Kevin Mitnick, a dude with a past.

Kevin Mitnick was captured on February 15th, 1995 in the town of Raleigh, North Carolina (Gulker). He was then the most notorious computer criminal yet known. Or so we were led to believe. The capture, incarceration, and release of Kevin Mitnick remain a fascinating mystery to many in the computer and criminal justice world. Why was he held for so long without bail? Why were his parole conditions so restrictive? Would it not have been more prudent to “hire the hacker” once he was released and insure the crimes he committed not happen again? It is clear that the mistreatment of Kevin Mitnick in his parole should never happen again and the criminal justice system needs to change

Kevin was not always a criminal. It’s arguable that Kevin learned these skills as part of curiosity towards the world and technology. Growing up the son of single-mom waitress in Los Angeles, His first “hack” was to find out that the punch used on bus transfers was freely available at a certain store and the bus transfers books themselves were dumped at the bus station at the end of bus drivers shifts (Green, The Register). Kevin was curious which led him in various ways to such things as make his own bus passes to travel freely across town as a boy, learn about phone phreaking and computers.  It is worth noting that as Kevin grew up there weren’t any laws yet for computer hacking or telecommunications privacy. The things he was doing, such as obtaining his computer teacher’s password and hacking the computer system at Digital Equipment Corporation, were prior to any laws being written to the contrary. His best hacking was to be done in the form of social engineering. He simply called up un-suspecting phone company or technology company employees and convinced them to give him information or access to systems he had no real right to. His curiosity about the phone system and how technology and computer systems worked drove him.  At the age of 26, His first arrest  involved jail time, as noted in the film Freedom Downtime (Goldstein), because a cohort he had worked with in the past let the authorities know about his hack of the Digital Equipment Corporation. Specifically, he copied the source code for the DEC operating system, OpenVMS (Goldstein). His friend used his access to copy this same code but faced no jail time as Kevin did.

Kevin spent 8 months in solitary confinement in 1988 of his year sentence  in Lompoc prison for this conviction on the newly minted in 1986 Computer Fraud and Abuse Act(May, pg 2).  After his release and ongoing probation, Kevin attended computer addiction therapy sessions, but it did not dissuade his interest in hacking. His social engineering skill served him well as an information-gatherer for a private investigation company. He was nearing the end of his probation and monitoring period in 1992. It seemed the authorities were not done with him; they were building a case against Kevin, again. Kevin fled and went on a two year spree of hacking involving cloning cell phone software to get free telephone access, making new identities, and hiding from what was coming.  His capture in 1995 was aided by a then unknown computational physicist, Tsutomu Shimomura. Shimomura aided the FBI in the development of cell-phone tracking software and triangulation to track the cloned ESN’s of the cell-phones Kevin was using (Shimomura). ESN stands for Electronic Serial Number. These ESN’s are imbedded in a chip on a cell phone by the manufacturer. When a call is placed the ESN is tracked to verify the call’s validity according to the provider before a connection is made (Derr, TIA).

Kevin was promptly thrown in solitary confinement. Kevin was encouraged to sign an agreement to get out of solitary confinement that involved being denied a bail hearing, a preliminary hearing, and no phone calls other than to his attorney and two family members (Greene). Kevin was the first person ever in the judicial system to be denied a bail hearing. He remained in prison without trial or bail hearing for four and a half years while his lawyers worked with the prosecutors and the prosecution built their case. What was he accused of finally? Computer fraud, wire fraud and possession of unauthorized access devices were the items entered on the final plea bargain agreement of 1999 (Christensen). This included a newly written law that stated the mere possession of items that could gain access to telecommunications equipment and modify it was a crime.(Goldstein) Kevin served the remainder of his term and was released in January of 2000 with the most restrictive parole conditions yet seen for a computer criminal.

