Appropriate Punishment For Crackers?
Cally writes "There's a Kevin Poulsen article on SecurityFocus reporting that the US Sentencing Commission is seeking opinions about the appropriate punishment for convicted system crackers and other black-hat types. On one hand, it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti. Then again, perhaps these people are cyber-terrorists who should be illegally imprisoned, indefinitely, without a trial, charges, or legal representation? You choose."
Depends... (Score:5, Funny)
Ah, honesty... versus federal sentencing (Score:5, Interesting)
"The punishment should fit the crime." Equally important, someone neutral (not indifferent) should pick the punishment.
However, few are aware that the federal judge actually has extremely little discretion in sentencing. In a nonviolent crime against strangers such as destructive hacking, setting aside criminal history, the amount of the losses essentially determines the sentence. Said damages are notoriously difficult to estimate and easy to inflate, as in the cases of Kevin Mitnick or Robert Morris, who were clearly culpable, but for what? State courts remain more flexible, but with the growth of federal law and the wire fraud aspect of computer crime, more cases are swept into federal court where the sentences are typically heavier.
Current federal sentencing guidelines [ussc.gov], dating from Reagan era reforms designed to crack down on crime by constraining "soft" judges, and created by the Sentencing Commission [ussc.gov], are purposefully wooden and mathematical in their determination of sentences. You literally add and subtract points [ussc.gov] based on different factors, then consult a chart [ussc.gov] to find the mandatory sentencing range. (In some cases, I think a minority, defendants do benefit from protection from excessively harsh sentences.) In certain drug cases, mere grams of a substance such as crack can add years to your sentence.
At sentencing, the judge is given a presentencing report recommending a sentence plus or minus, say, 5% of a given fine or imprisonment or probation, a range from which it is very difficult to depart without breaking the law. What effectively happens -- and I hope this was foreseen -- is that sentencing authority is passed to the prosecutor, whose decisions as to which offenses to charge or to drop, and amenability to plea agreements, set the outcome. If you believe the sentence unfair, it is the prosecutor or Congress, author of the ill-conceived guidelines, that needs influencing. The Guidelines long ago survived constitutional challenge.
I can tell you firsthand that many federal judges don't like the Guidelines, but if they depart from the prescribed sentences they are reversed on appeal.
Re:Ah, honesty... versus federal sentencing (Score:3, Interesting)
No - in this punishment, the hanging is not the same as in execution by hanging. A proper explanation from here [shu.ac.uk]:
Lovely stuff... I think I'd reserve that one for spammers, personally ;-)
Re:Depends... (Score:5, Insightful)
In the US version of democracy, the US government gives a mandate to the American people that they are going to war with Iraq. Over shouts of protest, the media begins the assault on the public mind to convince people that this is what they want to do and that the country of Iraq is of primary importance in their lives. After informing the American people, as well as Saddam Hussein, that he has weapons of mass destruction, a furious effort is made to find a pretext for invasion. Eventually, after months of campaigning, petitions start to circulate around the internet, so that the people of America can ratify the decision of their betters. So, it's a grass roots campaign, in reverse, of course.
The government gives its mandate to the American people, and the American people automatically start discussing this issue. Granted, before the president gave his mandate, nobody was really concerned about Iraq, outside of a few oil companies, but that doesn't matter, and doesn't raise any doubts in our un-biased media about the president's honesty, despite the fact that several of his advisors are ex oil company executives.
The same thing happened with the War on Drugs that was increased by Bush I in 1989. Before the media campaign, the concern about drugs was only 4% in the Gallup polls, and people were more concerned about the economy. Then Bush I gave a mandate to the American people, and immediately the "free" media started pumping out dramas about families being torn apart by drugs, despite the statistically declining drug use in America. So, in spite of the fact that I nor anyone that I knew was on drugs, it was an important issue in my life because George Bush told me so. Another mandate by the government, and another assault on our freedoms. Yeh Bush!!
Re:Depends... (Score:4, Informative)
True, in a real democracy every person would have a say in every decision made by the government, but this only works in classrooms. Even in classrooms it doesn't work well, so we elect leaders who make decisions. If you don't like the decisions, either become an elected leader and change it, or just vote for someone else the next time around.
Re:Depends... (Score:3, Informative)
Re:Depends... (Score:4, Interesting)
1. There is no evidence linking Hussein to Al Qaeda or Bin Laden. Hussein and Bin Laden are bitter enemies, they absolutely despise each other. That hasn't stopped Bush and gang from trying in vain to link Iraq to 9-11. However, any insinuation that is made, upon further scrutiny falls apart, because that's all it is, is insinuation. Our government knows that Iraq had nothing to do with it.
2. The country that did participate quite a bit in the funding of Al Qaeda is Saudi Arabia. So, why doesn't our government attack them? Because they are our allies of course. They give us all the oil we want.
3. Our government put Hussein in power. Our government also looked the other way when Hussein "gassed his own people". Three words are missing, "with our support". Before 1991, 10 US corporations participated in the sale of arms to Iraq, even after he gassed his own people. That's part of why the dossier is kept out of the mainstream media.
4. Our government talks about creating democracy in Iraq, and we are to understand that the first step towards democracy is having a military dictatorship, much in the same way that we are to understand that "right to trial" means rounding up hundreds of "suspected terrorists" into concentration camps where they will eventually be tried by a military tribunal.
5. This war is about oil. That's all it is about. If we were out to have a "just war", there would be many other countries that have far worse human rights violations than Iraq.
graffiti? (Score:5, Insightful)
Re:graffiti? (Score:2, Interesting)
Re:graffiti? (Score:5, Insightful)
Forget Graffiti (Score:5, Funny)
Re:graffiti? (Score:4, Insightful)
Re:graffiti? (Score:3, Insightful)
IF they did do all this, would it be reasonable to go and sue the thief for all the trouble he caused them? Shouldn't walmart be responsible for not taking adequate action in the first place? Maybe the website that got hacked should have had a backup server which was completely independent and locked down from the outside world, so it was known to be good and pure, so downtime would be minimized?
Re:graffiti? (Score:4, Informative)
WRONG... cracking is getting into something that you don't belong... a Safe cracker breaks into safes.. a website cracker breaks into websites... etc...
a HACKER is a person who hacks hardware or software and makes it do something it wasn't supposed to do or do it better...
please get your terms right, and stop smearing the name of a type of person that deserves respect and admiration.
only the uneducated calls a cyber vandal/B&E artist a hacker.
Re:Oh shut up. (Score:3, Informative)
Blkdeath is right, checking the definition in The Jargon File: Hacker [people.ssh.fi]
hacker [originally, someone who makes furniture with an axe] n. 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. 3. A person capable of appreciating hack value. 4. A person who is good at programming quickly. 5. An expert at a particular program, or one who frequently does work using it or on it; as in `a UNIX hacker'. (Definitions 1 through 5 are correlated, and people who fit them congregate.) 6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example. 7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.
