This article can also be found in the Premium Editorial Download "Information Security magazine: Buying spree: 2003 product survey results."
Would anyone who wants to attend Kevin Mitnick's "360º Security Summit" please stand up? I dare you! I double dare you...and you know you can't say no to a double dare.
Our favorite ex-con is making his first foray into the world of self-promoting infosec conferences under a veil of secrecy. Only accepted C-level applicants will be allowed to attend his two-day event at an undisclosed location, and the $4,995 fee must be paid in advance.
Attendees' identities will be kept confidential, and a nondisclosure agreement on the application form intends to keep details about the October retreat equally cloaked. The location won't be revealed until 45 days before the event, and even then attendees must get their travel agents to sign NDAs before booking flights.
This is really covert, kind of like that "double secret probation" in Animal House. This exclusiveness also means no onlookers, and absolutely no press. (Shucks, I had my notebook and digital camera ready to go.)
Mitnick and New Leaf Productions, the aptly named group organizing the event, have yet to release a list of speakers or an event agenda. Amy Gray, who runs New Leaf from her Boston apartment, says those details aren't available because they haven't nailed down all the speakers or topics. Once they do, she adds, the attendance fee may go up.
Why all this secrecy that would make the CIA envious? Gray says it's necessary because attendees don't want to get washed in Mitnick's limelight.
"Curiosity seekers pretty much follow Kevin wherever he goes," Gray says. "Kevin and I don't so much mind it, but certain people who are coming want to avoid that spectacle."
Let's be honest. The spectacle of Mitnick's legions isn't the reason. Mitnick is trying to shield his guests from the scrutiny and ridicule that would most certainly follow their soliciting advice from a convicted hacker.
Security pros have no problem showing up for the events where Mitnick is a featured speaker. Several infosec vendors--including Authentify, NetIQ and Zone Labs--have paid Mitnick as a "spokesperson" for their events because he's a draw. But such events are like car wrecks--everyone stops to look, but no one really pays attention.
Mitnick knows better than anyone that no executive will openly pay him big money for his counsel. He promises attendees high-level, insider info "from the pros," which executives can use for setting their 2004 security agendas. Do you, Mr. Chief Executive, want to explain to your board that your security strategy is based on advice from a guy whose corporate Web site opens with an eBay ad about memorabilia from his hacking days?
Honestly, who can blame Mitnick for anything he does? He was never known as a technically sophisticated hacker. Rather, his real skill was social engineering--our fancy infosec term for being a con man. Between his consultancy, Defensive Thinking, his book--The Art of Deception--and now the security summit, Mitnick is doing what many famous criminals have done before--capitalizing on notoriety.
Could executives learn from Mitnick? Well, Jennifer Granick, the Stanford Law attorney who vehemently defends hackers, said at last month's RSA Conference that people could definitely learn about social engineering from Mitnick's experiences. Well, the irony is even Mitnick isn't immune to social engineers or hackers. Mitnick's own Web site has been hacked twice since his probation ended in February and he regained his right to use computers. And Wired allegedly tricked him into a phone interview by posing as The Associated Press.
So, please, 360º Security Summit attendees, don't be ashamed of paying for time with infosec's celeb du jour. Stand up and proudly proclaim, "I based my enterprise's security program on Kevin Mitnick's security expertise!"
And, for those who are rejected by Mitnick, take heart. You'll get your money back, less a $295 application fee, and an autographed copy of his book. What a bargain!
Lawrence Walsh is managing editor of Information Security.
This was first published in May 2003