The terms of Kevin Mitnick’s release were as such:

“Without the prior express written approval of the probation officer:

• The defendant shall not possess or use, for any purpose, the following:

• Any computer hardware equipment;
• Any computer software programs;
• Modems;
• Any computer related peripheral or support equipment;
• Portable laptop computers, “personal information assistants,” and derivatives;
• Cellular telephones;
• Televisions or other instruments of communication equipped with on-line, Internet, world-wide web, or other computer network access;
• Any other electronic equipment, presently available or new technology that becomes available, that can be converted to or has as its function the ability to act as a computer system or to access a computer system, computer network or telecommunications network (except defendant may possess a “land line” telephone);

• The defendant shall not be employed in or perform services for any entity engaged in the computer, computer software, or telecommunications business and shall not be in any capacity wherein he has access to computers or computer-related equipment or software;
• The defendant shall not access computers, computer networks, or other forms of wireless communications himself or through third parties;
• The defendant shall not act as a consultant or advisor to individuals or groups engaged in any computer-related activity;
• The defendant shall not acquire or possess any computer codes (including computer passwords), cellular phone access codes, or other access devices that enable the defendant to use, acquire, exchange, or alter information in a computer or telecommunications database system;
• The defendant shall not use or possess any data encryption device, program or technique for computers;
• The defendant shall not alter or possess any altered telephone, telephone equipment, or any other communications-related equipment;
• The defendant shall only use his true name and not use any alias or other false identity.” (Painter)

The terms also prevented him from gaining employment in the computer or telecommunication industry.  Kevin’s probation officer rejected several employment offers in these industries that Mitnick was receiving. He suggested that Kevin might find work in the fast food industry (Goldstein).  Why haven’t we heard a lot about this? Kevin was also prevented from telling his story as a result of a gag order on the same parole agreement. This agreement expires in 2010 (Goldstein).

It is interesting to note that once released in January of 2000, Kevin Mitnick was called upon to testify before a Senate Committee that was examining the security of the federal government’s information systems (2600, Mar 2000). The government that had held him in custody for 59 months and 7 days was now interested in what he had to say on security. It is worth mentioning that they could have requested this information earlier and it would have been forthcoming. The ethic that Kevin Mitnick and many other hackers follow is the freedom of information and curiosity to learn new things. While it is understandable that the Senate could not hold meetings within the confines of a penal institution, while Kevin was incarcerated the Senate could have requested documented forms of his now in person testimony on the subjects of computer, personnel, and network security.  It is ironic that this testimony was enough to get Mitnick seen and then hired by several companies as a speaker at conferences on security and computer matters.  Mitnick now has written two books on the subject of computer and information security; The Art of Deception: Controlling the Human Element of Security and The Art Of Intrusion: The Real Stories Behind The Exploits Of Hackers, Intruders, And Deceivers. Kevin has his own company Mitnick Security Consulting that essentially has companies pay him for him and his company to hack their resources and tell them how to shore up their own security. This company was formed after the end of his supervised release in 2003.

The parole conditions of criminals vary, however it is worth comparing Kevin Mitnick’s parole conditions (as a non-violent offender) to those of other computer criminals and other offenders as well. Robert Tappan Morris, was the first person convicted under the Computer Fraud and Abuse Act of 1986. (Wikipedia) His conviction for some of the same crimes as Mitnick involved a sentence of very limited restrictions, supervised probation that he had to pay a monthly fee for, restitution for damages of 10,000, and court fees. Morris was still allowed to own and use computers and cell-phones even though his use of a computer caused actual loss of data and damage to computer systems unlike Mitnick’s crimes (Goldstein).

Justin Tanner Peterson was convicted of fraud for rigging a radio contest involving and pocketing $150,000 from a financial services company in 1995. His parole conditions were as thus: payment of a $40,000 fine and conditional probation that allowed him access to computers at his work only (securitystats.com).  The crimes he committed were clear examples of financial losses on the part of the companies involved and destruction of reputations. Yet, Peterson was still allowed to access computers on his parole so he could earn a living. What made Kevin Mitinick such a special case? His crimes did not involve financial loss on the part of any of the cell-phone or telecom companies involved. If it had the companies would need to have reported the loss on their annual statements. To date, none have for the years Mitnick used their services for free (Goldstein). This constitutes a fraud to the American judicial system on the part of the accusers in the case presented upon Mitnick’s capture in 1995.