We find the first SEVEN definitions agreeing with his sentiment.
Definition 8:
8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence `password hacker', `network hacker'. See cracker.
This one, although still under the definition of "hacker", refers one to "cracker".
QED
Congratulations Kramer, you win.
Re:graffiti? (Score:5, Funny)
The word "cracker" is already spoken for. Try again.
Re:graffiti? (Score:3, Informative)
It being in print and in common usage essentially does make it true.
People use "hacker" to refer to a person who maliciously breaks into computer systems. Deal with it. Why the fuck does it matter, anyways?
Hell, it also means:
You don't see those people whining here about how the computer industry has stolen their terms, do you?
Grow up.
Depends on the damage done... (Score:5, Insightful)
I really don't see why there has to be separate laws for everything. Or at least put it in some real-world perspective.
Kjella
Re:graffiti? (Score:4, Insightful)
Yeah, yeah, I know, breaking and entering vandals want to be free. It is the web site's fault for being able to be cracked. It is my fault for having my apartment robbed because I had glass windows that were broken when I clearly should have had the windows bricked up in the first place. If that woman didn't want to be raped she should have been better equipped to defend herself---hey, if she wasn't carrying pepper spray, then she was just asking for it, don't blame the poor punks that did it.
Oh, silly me, I forgot: computers are fundamentally different somehow, because the hypocrites that make those kind of arguments also use computers, so somehow these kind of things should be treated differently.
Re:Please, think better analogies (Score:5, Insightful)
The responsibility you mention is real, but it is the responsibility to the shareholders. If a bank transports money in a shopping cart and it's stolen, the thieves will go to jail. The directors who authorized the insecure transport will probably be fired, and might be sued by shareholders.
Crackers should go to jail. Incompetent admins should be fired. These are two separate problems.
Re:Please, think better analogies (Score:3, Insightful)
Would it not be a little more imaginative to offer them some sort of training?
Re:graffiti? (Score:5, Interesting)
Right, so running a brute force/dictionary routine is just an everyday normal part of browsing. I totally forgot that the vast majority of users out there have a "Obtain root/admin functions" button on the top of their Internet Explorer toolbar.
No, a better analogy for the internet marketplace would be a street full of vendors. You can buy from them, or if you're a sneaky bastard, you can break open their cart and make off with their earnings, or cripple their ability to perform business. Just how much common sense does it take to know that opening their cart (going someplace the html did not direct you to) whether or not it had a padlock on it, is not what they intended to do.
should hackers and defacers get treated as terrorists? probably not. should they get slapped with criminal charges? of course.
What a stupid post! (Score:4, Insightful)
In society we all have an expectation of privacy. That right is supported in common law.
For example if your neighbor puts up a 15 ft solid brick fence and then sunbathes nude behind it and you put up a tower with a camera on it you can be arrested/sued for being a "peeping tom". A local TV station had an employee get busted for using the "skycam" weather camera to do just that. The courts held that the woman had a reasonable expectation of privacy and that it was violated by the man using the TV tower's camera.
When someone puts up a website they have a reasonable expectation that the back office parts of the site are to be private. Just because you CAN peer into the site (or into the backyard) doesn't mean you are allowed to!
The amount of effort required to circumvent them is irrelevant. The expectations still exist and are legally protected.
I don't consider break-ins, especially to insecure machines or business computers (but maybe I just value individuals more than businesses?), to be a very high crime.
That was the most stupid of your statements. Well I don't consider your dead-bolted door to be adequate security for your home. So by that logic I am free to break in and clean out the house. By God, you should have had a steel vaulted door.
Re:graffiti? (Score:5, Insightful)
It didn't wash for them, it shouldn't wash for punks that feel compelled to commit computer crimes.
Re:Double standard (Score:3, Insightful)
No, I don't think anyone should be assaulted for what they wear. I don't think someone should be mugged either, just because their wallet or cellphone is in their hand. Hell, I've seen on the news people getting mugged for their shoes!
But I am aware, as you should be too, that that viewpoint isn't universal. There are streets in London I won't walk down while talking on my phone. In some parts of town, I'm careful not to show a wallet full of cash. These are just basic precautions that everyone should take. But it's taboo to say that dressing so as not to draw attention is one of the basic precautions, and that is a double standard.
Re:graffiti? (Score:5, Insightful)
If someone circumvents your wall to get inside to do anything (regardless of the activity) it is breaking and entering. If someone does not have a legal means (hold the keys or expressed permission to 'jump the fence') then they have no right being there. Regardless of 'how high' and 'how wide' the wall may or may not be.
If you were to erect a wall and someone uses a bulldozer or stick of dynamite to circumvent the structure, then they have in fact damaged your property. No matter how strong (or weak) your wall was.
The fact of the matter is that, the digital domain is being viewed upon as property. That is protected by the laws that protect real property.
Hmmmmm, I wonder if I catch a hacker on my site/server, that I cannot effectively 'kill' him (say by disabling his computer OS from loading again. Even if only for a short while.) just as I could if I caught him in my house, after he climbed through a window in the middle of the night....
Re:graffiti? (Score:5, Insightful)
The correct smart-ass statement would be:
"Ah, I get it. So if someone puts up a lock that can be broken by using a simple credit card, I can prosecute the punks for breaking and entering?"
Of course you can. Just because something is easy to break into does not justify breaking in.
If you break into a computer system, that system HAS to be taken down. It has to be ritually cleansed so that you are sure there are no backdoors inserted somewhere, and that the data is actually correct, which often involves restoring from backups. It might be the administrator's fault that you actually succeeded in breaking in, it is NOT his fault that all this cleanup has to be done on a successful break-in.
If you break into a bank to take a leak, it is still a crime. The bank has to go over all of their routines, and they have to make sure all you did was take a leak. They surely cannot just take your word for it.
The bank should have improved their security, but what you did is still a crime.
Re:graffiti? (Score:3, Interesting)
Disclaimer: as it happens, I'm an info-sec professional myself - as a matter of fact, I'm a pen-tester
Firstly, apologies for the needlessly trollish Guantanamo refs... I was so sure it wouldn't get posted anyway, and I was casting around for the other end of the spectrum from the punishment for graffiti, and the Amnesty report was just in the news over here in the UK, so...
That said, I find it quite depressing the number of people saying "These people are evil!! We must execute them all!!" Yes, having a site cracked costs a lot of money, as does preventing it from happening in the first place. Yes, you'll have to pull the box, reformat the disks and restore from backups, and check out anything else the cracker might have wormed his way into at the same time (you HAVE got those MD5 checksums burned to CD, right?) And this is a serious PITA, especially if you, the admin, have been trying to get management attention for the fact that your site is an accident waiting to happen. And now you get to work all night/weekend, because some PHB couldn't see the point of putting resources into proactive security measures.
