US Wants UK Hacker To Pay To Fix Holes He Exposed 403
bossanovalithium writes "Gary McKinnon, whose tribulations we have followed for several years now, is the UK hacker trying to escape extradition to the US. It appears he is expected to foot the bill for the US Government patching holes his breaching uncovered — to the tune of $700,000. It's not really the norm for someone to pay for exploits to be patched — damages fixed, yes, but this is a very different thing." The article paraphrases Eugene Spafford as saying that the victim of a cybercrime should not take the blame. "If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door." Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?
Well, I've learned MY lesson! (Score:5, Insightful)
Potholes (Score:5, Insightful)
I have to agree with kdawson... (Score:5, Insightful)
This is exactly like charging for a lock that was never there. Another analogy -- it is like forcing the thief to pay for the security system that the store owner now feels that he has to buy to prevent future actions.
If he damaged a system by hacking in, that's one thing. He should pay for that. But it's hardly his fault that the holes were there in the first place and he shouldn't be held responsible for funding the software improvements to prevent such actions in the future.
Re:Taking responsibility for ones actions. (Score:5, Insightful)
The holes aren't his "damage". The holes were already there. I don't care if a whole wall was missing, if an individual walks into a building and does damage or steals, the damage or stealing is what they are responsible for. Building the wall or replacing the lock is not their responsibility at all.
Re:Taking responsibility for ones actions. (Score:5, Insightful)
Repaying any damage he would have caused: Expected.
Going to Jail for his actions: Expected.
Paying 700,000 Dollars to fix the hole he DISCOVERED (not created): Unlawful.
Well... (Score:1, Insightful)
Faulty locks (Score:5, Insightful)
Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?
Rather like the lock company demanding he reimburse them the cost of redesigning their badly designed locks?
It's not paying for the lock... (Score:5, Insightful)
Analogies should be correct to be effective. Sadly, the most effective ones are often incorrect.
Re:Potholes (Score:5, Insightful)
The good guys will make you pay them for exposing holes.
The bad guys will pay you.
Hmmm, maybe I got the "bad guys" and "good guys" mixed up there.
Analogy, sans car (Score:4, Insightful)
Re:Taking responsibility for ones actions. (Score:5, Insightful)
I know, right?
Like last week, these kids walked uninvited across my lawn, and caused substantial damage to a number of blades of grass! And then to add insult to injury, their damned irresponsible parents just couldn't grasp their liability to pony up for the slab, four walls, roof, and two garage doors to "repair" the space their crotch-fruit just casually trespassed across!
Sure, some scofflaws would point out that I didn't have a whole garage there to start with, so why should they have to pay for the rest? But hey, I had the good solid dirt underneath a future-garage, at least.
Re:Faulty locks (Score:4, Insightful)
I think not, I think that's ridiculous. But that quickly brings us to the argument that all software that we rely on should be open source so that we can modify it to fix it ourselves
logic doesn't enter into it (Score:4, Insightful)
The REAL crime is exposure. (Score:2, Insightful)
The real crime is exposing sensitive data through the internet. If a hacker shows his concern and makes it clear that the government is exposing sensitive data, the criminal is the government, not the hacker.
The funny thing is that the real crimes are often not legally the real crimes. In the Netherlands, it is not a crime to have a system full of sensitive data that is hardly secured. But it IS a crime for anyone to expose this insecurity. The Dutch government has created a special "theft of processor time" law to ensure this.
Me thinks (Score:3, Insightful)
"Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?"
More like they want him to pay for a lock that wasn't there because he was the first one to tell them that the lock wasn't there.
Or even more obvious, somebody forgot to put in a front door and now the store wants him to pay for a new door because he was the first one to tell the store that they had no door.
Re:logic doesn't enter into it (Score:3, Insightful)
Correct, and If I trespass onto someone property bu walking through a gate with no lck, I will not be force to buy a new lock. That doesn't mean I shouldn't be fined for trespassing.
Re:There is some logic to it (Score:2, Insightful)
However what is at issue here is what if you walk up to your neighbor and say "Hey don't you think maybe you should have a door on that house? Someone could get in you know..." He then sends you the bill for the door, lock, security bars, and exterior gate.
D.
Re:Potholes (Score:3, Insightful)
McKinnon didn't "report any kind of crime or safety hazard", and there is no reason to expect that, even if the approach the government used to here to assess damages from a violation of the law were to be accepted in that role that it would somehow affect people who "report any kind of crime or safety hazard".
Re:It's not paying for the lock... (Score:1, Insightful)
"Analogies should be correct to be effective."... "the most effective ones are often incorrect."
Your post is oddly self-contradictory...
Re:China and Iran will tell Washington about it? (Score:4, Insightful)
The original poster tossed South Korea (which Washington considers to be one of its strongest military allies) with Iran ( which Washington considers part of the so-called "Axis of Evil") and China (which Washington considers one of its strongest rivals), it is unlikely that he knows the difference.