Even in the case of sexual offenders, the parole conditions in California seem more lenient than Mitnick’s.  In a report by the California Research Bureau, it’s noted that the typical confinement period for a sexual offender is two years (Mitnick served over 4 just waiting for trial), and while the supervision periods are longer, the parolee is still allowed access to computers and other communications media such as cell phones (Nieto).  Released child pornographers may still have access to computers as long as monitoring software is installed on those in their homes in many cases (Nieto). While the crimes of sex offenders and computer criminals can often be different, it is worth noting that some of the same tools such as cell-phones and computers are used in enticing victims. Apparently, California felt Kevin Mitnick’s crimes were more terrible than many sexual offenders.

The contention that criminals must be removed from any temptation from their former lives to prevent return to their former ways is false in some cases. Computer crime in your past does not necessarily mean you will continue to stray. In the case of Kevin Mitnick, once paroled even with his restrictions appeared at several security and computer conferences speaking on the subjects of computer security and social-engineering and prevention of the same (Pimental). Might it not behoove the criminal justice system to make this same enlightened self interest mandatory? Why shouldn’t the computer criminals of today be encouraged or at least incentivized in their parole agreements to teach the public and local governments how to prevent the same crimes from happening? The information gained could be invaluable to local law enforcement and the general public at large.

Current parole conditions outlaid at Cybercrime.gov are as us thus in addition to the courts mandatory guidelines:

“In general, in addition to certain mandatory conditions of supervised release, the court may order “any other condition it considers to be appropriate” so long as the conditions are “reasonably related” to the factors set forth in 18U.S.C. §§3553(a)(a), (1)(2)(B), (a)(2)(C), and (a)(2)(D). 18U.S.C. §3583(d). Specifically, conditions of the release must be reasonably related to the following factors:

• the nature and circumstances of the offense and the history and characteristics of the defendant; and
• the need for the sentence imposed – (B) … to afford adequate deterrence to criminal conduct; (C)to protect the public from further crimes of the defendant; and (D) to provide the defendant with needed educational or vocational training, medical care, or other corrective, treatment in the most effective manner. 18U.S.C. §3553.”

“U.S.S.G. §5F1.5 allows a court to impose a condition of supervised release restricting employment in a specified occupation, business, or profession if it determines that:

• a reasonably direct relationship existed between the defendant’s occupation, business, or profession and the conduct relevant to the offense of conviction; and
• imposition of such a restriction is reasonably necessary to protect the public because there is reason to believe that, absent such restriction, the defendant will continue to engage in unlawful conduct similar to that for which the defendant was convicted.” (Painter)

What this means is the court can feasibly make any other condition they feel necessary for that particular computer crime case and prevent the same person from using their same skills to earn a living after they are paroled. The state and federal guidelines seem to make it policy that they can unfairly punish a computer crime parolee if they feel they are entitled to. This needs to change.

The current judicial system in the United States already has a solution for this uneven treatment of computer criminals. The use of problem-solving or specialty courts would seem to be highly beneficial for both parties involved. Specialty courts are already in use for across the United States to solve repeated issues and specialty problems for Drugs, Family Law, Mental Health, Domestic Violence, and Teens.

“Problem-solving courts represent a shift in the way courts are handling certain offenders and working with key stakeholders in the justice system. In this approach, the court works closely with prosecutors, public defenders, probation officers, social workers, and other justice system partners to develop a strategy that will pressure an offender into completing a treatment program and abstaining from repeating the behaviors that brought them to court. “(Minnesota Judicial Branch)

The creation of a special computer crime court could lead to real progress in the areas of law, prevention and provide for an area of the criminal code to be expanded. These same specialty lawyers, judges, probation officers, and court personnel would also provide much needed jobs in this economy.

Many of the lawyers consulted for the film Freedom Downtime agreed that the law was severely lacking in knowledge of computer crime and its capabilities at the times of Kevin’s trials. A prosecutor in Kevin’s trial in 1988 was convinced that he could cause a nuclear missile launch by whistling tones through an ordinary phone (Goldstein and Shimomura). This was patently untrue and impossible. These same accusations would not be possible with a more enlightened and educated criminal justice system. Being aware of the law and being cognizant of what truly is possible within computer crime could prevent such embarrassing anecdotes.