There are several reasons why I do NOT think this justifies locking the kid up and throwing away the key. Firstly, YES, if you run a major site on a shoestring, don't bother patching your server, running an IDS and firewall, or even scanning yourself with Nessus or nmap, then YOU WILL BE OWNED. You might say that you don't deserve it. Well you don't deserve to be mugged if you go touring crackhouses with a $2000 camcorder and laptop, but what the fsck do you EXPECT to happen? Secondly, assuming the attackers are the proverbial greenhaired 15 yo's from Buttfuck, Nebraska, a disproportionate sentence is destroying someone's life for a foolish mistake. Anyone male here who didn't do something bloody stupid at some point during their childhood or adolescence? Hell I went through a brief stage of shoplifting. Got caught, had my arse paddled and a serious bollocking, didn't do it again. Testing boundaries and trying alternative identities out is part of growing up. Thirdly, you're destroying the potential for good in later life. The fact is that many of the leading lights of the security scene wouldn't be around if they'd been caught & gaoled for ten years in earlier life. I'm not mentioning names, but they know who they are ;) All you're doing is getting "revenge" - which is no kind of justice - by destroying the life of someone who was probably too young to know any better. No doubt many people reading this are thinking, "Ah, but I didn't go out and 0wn cnn.com!" No, but I bet you swapped games at school, or taped CDs from friends, huh? Right, but I'm sure you can see that the IP mafia want to make sharing == piracy == cracking == terrorism... and that in a few years time, you're going to have kids of your own. Want to bet they'll do something out of order at some point whilst growing up? Whaddya going to do, chain them up in the cellar?
The final reason not to throw the 15 yo's in gaol is that it'll achieve sweet F.A. No matter how many American kids get slung in gaol, the scans and DoSes and script kiddies will keep on coming and you know what? that's a GOOD thing. It keeps sites secure, it keeps people pushing software to be more secure, and that all makes it harder for the real villains - the ID thieves, the industrial espionage and extortion types and so on. Oh yeah, and it pays my rent ;)
Of course, I'm specifically talking about under-age malcontents here. If you're, say, 25, and know what the consequences of your actions are, the difference between right and wrong, etc, and you sneak into a creditcard database for the purpose of id theft or extortion from the company, then hell yes, you're going to do some time and quite right too. And you'll never get work as a sysadmin again. Hmmmm, perhaps there's some cultural relativism at work here... in the UK, if you (genuinely) can't distinguish right and wrong, you're a sociopath, and you belong in a secure hospital. If you're underage, though, you're given the benefit of the doubt. Eg there was a cause celebre perhaps 6 or 8 years ago where two boys, aged 13 or 14, bullied a 4 year old kid, threw rocks at him and eventually murdered him. They're eligible for release soon - quite right in my view.
Oh yeah, and the US are rapidly burning through the goodwill we hold towards you, in Europe at least - the illegal incarceration at Guantanamo, the Bush/Cheney/Ashcroft junta's blatant wars of aggression against people who look at you funny, the willful destruction of human rights in your own country... the good news is that, I think and hope, most of us in Europe can distinguish between the actions of your corporations, government and corrupted legal system, and individual people who just happen to be citizens of the country. (If Bush gets re-elected, though... this might change :( )
Re:graffiti? (Score:3, Funny)
Re:graffiti? (Score:3, Insightful)
Okay, so explain something to me.
I make a comment, modded up to 3, kicking off an on topic discussion of over 20 following posts. Well after the discussion got rolling, I pick up two overrated mods. Now, I don't really care about the Karma, but I was just wondering, from a standpoint of understanding the mind of a moderator, how the moderation of this post is anything other than "I don't agree with you." If it really was overrated, would 20 some-odd people take the time to reply?
Re:graffiti? (Score:3, Interesting)
You think if the brick-n-mortar manager forgets to lock the door at night, and the store is looted, he'll keep his job?
here's where hopefully someone can shoot me down. i believe if the doors aren't locked, then it can be only considered criminal trespassing, not Breaking & Entering (a more serious crime). also, criminal activity has to be proven to have criminal trespassing. you have to tell someone to get off your property, until then they're not trespassing, they're passing through (not a crime).
The standard on high profile cases (Score:5, Interesting)
IMHO, this is the red herring effect in which the prosecutor only wants to punish the defendant up to the point in which he pleads down to.
The result is that the prosecutors get what they want, while looking merciful and fair, and the defendants get a long, unfair sentence.
On the other hand, a stiff sentence seems to have worked for the two Kevins. They seem to be completely reformed now after having gone through such bullshit.
Some kind of community/military service (Score:5, Insightful)
Done well this should teach them something...
Just my 2 cents.
Re:Some kind of community/military service (Score:2)
I knew plenty of guys, from Fuel handlers to Apache Instructor Pilots that were "drafted" with that method.
Re:Some kind of community/military service (Score:2)
If you can't do the time, don't do the crime!
Appropriate Punishment For Crackers? (Score:5, Funny)
Cracking in self defense? (Score:5, Insightful)
Re:Cracking in self defense? (Score:3, Interesting)
If they're only breaking into your home, then you do not have the right to "shoot in self defense". Your home would need to have the right to shoot in self defense (which we don't recognise for inanimate objects), and it would have to fire the shot itself (which is, I suppose, at least possible). Neither of these really make much sense.
If they are breaking into your home and you fear for your life then you have the right to kill in self defense. Thus, it depends on what you were feeling, or perhaps on what you claim you were feeling, or by extension, what you can convince the jury you were feeling. Thus, in a way, it could be said that while you may or may not have the right to shoot an intruder, the U.S. Second Amendment (right to bear arms) guarantees you have the power to shoot an intruder. And while the former is what matters to the Courts, the latter is what's likely to keep me out of your house, because even if you don't have the right to shoot me, I'll be just as dead.
(Contrast this with the DMCA, where the law guarantees you the right to fair use, but denies you the power to exercise your right.)
It does pose an interesting question, though. Our roadside mailbox has recently become a favorite target for vandalism of the "mailbox baseball" variety. (drive by, hit the box with a baseball bat, drive off...) I wonder what my liability would be for replacing my aluminum mailbox with one specially constructed from cast iron and concrete. Would I be liable for the broken bones of someone attempting to commit vandalism on my property and failing to understand the...um...consequences of their actions?
Depends on the state (Score:4, Informative)
Re:Depends on the state (Score:3, Interesting)
Don't leave out Arizona! We have such laws. It is legal to shoot someone committing first degree burglary (burglary of an occupied residence) and first degree arson (arson of an occupied structure). There isn't anything controversial about it... here. About once every three months I read an article about some septuagenarian widow who blows away a punk who came into her house.
BTW... it is also legal to carry a concealed weapon on your property or place of business, without a permit.
