The price tag for Mitnick's attack

13 October 2000 03:00 PM
Tags: mitnick, letters

Kevin Mitnick plagued the corporate world with his chicanery, forcing administrators to work long hours while tracking his movements and securing their networks. Meanwhile he siphoned off their proprietary source code without so much as a "thank you."

How do you put a price tag on that kind of disrespect?

Easy. It comes to exactly US$299,927,389.61.

That's the bottom line according to recently released letters from attorneys and corporate security agents at six of the companies that Mitnick penetrated. The companies sent the letters to the FBI immediately following Mitnick's 1995 capture, and they probably formed the basis of the sky-high damages asserted by the government for the last four years-- including the megabucks figure that helped prosecutors hold Mitnick without bail.

The letters became public late last month when defense attorney Don Randolph attached them to a discovery motion. In his filing, Randolph asked for a court order explicitly requiring the government to hand over any evidence relating to restitution-- the amount Mitnick will be ordered to pay his victims when he's sentenced on June 14.

Federal Judge Mariana Pfaelzer denied the motion Monday.

The statements suggest that Mitnick may be held accountable for a lot of money. The court may order him to cover the US$1.75 million that NEC America spent developing its cellular phone software, because Mitnick copied it illegally.

Because he downloaded the source code for Sun Microsystems' Unix-based Solaris operating system, Mitnick might foot the bill for the US$80 million the company spent on its Unix license. Fujitsu suffered US$2.1 million in similar "damages" the moment Mitnick looked at its software. The list goes on.

"The question is how much restitution is appropriate," offers defense attorney and computer crime specialist Jennifer Granick. "Here, what the companies are suggesting is they might as well not have developed the software in the first place because of Kevin's actions, and clearly that's not true."

Indeed, because the companies didn't lose any of the software mentioned in the letters, they stand to make a lot from a restitution order.

"The restitution should be equivalent to the actual economic harm the victims suffered," Granick opines. "Otherwise, criminal prosecutions result in a windfall for these companies at taxpayer expense."

Do Mitnick's victims really believe he owes them US$300 million for peeking at their software? Well, no.

The property values

"Rather than assessing damage done, the letter simply assessed the value of the property involved in the case," Novell spokesman Jonathan Cohen said. "There's a difference."

As refreshing as it is to hear someone make that distinction outside this column, I have to wonder why these six companies would even mention the irrelevant "development costs" in their letters.

Wouldn't the cost of computer downtime, or the expense of countering Mitnick's attacks, be more reasonable? More honest? Whose idea was it to stick Kevin Mitnick with the bill for megabucks of programming time?

Yeah, like you didn't know.

"The US$80 million was a figure we derived for the FBI because they wanted to have an estimate of the damage done from his illegally acquiring the source code," explained Sun spokeswoman Lisa Poulson. "It was important to provide a measurable, quantifiable value." Sun sells the Solaris source code to educational institutions for US$100.

"These are the losses within the parameters that the FBI provided," said Melanie Scofield, a lawyer with Fujitsu who wrote one of the letters. "We came up with these numbers based upon what we were asked for."

Scofield hastens to point out that unauthorised copying of proprietary code could cost a company plenty, and she commends the FBI for ending Mitnick's crime spree.

"If you spend a lot of money on a product that becomes publicly available to any competitor, then you've lost your competitive advantage," she said. Mitnick has not been accused of passing proprietary software on to any competitors, but at the time of his arrest, Fujitsu couldn't know how far the software had strayed.

Government officials are outraged over the release of the letters that show the sophistic roots of the egregious loss claims. They're particularly angry that the statements wound up on the 2600 and Free Kevin Websites, which led to reports from Wired News and the Los Angeles Times.

In a motion filed last week, Assistant US Attorneys David Schindler and Chris Painter accused Mitnick's lawyer of violating a written confidentiality agreement.

"Mr. Randolph's public disclosure and dissemination of the victim loss letters was clearly designed to cause additional injury to the victims of defendant's conduct," reads the motion, "or to cause such victims embarrassment or ridicule."

The government is seeking sanctions against the attorney. "I'm not surprised," says Fujitsu's Scofield, who heard from the FBI after the letters were released. "They were pretty mad."

And, perhaps, just a little bit embarrassed and ridiculed.

Kevin Poulsen is a columnist for ZDTV's CyberCrime.
