SecurityFocus, 2003-02-13
By all accounts ex-hacker Kevin Mitnick created only a modest stir when he sauntered into the December meeting of the Los Angeles chapter of the Information Systems Security Association (ISSA). He sat quietly, paid attention, and at the conclusion of the meeting joined some of the other 60-odd attendees in swapping business cards, chatting with fellow computer security workers and discussing his plans for his new consulting business, Defensive Thinking. "He wasn't flashy at all," recalls one chapter member, who didn't recognize Mitnick until the conclusion of the meeting. "He introduced himself as 'Kevin.'"
But the celebrity hacker was noticed, and when he showed up the next month at the January meeting -- open to non-members for a modest fee -- he was already at the center of a controversy. "People were saying, this would reflect badly on the L.A. chapter if we let him in," says the member, speaking on condition of anonymity. The members had coalesced into two opposing camps: those who thought Mitnick's presence at the gathering was an affront to everything the group has stood for in its 20-year history, and those who thought it was pretty cool.
"He's a published author, he's recently been involved in forming a company, and he's got international recognition as someone in our field with credibility," says Quinton Jones, a senior security advisor with Breakwater Security Associates, and the treasurer of the ISSA's L.A. chapter. "If you weigh the pros and the cons, I think he would do more to contribute to the group than he would detract from it."
The ISSA is the largest not-for-profit security organization. It was formed in 1982, when computer security was an arcane science, and is now 2,000 members strong with chapters all around the world.
"Launching Defense Thinking and working in the space, I thought it would be a good opportunity to network with people locally," says Mitnick. After his second meeting, and despite the mixed reaction to his presence, Mitnick surfed to the ISSA Web site and applied for membership online, as one of his first uses of the modern Internet at the conclusion of a court-ordered three-year ban. On January 23rd he received a congratulatory e-mail, welcoming him into the association, and giving him a password to the members-only section of the ISSA site.
It didn't last long. Mitnick's password was quickly revoked, and a few days later he received a letter in certified mail from the ISSA's headquarters informing him that news of his acceptance was greatly exaggerated. "The ISSA has determined that your past behavior does not comply with the ISSA Code of Ethics, therefore we cannot accept your application at this time," reads the unsigned letter.
Mitnick is taking the snub seriously, as a rare pothole on his road to respectability in the security industry. With sales of his book, "The Art of Deception: Controlling the Human Element of Security," still brisk, Mitnick is working the lecture circuit, developing his consulting business, and cutting a deal with a Hollywood studio to produce information security training videos for corporate America. He's scheduled to give two presentations at the RSA Security Conference in April, the security industry's largest gathering: one a talk on social engineering, the other a panel discussion that will see him share a podium with his former government prosecutor, Christopher Painter.
"Most security people are accepting," says Mitnick. "Like at the RSA conference last year, people came up to me to greet me and welcome me to the conference. Usually, it's warm receptions all around."
But while the ISSA's code of ethics doesn't explicitly ban convicted hackers, its first commandment requires that members have a history of performing "all professional activities and duties in accordance with the law and the highest ethical principles." Mitnick, who pleaded guilty to multiple computer crimes in 1999, says that shouldn't apply to him, because his hacking was not a professional activity.
Stephen Robinson, president of the ISSA's Los Angeles chapter, disagrees.
"There are people that are accepted and there are people who are not," says Robinson. "We have ethics and we have standards, and we don't just take anybody off the street that wants to join the group."
Robinson says he didn't make the decision to ban Mitnick from the meetings, but adds that Mitnick's hacking experience and nascent consultancy don't make him qualified to join a professional organization.
Even Jones, who encouraged Mitnick to join, says he understands why the ISSA would be reluctant to accept the ex-hacker into its ranks. "If you've got someone in the room with [the other members] who has a history of breaking the law, they're going to be less likely to bring up their issues... So to that end, him attending could be a hindrance to the goals of the organization," says Jones. Nevertheless, "He's been in the industry longer than many of our members have... I think he is someone who is somewhat a founder of our industry."
Steve Hunt, security research leader at Giga Information Group, and past president of the Chicago ISSA chapter, says Mitnick's membership was a heated issue among the association's board of directors. "The prevailing sentiment among most board members was not anti-Kevin Mitnick, it was a desire to be perceived as a professional organization -- just like the American Medical Association or the Bar Association." (Sandra Lambert, the ISSA's chairperson of the board, declined to comment.) Still, Hunt, who arranged for Mitnick to speak at the Chicago chapter last year, thinks the decision to ban Mitnick was wrong. "There's no reason to exclude him. He has shown over the last couple of years of his probation that he can contribute to the security community, and he's bent over backwards to show that he only wants to keep people from suffering at the hands of hackers and social engineers."
Mitnick sent an appeal to the ISSA's board of directors last week, asking the organization to consider placing him on a probationary period as a non-voting member, as an alternative to an outright ban. "Despite my efforts over the past three years to build a legitimate career in the field of information security, the stigma of my past still haunts me," he wrote.