The reason for these laws is to remove from the homeowner the (very dangerous) requirement to determine if the intruder is a physical danger. The very act of intrusion into an occupied structure is construed as life threatening.
As a result of these laws, burglary of unoccupied residences is pretty rare. Most Arizonans don't need to fear intruders in their homes (except in some neighborhoods where massive armed invasions occasionally happen - usually with drug transactions involved).
Depends... (Score:2)
Re:Depends... (Score:5, Funny)
But you CAN smash them in the kneecap with a crowbar. I find it's an adequate, non-lethal deterrent in my homestead.
Trust me, they won't be doing much walking afterwards.
OF course (Score:5, Interesting)
Cyber-crime is no different to ordinary crime. If the 15 year old 'cracker' writes his name all over a site (i.e. graffiti) he should get the same as a 15 year-old who scrawls all over his local shopping mall (i.e. fuck all or a safari or something).
If however he goes and steals 10000 credit card numbers and uses them to buy every back issue of playboy he should be locked up for a long time. With lubricant.
the prejudice ain't the same... (Score:2, Interesting)
Hey, cleaning up a mall is expensive, cleaning up a web site should not take more than the time to restore a daily backup...
If you don't have one, then it's high time you started.
Re:the prejudice ain't the same... (Score:2)
Re:the prejudice ain't the same... (Score:2)
Companies that take security seriously have an incident response policy in place that presumes (unless proved convincingly otherwise) that a system which has been compromised has been totally compromised, i.e. backdoored, owned. In which case, the only appropriate response is rebuilding the system from scratch, and demonstrating that the new system is more secure in some relevant way from the old one. That's not also taking into account the forensics necessary to collect and/or preserve evidence to prosecute the cracker, if the victim wants to bother. (Many don't.)
Probably a mission critical website would be restored from a backup onto a backup server while this goes on, but that's an interim measure, and during that interim you're almost certain that the machine is vulnerable, so you're going to be monitoring it continuously, which takes time and effort and tools.
I'm absolutely not a "throw away the key" guy regarding these teen crackers, but let's be realistic about the fact that security is expensive, and that they make it more expensive, when determining the cost of fixing their damage.
Re:the prejudice ain't the same... (Score:4, Insightful)
An international corporate website with a secure ordering component is slightly more complicated than "Insert tape, click Restore". There are distributed database servers that need to be examined, several web servers with load balancers in multiple geographically diverse locations, they need to investigate all involved servers and networking components to determine the possibility of a back door; and on top of all this, they have to leave the 'crime scene' untarnished so that security experts can determine a) how they got in, and b) how to prevent them from doing it again.
We're not just talking about somebody editing index.html here. Restoring from tape/CD-R may work for your home vanity domain website, but it falls slightly short in the real world.
I'd also like to echo the sentiments made by other posters;
As usual, the vast majority of analogies posted are flagrantly off-key, so I'll pose one; Breaking into a web server and defacing the content is like breaking into a webserver and defacing the content. Come on, people, we're a technical group and should be able to talk about these incidents without resorting to brick wall, spray paint, bomb-threats, or other wild analogies.
These crimes should be treated in context, and the lawmakers should be told, repeatedly, that the Internet is not a direct analogy to real life. Servers are not brick and mortar establishments. Components of a website do not have to physically reside in the same country, let alone the same building.
When a person violates a website, they should be charged as such. The more intricate and harmful their intrusion, the more harsh the punishment. They should be given rehabilitative sentences including community service if they're young, or prison time if they're age of majority.
Re:OF course (Score:3, Interesting)
The term "cyber crime" is like "gun crime" - it completely misses the point. If a man wears a mask to rob a bank, we don't call it "mask crime". If he makes a getaway by motorcycle, we don't call it "motorcycle crime". If he uses a gun, we do call it "gun crime" for some reason, but that's just silly: it's still a bank robbery, whatever you call it. The mask, the bike and the gun are just tools.
IMHO, it's not like graffiti - it's more like phoning in a bomb scare to a warehouse, in that there's no actual physical damage done, yet the business is unable to function until the issue is resolved (the analogy goes further, searching the building for a bomb is like auditing your network). And it should be treated as such by the courts.
Re:OF course (Score:5, Insightful)
He's old enough to know better.
He should be held responsible for the real consequences of his actions.
Anything less simply permits the activities to go further. The amount of work involved in recovering from a Cracker is far more extensive than physical graffiti.
Re:OF course (Score:3, Insightful)
Recovering from a cracker SHOULD be easier than cleaning up graffiti unless you have no idea how to do your job or unless they are really good. If they are that good at 15 then you better hire them. Good security, good backups, good logging will usually keep people from hacking you and if they manage will keep them from causing much damage.
Also I think companies that let their systems be cracked should be charged with negligence unless they can show proof of having made a reasonable effort. I've never worked anywhere that had decent security before I took over and they certainly didn't want to pay me to do the job right. Not securing your systems endangers the rest of the Internet and you should be held responsible.
Equal protection? (Score:2, Insightful)
Talk about flame-bait lead-ins (Score:5, Insightful)
How about referencing recent hacker cases, and the sentences that were imposed. How about some information on the ages of the black-hatters. No, that would be relevant to the discussion...
Re:Talk about flame-bait lead-ins (Score:5, Insightful)
in fact, i'd like a little more detail about you mynameisfred. just post up your name and where we can contact you.
(btw, in case anyone was confused the above wasn't sarcasm. it was "your likely future.")
Re:Talk about flame-bait lead-ins (Score:2)
"...or will Ashcroft [evil.com] shoot for a trial in Virginia [alaska.com], hoping for the death penalty. Will this ultimately lead to an Orwellian 1984 [happy.com] type future? I don't know about you, but I'm joining Amnesty International [republican.com] right now."
Re:Talk about flame-bait lead-ins (Score:3, Interesting)
The links to 911 detainees have NOTHING to do with hacker cases. Why is Hemos looking for an opportunity to lash out at the U.S. government?
If you are pissed about anti-terrorism, then post an opinion piece or at least make it a separate post. You harm your case by trying to link it to something related to hacking and computers.
What kind of muddled thinking leads to this kind of front page post?
My opinion of Hemos and
Re:Talk about flame-bait lead-ins (Score:3, Insightful)
Use DOS (Score:2, Funny)
Lets think about this ... (Score:5, Interesting)
Grand theft auto
Assault and battery
Theft
Throwing eggs or spray painting a building
Hacking a computer and defacing a web site
Does that make sense????
I don't want to encourage people to commit cyber crimes, but it seems as though our society's values are a little out of whack
Perhaps some of these corporations that are so worried about this kind of stuff should place a little more of the blame on themselves
BTW: I am pointing at the corps. because it is their lobbyists that are pushing for these ridiculous sentences for cyber crimes
Just my $0.02 cents
Re:Lets think about this ... (Score:3, Insightful)
Yes, let us think. In addition to the good points made by limekiller4 [slashdot.org], the following things make online attacks considerably more dangerous than plain theft or vandalism:
You can complain that those are technical problems that should be resolved by technical means -- but I personally would prefer stronger penalties for people who are caught (commensurate with the costs of identifying and prosecuting them) than having arbitrary strangers able to identify me at will over the Internet.