Re:China and Iran will tell Washington about it? (Score:3, Insightful)
Faulty Lock Users (Score:4, Insightful)
Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?
Rather like the lock company demanding he reimburse them the cost of redesigning their badly designed locks?
From what I can find of his "hacking" abilities on the black vault [theblackvault.com]:
Somewhat frustrated by the common avenues of UFO research, Gary began some basic computer hacking techniques from his girlfriend's Aunt's house in the mid-late 1990s. Soon he began using a system of scanning for blank administrator passwords on supposedly secure networks ...
Sounds more like the lock company distributed a working lock to many U.S. government entities and they put the locks on their sensitive possessions but some individuals simply forgot to close the clasp and had no policy for walking around double checking locks. If he did do $700k of damage and bring the system to a halt, he should pay for it. If they are charging him $700k for a script that scans for blank passwords on accounts on their systems and drop it in a chron job, I'll gladly fulfill the work order for half that price!
Re:If he's a hacker... (Score:5, Insightful)
couldn't he fix them himself? With supervision, I mean.
If I tell everyone that some houses have a big fucking gap where a door should be, am I responsible for not installing one?
Car analogy... (Score:4, Insightful)
Similarly, Ralph Nader [wikipedia.org] should pay for the research, development, and deployment of a new and improved Chevrolet Corvair?
Re:If he's a hacker... (Score:5, Insightful)
You are if you made the owner look like a FOOL!! You're gonna fry.
Re:If he's a hacker... (Score:5, Insightful)
Don't underestimate the arrogance of an attorney, or the ability of people to be swayed by theatrics over substance.
It's not about what's fair, it's about what one can get away with.
Re:If he's a hacker... (Score:4, Insightful)
"If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door." Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?
More like being forced to buy a lock when he pointed out that there wasn't one to begin with. Whoever left the holes in the software should have to pay that 700k. If the Ubanti Motor Company* sells a car with defective brakes and the brakes fail and cause an accident, the Ubanti Motor Company will pay the damages, not some mechanic that demonstrated the brakes' fault in a different Ubanti Motors vehicle.
*Fake name to keep fanboys from mismodding
Re:I have to agree with kdawson... (Score:3, Insightful)
that would be paying for the materials necessary to catch the theif. Costs incurred while investigating someone breaking into your house.
This situation is more akin to you catching him and then the judge ordering him to pay for a new steel reinforced garage door with a retinal scanner for access.
If they were trying to get the hacker to pay for the expense of having caught him I might buy that. If, say, they spent a bunch of money on a new server and network setup to act as a honey pot to catch the hacker that might be reasonable.
Re:Well, I've learned MY lesson! (Score:3, Insightful)
He made the mistake of scanning a country of which his own is apparently (to judge by the terms of the extradition treaty) a dependency.
Re:I have to agree with kdawson... (Score:4, Insightful)
It's an interesting story - but the one thing that sets it aside is that the cameras were fundamental in the charging him for his crime, possibly even the capture.
In the full article, it doesn't say what the 700,000 dollars are for. Its a little sketchy on what can be claimed as the "Damage Caused" and whether or not the money is for the systems (and security checks) to be implemented after his breach.
Whereas you had to set up a Camera to catch the criminal, the US Government caught their criminal and now want to put up the camera. Two different scenarios, which can appear to be so similar that distinguishing who should pay what gets a little fuzzy.
Peter Sommer (the expert refered to in the article), is basically saying that the security should have already have been implemented. In your case, you can argue that you shouldn't require cameras to be set up in your garage as a basic security measure. Closing and locking doors and windows should be enough.
Basically the Government did not have a firewall or any security systems in place at all to stop someone from Remoting in. Thats like leaving your door open, and expecting someone not to enter without permission. Someone walks inside, does that constitute as breaking and entering?
The "Hacker" used a popular program used for technical support to log into a computer. My ISP can't even do that, and all because I have 60 dollars Linksys router at home (not even a firewall), which BY DEFAULT blocks any incoming traffic on those ports.
That is like placing a lock on your door, which is pretty standard. Which the government didn't do, and is now trying to claim almost 3 quarters of a million dollars for.
So many car analogies (Score:2, Insightful)
I don't have a car, you insensitive clod...
A better analogy would be for me to have to replace the emperor's wardrobe [wikipedia.org]
Well here is the US claim (Score:4, Insightful)
From Wikipedia
"The US authorities claim he deleted critical files from operating systems, which shut down the US Army's Military District of Washington network of 2,000 computers for 24 hours, as well as deleting US Navy Weapons logs, rendering a naval base's network of 300 computers inoperable after the September 11th terrorist attacks. They claim the cost of tracking and correcting the problems he caused was $700,000.[15]"
So I don't see where the idea that the claim the $700,000 is merely to secure previously unsecured systems originates from.
If you break into a networkof military computers, it seems reasonable that the owners of the computers would feel that a complete audit of the network to asses damages would be necessary.
