will lose time and money! This varies slightly from #2 in that the FUD centers around your company losing time and money today, not tomorrow. As we all know, any enterprise outfit that could possibly lose money in a matter of days for lack of a specific product is doomed to begin with.

e) Spin Doctoring (2)

10) Hyping opponent’s weakness. No more than a form of mudslinging: the company doesn’t rely on its own merit to persuade you to use its products. Rather, it must display its opponent’s weaknesses and use them to convince you not to use theirs.

11) Creating weaknesses for the opponent. Sometimes an opponent has very few weaknesses. So, why not make some up? Clever wording and sometimes outright lies lead to one company creating supposed weaknesses in competitors’ P&S.

12) Attacking opponent’s strengths. Akin to #1, this relies on attacking the selling points of a competitor’s P&S. Oftentimes, you will see this used in conjunction with #1 in an attempt to completely belittle the opposing P&S.

For fun and amusement, you can use the twelve points above to rate articles. If an article or press release uses some of the methods above, attribute it one point per method. In the end, you can say that a given article has a “FUD Factor of 4” or rated “7 on the FUD scale”. Recent months have shown Microsoft to be repeat offenders, often rating between 5 and 10 on the FUD Scale. Their fear of the Linux operating system shows. No one should ever rate higher than a 10, unless the article is made up of nothing but FUD.

Response to FUD

As with all problems, it does little good to discuss them without proposed solutions. With FUD, it is much more manageable and easy to deal with.

The first thing is recognizing FUD in all its forms. Awareness for the average person is the tricky part. Consider the average person who has an interest in the ever-changing world of technology and networking. They go day to day without the benefit of forums that readily challenge these huge companies oozing FUD at every crevice. Unfortunately, they are the bulk of the customers and supporters of these P&S. Educating them is the first step toward an honest profession.

Second is the response. Even if you do recognize a company peddling FUD, how do you respond? Very simple.

1) Mail the author of the FUD as well as their editor. When doing so, be polite and present facts to back your mail. Cite reference material, URLs or anything solid to back your argument and counter theirs.

2) Once mailed, give them a chance to correct their mistakes. Do not assume the FUD was intentional. The correction can come in the form of a retraction or follow-up article. As much as I hate to say it, the media machine may not allow for either. At that point, you must decide what to do.

3) Openly dispute the article in a public forum. Be it a mail list or web board, post the relevant parts of the article containing the FUD and refute them with your own facts. This causes a bit more strife but may be the only solution.

Fin

The use of Fear, Uncertainty, and Doubt in marketing campaigns — while certain to get the public’s attention — is plainly wrong. Armed with the above information, it’s our hope that the reader will now be able to spot it, refute it, and most importantly, not buy into it.


References

(1) http://attrition.org/~modify/texts/jargon/html/entry/FUD.html

(2) Eric Green (eric[at]linux-hw.com) for his paper ‘FUD 101’. An excellent resource for real world examples and definitions: http://badtux.org/home/eric/editorial/fud101.php

(3) By using standard synonyms from www.dictionary.com, we can create an alternate phrase that sounds impressive, yet means nothing.
Fancy -> Epiphany, Words -> Nomenclature, Meaning -> Significance, Nothing -> Naught. “Fancy words meaning nothing”.

(4) SMTP stands for Simple Mail Transfer Protocol. The existing protocol that has been delivering your e-mail for over a decade.

Thanks

Space Rogue (spacerog[at]l0pht.com) for the idea of this paper and harassment. ATTRITION Staff (staff[at]attrition.org) for peer review and harassment. Anna Henricks, Geekgrl, and especially Jay Dyson for proof reading and suggestions.

Life in and around 6 South, 626

[This was originally published on Aviary Magazine and mirrored on attrition.org. It was written by Dale Coddington and myself.]

Recently, two of the Attrition Staff caught up with Kevin Mitnick and asked a few more questions about his living conditions. We presented him with an article by Kimberly Tracey (-1-) to establish a baseline for our talk and a reason for this follow-up.

Life as it REALLY stands

Here’s a little bit about Kevin Mitnick’s life at the Los Angeles Metro Detention Center (MDC), a bit more up to date:

At the MDC there IS a yard for exercising. It is called the “rec deck” (Recreation Deck) rather than a yard, and it offers fresh air and sunlight through a protective metal grating. On this patio Kevin has the option of playing basketball, walking or using the universal weights.

The call for “lockup” (-1-) (known as ‘lockdown’ in most prisons, including MDC) means that inmates must return to their cells. This is typically done for a count to ensure all inmates are still within the confines of the prison, or if any of the individuals get out of control. The times when they are all rounded up on the balcony mean staff are ‘tossing cells’ or doing a ‘shakedown’ (looking for contraband items).

There are two ‘units’ per floor. Each unit has three TVs, giving a total of six per floor. However, inmates from one unit may not use the resources of (or visit) another unit. Short of personal or legal visits (or court appearances), they do not leave their unit.

As of May 24th, the vending machines were removed from the floors. Despite this, the microwaves (2 per unit) are still available. Along with the removal of vending, many items were added to the commissary.

    "I never buy food from the guards. No inmates including me purchase food or any items from MDC staff. It's strictly forbidden" Kevin says.

The only source for Kevin to buy food is the commissary which offers a small variety of food (as well as toiletry items).

We learned that the MDC does offer a couple exercise bikes that still work. “I use them all the time” Kevin smiles.