Where did you get 20 years? (Score:2)
Congress seems to have asked a reasonable question: are there situations in which hacking sentences should be based on other things? Are cases possible where it is closer to murder? There are many obvious examples of this, such as hacking into a water dam's control system and flooding towns downstream. Congress asking whether the current guidelines are relevant to these other scenarios is a pretty good question.
Re:Lets think about this ... (Score:2)
But it has been my money before
And I have worked in places where it wasn't my "money", but it was my time
This is why sysadmins are kept on staff
Cyber Crime and other crime (Score:5, Insightful)
$G
IANAL... (Score:4, Funny)
Personally I think we should take a page from Singapore's book and explore the latest options in caning. Nothing drives a lesson in ethics home more quickly than being beaten severely with a bamboo stick by a martial arts master. I would also view caning as an appropriate remedy for spammers violating anti-spam laws, telemarketers ignoring do-not-call lists, as part of a comprehensive package for the last round of fraud-perpetrating corporate CEOs and companies who file frivolous patent lawsuits based on laughable patents.
Graffiti != Network Intrusion, Here's Why (Score:5, Interesting)
When a person writes on a wall (or a "reach"), the owner of the shop might show up and go, "oh crap" and they might very well pay someone a few bucks to cover it up or perhaps do it themselves. The artists' intention is clear -- to throw up some paint and that's it. The paint isn't going to seep into the wall and ruin everything inside, however. It isn't going to pick up the cash register and run off. It isn't going to take every customer's credit information.
When someone breaks into a system -- regardless of their motivations -- the breakee does not know what the intruder has in mind. Maybe it is benign, maybe it isn't, but there is no room to "let it slide." It must be treated as a malicious attack and thus computers must be shut down, customers/students lose services, huge costs in time and effort can and will be expended to purge the system of the problem which often involves what might very well be overkill -- like reinstalling a system or a number of systems because you Don't Know and you can't afford to leave loose ends.
Graffiti and network intrusion would be analogous if and only if graffiti caused the same sort of response. It doesn't.
And in case you're curious as to why I'd be into graf, check [graffiti.org] out [graffitiverite.com] these [puregraffiti.com] sites [eu.org].
Re:Graffiti != Network Intrusion, Here's Why (Score:2, Insightful)
Think about what you're saying!
A shop gets broken into at night and robbed, the thieves used no weapons. The owner of the shop decides to take measures to stop it happening again. Now he could install a metal grill over the windows, or he could go over the top and install video surveillance and hire three armed security guards in case a gang of thugs with guns try and break in.
Now, ask yourself the question, what does his choice of security precautions have to do with the punishment of those thieves?
Absolutely nothing.
Taking advantage of a security hole is like robbing a house with no lock on the door - IT IS WRONG - but no one tries to sue the thief for the cost of buying a lock. Instead, the thief gets punished for stealing.
Hackers threaten computer security! (Score:2)
Which protocol is that? (Score:3, Insightful)
Ignoring for the moment the practicalities of killing somebody over the Internet(!?), doesn't the USA already have murder/manslaughter laws? Why does there need to be special legislation depending on the method employed? Do you have special laws for murder with a knife; with a gun; with a mango?
I'm sure I'll never understand this. In the UK recently, there was a big hoo-ha in the tabloids about the need for "special laws" governing journalistic integrity for material published on the Internet. Why? There are already defamation laws.
Re:Which protocol is that? (Score:3, Funny)
Good questions. All I know is that a whole lot of MMORPG players are totally screwed.
DoJ: "What? You play a paladin in EverQuest? Murderer! We know about that guard you killed in Freeport to get your Soulfire!!! Take him away, boys!"
snicker
--K.
Why not treat it like real life? (Score:5, Interesting)
Having the punishment be the same as in the physical world will eliminate a lot of "Waah, it's not fair, look what they did to the poor 15 year old kid." It will take a lot of people to convince me that breaking into a computer and stealing personnel records is somehow less of a crime than, or different from, breaking into a building and stealing the paper equivalents. By the same token, if a kid thinks it's not ok to spray-paint an office building, but it is ok to deface a website, well, then, that's a pretty stupid kid.
Of course, this is not a black and white issue. In the real world, spray painting a building can be done without breaking and entering. In the electronic world, that's usually not the case - the cracker must break into the system to deface the web page. (Unless, of course, the site has some sort of CGI-based web page update feature with no password set, but that's not too common I bet). Maybe we could make them do something useful, like 200 hours of community service. Or maybe we could have them write the following 1000 times: "L33t haxx0rs are actually dateless retards who, despite their bragging, don't actually drink beer or get pussy."
Short of the defacement of a website, everything else is analogous to real life. Whether you smash a window and steal a file cabinet, or use a root exploit and tar up some data, you're doing the same thing. And since you'll get the same punishment, you'll get (hopefully) thrown in jail for 2-3 years for breaking and entering. This means you'll have a big biker dude named Ripper for your roommate, and when they find out that you did your "breaking and entering" not by using a baseball bat, but rather by sitting in front of a computer drinking Mountain Dew and eating day-old pizza, what they'll do to you will be much more punishment than what the government could ever do to you.
Re:Why not treat it like real life? (Score:2)
Justin Dubs
Re:Why not treat it like real life? (Score:3, Insightful)
"Here's a novel idea - let the punishment be the same as in real life. If you deface a website, you get the same punishment as you would for spray-painting the front of an office building."
On its face, that looks reasonable, but it stops being similar once you scratch the surface.
As others have pointed out in previous replies, graffiti has a very specific threat to the business (eg, virtually none). The relevant question (money) becomes clear when you compare these two questions:
1) If you show up at your local store and find that someone graffiti'd the wall, would you still buy something there, or would you get in your car and leave?
2) If you hit a website for a retailer and find that someone graffiti'd their front page, would you still buy something there, or would you go someplace else?
Interesting choice in misleading links. (Score:5, Insightful)
All that aside, hell no a non-violent criminal should not be locked up. Some other punishment is much more appropriate, like restitution of *real* losses (no making the defendant buy a new security team) and community service, etc.
Jail *should* be for the people that are a physical threat to society, not a theoretical or financial one.
Before the thread runs off the topic, see my website for my position on the death penalty before assigning one to me.
Phone support (Score:3, Insightful)
Re:Phone support (Score:3, Funny)
Or restrict them so that they will only be allowed to have internet access through AOL...