Re:Potholes (Score:3, Insightful)
Perhaps this will teach some people that if you don't want to pay the fines for breaking the law, then don't break the law!
Well it's teaching me that if you break the law, you'll have to pay fines for things you didn't do.
That doesn't really encourage respect for the law, you know.
He didn't create the vulnerabilities, he exploited him. Punish him for the illegal computer trespass, but fix your own damn security holes, because those were your fault.
Re:Well here is the US claim (Score:3, Insightful)
The imagination of slashdotters, who can never escape that techies-vs-the-rest-of-the-world mentality.
Re:Somebody drain this weasel. (Score:1, Insightful)
Except there was no password, no security breach, no rooting, and no subsequent vandalism. There was no security whatsoever: he just walked right in. He didn't break anything, he didn't delete anything, he only looked. This is the virtual equivalent of trespassing, not breaking and entering. Furthermore, he only got caught because he left a note.
That's the problem. Crazy people leave notes; stupid people who don't know any better leave notes; honest people who don't believe they're doing anything wrong leave notes. Criminal masterminds, however, do not leave fucking notes. From the plain facts of the case, it's obvious that Gary McKinnon is crazy, stupid, and pitiably honest, but not a criminal. He apparently didn't even realize he was breaking the law, as evidenced by the fact that he intentionally identified himself. Unfortunately, this hasn't stopped prosecutors in both the US and UK from slandering him and trying to utterly ruin his life.
At this point, the US and UK governments have probably spent vastly more money prosecuting McKinnon than McKinnon ever possibly could have caused in damages, and they have done so for the most asinine reasons. It's not even as though successfully prosecuting him will set any kind of useful example: McKinnon was either too stupid or too crazy to understand that he was breaking the law, so it's not like legal precedent would have affected his actions. The next time some dipshit decides the US government is hiding UFO secrets on publicly available computers, it's not as though he's going to stop and research the legal issues of accessing those computers first.
What upsets me most about this case, however, is that the prosecutors have revealed themselves to be much stupider, much crazier, and much more dangerous than McKinnon himself. They apparently feel no remorse in expending significant government resources hounding some stupid bastard for no useful purpose. They're a bunch of Goddamn sociopaths.
Re:If he's a hacker... (Score:4, Insightful)
Or more to the point....
Its like he noticed your house had ACME InsecureLocks and exploited the ACME InsecureLock to get in. Then told someone "hey, you know his house uses ACME InsecureLocks?"
Your house is no more or less secure than when he started. The only difference is, now people know that you bought locks that were not worth shit. How should that make him liable to buy you "TopBrand SecureLocks"? He didn't buy and install the ACME InsecureLocks, he just pointed out what everyone else could have found out if they just walked up to your front door and looked.
-Steve
Re:Well, I've learned MY lesson! (Score:3, Insightful)
Unfortunately this is exactly why trying to do something ice for someone is ridiculous, and that the last die hard movie, based on true story within the government about how lax the system is, and that when this was brought to the attention of certain individuals, they were sentenced for breach when they showed they broke easily into one organization's file system...I tend to agree that it seems the government is not making any friends, and setting precedent that even people within the US who would want to see their private info kept private, could be held accountable for such treason because they got the gut feeling they should let the US government in on their mistakes.
Re:If he's a hacker... (Score:2, Insightful)
Re:logic doesn't enter into it (Score:3, Insightful)
These are US government and legal matters which we are talking about here.
There fixed it for you.
Re:I have to agree with kdawson... (Score:4, Insightful)
Besides, to your "point", the law is on my side [wikipedia.org]. I have a right to be secure in my possessions and person.
I will not shoot someone on sight for trespassing. But I will shoot someone who routinely (or even once) burglarizes my home, or assaulted my wife or family. Given the very low rate of catching people for doing those kinds of things, there is very little incentive for criminals to not run rampant, unless there is the risk of them getting hurt. Why do you think that all mass [wikipedia.org] shootings [wikipedia.org] in recent memory [wikipedia.org] have happened in "firearm free" zones?
Re:If he's a hacker... (Score:3, Insightful)
Better analogy would be, that if you trespassed into someone's house, then got caught, should you be responsible for the amount they paid to have someone come in and check the place out and make sure you didn't damage anything? And the answer is...well, maybe.
Re:Well, I've learned MY lesson! (Score:2, Insightful)
Gary McKinnon [wikipedia.org] didn't report anything to anyone. He got caught logged in to computers he wasn't authorized to access.
Re:If he's a hacker... (Score:2, Insightful)
You first. I'm not saying it's a good idea. But this is not an innocent person pointing out the security hole, this is someone who themselves used the hole. He's not innocent. Also, if you *break* the lock or even the door on my house, and I need to replace it, I can easily see making you pay for the carpenter to come repair the door and the locks. And I can see making you pay for better locks and doors, to discourage the next idiot from using the same vulnerable-to-attack.
Let's be clear. He didn't walk in a publicly accessible system, he broke into a poorly secured one. That's not an open door, that's a thief committing forced entry.