Kevin Mitnick's book?


Aug 14, 2003
Hey all,

Wondering if anyone else out there has picked up Mitnick's book, The Art of Deception, which is a view on social engineering and the use of that skill by both white-hat and black-hat hackers, as well as other members of society such as PIs, to glean otherwise personal or confidential information and use it in whatever way suits their purposes.

Although I am not done reading it yet, I am finding it to be an interesting read and would recommend it thus far to anyone who is interested in psychology as well as computer security. Has anyone else read it, and what was your assessment of it?

I think that he is correct in some of his statements: regardless of how much hardening your network has, sensitive information will always be in possible jeopardy due to human nature, which is to trust and be helpful, versus those who take advantage of people's trust and compassion. I also agree with his point about the balance in securing one's infrastructure, as too much security can limit productivity and the function of the infrastructure, and too little makes one's organization susceptible.

Any other viewpoints?

I read it shortly after it came out, and indeed it is an excellent book.

Fun to read, even if you have no network to be in charge of, or don't intend to social engineer.

Having read two books on Mitnick's career and arrest, I recognized several tricks that he had actually used. I also liked the section of the book where he talks about getting someone's driver's license (I think) and sending it to a copy shop, and then forwarding it to another copy shop, as that was something he did and nearly got caught doing. If he had played the trick out the way he describes it in the book, he would not have almost been caught.

However, some of the situations seemed rather contrived. Especially the one about getting unmonitored calls in prison.

Is social engineering really a big threat though? I don't think it's any reason to cause people to panic. Most of it is common sense, such as never giving out passwords, and always verifying who you are talking to on the phone.

There is a missing chapter to that book that the publisher omitted. It was floating around on the net a while ago, but I never read it.

theDot said:
Is social engineering really a big threat though? I don't think it's any reason to cause people to panic. Most of it is common sense, such as never giving out passwords, and always verifying who you are talking to on the phone.

Yes, I came to this same conclusion, but I figured his angle has to do with companies like the one I work for, where you have about 2000+ users in one location and most of them don't know anyone else except their immediate administrative assistant, their local technical coordinator, maybe the mail guy, and the other members of their workgroup if they have one. I could see a situation where individuals such as these people, who are among some of the most technically inept end-users I have ever had the privilege of being looked down the nose by, would give out information they're not supposed to because someone could fake "talking the talk" to them. I have end-users who are too "busy" to sit with me when I install a software package on their box, so they write their passwords down, leave, and don't change them when they come back, and it could be the very day they just changed them as per policy. I have no doubt they would give this info to someone on the phone who sounds convincing enough.

Agreed that the scenarios do seem a bit contrived.

Heh, and as far as common sense goes, most people don't have any when it comes to general computing, or there'd be no tech support. :D

Waiting for his new one, The Art of Intrusion, which will, I hope, prove to be a good read along the lines of this one.

Social engineering is a big problem in the telecom industry because the companies are so big (100,000+ employees). I work for one, and we have had several incidents occur where they know the jargon and can worm their way in to get private info or free calls.

Ok, I work for a big nameless company that is contracted with another very big nameless financial company. I'm one of the workstation tech guys, and let's just put it this way: giving passwords and usernames over the phone is a day-to-day thing. No one cares about security around there, so that's why I pulled my own account from there when I started working for them. The only thing that protects them is how large the place is: 10,000+ users in 3 states, not including the data center across the street. It makes me wanna cry for the network admins who try to keep the place running smoothly, because nothing is enforced.