Give them a fitting sentence. (Score:5, Insightful)
Here's a story [wivb.com] about a man who kidnapped, tortured and abused a girl then tried to kill her by injecting her with bleach. His sentence? 10 years - he'll be out in half that time.
Sure, give crackers jail time but make it appropriate for the crime. Maybe 3 months in jail, or probation. When I see someone like Kevin Mitnick get 7 years, and violent criminals who, in my opinion, should never be allowed out of prison get the same sentences, it pisses me off.
One Issue (Score:2, Insightful)
Script Kiddies (Score:4, Interesting)
The thing is with the widespread of software and the internet and technology in general always brings in a high punishment. I think it comes down to you doing what's right. Now I am guessing if most of you see a car with the keys in the ignition you aren't going to hop in and steal it, but if you saw a website with a big vulnerability more of you may be inclined to take advantage of the situation. I think the point that doesn't come home to a lot of people is computers are a part of everyone's lives now, and if we don't respect them, we will be punished.
But in general, technologists have always been risky with the law. If I created a nuclear device for the sake of doing it, even though I have good intentions and no feelings of using it, I would probably be jailed for a LONG time.
Easy... (Score:5, Funny)
Hack me? Nail the fucker to a tree...
Put them in jail and improve the US world record (Score:2)
Why not put them in jail and improve the US world record in imprisonment statistics [kcl.ac.uk]?
Punish the admins, not the crackers (Score:3, Troll)
The Internet's Achilles' heel is its awesome complexity and size. The result is that it's very easy for a group to appear, do damage, and then disappear, and never be traced. Worse still, the ease with which this can be done is itself an incentive - a downtime of DNS, or of a Microsoft server, or of Yahoo, is seen as unimportant, easy, and untraceable, and people - for whatever reasons, be they sociopathic, vengeful, curious, or egocentric - are attracted to perform these kinds of acts.
It's difficult for any reasonable person to know where to begin solving these issues. Traditionally, nailing down machines and networks so they are more secure has been seen as the best approach, but there's little anyone can do about having bandwidth used up by unaccountable "hacked" machines, as is seemingly more and more the modus-operandi.
Attempts to trace crackers are frequently wastes of time, and stiffer penalties for hackers are compromised by the fact that it's hard to actually catch the hackers in the first place. The situation is made worse that many of the most destructive hackers do not, themselves, set up anything beyond sets of scripts distributed to and run by suckers - so-called "script kiddies".
Given that hackers usually work by taking over other machines and coopting them into damaging clusters that can cause all manner of problems, less focus than you'd expect is put onto making machines secure in the first place. The responsibility for putting a computer on the Internet is that of a system administrator, but frequently system administrators are incompetent, and will happily leave computers hooked up to the Internet without ensuring that they're "good Internet citizens". Bugs are left unpatched, if the system administrators have even taken the trouble to discover if there are any problems in the first place. This is, in some ways, the equivalent of leaving an open gun in the middle of a street - even the most pro-gun advocates would argue that such an act would be dangerously incompetent. But putting a farm of servers on the Internet, and ignoring security issues completely, has become a widespread disease.
There is a solution, and that's to make system administrators responsible for their own computers. An administrator should be assumed, by default, to be responsible for any damage caused by hardware under his or her control unless it can be shown that there's little the admin could reasonably have done to prevent their machine from being hijacked. Clearly, a server unpatched a few days after a bug report, or a compromise unpatched that has never been publicly documented, is not the fault of an admin, but leaving a server unpatched years after a compromise has been documented and patches have been available certainly is. Unlike hackers, it is easy to discover who is responsible for a compromised computer system. So issues of accountability are not a problem here.
Couple this with suitably harsh punishments, and not only will system administrators think twice before, say, leaving IIS 4 out in the wild vulnerable to NIMDA, but hackers too - for the same reasons as they avoid attacking hospital systems, etc - will think twice about compromising someone else's system. Fines for first offenses and very minor breaches can be followed by bigger deterrents. If you were going to release a DoS attack into the wild, but knew that the result would be that many, many, system administrators would be physically castrated because of your actions, would you still do it?
Of course not. But even if you were, the fact that someone has been willing to allow their system to be used to close the DNS system, or take Yahoo offline, ought to be reason enough to be willing to consider such drastic remedies. Castration may sound harsh, but compared to modern American prison conditions, it's a relatively minor penalty for the system administrator to pay, and will merely result in discomfort combined with removal from the gene-pool. At the same time, such an experience will ensure that they take better care of their systems in future, without removing someone who might have skills critical to their employer's well being from being taken out of the job market.
The assumption has always been made that incompetent system administrators deserve no blame when their systems are hijacked and used for evil. This assumption has to change, and we must be willing to force this epidemic of bad administration to be resolved. Only by securing the systems of the Internet can we achieve a secure Internet. Only by making the consequences of hacking real and brutal can we create an adequate response to the notion that hacking, per-se, is not wrong, that it causes no damage.
This quagmire of people considering system administrators the innocents in computer security when they are themselves the most responsible for problems and holes will not disappear by itself. Unless people are prepared to actually act, not just talk about it on Slashdot, nothing will ever get done. Apathy is not an option.
You can help by getting off your rear and writing to your congressman [house.gov] or senator [senate.gov]. Write also to Jack Valenti [mpaa.org], the CEO and chair of the MPAA, whose address and telephone number can be found at the About the MPAA page [mpaa.org]. Write too to Bill Gates [mailto], Chief of Technologies and thus in overall charge of security systems built into operating systems like Windows NT, at Microsoft. Tell them security is an important issue, and is being compromised by a failure to make those responsible for security accountable for their failures. Tell them that only by real, brutal, justice meted out to those who are irresponsible on the Internet will hacking be dealt with. Tell them that you believe it is a reasonable response to hacking to ensure that administrators who fail time and time again are castrated, and that castration is a reasonable punishment that will ensure a minimal impact on an administrator's employer while serving as a huge deterrent against hackers and against incompetence. Tell them that you appreciate the work being done to patch servers by competent administrators but that if incompetent admins are not kept accountable, you will be forced to use less and less secure and intelligently designed alternatives. Let them know that SMP may make or break whether you can efficiently deploy OpenBSD on your workstations and servers. Explain the concerns you have about freedom, openness, and choice, and how poor security harms all three. Let your legislators know that this is an issue that affects YOU directly, that YOU vote, and that your vote will be influenced, indeed dependent, on their policies concerning maladministration of computer systems connected to the public Internet.
You CAN make a difference. Don't treat voting as a right, treat it as a duty. Keep informed, keep your political representatives informed on how you feel. And, most importantly of all, vote.
That Depends... (Score:3, Insightful)
Your entire argument seems to depend on legally defining computers as dangerous weapons as opposed to tools.
Tools are unregulated and the owner is not responsible if someone steals their tool and uses it in a crime. If I leave a shovel leaning against the side of my house and someone takes it and uses it to kill someone, I am not legally responsible. Even if I knew that risk existed when I failed to secure the tool.
