Famed hacker Kevin Mitnick has chimed in on the Microsoft hack, stating that the software giant's constantly changing story about the attack is simply not believable. Mitnick, who rocketed to infamy for his highly publicized hacking attacks and subsequent incarceration, is now on probation, and he made the comments about Microsoft during a satellite keynote address to the Software Developers 2000 Conference earlier this week. But Mitnick draws a line between what he did--hacking for the fun and challenge of it--and the suspected industrial espionage that Microsoft suffered last week. And he doesn't believe that Microsoft's latest version of the story about the attack--where the company knew about the hack all along--makes any sense. More importantly, Mitnick says that Microsoft has blundered in its public discussions about the attack.
"Microsoft admitted that they were not using the latest anti-virus software, or that they're using static passwords," Mitnick said. "That's foolish in today's environment. Now the whole world knows. That's a huge vulnerability."
In its third version of the account, Microsoft now says that the hack lasted only twelve days and that they were aware of, and monitoring, the hackers the entire time. The company says that it is "very comfortable" that none of its Windows or Office source code was compromised, and that the source code for only one future, unnamed, program was accessed. "We were aware of it immediately when it began," a Microsoft spokesman said. "We tracked the hacker in real time, and knew what the person was doing." Mitnick says this is ridiculous, as any hacker accessing source code would be immediately booted off the system. The FBI, which is examining Microsoft's computers this week, would not corroborate Microsoft's new version of the story. But security experts say that Microsoft's private actions--including shutting down all 38,000 employees' remote access to the internal network--speak volumes. If the company were so sure that it had a handle on the situation that early, this action would not have been required. Likewise, it's unlikely that company officials would have publicly stated that its Office and Windows source code were accessed, as they did last Friday, unless such a thing had probably happened: A company that was monitoring every step made by the hackers would have known where they had been, and what they had seen.
Security experts are shocked at the possibility that Microsoft would allow employees to access the source code to Windows and Office--which the company refers to as its "crown jewels"--from home. This admission, on its own, is likely to lead to some serious rethinking about security at the software giant, which has been roundly criticized in the past for the lack of security in Windows and its other products. Microsoft maintains that the attack did not take advantage of a security vulnerability in any of its products, however
