US Wants UK Hacker To Pay To Fix Holes He Exposed 403
bossanovalithium writes "Gary McKinnon, whose tribulations we have followed for several years now, is the UK hacker trying to escape extradition to the US. It appears he is expected to foot the bill for the US Government patching holes his breaching uncovered — to the tune of $700,000. It's not really the norm for someone to pay for exploits to be patched — damages fixed, yes, but this is a very different thing." The article paraphrases Eugene Spafford as saying that the victim of a cybercrime should not take the blame. "If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door." Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?
If he's a hacker... (Score:5, Interesting)
...couldn't he fix them himself? With supervision, I mean.
Re:Well, I've learned MY lesson! (Score:2, Interesting)
Isn't it... (Score:2, Interesting)
"Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?"
No, it's more like making him pay for new locks because he wrote a lockpicking book. The flaws existed, and he exposed them, but it's not his fault that people might use them to perpetrate crimes. If someone tells me how to crack a safe, I'd generally blame the safe's maker for designing that fault... not the person who realized the problem. Eh?
reward him (Score:1, Interesting)
vulnerabilities exist. this is true of all systems, no matter who uncovers them
therefore, an intelligent organization: a bank, a military, a government, will have a system where private disclosure of vulnerabilities results in a reward for the discoverer
if you don't have such a policy, a discoverer might turn to finding reward in your vulnerability with your enemies or criminality instead
unfortunately, the discoverer must consider the possibility that if he divulged the discovered vulnerability quietly, the organization he penetrated might find the least costly solution to the problem to be the the disappearance of the discoverer
such that the most moral and safest approach for a discoverer is to go public with the vulnerability instead. which of course invites the wrath of the organization penetrated. its a no-win situation for the moral discoverer of a vulnerability, such that there is constant pressure on white and gray hats to go black
No, that's just plain silly. (Score:3, Interesting)
This is where dogmatic views and analogies really contrast with technological reality. Those security holes would have existed whether or not he abused them in some misguided and naive attempt at finding info about UFOs. This is clearly a very intelligent person whose skills are of immense value. He just wasn't mature enough to realize the consequences and he certainly wasn't paranoid enough to keep his mouth shut.
It makes no sense whatsoever to lock him up with dumbasses whose greatest accomplishment in life is learning that beating their girlfriends is a bad thing or that guns and drugs don't mix well. What a sad waste of talent.
No, instead, I say: let him pay that $700000, but let him do it in the form of consulting. And fire the idiots who made those security holes in the first place.
Re:There is some logic to it (Score:2, Interesting)
Such laws always come with boundaries. If you walk through his front door, and "trespass", to tel him that, then yes you get the bill. If you manage to tell him without "trespassing", then you don't get the bill.
If you ping a server, it returns a version number that you know is insecure, you don't get the bill. If you login with the default password, you do get the bill. Because logging in is trespassing if you're not authorized to login.
The benefit, of course, to going with "trespassing" is that you get the benefits of existing laws. Someone can accidentally trespass, and appeal to a judge, who can easily say "the private property sign was not properly displayed".
It's not the pointing out an insecurity that's at issue. It's the proving it.
Re:Taking responsibility for ones actions. (Score:1, Interesting)
Firstly, the guy has Asperger's, so he probably wasn't aware that what he was doing was actually wrong until someone told him (afterwards) that it was.
Secondly, these holes shouldn't have been present in such a system up front. The holes weren't patched, the system was incomplete.
If I have a choice, I'm not buying American goods until you grow some balls and admit that you fucked up in this case, and stop harrassing someone else for it.
Re:I have to agree with kdawson... (Score:5, Interesting)
This is not entirely unheard of.
I had someone repeatedly break into my garage and take my gas cans for the lawnmowers and root through the cars for money. Eventually, they took an expensive looking but stock car radio. The time that happened, my then girlfriend walked into the garage to go to work and startled the intruder. He knocked her down and ran but wasn't afraid to come back.
I eventually placed some hidden cameras in the garage and back yard with a dummy camera on the side of the house in plain sight. It took the guy about 5 days to realize the visible camera was a dummy and I got his picture including him rooting through everything and taking crap. I then placed a piece of a set of antique lamps made of sterling silver in the garage but locked them in a cabinet with a window. Anyways, those lamps were valuable enough to make his repeated breaking in worthy of a felony on the crap I could prove he stole alone.
The prosecutor advocated that the guy pay for the security system and cameras that I had to install because of his actions. The judge agreed and order it as part of his restitution. Of course he couldn't pay while sitting in jail, but as a term of his parole, he had to make payments to an account until the costs were paid off. As I understood it, I could have sued him for the costs but doing it this way made it a condition of his freedom which meant I was more likely to get paid.
Re:If he's a hacker... (Score:3, Interesting)
Seems to me that we ought to thank him for exposing the vulnerability and pay him for his discovery as well as any useful work he does to further increase security.
Re:If he's a hacker... (Score:4, Interesting)
It doesn't matter how he got that information: that's breaking other laws, and there are other punishments for it. Also, he didn't create those bugs, he merely used what was already there.
To complete my analogy: I may be a robber, but I'm not the one whose job it was to build a complete wall in that house.
Re:Well, I've learned MY lesson! (Score:4, Interesting)
Very good point except you were probably thinking of N. Korea.
I get really annoyed that people try to discourage hackers from their own country that might be somewhat loyal. I'd recommend encouraging and paying them.
The analogy in the summary is flawed... It's more like suppose there are hundreds of people trying to break into your house every minute--Knocking at the door, twisting the knob, slamming against the door trying to gauge it's strength, ...
Now one kids comes up and notices that you have an open basement window. None of the other attackers have noticed it yet.
The kid climbs in, doesn't touch anything, looks through your old family pictures maybe, climbs back out--
At this point he has a choice to make. Does he let you know that you screwed up, does he walk away, or does he try to sell the info to one of the guys hanging around on your front porch?
What could you do to encourage this kid to make the correct decision?
Out of all the people in the world, you are unlikely to stop them all by punishing them. You're only likely to influence the decisions of the few that are likely to want to help (and make them less likely). That's the only effect this crap has.
Re:If he's a hacker... (Score:3, Interesting)
They're not arguing he's not responsable for the crimes he committed. They're arguing that what the US wants him to pay is the equivalent of a burglar robbing a house by walking through the back door that has no lock, then expecting the burglar to PAY for installing a lock.
Of course, at the expense it's probably also like all he stole was a postage stamp, and not a rare one either.
Re:If he's a hacker... (Score:3, Interesting)
I dont really agree that he should have to pay to fix the holes, but if he took data, which is essentialy property he should be held accountable.
No. Data is not property. It's data. It's not even copyrightable.
Again we need to stop blaming the victim. Just because I leave my car unlocked does not give you the right to steal it or the property inside it. Its still theft. Just like a store. They dont lock up all their merchandise, so that means you should be able to just take it without paying for it? No of course not, its still stealing.
In this case, it's like someone walking down the street with a large hole mesh bag and getting mad cause your crap fell out on the sidewalk and someone else picked it up... then telling the person who picked up your crap to buy you a new bag. Cause you were too lazy or stupid to use a solid bag - or at least one with small enough holes to keep your crap in it.