BW: Cyber Alert: Portrait of an Ex-Hacker

BusinessWeek: A journey into the mind of Kevin Mitnick shows just how vulnerable companies are to Internet crime

It's April, and more than 1,600 corporate techies crowd into a ballroom in San Francisco's Moscone Center. The room buzzes with excitement as the star attraction, convicted computer hacker Kevin D. Mitnick, saunters onto the stage. He's on a panel of security gurus and legal experts ready to talk about whether companies should hire ex-hackers to safeguard their computer networks.

It's an explosive subject in the industry, and sparks fly as Mitnick takes on other panelists, including Ira Winkler, chief security strategist at Hewlett-Packard Co. After Winkler warns against hiring ex-hackers, Mitnick mocks him, claiming Winkler himself once hired ex-hackers to work at a consulting company he owned. "I know them personally," Mitnick says acidly. "I had traded [break-in secrets] with them."

The world's most notorious hacker is back in circulation. Known by his handle, "Condor," Mitnick spent 15 years marauding through the computers of the world's largest tech corporations, conning his victims into letting him into their systems. He served more than five years in jail. Only when his probation ended in January was he able to get back on the Internet and start a consulting company, Defensive Thinking LLC, which helps clients to prevent hackers from snagging credit-card numbers, medical records, and trade secrets.

His timing is impeccable. Hacking has reached epidemic proportions because of the explosive growth of the Internet. While Mitnick says he hacked for the sheer thrill of the break-in, never stealing money or destroying property, many of today's computer criminals have far more destructive goals in mind. The recent SQL Slammer "worm" shut down 13,000 Bank of America (BAC ) automated teller machines and slowed worldwide Internet traffic to a crawl. And intelligence experts fear terrorists could use the Net or other computer technology to attack the U.S. The Homeland Security Dept. is concerned that al Qaeda or another group could launch cyber and physical attacks simultaneously, attempting to disable safety systems at nuclear plants or air traffic control systems. "[The prospect of such an attack] is a tremendous threat," says Sallie McDonald, deputy chief of the information and warning division of Homeland Security.

Faced with such threats, companies and government agencies have been pouring cash into their defenses. The amount of money spent on computer security is expected to hit $13.5 billion this year, according to market researcher Forrester Research (FORR ) Inc., twice the total in 2000. The forecast for 2006: $20 billion.

Just spending money on the latest security software isn't enough, though. Corporations and governments are especially vulnerable if they ignore the human side of hacking. In security consultant parlance, it's called "social engineering" -- and it's Mitnick's specialty. Hackers use it to dupe their victims into coughing up passwords and other sensitive information. In nearly all his attacks, Mitnick broke through the toughest network firewalls with persistence, a telephone, and a string of lies. His message to corporations: "There is no patch for stupidity."

His own crimes show that the best key to any locked system is neither a computer nor a modem. It's a gullible human being. Mitnick once pulled a fast one on Motorola (MOT ) Inc. by posing as an employee and calling a Motorola engineer to persuade her to send him the core software for one of the company's new phones.

Mitnick's story is a journey inside the slippery mind of a hacker. It's Catch Me If You Can for the computer realm. A tour of Mitnick's psyche provides a clearer understanding of the dark forces that thrive in the digital world. His criminal career, say experts, is a point-by-point primer on what spawns hackers, how they think and operate, and how difficult it is for them to mend their ways. It's an alert to parents and educators to steer potential "Condors" in the right direction -- before normal teenage rebellion turns into something poisonous. And it's a warning to government and corporate leaders to arm themselves against hackers and cyberterrorists.

These days, operating from the 17th floor of a fashionable West Los Angeles high-rise, the 39-year-old Mitnick strives to present himself as a reformed, mature tech consultant. His Defensive Thinking has attracted nine clients, whom he declines to identify. He has lined up more than 25 speaking gigs at seminars and private companies, each paying $5,000 to $20,000. And he has become something of a celebrity, publishing a book called The Art of Deception and making a cameo on television's Alias as a CIA agent.

Still, many corporations don't trust him. Not only is he a convicted con man but he's also world famous for it. "Do you hire the bank robber to guard your money? I don't think so," says Linda McCarthy, an executive security adviser at antivirus software maker Symantec (SYMC ) Corp. The same fame that Mitnick relies on for marketing collides head-on with his credibility. Unless Mitnick can resolve this conflict, his consulting business may not thrive. And if his speaking engagements peter out once the novelty wears off, he might be tempted to fall back on his old ways. He denies it will happen. "I just won't fall back. It's not an option," he says.

Mitnick is out to prove to the world that he really has changed. He gave BusinessWeek access to his new life through a series of interviews and referrals to his family and friends. And he recounted the long, strange trip of his hacking career, the prison stints, the years on the run, and his attempts to come to terms with himself and society.

As an overweight, nerdy teen in Van Nuys, Calif., Mitnick was desperate for a place to belong and a way to succeed. The hacker's life gave him what he needed. He was the only child of Shelly Jaffe, a waitress who dragged him through four divorces and countless failed romances, mostly with men who gave little thought to keeping her bright but hyperactive son on the straight and narrow path. His father, Alan, a record promoter, was rarely around.

Left to his own devices, Mitnick escaped by learning magic. But card tricks soon bored him, so he sought out the hacker crowd in high school. Their high jinks -- stealing computer passwords and cracking phone lines so they could make free calls -- seemed like magic, but on a grander scale. "It was about the intrigue, the adventure, the pursuit of knowledge," says Mitnick. "I wanted to be in that clique." Recalls Ronen Rahaman, a friend of Mitnick's in high school: "Some guys wanted to do varsity football. Kevin wanted to do varsity hacking."

Mitnick was driven by the need to prove himself. Hackers are typically wallflowers, shunned by the in-crowd, so they look for ways to show off their smarts. "They show their power by screwing over the system," says Dr. Jerrold Post, director of the political psychology program at George Washington University. Mitnick shocked his friends with his audacity. At 16, he phoned a Digital Equipment (HPQ ) Corp. system manager. Pretending to be the lead developer of a new DEC product, he snookered him into handing over a password. Once inside, he didn't steal anything. Breaking in was reward enough.

Computer crime can be addictive, and Mitnick knows it all too well. In his mid-20s, he hacked into DEC again, got arrested, and was convicted of felony computer fraud. He served a year in prison -- including eight months in solitary confinement. Yet after his release, he couldn't resist the draw of the flickering computer screen, the challenge of that next great hack. "It's like being sober and having a guy show up at your place with a line of coke," Mitnick says. "He's enticing you. 'Come on...it's just one time...it won't hurt."'

When the FBI start