Michigan "Anti-Hacker" Law's First Felony Charges
styles writes: "According to this article, two young men have been accused of gaining unauthorized access to third party computer systems. "The charges are the first under a Michigan law which makes the unauthorized alteration, damage or use of a computer system a felony." I have been a user on m-net (one of the two systems compromised) for a year and some change, and the fact that someone went and took the machine down for at least a month (more? I forget...), and that someone also hacked sshd to steal my password just kills me." And this raises the ever-sticky question of determining who is harmed, how much -- and then the stickier issue of what to do about the first. (Use your judgement in interpreting the source of this news, too.)
[Updated 19:00 GMT by timothy] As several readers have pointed out in comments, and as reader Conan Ford e-mailed, if that funny address sets your nose twitching suspiciously, note that http://www.ag.state.mi.us/AGWebSite/press_release/pr10189.htm does get you to the same place.
Re:Staying within the law (Score:1)
--
Has anyone else ever known a cracker... (Score:3)
There was a cracker that used to work for my company -- once management found out about him, they let him go. But during lunch, he used to go on and on to me about the new virii he was creating. I kid you not, there was a certain passion to his voice about it. (much like pyros, I'm told). Anyway, you really got the sense talking to him that people simply didn't matter -- all that mattered was cracking as many systems as possible.
I don't know if these kids in MI were just a little too curious or if there's something more to it. But often times, this goes beyond a simple "boys will be boys" explanation.
Re:fp! (Score:1)
As to computers in prison, I'm quite sure that the other things our tax dollars paid for are far more of a waste (like the ever popular weight training programs for prisoners) than adding a computer to the cell of inmates.
Behold the Open Source Sloth...
Gov't screwin up? (Score:1)
Well, although I think it's great that we can get info on products we want, or even buy them, I also feel that all of these "victim" companies are the same companies that are destroying the net with their petty patents, and greed grabs at cash (although this comment is not directed at this company, who I'm really not familiar with, I'm making a generalization about MOST companies, and no, I don't condone cracking). These companies have done everything in their power to make the net a nice fat Lazy-boy for business, and practically ruined it for the end users. Then they cry boo-hoo when people retaliate. I hate crackers too, but sometimes I get overjoyed when I see some fat-cat business, who has contributed to these "process patents" or "IP" lawsuits, get whacked by a cracker.
The M-Net system remained down into July and became available only after M-Net replaced the system's equipment.
Doesn't this sound more like random hardware failure? In all seriousness, it doesn't sound like the cracker was trying to damage the hardware, and it's pretty unlikely that hardware damage would occur without a malicious user's intent. Could this just be ordinary failure on a system that wasn't properly fault tolerant? I'm just wondering if this is another un-tech-savvy, bone-headed, government move, that is going to end up convicting a person for a crime he didn't do (although if he hadn't cracked in the first place blah blah blah...you get the point).
Re:Don't know much about psychology, do you? (Score:2)
You forget one point: Even though police catch 1 in a 1000 window breakers. However that 1000th window breaker gets a big spread on the news: Window breaker gets 10 years. Sub-headlines: Police cracking down on window breaking problem.
The fact that police have a poor record in catching these people is downplayed and the consequences are hyped up. Remember window breaking is a common problem in this senerco. Every month you get at least one window broken by vandals. (Take kids playing baseball accidentally breaking the window out of this!) This will mean that there are plenty of vandals caught, and so there is plenty for the media to hype up.
Serves them right (Score:2)
IANAL, but I've heard from residents of some states in the US that if you catch someone breaking into your home you are allowed to use deadly force to protect your property. In this case, if they get caught cracking your system, their life is pretty much over (from a professional point of view). Works for me.
If systems cracking remains a crime that can be gotten away with, then companies will be more likely to accidentally hire some of these people who will likely go on to use the company's systems for their illicit adventures.
Screw 'em. If I had my way, I'd be allowed to shoot anyone I caught breaking into my cable modem connected PC at home. The ones banging on my firewall at work would be another story altogether; I'd keep them alive in extreme pain for a long time.
(Sorry to sound so venomous, but I really really really hate krad fuckoffs.)
The real Threed's
--Threed
Re:Don't know much about psychology, do you? (Score:2)
Not true. Malicious vandalism tends not to occur in public view, which proves that the vandals have some understanding of the risk levels involved. While imagining the consequences may be a bit fuzzy, even anti-social types do recognize levels of severity of punishment, and are able to relatively accurately assess risks.
This is OT, but relevant to this discussion.
Harsh punishments have never been proven to decrease the activity. One of the most famous examples was during the Middle Ages, pickpocketing was rampant. It was a crime that was punishable by death, and in that time that meant public hanging. Now, where do you think the most pickpocketing took place? That's right, at the hangings themselves, because that was an easy place to do it. Most criminals never consider getting caught. They do take normal precautions, but they don't think about what will happen if they get caught, because they think they won't. I mean come on, if they thought they might get caught they wouldn't do it.
Re:Before the knee-jerk reactions start... (Score:1)
I too have had my fill of the arguments defending these actions. I also agree with several posts I've seen that mention the owner of the server could be held responsible. It would seem, however, that to hold the owner responsible would require a client of the system to sue the owner. Another poster made the analogy of one's car being stolen from a mechanic's garage. The police won't arrest the mechanic, but the person can sue the mechanic. Same should be permissible.
Re:Reactionary Politics? (Score:1)
The question to ask, is if you come home, find your door unlocked, find fingerprints inside, and have to have every object in your house painstakingly examined to make sure, for example, that your TV isn't really a time bomb that looks like a TV, your phone isn't bugged, or bulldoze your house and build a new one, what sort of penalty should attach to the perpetrator? Should an act that costs you thousands of dollars carry a lesser penalty than stealing your $300 TV? I don't think so.
There simply is no harmless way to compromise a system. Minimally there's time and expense involved in returning the system to a trusted state, which involves careful determination of what, EXACTLY, the intruder did. Reinstalling is all well and good, and necessary, but will only restore you to the state which left you vulnerable in the first place. No obvious damage means either none was done, or it was well hidden. If the system does anything at all important, there's cost associated with the system being unavailable for its design purpose. Please let's not go down the path of blaming the SA unless you'd also blame yourself if someone broke the windows of your car and filled it with cement. After all, you know you should properly secure your car. Lexan windows, perhaps?
I think a severe penalty is just fine. If you're breaking into someone else's computer, potentially rendering it unusable for some period of time, with NO regard for what the consequences are, you deserve a severe penalty. It's rather like drunk driving. It's an irresponsible act that sometimes doesn't hurt anyone, but often enough the consequences are severe. People who break into systems don't care what the consequences are because they typically don't attach to them. It's time to change that.
Re:Two Sides (Score:1)
I'm assuming this means you're in favour of television/movie/internet censorship by legislation, then? After all, why should a parent have to monitor their children when punishment could be strong enough to discourage producers of violence/sex/thoughtcrimes from producing objectionable material in the first place.
The moral flaws in your argument alone astound me.
Re:What is unauthorized use? (Score:1)
Re:Odd reasoning, that (Score:2)
And let's acknowledge that not all damage can (or should) be given a financial value.
And what punishment would, in your opinion, fit the crime?
Re:Damages? (Score:1)
Re:Staying within the law (Score:1)
Absolutely. I didn't mean to give the wrong impression. I was talking about trends, not current events. My point was that as laws and restrictions pile up, it becomes harder and harder to even be aware of every law, let alone keep them. It is at that point that you get the situation I was talking about.
I am not condoning breaking into computer systems, but I do have issues with that being a felony except in the most egregious of cases. And yes, it's an entirely different thing to be caught speeding. For one thing, you won't make national headlines for doing so. For another, it's not a felony.
________________
Crimes (Score:1)
Thank you for not saying "a criminal using the same technology". They could have resorted to labeling everyone who commits crimes as a "criminal", but they chose a more responsible wording. (They still screwed up the sentence order, though, to make it seem like most of the crimes committed using computers involve cracking.)
--
Re:Don't know much about psychology, do you? (Score:3)
Not true. Malicious vandalism tends not to occur in public view, which proves that the vandals have some understanding of the risk levels involved. While imagining the consequences may be a bit fuzzy, even anti-social types do recognize levels of severity of punishment, and are able to relatively accurately assess risks.
The real benefit is that it's fun, if you're of the right mindset.
so what's your point? (Score:1)
Re:Anti-SPAM (Score:1)
I am not a lawyer, so don't take that as legal advice, but my theory is, you have the right to charge someone for storing their car in your garage, or boxes in your attic - this is no different.
--
Re:Harshness sometimes necessary (Score:1)
Re:Dangerous Laws (Score:1)
I'm surprised they (at least the guy over 18) weren't charged with a federal felony [cornell.edu] for this. They'd be facing a mandatory minimum 6 months' imprisonment. All it takes is causing damage in excess of $5,000 (including clean-up costs) to a computer connected to the internet.
Re:NEW EQUIPMENT! (Score:2)
Breaking and Entering (Score:2)
Many offices have employees only beyond this point signs, but if you delve deeper than a company wishes without seeing a sign, have you committed breaking and entering?
If I come to a login prompt and it does not specify who can and cannot enter, then am I free to assume that any password that lets me enter that I can come up with is fair to use? Should there be explicit statements about who may legally enter a part of a system, or should we all just know not to poke around where people leave doors open.
Where is the line drawn between a publicly accessible place and somewhere that the public is not invited? If I can access it and do not come across any warnings forbidding me to, have I broken and entered? Where does security through obscurity fit in here?
Real world examples rarely make perfect analogies for computer networks.
The source is real (Score:2)
Re:Harshness sometimes necessary (Score:2)
Most people don't get the death penalty, and many murders are pleaded down to lesser homicides, manslaughter, and the perp gets 5-7 with time off for good behavior, and is actually back on the streets in 3 years. Given that the ACTUAL penalty is not the ADVERTISED penalty, is it any surprise that capital punishment isn't effective?
When I was in college I had an internship in our state senate and I worked on corrections issues -- the average time served for all offenses, including murder, kidnapping, rape, and assault was LESS THAN 5 YEARS. Committing serious crimes doesn't mean you will go to jail for very long if at all. Career criminals and those exposed to that lifestyle know this.
Except in the case of mentally ill people, cracking isn't a one-time act of passion. It's a deliberate, calculated behavior which has a great deal of forethought.
And the people involved in cracking, are, generally speaking, higher on the socioeconomic foodchain than many people involved in murder, and hence are presumed to have a better developed sense of ethics, personal responsibility, and should also have a greater fear of involvement with the criminal justice system and the costs involved.
I find it hard to believe that exposure to the criminal justice system, and the consequences of prison (it's a violent, dangerous place, in college the prison surgeon said he sewed 3 rectums up per month on average) would not have a very real, very significant impact on "crackers" if those that were caught were given mandatory jail sentences, stiff fines and long probation periods.
Trespassing? How about that? (Score:2)
I don't like new laws, and if we can avoid creating new ones for the Digital Revolution, that's a Good Thing.
I don't like the "vandalism" arguments. That implies a monetary damage, which is difficult to determine. So how about trespassing? We have property laws and private property rights, correct? (Okay, we don't, not really. But theoretically we do)
So why can't crackers be convicted on trespassing laws?
Taco's Going to Jail?? (Score:3)
-Vercingetorix
Re:Handed In? Caught? Huh? (Score:2)
What bothers me is this line: On May 31, while Salcedo had access to the M-Net system, the system crashed and did not recover.
That's what they're charging him with. The hardware took a shit shortly after he got in, and they're using
Re:Odd reasoning, that (Score:2)
That's going to be a little difficult to extend to hacking when said hacker is living 2000 miles away from you!
Suffice to say, using B&E to describe hacking is only suitable as a METAPHOR - and not as a particularly good one either, since the resultant damage is not the same. Making laws based on such a bad metaphor is a really bad idea, even if hacking my computer makes me more pissed off than finding out that somebody was checking through my sock drawer
Re:so what's your point? (Score:2)
Police must be prepared to use deadly force at any and all times, even traffic tickets can get them killed. If the police are serving a warrant, and you reach for some unknown object, you WILL get shot.
LK
Re:It's a felony to press our panic button! (Score:2)
You seem to forget he didn't do this graffiti out in the open. HE first broke into someone's system, and then did the graffiti. If I spraypaint the outside of an office building, I get charged with vandalism. If I break into the office building and spray paint the CEO's office, I get charged with breaking and entering (and vandalism or whatever else I did while inside). It's not like the kid wrote a naughty note on a message board somewhere, he broke into a system and left the note all over.
Did you think of that? (Score:2)
That's one of the most succinct and insightful statements about society I've ever seen.
And to think I found it on /.
The noise doesn't totally overpower the signal
yet.
regards,
-l
Breaking and entering my ass! Think again. (Score:2)
Breaking and entering causes real damage. Someone has to pay to replace or repair what got broken during the entry. Trespassing, on the other hand, is just sneaking in through an existing hole. When someone cracks the security of a system, they haven't physically touched anything. They've just found a hole that was always there, and exploited it. The hole was caused by the software designer who didn't bounds-check, or the system admin who didn't secure something. The cracker didn't cause the hole, and if it gets fixed after the crack, then it needed fixing in the first place.
Follow me so far? That's Salcedo's case.
Now let's talk about what happens once someone's in. Malicious destruction of property is when you deliberately go break things just to break them, and it has a monetary value assigned to it. Vandalism is kid stuff, it's stupid, and it's usually trivial to clean up. So let's say some intruder changes some HTML. The sum total cleanup effort involves restoring the previous versions of the pages, which most vandals just rename in the first place.
Sounds like Salens is being charged with a FELONY, think about it, a felony, for defacing a web site from his own Earthlink account. Stupid, yes, but not a felony.
Judgement (Score:2)
You don't have to tell me that; I'm reading this on Slashdot...
Re:Yes, a MONTH (Score:2)
I was actually considering taking the first para out before submitting, but then hey, probably no one would have actually read the post then.
I also missed out "...until the plates met" . "just to impress their little friends."
And nope, hope I never have to, it's bad enough rebuilding after a crash without worrying about what they've done to any custom software you might have.
Yay! (Score:3)
Re:I agree. (Score:2)
Joe Saul, Executive VP, Arbornet seldon@arbornet.org
Re:Harshness sometimes necessary (Score:2)
Life without parole would be an equally good safety measure, and it avoids the small drawback of killing innocent people [amnestyusa.org].
Given the treatment of "hackers" in the US media, we should be almost as worried about unjust ramrod prosecutions as underprivileged murder suspects are now.
Uh oh, my SpiderKatz Sense is tingling. Jon could easily turn this topic into another epic, so I better stop now...
Re:Damages? (Score:2)
Say I am looking to buy a Coke somewhere.. if I see 2 stores, one with graffiti all over it, and one clean and nice-looking, I'll probably head to the latter to get my coke.
Re:Make automatic nightly backups (Score:2)
Ok, I'll bite. How is replacing a program with a trojan on an open source system any easier than doing so on a close sourced system?
Determination (Score:2)
This applies to computers and software too. No net connected machine is 100% secure. Even disconnected, placed in a steel room, buried in a mountain, it's still not 100% secure. When you bring people (admins and users) into the picture you really shoot your security to shit.
I'm gonna put a foot down here and give an absolute: I refuse to believe that anyone should be held liable for the laws of the universe. If it's impossible to make a 100% secure lock then you shouldn't be able to sue the lockmaker unless they purposefully introduced a flaw into the mechanism.
Of course, that doesn't mean that you can't publicly deride a lockmaker or software house for bad security.
(Begs the question: Has a software house ever been sued for a security flaw?)
The real Threed's
--Threed
Re:Odd reasoning, that (Score:2)
Oh please, hacking is only similar to B&E as information is to physical presence.
Somebody who has hacked into your computer is hardly as physically dangerous (unless they've hacked into something controlling a life support system!) as if they're standing in your house ready to brain you with a crowbar.
This is exactly the kind of reasoning which equates copying a CD with stealing cargo from ships on the high seas.
I've never been able to speel. (Score:2)
It took me 2 mintues to come up with that speelling, which was as close as I could get. It took me 5 minutes to find it in a dictionary (For starters because I was looking for sE, not sC.
Anyway, the proper spelling is scenario
Generally when someone asks me how to spell something I respond i-n-c-o-r-r-e-c-t-l-y. This just goes to prove I'm right there.
Wrong! (Score:2)
You're wrong, and YOU're the one trying to rewrite history. See Steven Levy's book "Hackers" for some of the documentation.
"Hacker" was MIT AI-lab slang for an exceptionally talented and persistent programmer - someone who could substitute that talent and persistence for a lack of tools and achieve impressive results. (This was particularly important at the time, because to a large extent there WEREN'T any tools yet...)
One possible precursor was a Yiddish term meaning approximately "someone who builds furniture with an axe", and carrying the same positive connotation. (Contrast vs. a "hack" writer.)
To hack a problem was to attack it with all the skill you had and find a way to solve it. Yes, it could apply to hacking through a security barrier - but only to the extent that defeating a security barrier was a member of the set of all difficult software problems.
Saying "hacker" when you mean "(computer security) cracker" is like saying "sailor" when you mean "(sea) pirate" or "cowboy" when you mean "cattle rustler". Yes, crackers tended to be a subset of hackers, just as cattle rustlers were a subset of cowboys and sea pirates a subset of sailors. (Or at least that was true before the script-kiddie phenomenon lowered the bar on cracking.) But the misuse is exactly the same.
The misuse apparently began with an early self-appointed security expert's presentation to early information-system management. He went on a lecture circuit trying to alert MIS people to the dangers of crackers (and to drum up consulting business). He used "hackers" as a term for crackers - much to the confusion of the techies in the audience (who recognized the misuse but considered it a sign of the cluelessness of the presenter).
But for many of the MIS executives (and the members of the trade press) this was their first in-depth exposure to both the threat of crackers and the term "hacker". So the misuse quickly caught on among the suits, and from there spread to the general media.
To this day one of the most effective ways to separate the technically literate from the hangers-on is to determine how they use the term "hacker".
Re:Odd reasoning, that (Score:3)
Even if no damage was done, breaking into someone else's computer is sure as hell an act of criminal trespass.
Here's how the State of Georgia, for example, defines criminal trespass [ganet.org]:
If a computer is an extension of my premises, this sounds like cracking to me; frankly I'd be much more upset with you if you were going through my computer files than my tool shed. One important difference, though, between criminal trespass and whatever tough-on-crime bullshit they've got going on in Michigan, is that criminal trespass is a misdemeanor, not grounds for a five year prison term.
--
Re:we are all harmed (Score:2)
The problem arises when someone acts out against society in a hurtful manner. Hacking systems is just as destructive as breaking into a bank or house. How would it feel if someone broke into your home. I'll tell you. I no longer felt safe in my old place. There is emotional damage. When someone hacks a computer system, the punishment should probably be the same as breaking and entering. If they take something the punishment should probably be theft.
Being different does not give you the right to harm others, and that is what you do when you hack systems. That was my point. You don't just hurt the corporation, you hurt everyone that uses that computer system. Hackers or maybe I should say "Crackers" which is the proper term should be punished.
I don't want a lot, I just want it all!
Flame away, I have a hose!
Political Correctness "Cracking" (Score:2)
This could be bad for those who would define hacking as simply playing with advanced settings and programs on their own software and hardware.
-Ben
Odd reasoning, that (Score:5)
Yet another case of saying the net is like the real world as a justification for not treating it like the real world, I guess.
Re:The lack of necessity and need (Score:2)
Notice I said: If he doesn't do that and gets cracked. Checking for new security issues should be part of the sysadmin's daily routine, and if he's doing that, but gets hit before he's able to find out about the kiddies' new whiz-bang 'sploit, then it isn't his fault.
Yes, I will blame the sysadmin for poor security if he doesn't work at keeping his boxes safe from crackers - this is just plain common sense. Putting a computer onto a network entails responsibility that needs to be taken seriously. Would you have a child and not bother to educate him/her about the dangers present in society so that s/he will take common-sense precautions to remain safe?
No, this does not excuse the actions of the cracker - just like a pedophile who kidnaps your son because you didn't teach him about perverts can't use that as an excuse - but it also does not excuse the lack of responsibility on the part of the sysadmin.
Two Sides (Score:3)
Buy a different lock.
There are two parts to this. The server maker is responsible for not being as careful as OpenBSD has proven that you can, the Admin is responsible for not doing his job right, and the script kiddie is responsible for breaking in.
Admins are unsaveable at this point, any fool can install a server and set up shop these days. Companies and kiddies should be punished. If you sold me a shit lock and some kid broke in my house, I would have the kid arrested and you, the lock seller, would be sued for any damage the kid did to my house.
If only our legislators could see that. But, noooo, MS is an 'innovator', Macs are 'toys', and Unix is for 'hobbyists'. Great.
Re:Serves them right (Score:3)
Blowing things out of proportion (Score:3)
Granholm said: "Hacking is the dark side of high technology's power and progress. For every person using a computer or the Internet for research, commerce or communication, there may be another person using that technology to commit a crime."
She probably didn't mean that literally (how stupid would she have to be in order for that to be the case), but using such inflammatory language is wrong. Does she really mean to give the impression that half of the Net users are legitimate, and half are criminals? That would mean hundreds of millions of criminals!
(sarcasm)No wonder law enforcement has to work so hard to make the Net safe for us!(/sarcasm)
________________
Re:Determination (Score:2)
I am not a lawyer (and I doubt you are one either) [IANALAIDYAOE], but I take issue with your pronouncement. Parties should, in principle, be held responsible for incompetence or negligence that harms others. The matter should not hinge on "intent to harm," as this would give carte blanche for corporations to produce most anything under any claims whatsoever provided you couldn't prove a willful introduction of deleterious flaws into the product. Most people would see no problem with holding responsible, say, a factory that inadvertently contaminates a town's groundwater with heavy metals or a contractor who builds a bridge that falls down under a normal traffic load due to corners that were cut during the construction process. Neither is technically a purposeful introduction of a flaw nor a violation of physics, yet both are examples of negligence.
(Begs the question: Has a software house ever been sued for a security flaw?)
Negligence itself in the U.S. has a curious definition. In essence (if I recall correctly--lawyers, please correct my errors), the criterion is the answer to "In hindsight, would you have done anything different to have prevented this from happening?" If the answer is "yes," then one is negligent. This, like many USian laws, seems to leave little room for common sense, and it is a system that can be easily abused: Of course McDonalds employees would warn a person of hot coffee if they knew she would later injure herself. Of course the soda machine company would warn people that it is dangerous to try tipping the machine over to get a free soda.
Software companies are different, however, since they have a shrink-wrap licensing agreement that disavows them of any responsibility for damages resulting from potential use or misuse of their products. If I'm not mistaken, one generally cannot even pose the negligence question to a software company since they make no claims whatsoever on the suitability of their products for any purpose, much less the purpose that led to damages to a party. This is yet another way that software differs from the "real world."
Harshness sometimes necessary (Score:4)
For example, if breaking windows on houses was so widespread to be considered a real problem but so easy to get away with due to the sheer number of houses and the inability of law enforcement to track the criminals to their crimes then maybe a harsh law against window breaking will provide some kind of deterrent effect in the minds of those breaking windows.
The same may be true about cracking -- the odds of getting caught may not be that great, but if the penalty is really severe and people are getting charged and convicted then it might make some people think twice about it.
I also don't have any sympathy for crackers caught in someone else's system who didn't want them there -- you're breaking the law. You might find safecracking a challenge, too, but if it's not your safe you're going to jail. A common criminal is a common criminal, and intellectual justification doesn't make it ethical.
New Denial of Service Attack found (Score:5)
In other news today, a new Denial of Service attack, The Slashdot Effect was announced. To activate the DoS, the malicious user sends a story to the popular Slashdot [slashdot.org] web site, who posts this story, containing links to a web site that the story references. Slashdot users try to access the site with such frequency that the load causes general use of the site to be unavailable. This can effectively cripple the site for hours or days on end.
Fixes/Workarounds:
To prevent The Slashdot Effect, avoid doing anything noteworthy to "Nerds" or any technological group. Avoid getting into legal trouble with the Motion Picture Association of America, and most definitely, avoid anything to do with Linux, FreeBSD, X Windows, or Distributed File Sharing. Also, avoid interacting with the following companies professionally:
IBM
Micron
RedHat
Rambus
NEC
Compaq
Amazon
Yahoo
Google
id Software
AMD
Intel
Doing such could be hazardous, and increase the potential of being hit with this crippling DoS attack.
If this were a public warehouse... (Score:3)
EVEN if they had a piece of paper saying that they were not responsible.
Same goes with a mechanic that lets someone else drive off with your car (even if strangers just "borrow" it for a little while and you get it back).
Why does this have to be any different?
Until both the person messing with someone else's public server AND the owner of the server itself are held accountable for their actions, this activity will not even begin to slow down.
Caveat: there is no telling if anybody accused even did anything in this story because the FBI is involved and they seem to skip over or invent "facts" as it suits them, ref. Kevin Mitnick damage assessment.
Visit DC2600 [dc2600.com]
Nature of Crime (Score:2)
Re:Reactionary Politics? (Score:2)
Nope, not in the US. You forgot the national motto. A Government by the People in the Corporation's pockets, of the People in the Corporations Pockets and for the Corporations.
Why do you think the line denoting dollar totals is the _Bottom_ line. It has the final word in any debate. Period.
Steven
Re:A note from m-net's sysop: (Score:2)
From what has transpired so far, I'd stay away from M-NET. I'd worry that they might misinterpret even more benign activity as "trespassing". What they should have done is learned their lesson, made their system more secure, and left it at that. There was no need to get the police involved.
this approach is bad for consumers (Score:2)
If companies can avoid responsibility for making their systems secure, they won't bother. They'll keep using outdated software and intrinsically insecure infrastructure. If there is a break-in, they just point the finger at the guy who broke in. The consumer is still at a high risk from the theft of their data, but the company is free and clear.
Yes, breaking into someone's computer system is wrong and should be punishable in serious cases. But more important is that companies should face stiff fines and criminal charges if they expose personal or private data through insufficient security. On balance, companies don't have to be protected from crackers--they can easily protect themselves if they have half a clue. People need to be protected from companies that venture out into the Internet without the technical competency to protect their customers' data.
Who is that IP anyways (The Answer) (Score:2)
Name: www.ag.state.mi.us
Address: 167.240.254.37
According to ARIN, it's in the Michigan State Government's net block. Unless this is someone having a happy time on the State's servers, or a trigger-happy State person, it's legit.
Before the knee-jerk reactions start... (Score:2)
But I'm not a criminal, oh no. I'm just a more 733+ home security expert than you. You should thank me.
I say that if they've got proof beyond a reasonable doubt here that these little twits should be sent away for a few years to cool their heels. I'm so sick of people going "Well, I mean, I did these same things when I was a kid and I wasn't a criminal." No, you weren't, because there wasn't a law in place before. If you did some of the same things today, you would be. And don't give me the "well, they were just curious, kids are" line. There are plenty of legal ways to learn more about computers and systems security. Hell, do what we did. Have your friends set up a system they think is secure and try to crack it. Learn. Repeat. But don't try to tell me that these kids aren't little thugs, because they are. Screw 'em, and I hope they get along with their new cellmates.
Re:Breaking and Entering (Score:2)
How would you feel if you found someone in your living room, and the police couldn't arrest him because he found a key to your front door? Should everyone blame you and suggest better deadbolts?
we are all harmed (Score:2)
In this particular case it hurts all the users of the system that was hacked and had their passwords stolen. It also hurts the people running the system. No, not just the admins; the whole organization is affected. Why? The admins are affected, cause they were not on top of their job, securing the system and maintenance and all that stuff (at least that is how some will perceive it). The owner loses his credibility to run a secure operation. Users lose their passwords and possibly the system. Well we know it is not necessarily the admins' fault. There is no perfectly secure system. Almost all systems can or do get hacked, whether by DDOS or what not; somebody with nothing else to do tries to screw up someone else's life, cause they can and they are pissed off at the world for no real reason.
Someone recently told me that there will always be security breaches in software cause software today has so many lines of code. There will always be hackers too.
I don't want a lot, I just want it all!
Flame away, I have a hose!
Re:Damages: Community Network vs. Corporate Networ (Score:2)
As you said, a large company may have much more to lose, and the damage done may be much more costly than if a small non-profit site is hacked.
Are you implying they should receive the same in damages? That all depends on what happens.
can never think of anything to go here (Score:4)
If I were to let any of my clients' sites go down for more than a day, I'd be dead, I already suffer from telephone phobia from times when servers have crashed/email has gone weird. These days there is no excuse for not having backups and at least some idea of an alternative if you do lose a machine (he sez hypocritically).
Having said that this was a public access system run by volunteers, and given its nature pretty hard to recover.
And as for the people who hacked it (and kuro5hin) they really have to rank in the intelligence stakes with people who would put their own balls in a vice and slowly turn the wheel until the plates met. You don't attack people who are helping the net remain open, and a community, many of whom may previously have had some sympathy for (h|cr)ackers, or at least draw from the same knowledge base.
Also stupid acts like this are just making it so much easier for various governments to sneak in with legislation that is in the end just going to make it harder for everyone, and turn the internet into little more than a commercial, monitored service (anyone ever used aol?).
Perspective!! (Score:2)
All metaphors and analogies aside, is cracking really a felony offense? Will we put people in jail for 10 years, effectively ending any chance they had to be productive (if a bit subversive) members of society, simply because they pissed AT&T off? Waving a gun at old people, abusing little kids. That's really despicable stuff. But breaking someone's precious computer? Put them in the can for 3 months, fine them good, and put them back out on probation. Get them a computer security job where they can play their security games in a supervised environment and get them back in to life. A 17 year-old kid, prosecuted for felony hacking? Give me a break... They fear what they can not begin to understand.
Bennu
Cruiser Tune Up (Score:2)
Who should work on the Cruiser?
Richard M. Stallman
Pros: Works for free (specifically, for contributions and government grants)
Cons: Long-winded politically-charged explanations of any problems.
Biggest Concern: If he does anything to the Cruiser, I have to let anyone drive it who wants to.
Eric S. Raymond
Pros: Does same work as RMS, but calls parts by different names.
Cons: Wants to own a piece of the Cruiser when he's done working on it.
Biggest Concern: Liable to use the Cruiser for target practice and put several
Bruce Perens
Pros: Will try to calm me down if he finds anything wrong with the Cruiser.
Cons: Needs someone to calm him down.
Biggest Concern: Will want to file lawsuit against oil companies and auto makers if the Cruiser is out of gas.
Rob (CmdrTaco) Malda
Pros: Will get Cruiser running eventually.
Cons: May continue to add parts until problem is fixed or nobody cares anymore.
Biggest Concern: Wiring mistakes may cause radio to change stations whenever I turn on the wipers.
Re:Damages? (Score:2)
While the 'altered' web site is up, how many customers will read it, expecting to find the company's normal site? How much business will this cost the company? Not to mention the labor costs and lost productivity (however small) involved in having a web site maintainer repair the damage.
=================================
What is unauthorized use? (Score:4)
My question is simple: what is unauthorized use? Does authorized mean "written permission"? Or is it implied?
I ask because of a simple case of sendmail: if it is running, is that an implicit authorization to send email to the owner via that port? I saw an article over at rootprompt [rootprompt.org] where a sysadmin tried to contact the owner of a box by sending him email via the sendmail port of the box (the box was apparently on a DSL line). The owner got all pissed because he didn't "authorize" the sysadmin to use that machine. The sysadmin argued that sendmail was PRECISELY for doing exactly what he did--sending email.
This may seem stupid to most of you, but remember that many people do not understand the technology they use, let alone legislate about. Could this law be used for suing people who connect to your machine? If you have sendmail up, and someone connects to it, is it their fault or yours? What about FTP and HTTP? If you do a base install of RedHat, you get FTP, HTTPd, Sendmail and a bunch of others. If someone connects to your web page or your FTP server, is that unauthorized?
There are obviously two sides to this issue. I personally get all paranoid when people connect to my box--it is a firewall with nothing running but ssh and ident. If someone tries to connect to my RPC port (i.e. NFS), I am a bit suspicious of their intentions. So this is unauthorized? But what about someone who gets hacked and my machine's address is used as a decoy (or in the case of ADSL with PPPoE, I'm now at the address that was used to attack them, but I'm a different person) and they run a port scan in an attempt to figure out if I am hostile. Does a port scan count as "unauthorized"?
The issue is pretty simple: the techniques used by crackers are legitimate techniques used by security-conscious sysadmins every day. Will clueless legislation start to put honest, hardworking sysadmins at risk?
My feeling is "yes". And that bothers me. Sigh.
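As an added illustration (not part of any comment in this thread): the post above notes that a base RedHat install brings up FTP, HTTPd and Sendmail, while the poster's own firewall offers only ssh and ident. The sketch below compares what a host is actually listening on with what its owner intends to offer; the `ss -H -tln` sample and the intended-port policy are constructed for the example.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (no header line); not from the page.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 64 0.0.0.0:113 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

# Hypothetical policy: the only ports this host is meant to offer to the network
# (ssh and ident, as in the post above).
INTENDED_PORTS = {22, 113}


def parse_listeners(ss_output):
    """Return sorted unique (address, port) pairs for listening TCP sockets."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split on the last colon so that
        # IPv6 literals such as [::]:22 keep their address part intact.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # Drop IPv6 brackets and any %interface scope suffix.
        addr = addr.strip("[]").split("%", 1)[0]
        listeners.add((addr, int(port)))
    return sorted(listeners)


def is_loopback(addr):
    """True only when the socket is bound to a loopback address."""
    if addr == "*":  # ss prints * for a wildcard bind
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # Unparseable address: treat it as exposed so it gets reviewed.
        return False


def audit_exposure(ss_output, intended_ports):
    """Compare network-reachable listeners with the ports the owner intends to offer."""
    exposed, local_only = set(), set()
    for addr, port in parse_listeners(ss_output):
        (local_only if is_loopback(addr) else exposed).add(port)
    intended = set(intended_ports)
    return {
        # Reachable from the network but never deliberately offered.
        "unexpected": sorted(exposed - intended),
        # Meant to be offered but nothing is listening.
        "intended_but_not_listening": sorted(intended - exposed),
        # Bound to loopback only, so not reachable from other hosts.
        "loopback_only": sorted(local_only - exposed),
    }


if __name__ == "__main__":
    for key, ports in audit_exposure(SAMPLE_SS_OUTPUT, INTENDED_PORTS).items():
        print(f"{key}: {ports}")
```

Ports reported as unexpected are candidates for disabling the service or filtering it with the tools the thread mentions (tcpd, ipchains, a firewall).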
Reactionary Politics? (Score:3)
What's the real story here? Beats me. Felonies are things like Grand Larceny, and Killing Grandma. Serious repercussions and lots of damages are required for something to be a Felony, right?
Or it may be that any crime which is so unknown that its damages may not be easily talliable becomes a felony as a deterrent. It may be that making laws banning data theft and hacking become 'cutting edge politics', and all the street savvy politicians want their name on that bill.
Probably, the severity of the law is caused by the blinding fear the average luser has about his machine being hacked, or all the dirty emails he sends his mistress being looked at by someone.
Theft is theft -- and if it's information, how that information is used should determine the crime, or how much the (unrecoverably) destroyed data is worth.
Consider this: If someone broke into your house, while you were watching TV, romped through the kitchen naked, and left out the back door, but didn't take anything, would the courts care? No -- the police officer who showed up would say that since nothing was stolen, and no one was hurt, it's probably not worth the hassle to take it to court. But if someone were to enter your computer system it's a felony?
Case of sexy politics here, methinks. I could be wrong, but everyone runs that risk. Bugs me, though that while I can't get a guy who threatens to kill me sent to jail when I provide the officers with his name and address, as well as a witness to the event, laws exist that state unauthorized access to a system is a felony.
I don't dispute that charges should be brought -- it's the severity that gets me down.
Some Issues that Come Up (Score:2)
Re:Anti-SPAM (Score:2)
OOps, NOT FBI (Score:2)
The same office that gave us the Michigan State Riot Tip Website "hack".
In that case, the State of Michigan had a website up for folks to give anonymous tips on who was rioting. However, all of the information was wide open to the public because the webmaster set it up that way.
BUT, the State said the site was "hacked" and were going to prosecute anybody that passed along the URL to the info.
Sorry, my bad, not an FBI thing this time.
Visit DC2600 [dc2600.com]
a victim perspective (Score:2)
My server has been compromised twice. Once trojans are installed, it's pointless to try to figure out what's safe and what's compromised. That sort of analysis takes a day or more, a day which could be spent reinstalling, which course is guaranteed to get finished. All of this activity takes place uncomfortably hunched among the racks in a closet during which time I and a bunch of other people can't get our mail. Dealing with the emergency takes place at some random time the black hats choose, and I have to immediately take several days out of my schedule fixing things.
So, my feeling is: death penalty is not harsh enough. People are doing it on purpose, and they're fucking up my life. The commercial losses are not measurably large, which is what gets the authorities involved, but the stress and disruption to me is huge.
Yeah, I know that teenagers are prank-prone, I was, but that's why their heads need to be put on stakes outside the gates of every town, so the other little twerps will see what they'll get too. It's not funny, it's not even a challenge, and the punishments should be very harsh.
Re:Taco's Going to Jail?? (Score:2)
-Vercingetorix
Re: (Score:2)
is vandalism a felony? (Score:2)
This is an honest question: is vandalism a felony or misdemeanor? If it is the latter, you'd think that based on this prosecutor's line of logic that "virtual vandalism" ought to be a misdemeanor, too. OTOH, if it's a felony, then why are there specific resources devoted to "virtual vandalism" when physical vandalism is still a real problem in many areas?
Not to say this isn't a good thing, however.
Staying within the law (Score:2)
Well, Something that I doubt they are thinking about, and they _really_ should, is that many people in computing are staying within the current laws because there are some things that they can still do legally, or they can work around the restrictions. Eventually, they will have too many restrictions, and if they force people to break laws to do things that they are legally doing at this moment, what is to make these people not do other illegal things? I try to think that I do a pretty good job with not breaking laws; I run all open source software, so I'm not pirating, I don't go intentionally knocking people's PCs and servers out, I don't destroy property. What happens if they start restricting based on content, or other things? What happens when more commercial products are reverse engineered in GPL, and more companies start chopping down forests to send enough cease and desist orders? what happens when these are upheld in court as IP when all the reverse engineering people did was the _SAME THING_ that compaq did to IBM's bios back in the '80s? I don't think many of us will really care what the laws are, we'll do what we want anyway. Obviously, the MPAA's rabid enforcement of their faulty product's restrictions aren't affecting Joe User, who probably has the DeCSS code. Back before Linux was really an option, and we were all running (shudder) DOS, did we care if we made many systems boot if we had only one copy of the OS? I doubt it... We generally seem to do what we want, and the more difficult they make it to do this legally, the harder they'll have to enforce. It may become almost impossible.
(/rant)
A note from m-net's sysop: (Score:5)
Uh oh. Is my TiVo a 'third party' system? (Score:3)
Dangerous Laws (Score:5)
And it goes like that. In the past, these ignorant people would cite the US law which applies to unauthorized access to government systems. It didn't apply either way, but the point of the stupid email is this: "unauthorized use" and "unauthorized access" do not take into account the implicit permission for connections when you hook a box to the net. Knowing people in ISP/NSP abuse departments, I've seen way too many complaints along the lines of: "Someone connected to my webserver and this isn't a public server!" Could you call it unauthorized? Technically, yes. But shouldn't connecting a machine to the net be implicit authorization if you don't take steps with a tcpd, ipfilter, ipchains, firewall, etc? Absolutely. Or a password on your web pages. The same goes for pings -- people will get a single ping packet, and complain that they are "being hacked".
This brings me to an even stickier anecdote: someone has a box on the net running an irc server. Someone hacks a box at a government agency, connects to their irc server. The irc server, as many do, autoconnects to the client box on port 1080, maybe port 23, looking for (1) Wingate and (2) stupidity. Not much later, someone (maybe Nasa, maybe the SS) manages to unlink and postmortem the box, seeing the auto connects logged, and goes after THAT person. Thankfully, they were never dragged into court or anything, but the government actually believed that the person had a hand in the hacking of the box, and that even if not the mere autoconnects were a violation of the law.
That said, I think the "uproar" over hacking is causing laws that also may be too harsh. Removing the $1000 cap on the Michigan law is irrelevant -- any hacked system can easily generate a $10k tab, just by citing expert recovery time for dozens of hours at >$100/hr. The simplest 1-machine hacks of companies have generated 6+ figure "damages" in the past.
Even as a security professional, and agreeing that cracking a system when not invited should be a crime, cracking should be a reparation case. If someone spends $5k in time and loses $10k in business because of your crack, you should pay that back, do a few hundred hours community service. It's rough, but it is a crime. It should remain a misdemeanor, unless things are done to multiple systems, with malicious intent to cause harm to the system(s), etc. I'm sure there's a lot of room for discussion, but felonizing script kiddies is not, in my opinion, what we need to do. At least the original bill seems to allow for _10 year_ sentences for "damages" of >20k. Sending some 18 yr old to jail for 10 years over a hacked box is absolutely insane. As a network security professional, I'm also fully cognizant about how easily most of these boxes ARE compromised, and replacing security precautions on shared machines with draconian laws with absurd sentences is absolutely unacceptable.
Don't know much about psychology, do you? (Score:5)
Logically, this should be the case--it's a simple cost-benefit analysis. If the rate of catching the criminals stays the same, you can increase the "cost" by making a harsher penalty. The flaw in this reasoning is that the criminal isn't doing a cost-benefit analysis for something like breaking windows--after all, what's the real benefit? For that matter, people who break windows are generally unable to imagine consequences anyway.
Making a stiffer penalty will not lower the crime rate--the few people put off by the increased danger will be more than offset by the people turned on by the increased danger.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
Re:Damages? (Score:2)
I always find this argument baffling. Just because it's not that hard to change a tire, doesn't mean I easily dismiss the fact that someone took it upon themselves to slash it. If someone knowingly breaks the law, then they should pay the consequences. Pure and simple. Nowhere in any state or federal statutes do I read that small corrective action allows anyone a free pass.
--
Re:What is unauthorized use? (Score:2)
Re:we are all harmed (Score:2)
And don't forget that the *only* sure way to secure a box after being cracked is to reinstall the whole system. That means restoring all accounts (with new passwords), restoring backups, downtime for reinstall, etc.
Re:Odd reasoning, that (Score:2)
I mean let's say you steal a candy bar at a store. They're not gonna throw you in jail for 10 years and charge you 10,000$ in fines, because of a 60-cent candy bar. That's just cruel. So let's say you only do like 100$ worth of damage in some cracking incident. Then because of that you gotta start putting that on your job applications and such. OUCH! Punishment should fit the crime.
Re:Harshness sometimes necessary (Score:2)
Do some research before you fix your mind in this state. Murder carries the harshest of penalties, and numerous studies have shown that the death penalty is not a deterrent.
If you want to keep them from committing a crime, the chance that you are caught doing it has to be very great.
It's a felony to press our panic button! (Score:4)
First I would like to point out Jennifer's poor sense of perspective:
For every person using a computer or the Internet for research, commerce or communication, there may be another person using that technology to commit a crime.
The suggestion that there "may be" one "criminal user" out there for every legitimate user is nothing less than retarded. If there were 10 million+ hackers out there it seems unlikely that Jennifer's toaster would remain unhacked after a display of such blatant prejudice.
But reactionary posturing aside, the ugly part of this mess is that these two people can be mentioned on the same page.
Salcedo is likely a criminal under non-computer law. And additionally, he's an idiot. If he's responsible for intentionally, irrecoverably (to the novice of course) crashing a business system, there is no need for computer-oriented law to prosecute him.
Salens on the other hand is just a punk kid who did a little digital graffiti. It's ironic that Jennifer can make the connection to real world graffiti, but then go on to push for the digital version (which is cheaper and easier to clean up) to be a felony.
Obviously to people with so little sense of the spirit of the law, anything they're afraid of should be a felony.
When they are killing children for stealing lollipops, and the children start shooting back, the authoritarians will wonder, "What kind of monster would kill for a lollipop?" The bell tolls for thee.
Re:Two Sides (Score:2)
Ah, but you implicitly agreed to the End User Locksmith Agreement when you opened the shrink-wrapped package for the Micro-lock Deadbolt 2000 product you used and are now claiming to be defective.
The EULA clearly states that Deadbolt 2000 is not guaranteed to be fit for any particular purpose and that Micro-lock cannot be held liable for damages resulting from improper installation or use of the product. Deadbolt 2000 uses Java technology, and as such should not be used in any critical application such as medical devices, manufacturer processing control or securing your front door.
(sorry, I'm bored at work. Moderators, please help me bleed off excess karma!)
here comes the drug war (Score:4)
It probably won't be too many years now before some "hacking" task force has a budget along the lines of the drug war. I've seen more than a few "between the lines" suggestions by politicians that this is exactly what we need. With a mostly ignorant public, the politicians will probably get what they want.
I wonder how much it will take to piss off the public though. Seeing a 13 year old skinny white kid from the suburbs being hauled off to jail for "hacking" might have a different effect on the public than some poor hippie or black pot smoker being thrown into jail on drug charges.
Re:Odd reasoning, that (Score:3)
I think vandalism is a really poor comparison. It may be good for when a hacker actually defaces a website, but the actual hack itself is much more akin to breaking and entering. B&E is (I think) a felony, no matter what you are breaking into. Anything else you do while you are there is a separate crime, with its own charges. I think this is the same approach that should be taken to hacking. Hacking into a system is a crime. Anything you do while you are there may be another. If you just look around, all you get is hacking. If you deface a website, you might get the electronic equivalent of vandalism. If you destroy files, that's another charge. But the hacking into a system is a crime unto itself. Unlawful entry is unlawful entry, no matter if it's a house, business, or a computer system.
NEW EQUIPMENT! (Score:3)
system's equipment. "
What in the hell did they do to make it require NEW EQUIPMENT to recover from a crack? I understand lost data, etc. I know it used to be possible to spin a HD until it blew up or set a monitor resolution that burned it out, but I haven't heard anything of the sort in a long, long time. What's up with this? Is the AG wrong? Did M-Net not know how to reinstall a system? Or is this kid really lucky or some kind of jedi master and made all the chips explode in a fiery blaze destroying the MBs?
I agree that unauthorized cracking is wrong; there are also ample ways to set up practice if you really want. Cracking free sites is not only wrong and illegal, it's evil and stupid.
I was going to moderate this discussion, but no one brought up my first point, and I'm really curious.
Re:Make automatic nightly backups (Score:2)
Anti-SPAM (Score:2)
You do not authorize SPAMMERS to put spam on your system. You do not authorize SPAMMERs to use your POP3 server. Now, a SPAMMER used your POP3 to send data to your POP3 client without your authorization.
A stretch, yes.
Re:Odd reasoning, that (Score:4)
Granted, that doesn't allow for the political "get tough" and Internet buzzphrase newsbites.
Re:Harshness sometimes necessary (Score:2)
Really? Imagine that, dead convicts rising from their graves to commit crimes. Scary stuff.
To me, the death penalty isn't supposed to be a deterrent, it's a safety measure. Replacing a blown tire doesn't deter the others from blowing--but it makes driving the car a lot safer.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
only to protect companies? (Score:5)
across the country."
And long license agreements full of mumbo-jumbo legalese have become one more tool to pick the locks of the average computer user across the country.
If I install a program, say a graphics program, would this law cover behavior that surreptitiously sends valuable personal information to the company that wrote the program? We know the info is valuable (the company plans to sell it), but they haven't paid me for it and I haven't given it to them. Isn't this crime analogous to workplace theft? ie, I gave you permission to work here, but I didn't give you permission to take what you wanted home with you.
How can digital graffiti be a felony, but digital theft is winked at?
Re:NEW EQUIPMENT! (Score:2)
Expect this to be the future's new form of insurance fraud.
Re:Down for a month ?! (Score:2)
M-net is also all volunteer, and the timing couldn't have been worse, as most of the admins were overloaded at their real jobs. Poor timing, a collection of ghod only knows what kind of equipment, and admins who couldn't be pulled from their real jobs resulted in the month long downtime. Fortunately the community (grudgingly) understood and let the admins do their job when they could.
--
Re:But for Tennessee v. Garner (Score:2)
LK