Guns are regulated and the owners are (somewhat) responsible for the actions taken with them, even by others and even without the owner's permission or knowledge. However, the owner is never held fully responsible for the actions of the person who took and used their gun. And the level of responsibility is negligible unless bodily injury results and there was a minor who has legitimate access to the premises involved.
Somehow, I don't think anyone is going to agree to classify computers as deadly weapons and make the penalties for their unauthorized use greater than those for the unauthorized use of firearms.
NO NEW LAWS (Score:5, Informative)
why we have to treat it any different than in the real world I don't understand...
if a bunch of no-brain-punks smash in the front doors of saxs 5th ave. and spraypainted all over the interior... there are a nice set of laws in place to nail the little idiot bastards.. the same happens when you B&E a website and put your no-skills drivel in place of index.html.. and the same laws need to apply.
the hard part is when the punk is in Guana and the website that was vandalized is in Alaska.. how do you prosecute the little turd without acting like a global government enforcer?
if it happens in your state with a victim and victimizer in the same state... it's easy to prosecute... but 90% of these cases are never that way.
Comment removed (Score:4, Insightful)
We can not use 'menu' sentencing... (Score:2, Insightful)
Sending someone to jail for 20 years for doing the equivalent of petty larceny is a crime in itself. However, if someone brings a major network down and the loss is quantifiable - then they absolutely should pay the price - both in restitution and jail time if appropriate.
Each case has different circumstances, and each punishment should be allocated accordingly.
Why do we need special laws for "cyber crime?" (Score:5, Insightful)
A problem of proportion (Score:2, Interesting)
Of course, graffiti isn't, either. The US costs are around $15 billion a year, which doesn't count things like lowered property values for folks in graffiti-filled neighborhoods. Both forms of expression are anti-democratic and exploitive, much as those of pseudo-anarchist bent would like to think otherwise.
Appropriate punishment? (Score:2)
Web Changes Nothing: Follow Existing Standards (Score:5, Insightful)
The important thing is to prevent and punish people who act criminally, and to counter the popular impression that many "geeks" don't take the issue seriously.
IT is part of the Real World. (Score:3, Interesting)
Bring charges appropriately. Note that you might need to legislate to clarify the scale of the offense in the new setting. As others have already pointed out, defacing a web site in a way that stops it being usable is not just graffiti, it's (probably) nearer breaking and entering followed by deliberate (albeit relatively easily repaired) vandalism.
This can affect charges and sentencing.
If yes, charge those people, too.
More than just graffiti (Score:5, Insightful)
More like breaking into your office to erase every whiteboard in the place and replace them with poorly spelled tags, changing the locks, or just took the door off its hinges, smashing the alarm system, and taking/destroying the gods know what else in the process.
Hacking a website doesn't just mean that the site was changed. Anyone with a lick of sense after an intrusion needs to take a hell of a lot of time and take stock of what they still have, what they might have copied or deleted, and if they left any backdoors so they could get back in and have their little fun. Calling it "just graffiti" shows a complete lack of understanding of information security. There is real damage done when someone "just" defaces a website. It can't just be painted over.
Digital != Different (Score:5, Insightful)
Let's see... hax0r kid defaces web-site.
1. Trespassing.
2. Breaking-and-Entering.
3. (possible) malicious destruction of private property.
If someone logs into your (wide-open, no password root shell) server without your permission, that's trespass.
If someone hacks your server to get in, that's trespass and breaking-and-entering.
If someone changes your web-site, etc., while they're there... that's destruction of property.
There are already well-established laws to deal with these crimes, and those laws have ranges of punishments appropriate for the severity of the offense. Why should special "digital" versions be created when existing laws already work?
This country needs fewer laws, and better enforcement of the ones it already has. More laws simply make more money for lawyers, and more loopholes for the rich and powerful.
Crackers? (Score:5, Funny)
Wait... what are we talking about again?
Cracker spectrum (Score:4, Insightful)
The mildest is the person who breaks into a system, just because he can. He (or she, after all) breaks in, looks around, and leaves before doing any damage, changing anything, or "taking" anything. It doesn't impact any services that the target is providing. True, after any break-in that is discovered, the admins of the site will spend time cleaning it up and making it more secure. And I wouldn't like it if someone broke into my house just to look around. But I don't think that the punishment should be too harsh in this case, perhaps on the same scale as graffiti, maybe a little harsher because of the more expensive "cleanup".
The worst case is the cracker who breaks into a system to destroy or deface it. He changes the way external sites look and destroys information that is vital to those systems and may not be able to be rebuilt. Even a DoS could fall into this category if it leaves the site offline long enough, and is clearly deliberate. These guys should get harsher sentences, both for the public nature of their crime and the potential for data to be lost without hope of recovery.
The middle case is the cracker who breaks into a site and doesn't change anything, but just copies information from the site. In this case, the nature of the information itself and the mindset of the cracker must be taken into account. If the information was something that the cracker would have no way of using, and doesn't pass it on, then that would fall under the "curiosity" end of the spectrum. If the information was something that the hacker could directly use or sell, like credit card numbers or confidential documents sold to competitors, that would fall under the "malicious" end of the spectrum and be punished more harshly. I don't think the cracker should have to actually use the data to qualify for harsher punishment, as long as he had plans to use it. Notice that in this case, it is not necessarily the object that is copied that dictates the severity, it is the cracker's intentions.
The main problem with the way computer crime is punished right now is that whenever an item is copied/stolen, there is the tendency to assign the highest possible value to that item, without taking what the cracker plans on doing with it into account. After all, a confidential document could be worth lots of money to the company it is taken from. But nobody takes the capabilities and intent of the cracker into question; if he doesn't know how to capitalize on the value of the document, how could he be liable for "stealing" that much value?
Yes, I know that someone who steals jewelry in real life and then hocks it for a tenth of its value still stole the jewelry, not 1/10th of it. But when physical objects are stolen, the victim doesn't possess it anymore. When documents are "stolen" but not deleted, the victim still has access to it. Therefore, I think it is proper to assign the "value" of the theft to be how much the value of the document is reduced, not the value of the document itself. And if the cracker doesn't know how to use the document or who to sell it to, how can its value be reduced?
A point on cracking (Score:3, Insightful)
But creating an environment where cracking itself is utterly illegal is the most stupid thing one can think of. First because it will create a situation similar to America in the 20's-30's where nearly all alcohol production was outlawed. By making cracking illegal, one will not stop it but feed the criminal hordes with experienced people and tool experts. What will come out of that is unpredictable. The future cyber-Scarface will not only stop by Chicago and not only restrict his doings in the waters of the Great Lakes.
Besides, making cracking wholly illegal will not give ground to capitalism. It will be the best show of feudalism in modern times, as all "good-netizens" will be utterly dependent on the wills and wishes of a bunch of corporations who will care or discare for their security and/or privacy.
Also it will be a violation of our freedom. I can check up the engine of my car. I can try to fix my washing machine. I have the right to change a light bulb in my living room. But I have to go to jail because some jerk locked up any interactivity of his program with any other system and I need that for my everyday's needs?
What about dumb security models (Score:3, Interesting)
The thing with computers is security is a relative term. It's not something people can visualize like a criminal using a crowbar to break a lock. Instead they visualize someone preplanning breaking into a store, thinking of ways to do it, and then maliciously doing it. And for what? Not to get money to feed their kids, but to be l33t and say they hacked something. Also the fear of the destruction that can be done is enough to warrant these punishments.
Now, what if I have an old version of Outlook, with known vulnerabilities and some 10 yr old runs a script and screws up my company's computers, am I screwed or will the police help me in catching this guy? It's kind of a catch-22 like the DMCA, if it's illegal to do things like pirate warez or file share mp3s that I own to people that don't, why make breaking the security scheme to do so also illegal, in fact, why have that security mechanism even there? Wow I am confused.
Punishment according to damage. (Score:4, Insightful)
I believe that the penalties for merely defacing a website, or cracking into a machine and not actually doing much damage or "stealing" anything should be light. Sure, it is annoying, but it isn't that major.
If someone cracks into a database server and steals credit card information, that is another thing altogether. They should be charged with theft of credit cards (or whatever the actual crime is).
If someone (hypothetically) manages to crack into a computer that controls air traffic radar, and planes end up crashing because of it, they should be locked away for mass murder.
Some of the proposed punishments for computer crimes are quite harsh, treating the perpetrator like a terrorist or violent criminal.
However, someone who simply defaces a web site and writes "I 0wn j00!" on it doesn't deserve to be given more time than a rapist.
"Deterrent Value" is counter-productive. (Score:3, Interesting)
However, there's a real limit to how far analogies can take you. We can't just say "it's like vandalism / theft / graffiti / spying / workplace disruption / copyright infringement" and expect applying the equivalent punishments to produce the best results for our society. There are ways that internet-based activities are completely unlike anything that's come before.
Let's focus on just one of the most important differences between "cyber-crimes" and the old-fashioned physical variety: it's now possible (and easy) for the victim and perpetrator to be in different jurisdictions when the offense is committed.
During the early popularization of the internet, most users were in the US (or its servant-states like the UK), so often enough the vic & perp were under the same set of laws. The FBI was able to haul in domestic hackers like Cpt. Crunch, Bob Morris, Mitnick, and later Mafiaboy. (I think Jaegar was a notable exception)
But is arresting those guys really the best way to protect the US economy? The US government is using guns and handcuffs to protect US businesses' computers from tampering- can we expect that defense to remain viable in the future?
Physical force is not a lasting solution to an electronic threat
(It's like "security through obscurity"- it will work at first, and is easy to implement. But someday the enemies become experienced enough to circumvent that defense, and by then you need real protection)
Threat of arrest only works on perpetrators inside your jurisdiction. "Cyber-Crimes" can be performed by anyone with a PPP stack- which is everyplace with reliable electricity. The US has a powerful law-enforcement/military presence, and with extradition treaties can bump up their effective jurisdiction to cover a majority of the earth's landmass. (Although with reduced precision in the less-friendly or less-developed nations, or where local cops are too busy with violent crimes to go hunting down script-kiddies)
What about nations that are downright non-friendly?
If a Canadian teen can inflict billions of dollars of economic damage in 3 days (and only be caught after public bragging), what about government-sponsored agents in "The Axis of Evil"? Suppose China takes offense at "US imperialists", and assigns 200 CS PhDs to build innovative DOS strategies for e-commerce sites?
Unless we can rely on forming a durable "Pax Americana", with a single organization enforcing a uniform law code across the entire planet, there will always be places for hackers to hide beyond your reach. (The Bush administration wants to create such an empire, but they will fail.)
I would argue that so-called "cyber-terrorism" hasn't happened yet, and will never be a major concern (the small number of computer-operated systems capable of producing enough violent damage to evoke "terror" will be heavily protected, with much redundancy and human oversight).
But "cyber-economic-warfare" is a real risk in the next 20 years, and so far the US government has been allocating serious funds to make the problem worse when it starts to hit.
All of the FBI efforts to strongarm and incarcerate computer pranksters are just reducing our resistance to the eventual onslaught. The government subsidizes insecure software by arresting people who break it, relieving the developers from fixing their own products. Microsoft might not publish such dangerously insecure systems if they faced the traditional punishments that the free market unleashes on inferior products.
Let's privatize computer security! Save tax dollars, and increase effectiveness at the same time. We could reduce the penalty for "hacking" type crimes (or DOS) to the magnitude of a traffic ticket. (Teens cannot commit them with impunity, but companies can't rely on arresting offenders as their sole defense).
(Naturally, using "hacking" to perform any real crime- unauthorized fund transfer for instance, or copyright infringement- should be punishable just like that crime by itself)
Depends on the attitude of the cracker (Score:4, Insightful)
If he/she is a minor, however, I think state of mind should have some sway over the consequences. You'd be surprised just how effective a simple visit by law enforcement personnel can be in "adjusting" the cracker's attitude.
In 1997 I was caught dorking around in school district systems. In my adolescent mind I thought it was all fun and games. Until I was hauled into a room by several very serious looking detectives and interrogated. Bad-cop-good-cop games, the whole works. This was quite possibly the fastest attitude readjustment I've ever experienced.
The detectives, I think, had some sympathy for my plight. His boss wanted to bust me hard and basically ruin my life. I was hauled before the head honcho (don't know exactly who he was or what his title was) and was given a stern lecture. I was asked if I'd ever used drugs or done anything violent. In the end, I was let go with 40 hours of community service to the school district and a warning to not get caught "so much as pinging" the district machines.
When my computer was returned to me from evidence, an entire year later, I found that the detective had upgraded the CPU and put 16 megs of RAM into it. I guess I made an impact on him, as well.
Now, on the other hand, if you've got a script kiddie, and he's whining and bitching and making life hard for investigators, and basically has a "fuck you copper" attitude, then I say... Bust him, throw him in the lockup, and let him think about how much of an asshole he is for a few months. Let him out, and if he does it again, hit him with the full force of adult penalties. Breaking-and-entering, defacement of property, theft of property, the whole works. Fuck up his life and let him figure out why it happened.
I was given a wonderful second chance, and I haven't wasted it. I was just being a stupid kid. People who scoff at the opportunities that law enforcement is trying to give them deserve prison.
Re:Most 15 year olds (Score:3, Insightful)
IT IS A STINKING WEB SITE!!!
Some of these judges need to put life into better perspective sometimes.
the thrill... (Score:5, Funny)