The Book on Mitnick Is by Mitnick
By Michelle Delio
Six months ago, the world's most notorious hacker was wondering if he'd ever be able to live down his reputation as a serial killer of corporate computer systems. Kevin Mitnick was unemployed, depressed and in danger of losing his treasured amateur radio license. He was starting to think that even though he'd been released from prison, he'd still somehow be serving time forever.
Now he's happily wondering how he'll manage to juggle a cross-country book tour schedule with the demands of his new security business. Things are certainly looking up for the man who was once the media's evil hacker poster boy.

Mitnick even has the government's seal of approval now -- the Federal Communications Commission has just officially declared him a reformed man and has decided to allow Mitnick to keep his radio license. The commission's report cited Mitnick's new book, The Art of Deception: Controlling the Human Element of Security, as a contributing factor in its decision.

Both business and book are designed to help others defend against exactly the sorts of social-engineering scams that put Mitnick behind bars for 4.5 years on charges of computer fraud.

The book, which Mitnick co-authored with William Simon, will be released Friday. It focuses on the scams used by so-called social engineers, who manage to convince people to reveal sensitive information that can then be used to bypass a system's security.

Mitnick hopes the book will prove that information can't be secured simply by barricading it behind firewalls, passwords and data-encryption schemes. Mitnick said that hacking people is "equally as easy" as hacking computers. But he believes that far too much attention is paid to pure cyberthreats, leaving the door wide open for social-engineering attacks.

Mitnick and other security experts were disturbed when they discovered that the Bush administration's draft of the "National Strategy to Secure Cyberspace," released Sept. 18, does not provide suggestions on how to avoid social-engineering scams.

"Clearly, social engineering is a problem that needs to be addressed, particularly where people ... have knowledge and/or special access to systems that are accessible via telephone," Randy Sandone, CEO of security firm Argus, said. "Humans will always be human. Social engineering will never go away."
Mitnick outlines dozens of social-engineering scenarios in his book, dissecting the ways attackers can easily exploit what he describes as "that natural human desire to help others and be a good team player."

"People are prone to taking mental shortcuts," Mitnick said. "They may know that they shouldn't give out certain information, but the fear of not being nice, the fear of appearing ignorant, the fear of a perceived authority figure -- all these are triggers, which can be used by a social engineer to convince a person to override established security procedures."

Mitnick is fond of telling people that the best defense against social-engineering attacks is to "trust no one." But he insists that he doesn't seriously advocate total paranoia, just a little common sense. "When somebody asks for a favor involving information, if you don't know him or can't verify his identity, just say no."

Mitnick added that some measures outlined in the government's cybersecurity draft might be useful in countering social-engineering attacks. The draft proposal specifies security education for everyone, a measure that Mitnick endorses.

"Penetrating a company's security often starts with the bad guy obtaining some piece of information that seems so innocent, so everyday and unimportant, that most people in the organization don't see any reason why the item should be protected and restricted," Mitnick explained.

Mitnick also hopes to educate companies and government agencies on security issues through his new consulting firm, Defensive Thinking.