Kevin Mitnick is thought of as the first hacker (or cracker if you prefer) to be placed on the FBI's 10 most wanted list and the first hacker to have his picture on a wanted poster (1). He was labeled a menace to society for his skills with electronic systems. Mitnick has been described as "loner" "underachiever" high school dropout from a broken home and a member of a "phone phreak gang" constantly in trouble with the law (2).

People like a story to be clean cut, with the men in white hats prevailing over the men in black hats. In this story, at least as it was told in the press and in court, John Markoff, the FBI, and the U. S. Marshals Service are the white hats; Kevin Mitnick, Lewis DePayne and their roving gang of phone phreaking "hackers" are the black hats. But did Kevin Mitnick's actions warrant the actions taken by the U.S. Government? Did the punishment fit the crime?


Who is Kevin Mitnick?

Kevin was born on August 6, 1963 in Van Nuys, California. His parents divorced when he was three. He grew up in a working class family in the San Fernando Valley of Los Angeles, California. His birth father was never around and his stepfather abused him. His stepbrother brother was athletic and popular. He was chubby and a nerd.

From a young age he was interested in electronics. He was incredibly intelligent and had a knack for understanding complex electronic systems. In a typical search for acceptance in his early teens he started using ham radios and phreaking phones with his friends. This group, who called themselves Roscoe Gang, were little more than uber-intelligent prank callers. They would alter phone routing so people's home phones thought they were pay phones (Please deposit 25 cents, where?). Once, they took over 411 and gave ridicules information (Yes, that number is 8750 and a half. Do you know how to dial the half, ma'am?).

His "hobby as an adolescent consisted of studying methods, tactics, and strategies used to circumvent computer security." His first (known) computer hack was at school. He was mostly curious to see if he could and didn't alter any information. And he was expelled for it. Mitnick continued to fulfill his curiosities and "successfully compromised all systems that [he] targeted for unauthorized access save one." Though he was never destructive to any of the systems he penetrated. He maintains, and there is no evidence to the contrary, that his only motives were educational. He broke into a lot of computers, although, he never hacked computers at the North American Aerospace Defense Command (NORAD) nor did any of his actions inspire the movie WarGames (3).


The United States v. Kevin David Mitnick

Aided by a 23-year-old consultant "computer specialist" (4), the FBI located and arrested Mitnick in Raleigh, North Carolina on February 15th, 1995. Blank warrants were used when they illegally searched his residence. This allowed the FBI to "fill in the blanks" with the items seized. He was charged with violating the Computer Fraud and Abuse Act of 1986 and his probation from a prior conviction. In all he was indicted on 23 counts. As part of a plea agreement he waved his right to a bail hearing and the case was transferred to his home state of California. He would plead guilty to being in "possession of more than 15 access devices" (a list of cellular network access codes) and he would not be charged for the other counts. He was sentenced to 22 months in a federal prison (8 months for the computer fraud charge and 14 months for the probation violation).

But this was just the beginning. On September 26, 1996 he was indicted on 25 additional counts, most of which regarded braking into and "stealing" computer data from several multimillion-dollar companies. A few of "the victim companies" as they are referred to in the indictment were Motorola, Nokia, Fujitsu, Novell, NEC, and Sun Microsystems. He must have been some super hacker if he was able to crack the leaders in network security like Novell and Sun.

How did he do it? The government alleged that employees of these companies simply gave him access. Mitnick "posed as an employee of the victim company working on a special project, and then deceived computer department personnel into creating a new user account on the victim company's computers." After which, he used his skills to elevate the account's permissions to Superuser, which allowed him to access anything on the network. He then copied their data to his personal computer.

In court the government claimed that these actions created a loss of over 80 million dollars to "the victim companies". That figure was derived from the cost of research and development of the data that he copied. Regardless of the fact that "the victim companies" still had their data and Mitnick never tried to use the copies in any way or sell them to competitors, and that none of these companies reported this loss to their stockholders, this 80 million dollars worth of damages was used to seek the harshest sentence possible and to keep him locked up with no bail. The actual damages were probably just a few thousand dollars, which represents the time it took the computer technicians to figure out what Mitnick had done on their systems and patch things up.

It is believed that Mitnick was held without a trial longer than any other person in United States history. His defense team tried to secure bail. They argued that he had never been formally detained, and the only reason he was in still custody was because he was indicted while in custody. When his 22-month sentence was satisfied he was kept in jail without a formal detention order or a bail hearing. This deprived him of his liberty without due process, a violation of his constitutional rights. A lot of time was spent just trying to get judges to review his bail hearing requests, only to have them ignored or denied on the grounds that he "poses a danger to the community", something that was unprecedented for non-violent crimes.