Kevin Mitnick cannot be given back the time taken from him, nor the people involved in his trial punished for what seemed perfectly legal actions on their part. However, changing the way courts work now, providing for specialty courts and making sound decisions involving the parole conditions of future offenders is paramount. One in 31 people in the United States are on parole or probation, (PEW) the missteps of the American criminal justice system in the treatment of Kevin Mitnick must never happen again.

Sources and Works Cited

Burkeman, Oliver. “Why did I do it? For fun.” The Guardian 13 Dec 2002 Web 31 Jul 2009. <http://www.guardian.co.uk/technology/2002/dec/13/g2.usnews&gt;.

Christensen, John. “The trials of Kevin Mitnick.” CNN.com 18 Mar 1999 Web.01 Aug 2009. <http://www.cnn.com/SPECIALS/1999/mitnick.background/&gt;.

“Computer Crime – Arrests and Convictions.” SecurityStats.com. Web.01 Aug 2009. <http://www.securitystats.com/crime.html&gt;.

Derr, John. “Electronic Serial Numbers (ESN) and MEID.” Telecommunications Industry Association. Web.01 Aug 2009. <http://www.tiaonline.org/standards/resources/esn/&gt;.

Goldstein, Emmanuel.Freedom Downtime.2600 Films, 2001.

Greene, Thomas C. “Chapter One: Kevin Mitnick’s story.” The Register 13 Jan 2003 Web 31 Jul 2009. <http://www.theregister.co.uk/2003/01/13/chapter_one_kevin_mitnicks_story/&gt;.

Gulker, Chris. “The Kevin Mitnick/Tsutomu Shimomura affair.” Random Access 17 Sep 2001 Web.01 Aug 2009. <http://www.gulker.com/ra/hack/&gt;.

May, Maxim. “Federal Computer Crime Laws.” SANS Institute Reading Room for Infosec. 2004. Web.01 Aug 2009. <http://www.sans.org/reading_room/whitepapers/legal/federal_computer_crime_laws_1446?show=1446.php&cat=legal&gt;.

“MITNICK TO TESTIFY BEFORE SENATE COMMITTEE.” 2600 Magazine 02 Mar 2000 Web.01 Aug 2009. <http://www.2600.com/news/view/article/334&gt;.

Nieto, Marcus. “Community Treatment and Supervision of Sex Offenders.” California State Library. DEC 2004. 01 Aug 2009 <http://www.library.ca.gov/crb/04/12/04-012.pdf&gt;.

“One in 31.” The PEW Center on the States Mar 2009 1-45. Web.01 Aug 2009. <http://www.pewcenteronthestates.org/report_detail.aspx?id=49382&gt;.

Painter, Christopher M.E. “Supervised Release and Probation Restrictions in Hacker Cases.” USA Bulletin DOJ Mar 2001 Web.01 Aug 2009. <http://www.usdoj.gov/criminal/cybercrime/usamarch2001_7.htm&gt;.

Pimental, Tom. “Presentations.” Mitnick Security, LLC. 01 Aug 2009 <http://www.mitnicksecurity.com/presentations.php&gt;.

“Problem-Solving Courts.” Minnesota Judical Branch Web.01 Aug 2009. <http://www.mncourts.gov/?page=626&gt;.

“Robert Tappan Morris.” Wikipedia. Web.01 Aug 2009. <http://en.wikipedia.org/wiki/Robert_Tappan_Morris&gt;.

Shimomura, Tsutomu. “Catching Kevin.” Wired 4.02.01 Feb1996 Web 31 Jul 2009. <http://www.wired.com/wired/archive//4.02/catching.html?person=kevin_mitnick&topic_set=wiredpeople&gt;.

Standler, Ronald B.. “Judgment in U.S. v. Robert Tappan Morris.” Examples of Malicious Computer Programs 14 Aug 2002 Web.1 Aug 2009. <http://www.rbs2.com/morris.htm&gt;.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: