The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.

Computer hacking really results in financial losses and hassles. The objectives of terrorist groups are more serious. That is not to say that cyber groups can't access a telephone switch in Manhattan on a day like 9/11, shut it down, and therefore cause more casualties.

I can go into LinkedIn and search for network engineers and come up with a list of great spear-phishing targets because they usually have administrator rights over the network. Then I go onto Twitter or Facebook and trick them into doing something, and I have privileged access.

Of course I'm sure half the people there hate me and half the people like me

When I was in prison, a Colombian drug lord, offered me $5 million in cash to manipulate a computer system so that he would be released. I turned him down.

I made stupid decisions as a kid, or as a young adult, but I'm trying to be now, I'm trying to take this lemon and make lemonade.

I obtained confidential information in the same way government employees did, and I did it all without even touching a computer. ... I was so successful with this line of attack that I rarely had to go towards a technical attack.