The prosecution buried Mitnick's court appointed counsel with discovery documents and the Judge with arguments that enumerated to thousands of pieces of paper. He was hampered from assisting in his own defense. For one, policies at his prison, which contradicted Bureau of Prison's policies, restricted him to five hours a week in the law library. Also, he was restricted from using a computer, which could have aided him in milling through the thousands of pages of evidence and the 10 gigabytes of electronic data or a tape recorder for listening to the hours of cassette tapes. It took the government an incredible amount of time to turn over all the evidence, most of which was delivered less than a week before their deadline. Mitnick was forced to wave his right to a speedy trial several times so his two attorneys and a few volunteers could take the time to make some sense out of the Government's evidence and prepare for the trial.

Eventually the government's tactics wore Mitnick and his defense team down enough that they conceded. On March 18, 1999 Mitnick's lawyer filed a plea agreement. Kevin was forced into admitting that he caused 5 to 10 million dollars in damages (significantly lower than the original claim of 80 million dollars, yet still outrageously inflated and unrealistic). However, he was only ordered to pay $4125 in restitution to "the victim companies" and $350 in court fees. He was sentenced to serve a total of 68 months and nine months were taken off for good behavior. He was finally released January 21, 2000 to start his three years of supervised release with "the most restrictive conditions ever imposed on an individual" in federal court. Throughout these three years he could not touch a computer or cell phone unless his parole officer said he could. This restriction violated Mitnick's first amendment rights because it prevented him from talking or writing about specific computer related subjects.


Mitnick's Effect

As a result of his supervised release conditions, for these three years Mitnick was unable act as a consultant for any computer related subject. He was unable to communicate via email. He was basically restricted from doing what he does best. So with this impotence, he did the best he could.

He went around the country talking about the importance of computer security. He testified before Congress. He gave lectures at several technology conventions. He wrote articles for several publications such as TIME and the Guardian. He appeared on countless radio and television shows including Good Morning America, 60 Minutes, Fox News and National Public Radio. He even figured out how he could start his own business, a consulting firm called Defensive Thinking. All without violating his supervised release conditions.

It is pretty apparent that the U. S. Government wanted to make an example of Kevin Mitnick and went out of their way to do so. The FBI illegally searched his residence infringing upon his fourth amendment rights. He was held without due process of law or a bail hearing infringing upon his fifth and eighth amendment rights. Through legal tactics by the Prosecution he was denied a speedy trial infringing upon his sixth amendment rights. He was forced to eat non-kosher food in prison against his religious beliefs and was restricted from speaking or writing about computer related subjects infringing upon his first amendment rights.

But what effect did his arrest and inprisonment truly have on society. It did very little to actually curb cracking in general. In fact, it has increased its popularity by bringing the "hobby" into the spotlight. However, it did establish "unspoken rules" from which hackers operate. Things like never hack anything bigger than you, like a multimillion-dollar corporation who has a few congressmen on the payroll. Never hack a bank, anything ending with .gov or .mil or anything across state lines to avoid getting the Feds involved. Never get caught, cover your ass and don't leave incriminating evidence lying around.

Kevin's case points out what the government can do if they are so inclined. They have unlimited resources and unlimited time. They can completely throw out the rights of the accused and have him rot in a cell until he pleads guilty. The writer of a letter to Congressman Henry Waxman expressed his fears by saying "if this can be done to Kevin, then it could be done to me." It can be done to anyone of us.


Notes:
  1. This is not true; it is urban legend created by John Markoff and repeated many times in the press. "Michael White of the Associated Press researched this issue with the FBI, and FBI representatives denied ever including me on their 'Ten Most Wanted' list."
    -– Mitnick's testimony before the Senate Governmental Affairs Committee on March 2, 2000.

  2. Descriptions by Tsutomu Shimomura and John Markoff in their book Takedown.

  3. Another figment of John Markoff's imagination.

  4. In a 1997 speech, FBI director Louis J. Freeh stated that they were able to find Kevin Mitnick because they "hired a 23-year-old computer specialist to locate exactly where he was and where he was transmitting from." Seeing that Tsutomu Shimomura was 30 when Mitnick was arrested and claimed he worked for free, it is unclear how much involvement Tsutomu Shimomura actually had in Mitnick's apprehension.


Sources:

http://www.kevinmitnick.com
http://www.defensivethinking.com
http://www.takedown.com
http://www.usdoj.gov/usao/cac/pr/cac70627.1.html
http://www.cnn.com/SPECIALS/1999/mitnick.background/
http://uhaweb.hartford.edu/mevans/paper.htm
http://www.users.muohio.edu/shermalw/honors_2001_fall/honors_papers_2001/stoneberg_mitnick2001.htm
http://www.kfi640.com/darkside.html
http://www.wired.com/news/politics/0,1283,16684-2,00.html
http://interviews.slashdot.org/article.pl?sid=03/02/04/2233250&mode=thread&tid=103&tid=123&tid=172