I’ve long been a fan of the Kevin Mitnick story. His hacking, his capture by the FBI, and the legal drama that followed all make for a complex narrative.

This week, I had the opportunity to present the story to one of my classes. I think the lesson went really well. A little background on how Kevin Mitnick fits into my daily routine: the students in this class are studying for their A+ Computer Technician certification exam, and our current topic is computer security. Here’s how I presented Mr. Mitnick to the class:

  1. Sketch the Mitnick story in broad strokes to the class. Describe his break-in to Tsutomu Shimomura’s computer (based on previously reading Takedown and various Free Kevin websites), his history with social engineering (based on the introduction to The Art of Deception), and the time he spent in jail — both before and after trial.
  2. Read a social engineering story from The Art of Deception with students reading the roles. It reads like a play, where the students have the opportunity to ham it up.
  3. Discuss and reflect. The students spontaneously offered comments (“no way, no one would ever do that!”) and I asked questions (“What weakness is the attacker preying on here?”).
  4. Assign students to research the Free Kevin movement and the FBI’s position. For resources, Wikipedia’s Kevin Mitnick article is flagged as biased — so that’s a great discussion point. Tsutomu Shimomura’s website for Takedown has good pro-government information. Set up a class discussion on both sides of the story.

Colorful stories like Kevin Mitnick’s involvement in social engineering help show teens that the weakest spot in security is the human element. Once I can get the kids to put themselves in the shoes of a Joe in accounting or a Sue in marketing, they’re able to see how a social engineer, posing as a computer technician, can gather seemingly innocuous bits of information, and how those bits, pieced together across several calls, add up to the access the attacker was after all along.