This absolutely sucks, but Kevin should be doing a lecture circuit, not attending meetings where people come clean with their vulnerabilities. How do we know he isn't simply applying social engineering for his next conquest? Though he isn't malicious, he is dangerous.

I liken him to a big friendly saint bernard in a china shop. He doesn't mean to cause damage and cost us money, but it could happen if you invite him into your world.

Given the technical nature of the issues brought up at those types of meetings, and Kevins obvious skills with social engineering, and his past, it is easy to imagine him finding it easier than ever, and a little too tempting to play.

I honestly believe that the government demonized him and punished him way too hard on very trumped up charges. He was propaganda fodder.

However, even the very mild reality of the stuff he did, is enough for me to not want to tell him what types of servers I am running, where my vulnerabilites are in my network, etc. I wouldn't even want to give him my work phone.

Most computer professionals are like red riding hood talking to the big bad wolf around him. He could probably get any information he needs out of them *if he wanted to* and didn't tell them who he was.

He may never put that hat back on, but he has in the past, so it is possible...

Kevins place is in teaching and helping people learn more about security, not in helping people to solve real world problems with production equipment. His skills are unmatched but that shadow will follow forever.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/2403/18177#18177