While using one of the four phones in his unit, he often brings a stool from his cell to make the calls a bit more comfortable. The phones are often turned on as early as 6am, he says. The practice of ‘buying’ phone time is frowned upon by MDC staff.

    "The MDC does not allow inmates to have any cash or change, money is contraband so it's impossible to buy phone time for a 'few extra dollars'" Kevin reports.

Since February, Kevin has been able to use the government-approved laptop on weekdays, with appropriate supervision. This time is usually spent sorting through the many gigs of evidence in preparation for his case. Now that a plea has been entered, the time is spent making a much more educated guess at the actual damage figures being leveled at him.

Unfortunately, the friendly advice about tapes and videos that was offered by Ms. Tracey is a bit inaccurate.

    "I appreciate any tapes or CD's, however, I'll have to wait until I'm released before I can listen to them."

Kevin has no means to play tapes or videos, with or without his defense team present.

No Place Like Home

Each day that Kevin comes down to the visiting room, he carries a cardboard box overflowing with legal declarations, printed evidence, news articles and more. Ten minutes later, one of the MDC staff brings him the government approved laptop so that he can examine the bulk of the evidence. Outfitted with a locking device preventing floppy use, Kevin can only receive programs and evidence via CD-ROM. Dual booting into RedHat Linux and Windows 95, he is able to access almost all of the evidence. To be more accurate, he can not access any of the evidence from the VMS backup tapes, megs of logs from various CDs, and of course the evidence still not provided by the government.

After visiting his direct family or legal staff, Kevin returns to what he has been forced to call ‘home’ for four years, five months, and twenty-one days. Not that he or anyone is counting. Home is a cell smaller than the largest of the private visitation rooms reserved for legal visits. Those rooms are perhaps 8×10, and yet still larger than Kevin’s cell (which he shares with one other inmate). Cell #626 sits off the ‘common area’ and is separated by a wooden door with a narrow glass window, offering less view than the narrow window that grants him a view of the Roybal Federal Building. Along with the other inmate, the tiny cell has two bunks, a toilet, a sink, all acceptable personal possessions and a tendency to give people a cramped feeling.

The common area is available to inmates from 6:30 to 9:45 roughly. This area contains the bikes, microwaves, televisions and phones. Also provided are billiards and ping pong tables. While the common area may sound fun and recreational, it is not conducive to those trying to read or study legal briefs.

Kevin’s cell has a lovely view of the sixth floor of the Roybal Federal building. A building with more stringent metal detectors than the MDC even. Even from the sixth floor, he gets to view more federal offices.

A Day in the Life of...

With a better image of the material life surrounding Kevin, hopefully it will be easier to envision a typical day.

      6:30  -  wake up
               sign up for phone time (typically two 20 minute blocks)
      7:00  -  light breakfast (example: pastry and milk)
      7:45  -  head to patio, walk for half an hour
      8:15  -  weight lifting on patio
      10:20 -  use part of phone time
      10:40 -  grab lunch tray (example: eggs, burrito, potatoes, milk)
               lockdown for lunch
      12:00 -  "boring time"
               legal visits, phone calls, lay out in sun, read, socialize
      3:45  -  lockdown for count
      4:45  -  grab dinner tray for later
               use part of phone time
      6:00  -  ride bike, exercise
      7:30  -  shower
               eat dinner
      9:45  -  lockdown
               shave, read
      11:00 -  sleep

During most of his workouts, Kevin is able to listen to an AM/FM walkman. For those of you interested in his music selection, his radio is programmed with the following channels:

      Memory Location    Radio Station
      #1                 93.1
      #2                 95.5 (KEZY)
      #3                 103.1
      #4                 106.7 (KROQ)
      #5                 98.7 (STAR)

Drop Him A Line

The letters and comments he receives are an uplift to say the least. Continued support and cards are welcome and he sends his thanks to the many people who have written him. Kevin enjoyed his birthday on August 6th, especially when the State of California opted to drop the outstanding charges leveled at him some seven years prior. Despite his birthday passing, cards or words of encouragement would be a great gift. Federal judge M. Pfaelzer sentencing him to the defense proposed restitution and ‘time served’ would be the best gift though. 😉
If that is too much to ask, recommending his immediate release to a halfway house would be acceptable.

As Ms. Tracey said, sending him money via postal money orders is appreciated so that he can enjoy it right away. Another way to support Kevin is to purchase ‘Free Kevin’ bumper stickers from http://www.freekevin.com as the profit goes toward his legal defense fund. For those not keeping up, Kevin is due to be sentenced on Monday, August 9th at 1:30pm. Judge Pfaelzer can be found at the US Court House (-2-), room 12.

Kevin Mitnick
89950-012
P.O. Box 1500
Los Angeles, CA 90053

Both of us have spent long hours locked in a government SCIF on previous security contracts. We were paid to be in these small depressing rooms and hack military networks. I could barely stand 8 hours in those 10×10 rooms full of computers with no windows. Now, Kevin gets to sit in his less than 10×10 cell for allegedly hacking other networks. It’s sick and ironic.


1) “Mitnick’s Life – As It Stands Now” by Kimberly Tracey
7-2-99 (original article)
We refer to this article because of the errata contained within it, and our correcting it. Many of the facts presented here are included to refute material from the original article.

2) US Court House
312 N. Spring St
Court Room #12