2600 publishes FBI's inflated Mitnick money figures

Mike Schiraldi writes "2600 published some letters they have acquired which were originally sent to the FBI by companies whose systems Kevin Mitnick had compromised. In a nutshell, the FBI asks, "How much damage did he do?" and they say, "Well, it cost us $10,000,000 to develop this application, and he got a copy of the source code, so he did $10,000,000 worth of damage." Now the government is furious, and is trying to hold Mitnick's lawyer in contempt of court! But the information that was leaked is supposedly public information. " Yeah-compare contrast the two letters. OK-maybe government intelligence is a misnomer.

Sometimes it's just startling.

For a community (the "open source" community) that always guards vigorously against misuse of the word 'hacker' to pay so much attention to the plight of a 'cracker' like Kevin Mitnick is startling.

The man is a cracker. If you look at 2600 magazine sometime, you will find that it's simply a stew of scripts and sub-literate schematic diagrams. Mitnick isn't a technical wizard by any stretch of the imagination. People like him have this technique called "human engineering" that they use- it's also known as "lie to people in any way necessary to get them to tell you their password." Think about what people like him represent next time you're nervous about paying for an online transaction with your credit card.

The whole romantic notion of the 'electronic bandit' is badly in need of updating. I've looked at some of the virus newsletters and the supposed 'virus source code' they contain. Mostly I have found debug scripts (basically similar to UUencoding- hex dumps of the object code for virii). It's very unimpressive and makes it apparent that most virus distributors are simply the electronic equivalent of a snotty nosed 5 year old kid spreading a cold virus at kindergarten.

The "true believers" in Mitnick will read this and just fume, or ignore it. The rest of you, think about it a bit and reflect on wether you want anything to do with the likes of Mitnick.

Re:Slashdot nutshell description is disingeneous

[devil's advocate mode: on]

Both of the examples you gave were for physical things that were stolen. Money and a MP3 player. While the felony robbery for $20 would carry a high sentence (primarily for the "assualt with a deadly weapon" aspect) not much in material damages was done. Emotional distress may apply here, having a gun in your face would not be fun. The MP3 player you were going to market is a bit closer to what is claimed. However, to be really accurate make it the MP3 player DESIGN. The schematics and source code. And let's say they broke into your computer and downloaded your CAD and C files.

Now we're close.

OK. He had stolen property. That I will agree with. However, as you sated, the penality for that should relate to the damage caused by stealing that property. This really isn't "stealing" in the traditional sense. It is copying. The rightfull owner still has full use of the property in question (unless he deleted the files after downloading). So, the only damage caused is that there is now a copy of your source/designs/etc. out there running arround. Oh, and maybe the fact that a password has been comprimised. Change the passwords and add 5 minutes worth of time for each employee at thier respective hourly rate to the damages bill.

Now. How is one person having a copy of your code damaging you? Can you prove monetary damage from that copy EXISTING? Remember, as the prosecution you must prove "beyond a reasonable doubt" that there was damage, and how much damage. Of course, given some of the stuff I've heard about how this guy has been treated by the government I wouldn't be surprised to see them ignore the law. There have been murders treated better in our criminal justice system.

Now we must consider the distribution of the code in question. Was it distributed? To whom? Were they just friends of the accused? Competitors of the victim? Posted on the internet? Let's assume that the value of the code is basicly what it would go for in the stores as a binary. It's worth is the price of the compiled product on the store shelf. A bit simplistic, but for the sake of discussion... So anyone he gave a copy to has priated the program and as the distributor he is responsible. I doubt that figure is in the hundreds of millions. If it was a competitor, then there may be more to consider.

[devil's advocate mode: off]

I don't agree with what he did, but the figures quoted are rediculous if all he did was make a copy, which is what I've heard. I'm not following the case, so I may well be wrong. If all he did was copy some data, breaking and entering would be a better charge. And the bail should have been reasonable and available to him. I've heard he keeps firing lawyers and simply couldn't make bail, but that it was very high. If he's still in prison because he didn't/couldn't make a reasonable bail, he has no right to complain. If he keeps firing lawyers so the court has to keep moving his trial date back, he has no right to complain that he didn't get a speedy trial. As long as the court had set a reasonable date for the trial before the firing of the lawyer.

This is all based on my basic understanding of the case and I've tried to present differing viewpoints for the reader to consider. As usuall, check the facts, I might be very wrong.

Slashdot nutshell description is disingeneous

[killbill]

In the slashdot description for this story, it stated the "damage" estimates were in the millions. It is setting up a straw man argument here.

If you actually go read the response letters, it seems pretty clear that government requested figures for the "value" of the stolen material, as well as the damages done. The large dollar values were for the "value" of the source code stolen, not the "damages" as indicated by the slashdot blurb. Is slashdot trying to arbitrarily stir people up, or to report the news?

Mitnick was in possesion of stolen property. Period. The normal metric fo determining value is what price the product would get on the free market. If the product is not available on the free market (proprietary code), then the costs for development is as good a metric as any to try to determine value.

If we don't think access to source code is important and valuable, then why do we get so rightously indignant about proprietary software under Linux? If having the source code means little or nothing, then why is OpenSource software so important?

Kevin Mitnick was in possession of stolen property, and I believe he had no illusions about the legality of his actions.

The court has asked the owners of the stolen property for their best guess at it's value. They have provided it. This is why we have jury trials folks, it will be the jury's job to decide to sentence relative to actual damages, or relative to the value of the stolen property. Whats wrong with that?

If somebody holds up a liquor store at gunpoint and gets $20 bucks, then later gets caught, the individual is properly charged with a felony, not a $20 misdemeanor.

If somebody breaks into your car and steals a linux MP3 player that you spent a year developing and plan to market, then sells it to his buddy for $15, do you want them charged with a $15 crime? Do you want them only charged with a $200 crime because that's all the hardware parts were worth?

These companies just answered a question that was asked them, and the question was a reasonable one to be asked for an upcoming criminal trial.

Funny part is....

[MISplice]

If the companies claim their source as part of their intrinsic value(book value) then the losses they are saying happened need to be reported to share holders. Since nothing has been reported to share holders then either they don't consider their software a "valuable" part of their company or the SEC hasn't seen the letter yet.

A Lack of Accurate Info

[maw]

The frustrating thing about following the whole Mitnick case is that the various sources of information about him seem to be wildy at odds with each other.

At one end of the spectrum, you have people like the 2600.com guys who probably gloss over some things that Mitnick may have done and probably also paint the US Gov in a worse light than perhaps is fair.

On the other hand you have US Gov lawyers and their ilk painting Mitnick out to be the digital Anti-Christ.

It's probably pretty safe to say that the truth lies somewhere in the grey area in between, but due to both biases and ignorant reporting in journalism, most people don't really know what's going on.

Are there any unbiased people who know much of anything about this?