The Courts Government News

White House Web Page Cracker Faces Prison 139

gregstoll writes "Hacker Eric Burns (alias Zyklon) faces prison, according to this New York Times article (free registration required, of course...)" Meanwhile, according to an Excite News story sent in by lots of people, the DoD is thinking about removing JavaScript and ActiveX from its sites to make them harder for crackers to penetrate.

  • this isn't meant as flamebait, but he deserves it. the stuff he was doing was illegal. it has almost no practical use, other than to show a security hole, and the best way to do that is NOT by defacing the webpage. that's like breaking into a house and trashing it to show that locking your door is a good idea. yeah, it works, but there are other ways.
  • This is, of course, to be expected. All cracking is illegal even if nothing is broken! This guy just hit the wrong site and got caught.

    You must suffer the consequences of your actions, and cracking the White House site is a bad idea...
  • Heya, if we spread the rumor that removing JS and ActiveX will make sites more secure, maybe it'll just go away. Yeah, let's.
  • Is that really necessary? As far as I know all javascript exploits have to do with the creation of nasty javascript on the serverside (redirecting people to fake login pages etc). The client can really do little with javascript from their side. Of course if they are talking about Java and ActiveX well then ummm just ignore everything stated above.

    --codemonky
  • by rde ( 17364 ) on Tuesday November 23, 1999 @04:14AM (#1510680)
    If he broke into computers, he should be punished. But I'm a bit dubious about this 'three years' thing. Computers are no longer a luxury; most people reading this have computers as an integral part of their life. There's also the problem of 'what is a computer'. Can he play pacman in the local retro-arcade? What about a playstation? Can he program his video to record 'buffy' when he's at a parole meeting? Can he take cash from ATMs?
    I could go on. And given the slightest incentive, I probably will.
  • Browsers are too powerful anyway. They should have access to your system the way they do now.


    jackchaos.com
  • how can such a thing be imposed? with everywhere computers are showing up now...fridges...microwaves...toasters....3 years is a long time. Look at where they are now from three years ago! He would be unable to attend school, is THAT what the system wants?
    Not defending what he did, punish him and let him go about his life. If he does it again punish him more severely.
    This isn't like shooting someone and being unable to use a gun for 10 years or something...the puter industry is a little different.
  • by kzinti ( 9651 ) on Tuesday November 23, 1999 @04:16AM (#1510684) Homepage Journal
    I thought the problem with ActiveX was that it was a security hazard for the browser -- the person doing the surfing -- and the browsing system. Ditto JavaScript. Can someone please explain to me how these tools are a threat to the servers and their hosting systems?

    Or is this just the case of some non-tech-savvy DoD security wonk overreacting to something he's read and misunderstood about the security issues? It happened at NASA. You wouldn't believe the trouble we had getting Java code into mission control at JSC, because some misinformed security expert decided that Java == security threat. *sigh*

    --JT
  • by Sun ( 104778 )
    That depends.

    If the 40000$ damages were, even if in part, a result of the White House sysadmins updating security, you can't really attribute that to his crime.

    Charging me for the fixing of a security hole I exploited is ridiculous. The hole is there whether I broke in or not.
  • by BradyB ( 52090 ) on Tuesday November 23, 1999 @04:17AM (#1510687) Homepage
    Sounds like the government is charging the same thing back to the public as it does paying for stuff. Three attacks? How in the world would that equal anywhere near $40,000 in damage. I mean come on now. Unless they are paying someone 300 bucks an hour or something to reconfigure a machine. Oh well I guess I won't be learning how to crack into websites anytime soon. Not that I wanted to do it in the first place, this was enough to discourage me.
  • How will banning the use of Javascript and ActiveX from DoD sites prevent people from hacking DoD servers? Also, how does this help client machines, do they not trust their own servers? The problem with Javascript and ActiveX, is when DoD people use DoD computers (PCs) to surf untrusted sites on the Web. Then Javascript and ActiveX, especially ActiveX, become a security risk. Mobile code is a problem when users go get it from an untrusted site, DoD users should not be doing that.



  • This points to one of the reasons the DoD has trouble securing their sites. They obviously do not understand the technology. FUD rules. Security threat! Security threat! shut down all the servers.
  • by deefer ( 82630 ) on Tuesday November 23, 1999 @04:21AM (#1510690) Homepage
    A few things came up from reading this - the guy seems to think "the punishment is harsh for what he did".
    I don't agree with this punishment for computer intruders, but the law is the law until it is changed by your elected representatives. And if you got caught, then tough tittie. You knew the risks. HNN has an excellent article [hackernews.com] about it.
    Basically, this type of activity is like trespass & vandalism. In the UK, that's more like a slap on the wrist community service type punishment. I'm not going to go on about ethics or morals; that's been done to death and everybody has a different standpoint.
    What would ultimately benefit society more - imprisoning this kid for a year, or making him teach (under supervision) underprivileged kids how to use computers?
  • The Excite article is a little fuzzy on whether the DOD is considering banning (a) code on their own pages or (b) browsers within their network from accessing such code from the open web (at first it seems to be talking about one, then the other). Either way, they say it is not suitable for "high security systems"

    In the case of "(a)", I'd hope that no "high security systems" are accessible from the web. Surely the web servers are not on a network with access to sensitive data?

    In the case of "(b)" the same thing applies. Would they really have a machine with access to both the WWW and sensitive defense info?

    When the DOD talks about "high security" I assume this means as high as it gets anywhere. High security buildings have only one door. This makes it sound like they built a "building" (so to speak) with thousands of doors and now they're lamenting the fact that they can't keep their eyes on all of them at once.
    -
    <SIG>
    "I am not trying to prove that I am right... I am only trying to find out whether." -Bertolt Brecht

  • by dennisp ( 66527 ) on Tuesday November 23, 1999 @04:25AM (#1510692)
    They modified a web page which wasn't on any government controlled network. They broke into what was most likely only the userland -- which means they could only modify web pages. This is hardly worth 3 years of punishment. I blame this mostly on paranoia on the part of the prosecutors involved and the ignorance of the judges who upheld this standard. I'm willing to bet that they also did not delete any files on the system which means that they are not guilty of file tampering or intellectual property damage.

    The only charge which I can see as verifiably true is:

    "All told, the attacks cost the government and businesses more than $40,000, prosecutors said"

    Why? Because they wasted their time tracking this child down when the provider could have easily restored the page. Making examples of people, especially when the penalty doesn't fit the crime, is wrong.
    ----------
  • Hmmm. Reread article.
    I didn't realize it was a removal from ALL computers. Not just web servers. That makes much more sense.

    --Codemonky
  • by Anonymous Coward
    In the Netherlands crackers get caught too, but they only get a warning to stop being a naughty boy/girl. Killers will get in prison, not people who just had a little harmless fun! I used a major Dutch company's ports to send a lot of fake mail and used their servers to get even on this nazi pig I know and when they caught me, all they (the company) did was mail me back to say that they don't appreciate that stuff and ask me to please not do it again (and ended with friendly greets).

    With the government and police it's more serious. The major crackerclubs here got caught now and then and the worst punishment they got was that their computers were taken from them (to analyse) and they had to pay for the damage they did.

    There's not really a big mafia here, we just get along and don't make a big fuss about nothing.

    So much for the American freedom...
  • "If the 40000$ damages were, even if in part, a result of the White House sysadmins updating security, you can't really attribute that to his crime."

    Yes you can. Security holes don't exploit themselves and cause $40000 in damages.

    "Charging me for the fixing of a security hole I exploited is ridiculous. The hole is there whether I broke in or not."

    The charge is not for the fixing of the hole, but for reparations of the damages you caused by exploiting it.

    In most cases the "damages" are grossly exaggerated, but in this case, the whole country has lost face and looks stupid. Imagine going to england.uk (or whatever...) to learn about England and seeing a defaced site. The whole country looks stupid.
  • Interesting that they remove it from their web pages...

    I worked for a company that had military contracts, and our corporate web pages had javascript -- but our firewall stripped out ActiveX/Java/JavaScript from external web sources. With ActiveX/Java/JavaScript the problem isn't usually the server, it's usually the client, right?

    In any case, does anyone remember the _Far_Side_ that has the mother and son dog... the son is in Jail and the mother is visiting, saying ``You shouldn't have chased the _president's_ car'' or something like that...
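
The gateway filtering mentioned in the comment above (stripping ActiveX/Java/JavaScript from external pages before internal browsers see them), sketched as an added example that is not part of the original thread or any product named in it. The policy lists, function names and sample page are constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed policy lists (assumptions for this sketch, not from the thread).
BLOCKED_CONTAINERS = {"script", "object", "applet"}  # elements with an end tag
BLOCKED_VOID = {"embed"}                             # element without an end tag
URL_ATTRS = {"href", "src", "action", "formaction", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def is_script_url(value):
    """True if an attribute value is a script-scheme URL."""
    # Whitespace and control characters are removed before comparing, so
    # "JaVa<TAB>Script:" is caught. This over-blocks slightly, which is the
    # safe direction for a filter.
    cleaned = re.sub(r"[\x00-\x20]+", "", value or "").lower()
    return cleaned.startswith(SCRIPT_SCHEMES)


class MobileCodeStripper(HTMLParser):
    """Re-emits HTML without mobile-code elements, event handlers, script URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []
        self.removed = []  # audit trail of what was stripped
        self.depth = 0     # >0 while inside a blocked container

    def _emit(self, tag, attrs, closer=">"):
        kept = [tag]
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, ... (over-blocks "on*")
                self.removed.append(f"attr:{tag}.{name}")
            elif name in URL_ATTRS and is_script_url(value):
                self.removed.append(f"url:{tag}.{name}")
            elif value is None:
                kept.append(name)
            else:
                kept.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(kept) + closer)

    def _blocked(self, tag):
        if tag in BLOCKED_CONTAINERS or tag in BLOCKED_VOID:
            if self.depth == 0:
                self.removed.append(f"element:{tag}")
            return True
        return False

    def handle_starttag(self, tag, attrs):
        if self._blocked(tag):
            if tag in BLOCKED_CONTAINERS:
                self.depth += 1  # an unclosed container drops the rest: fail closed
        elif self.depth == 0:
            self._emit(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        if not self._blocked(tag) and self.depth == 0:
            self._emit(tag, attrs, closer="/>")

    def handle_endtag(self, tag):
        if tag in BLOCKED_CONTAINERS:
            self.depth = max(0, self.depth - 1)
        elif tag not in BLOCKED_VOID and self.depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.depth == 0:
            self.out.append(data)

    def handle_entityref(self, name):
        if self.depth == 0:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if self.depth == 0:
            self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        if self.depth == 0:
            self.out.append(f"<!{decl}>")
    # Comments and processing instructions are dropped (default handlers do nothing).


def strip_mobile_code(page):
    """Return (filtered_html, list_of_removed_items)."""
    parser = MobileCodeStripper()
    parser.feed(page)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample page: a plain CGI form survives, mobile code does not.
SAMPLE = (
    '<html><body onload="track()"><h1>Status &amp; news</h1>'
    '<script>window.open("/ad")</script>'
    '<object classid="clsid:CONSTRUCTED"><param name="x" value="1">'
    '<embed src="a.swf"></object><applet code="Demo.class"></applet>'
    '<a href="JaVa\tScript:void(0)" title="t">link</a>'
    '<form action="/cgi-bin/feedback" method="post"><input name="q"><br/></form>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, removed = strip_mobile_code(SAMPLE)
    print(clean)
    print(removed)
```

The server-side form still works after filtering, which is the point several commenters make about CGI not being mobile code.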

  • by Hard_Code ( 49548 ) on Tuesday November 23, 1999 @04:30AM (#1510697)
    "this was enough to discourage me."

    Maybe that was the point. Also, how do you quantify in monetary numbers the effect of a country losing face and looking really stupid to the whole world. What if the hacker put up something really inciteful, like slurs against other countries?
  • I admit to not knowing that much about this case, and don't have time to register for the NYT; but what that cracker did was illegal - so surely he should be punished?

    I'm all for looking around interesting boxes on the net, but surely he must have known that whitehouse.gov is another matter, and he must have known beforehand that the consequences would be very severe.

    IMHO, in a more general sense, if you choose to compromise a computer, that's one thing, but when you change the HTML, that is just plain stupid. It's the electronic equivalent of putting graffiti on a wall: if your real information (name, address etc) becomes linked to your handle, you are in the shit. The electronic sense is even more stupid though, there are logs.

    It also seems that an example is being made here. If you tread on the toes of any .gov or .mil, it is highly likely that one day, you will be caught, especially if you are in the US.

    Security has two sides: learning it, and becoming extremely knowledgeable to the point where you are highly employable, and the more sinister side of defacing web pages. I'll let you figure out which one to choose.

    To me, this seems like justice.

    Aieeee, the time.
  • by h2so4 ( 33298 ) on Tuesday November 23, 1999 @04:31AM (#1510699)
    I admit to not knowing that much about this case, and don't have time to register for the NYT; but what that cracker did was illegal - so surely he should be punished?

    I'm all for looking around interesting boxes on the net, but surely he must have known that whitehouse.gov is another matter, and he must have known beforehand that the consequences would be very severe.

    IMHO, in a more general sense, if you choose to compromise a computer, that's one thing, but when you change the HTML, that is just plain stupid. It's the electronic equivalent of putting graffiti on a wall: if your real information (name, address etc) becomes linked to your handle, you are in the shit. The electronic sense is even more stupid though, there are logs.

    It also seems that an example is being made here. If you tread on the toes of any .gov or .mil, it is highly likely that one day, you will be caught, especially if you are in the US.

    Security has two sides: learning it, and becoming extremely knowledgeable to the point where you are highly employable, and the more sinister, less knowledgeable side of defacing web pages. I'll let you figure out which one to choose.

    To me, this seems like justice.

    Aieeee, the time.
  • by jyak ( 112533 )
    After reading the article, it states that JavaScript poses a security risk. I was wondering if anyone could explain to me how JS poses a threat on web pages.
  • "Could the end of the world come about as result of some 12-year-old with his new Gateway rather than the more conventional Judeo-Christian four horsemen?"

    We all know the end of the world will be because of Y2K. Sheesh...get a clue ;)
  • I'm just waiting for their announcement that they are removing all HTML from their website to improve their security.
  • I've never liked Javascript ever since it became too popular. Personally my Netscape has Javascript disabled, simply because too many sites pop up lame consoles without my permission and it annoys me to no end.

    I view websites as repositories of information, not entertainment theatres. If you want "interactive" entertainment, you can always download Quake :-) or go to the arcade. But when I search for useful information on the Web, the absolute last thing I want to see is a site that takes forever to load, pops up endless consoles with irrelevant ads/notices/whatnot, cluttered with useless animations and "interactive" crap. Give me a break, just deliver your goods! (If you have anything other than those useless crap, that is.) When I'm looking for something, sites with Javascript, ActiveX and what-not just don't fit the bill.

    I realize that many people browse the web just for fun, so these things serve more like curiosities than annoyances. But to me, there are cleaner ways to do this than with JavaScript, or ActiveX (with all its security flaws). But technicalities aside, I still think it's utterly rude for an unsolicited, irrelevant console to pop up every time I load something from a particular site.

    Also, the article seems to be making the claim that HTML forms will not work if they ban Javascript?!?!?! Come on, people, CGI is NOT "mobile code", which is the question at hand! Banning Javascript is a good thing. Your CGI scripts can still work (or use Java servlets instead, if you're paranoid about security. Not that that is much more secure, though). Just cut that useless Javascript crap from your pages, the net (IMNSHO) will fare better without it.

  • by Bronster ( 13157 ) <slashdot@brong.net> on Tuesday November 23, 1999 @04:34AM (#1510704) Homepage
    I thought the problem with ActiveX was that it was a security hazard for the browser -- the person doing the surfing -- and the browsing system. Ditto JavaScript. Can someone please explain to me how these tools are a threat to the servers and their hosting systems?

    In this case I'd say it is because of internal use. Consider Internet Explorer - most people these days use it - holy wars aside, it is the best browser for standards compliance that's available now. You can set security for 4 different areas:

    1. Internet
    2. Local Intranet
    3. Trusted Sites
    4. Restricted Sites
    Their servers are likely to be in either (2) or (3) for most internal users, i.e. "dangerous" stuff will be allowed to run.

    This allows your average "script kiddy" hax0r to break in and change some Javascript or ActiveX code and cause more damage than if the browsers are set to not trust the servers.

    It does sound a bit far fetched though, since it doesn't stop the original defacement.

    There is always "server side Javascript" in the Netscape server and other server side CGI and ASP style code that can introduce security risks, but that's not what they say.

    You wouldn't believe the trouble we had getting Java code into mission control at JSC, because some misinformed security expert decided that Java == security threat. *sigh*

    I'm actually quite impressed with the idea of Java, designing a language which is safe enough to use in most environments. It's still open to denial of service risks for the client (and the issue of trusted providers, but that's another rant entirely).

    I just wish that the authors of the security nightmares mentioned above had the same commitment to safety over creeping featuritis.

    Bron "Windows is the sandbox, just store important data safely somewhere else" Gondwana.

  • by fizik ( 64754 ) on Tuesday November 23, 1999 @04:34AM (#1510705)

    15 months for breaking into a computer. What's the going rate for assault and battery, probably close to the same. I'm sure that people have gotten 15 months plus/minus for manslaughter. Let's look at the damage that was done here, someone posted 'j00 h4v3 b33n 0wn3d' with a list of names at the website. And now White House officials are screaming and yelling that he caused two days of downtime to their internal and external networks. I'm not a sysadmin but I know enough to be able to say that a hacked webserver should not affect a well built network to that extent. Plus, this kid is 19 years old. In our current day and age, let's be happy that he was messing around in front of his computer rather than planning to bomb his school. What will 15 months in jail teach this kid, do you really think he will come out with some positive reinforcement.

  • Just a quick correction:

    He did not deface the Whitehouse webpage. He denied it, he knows who's responsible but refused to name them. (read Hackernews, www.hackernews.com) as an example.

    I don't like the idea of limiting him to "3 years without a computer". I think that the laws are very vague on the definition of what a computer is. Can he use an ATM machine? Work at McDonalds? Or operate any Point-Of-Sale system for that matter? Prison is supposed to reform prisoners, but denying someone computer access (not internet access) is like denying someone a way to make a living, and a lot of good that does to help them fit back into society again.

    -=- SiKnight
  • The DOD's classified systems are NOT connected to the internet now. The systems that are getting cracked are just web servers. They also use very strong encryption on their classified networks - remember, the NSA works for them.
  • there once was a time and place for system hacking/cracking, but it is no more... if you're interested in security, play with your own machines, or do something useful with their skills. of course, there is one resource available to these snot-nosed script kiddies that wasn't available before. that is the ability to crack systems with little or no knowledge of the inner workings of the system. it's kinda frustrating to look back and think about the time put into a problem in the "old days" and to see these kids using windows and "xploits" or whatever to crack remote computers in a matter of minutes.

    out.

    --bc
    ------------------------------------------
    the amazing bc
    latin/funk flugelhorn & trumpet
    webnaut, music junkie, sysadmin from hell
  • really, just to put this in perspective. This is the equivalent of breaking into a store with a scrolling electronic sign and changing it to say ---> get your gay sex toys in here -----. It says he can be facing up to 15 months in jail as well as the extremely large fine. People who get charged with assault with a deadly weapon or attempted murder get similar sentences.

    Granted crimes like fraud carry stiff penalties as well. This is different in that they weren't dealing with material that had any much value. Seriously, it was the whitehouse web site -- not some mission critical army operations system.

    It's not likely that this kid will serve that much time, but I'm still furious that they can attempt to take 1.5 years away from someone's life for manipulating a web page. If it was ebay where they would be losing thousands a second, maybe. The whitehouse web page? I seriously doubt it.
    ----------
  • Unless he wanted to go to jail...

    Who in their right mind would try to do that? Isn't it basically akin to walking up and spray painting the white house?

    I know what would be worse than jail for this guy, make him watch some "educational" videos on how hacking is "bad".

    Or let Clinton boot him like the aussies tried to do on the simpsons...
  • and when was the last time someone got 15 months for spraying graffiti, and be banned from using any kind of paint for 3 years?

    //rdj
  • I don't know why, but lately people don't know how to differentiate these two words.

    Hacking originally was smart solutions for problems. (for example the coke-machine trick)

    Hacking and entering is when a hacker enters a system, reads and changes data. I.e. you hack a website, you don't crack it.

    Cracking has always been to crack copy protection. Cracking has nothing to do with hacking.

    Lost Carrier

  • Questioning the decisions that Government makes, and the laws they pass, is supposed to be a central element of a functioning democracy. Yet if we're supposed to remain silent when it seems that those laws have led to bad or inappropriate consequences, the whole exercise is futile.
    --
  • Quote from Excite article: But without the popular code, Web sites become largely passive and unable to deliver the most basic interactivity.

    Just what exactly is 'interactivity' defined as here?
    Most 'interactivity' can be achieved through well-coded HTML/forms and server-side code such as PHP3 or perl (hell, even a shell-script with CGI).
    Perhaps 'pointless memory-hogging eyecandy' might be a better expression for most of the 'interaction' that Javascript/ActiveX offer ;)

    ... if it doesn't work with lynx, it doesn't work at all, IMHO.
    --
  • Yeah, that was very confused. I also couldn't see why people were worried about DOD sites not being 'competitive', whatever that was supposed to mean. I don't see that the military really should be involved in any kind of war for eyeballs (pun intended, and it made me cringe, too), so what does it matter? It's not like they need to make $$$ from their sites...
    • They have to do their security home work anyway, so there's no reason to blame the cost of securing their network to the h4x0r.
    • I know good sysadmins are expensive, but $40k is quite high a price to restore from back up.
    • ALL the cases of computer crimes have over-inflated damages. Like, when Sun claimed Mitnick had cost them $100k by stealing the Solaris source code, whereas they're now giving it away to students, and had anyway source licenses for much less at the time.

    --

  • The Department of Defense is considering banning all JavaScript and other mobile code from
    military Web sites because the tools could pose a security risk to its computer systems.


    If they want to keep security tight they should disable ActiveX and JavaScript on the workstations used to access at the DoD. Banning scripting on their web pages will do nothing. After all if a hacker breaks into a site the hacker can easily add a script to the site.

    "Your sites will end up being less competitive overnight," Plummer said, adding that a
    complete ban on all mobile script capabilities could lead to a Web presence that does not
    permit online chats or the filling out and sending of online forms.


    This is totally wrong. You don't need client-side scripting to make chat rooms or fill out forms. Server-side scripting (CGI for example) is adequate. Sure you can't make a stupid little bear dance across the screen but who cares?

    To give an example the tripod chat at chat.tripod.com even works with Lynx. So much for needing JavaScript or ActiveX.

    In any case if you want to protect security disable ActiveX first. It basically allows anything to happen to your computer without your knowledge. Disable Java and JavaScript later. Some code might exploit a security hole in Java and might be able to cause some damage.

  • by Anonymous Coward
    There are two interesting pieces here, one, the government is obviously trying to save face and stave off some future attempts. Second though, and more interesting to me is that here is an example of some kind of reasonable thought happening, in that they gave Java and ActiveX a shot, found them insecure in the implementation they needed and are re-evaluating the validity of their use. Neither MS or Sun or anyone's spin team are able to talk their way out of reality and in the end this hack does show that. In reality the defacement hack should be a warning that more serious attacks can be made while the current setup exists. I believe that this makes putting him in jail a bit of an extreme response, punish him, sure, but see the light of his actions and their implications in regard to your systems.
  • Perhaps he should have had a look at this article [hackernews.com] before handing the feds a confession...

    Anyway - 15 months for a defacement??? OUCH...
  • by redd ( 17486 )
    > The whole country looks stupid

    as a result of one individual who was brought up in that country. It's a bit harsh for some casual graffiti.

    I imagine the $40,000 accounts for a massive investigation into finding the culprit so they could save face. They probably went on to prepare their legal case on the subject before even contacting the culprit.

    Rather than do what most ISPs who suffer a cracked site would do, which is to just patch the hole, get the original site from backups, send a complaint to the upstream provider it came from, possibly block that provider out for a while and compensate the owner of the site if they get arsey about it. That's 2 hours work by one techie (eg $50). These things happen and there's not much you can do about it.

    But no, whitehouse.gov is petrified of the teenagers they failed to educate (where $40000 would be more useful). unwise and stupid.
  • actually, I think the punishment makes them look MORE stupid.. a LOT more.

    //rdj
  • Form handling and interactivity require Javascript and ActiveX? Maybe the GartnerGroup really are bunch of Microsoft stooges. Hasn't he ever heard of PERL? HTMLScript? PHP? C/C++? Director? Etc. (and sorry for the others I missed)? Which time capsule did this guy crawl out of that he thinks interactivity requires Javascript and ActiveX? Get a grip Plummer!
  • Form handling and interactivity require Javascript and ActiveX? Maybe the GartnerGroup really are bunch of Microsoft stooges.

    Hasn't he ever heard of PERL? HTMLScript? PHP? C/C++? Director? Etc. (and sorry for the others I missed)?

    Which time capsule did this guy crawl out of that he thinks interactivity requires Javascript and ActiveX?

    Get a grip Plummer!
  • but what that cracker did was illegal - so surely he should be punished?

    No! You've got it completely backwards. Laws aren't the word of God. They're just a bunch of letters and numbers on a piece of paper.

    Just because something is illegal does not mean it's wrong or that someone "should" be punished for doing it. The government is supposed to create laws to help protect the rights of the people. But lately the whole thing has just fallen apart. Everything's upside-down; instead of protecting and serving us, the government is abusing and harassing us.

    It also seems that an example is being made here. If you tread on the toes of any .gov or .mil, it is highly likely that one day, you will be caught, especially if you are in the US.

    Do you think it's right that the government should be allowed to "make an example" of us? The government is supposed to have fewer rights than the average citizen does, not more.

    Where I come from, someone who takes advantage of weaker people is called a "bully". But apparently, if you're in D.C., bullying is not only tolerated, but encouraged.

    Someone who defaces a government web site should get a small fine to cover the costs of restoring the web site. No jail time, and no forfeiture of other civil rights should be imposed.

    To me, this seems like justice.

    To me, this seems like a police state.

  • A lot of people have posted that they don't know how javascript can pose a security risk to the server side, and I agree with them. However, on the client side, it is an entirely different matter.

    A friend pointed me to a web site that had at least 30 pages each with a different evil javascript on it. Most of them were slightly annoying, but at the time, one of them could read files from your hard drive and display them in your browser window.

    If you have ever gotten stuck in a porn site that you can't get out of you know what I mean. They have java script set to open a new browser window (or two of them) whenever you close one. This one is fairly easy to fix by disabling java script and then closing the window.

    One of the evilest hacks on this site was one that made your window jump around. Java script allows the webpage to some location. Somebody got the bright idea of calling moveWindow(currentX + random, currentY + random) where random was between like -5 and 5. This made the window jump around like nothing else. You couldn't close the window because it was just about impossible to click on the x in the corner, nor could you access the menus for the same reason. The only thing to do was to end the browser process (which took a while because the computer was busy moving the damn window around).

    Too bad more sites don't use it, or everybody would disable javascript.

  • but what that cracker did was illegal - so surely he should be punished?

    But the punishment should fit the crime. 1.5 years in jail for defacing a web page is like executing someone for having cigarettes underage (OK, those are necessarily equivalent, but you get my drift). This isn't even a money-making organization... if it were someone like ebay or e*trade I could understand that there were monetary damages, etc. and it would seem at least a little reasonable (but not really). There is no reason for the govt to be doing this except that he made them look like idiots, and they don't like it, though I don't see why they don't just get used to it, seeing how often it happens. :)

    That said, breaking into the White House's web page is pretty fscking stupid. If he was smart, he would have posted the vulnerability to Bugtraq (along with a working 'sploit), got a lot of publicity, and someone else could get busted for actually using it. Oh, well...
  • Yes, what he did was illegal (and colossally stupid -- poke a grizzly in the eye and you'll probably get mauled), BUT the severity of the sentence (and of sentencing requirements) for cracking into web sites is completely out of line with the seriousness of the crime.

    1) If someone "breaks into" a computer it is not the same as breaking into a person's home. There is no physical threat present, and monetary damages have other avenues for recompense.

    2) A government or corporation operates on a completely different fiscal scale than an individual. $40,000 in damages to a large corporation is tiny (even microscopic when the government, with its $5 trillion budget, is the target). Whereas for an individual that is a lot of money -- often more than one makes in a year. It is bad enough that corporate America is the recipient of enormous tax breaks, development grants, and other forms of corporate welfare, not to mention preferred status when it comes to legal and economic rights, but to equate a $10,000,000 corporation's $40k loss with an average individual's $40k loss is really absurd.

    3) Most of the "damages" this particular cracker is being accused of amount to fixing security flaws which already needed fixing. How would it have been if, instead of a punk teenager, cybersquadrons working for Slobodan Milosevic had cracked the site instead? They needed to fix their security regardless of what this kid did -- the only "damage" they can reasonably accuse him of causing is the time needed to recover the old web pages from backup and put them back on the server. The rest was work they needed to do, anyway -- sticking this cracker with the bill is extremely unjust.

    4) Oh, they didn't have backups? Well, to blame that level of stupidity, incompetence, even negligence, on a cracker (however malicious) goes well beyond absurd.

    Cracking is wrong. It should be punished. But to equate it with real-world breaking and entering, and to argue that financial damages which are minuscule to a large corporation and governments are the same as those for an individual of modest means and should be punished the same, is to toss justice to the winds and replace it with an ugly form of modern corporate witchburning.

    Alas, while cruel, this kind of crushing penalty for individual misdeeds against a large corporate or government entity is hardly unusual in this country, so it is unlikely that this cracker will succeed in appealing his sentence on the grounds that it is "cruel and unusual."
  • So-called Windows freaks

    I thought anyone who chooses to use Windows was a freak ...
  • Imagine going to england.uk (or whatever...) to learn about England and seeing a defaced site. The whole country looks stupid.

    Yes -- the country basically sends the world the message "we're too stupid to stop script kiddies from defacing our web sites".

    This whole thing reminds me of an old Simpsons episode: the one where Lisa steals all of the Teachers' Editions of the text books. The whole school comes to a screeching halt because none of the teachers know anything about the subjects they're teaching. In the end, she has to write "I will not expose the ignorance of the faculty" (or words to that effect) over and over.

  • And this was "Insightful" how?

    Browsers are too powerful anyway.

    Oh good, an unfounded opinion with no supporting evidence...

    They should have access to your system the way they do now.

    ...followed by an incomprehensible statement. So either you don't want things to change at all, you're missing some key words in there, or you're using "now" to mean two different timeframes.

    As a comment this isn't too far from the average /. comment posted here. But it's definitely not "Insightful". I've read it five times and still have no insight into what the author was getting at.

    [even more OT] While I'm ranting, what's up with everybody cutting and pasting their signatures at the bottom of their posts? If you have a /. account, you can put your signature in the space provided on your user page. Then other readers can turn off signature displays in their user profiles, and not have to download and view signatures. If everybody just pastes their signature lines at the bottom of their messages, then the system doesn't work.

    OK, I think I'm done now.

  • ...because if internal web pages require ActiveX or Java for navigation, most users will leave those features switched on all the time, even when surfing untrusted sites.

    If internal sites no longer require mobile code to be executable, then it will be easy (well, easier) to disable those features in the browser permanently with little impact on legitimate use.

    Maybe I'm judging too harshly, but hey, I've just been asked to spell 'ls' by one of my users...
  • I think you're missing the point. It's not a matter of what's *fair* or what's right... The government wants to make a statement of "You hack our websites and you will get more than a little slap on the wrist" And I'm all for it.

    Your analogy of changing the electric sign in a store doesn't fit here because we are not talking about him hacking some department store website, he hacked the White House website. Try making a series of obscene phone calls to Jane Doe and then do it to the WhiteHouse. Would you expect to receive a harsher penalty for the former or the latter? Let's face it, hacking the White House is not the act of a well centered, mentally balanced individual.

    I think if you are stupid enough to hack the White House website then you deserve whatever you get. If you don't want to get fined and go to jail then act like a responsible human. It's really not that hard to do.

  • The notion of people reforming in prison is nice, but it just doesn't happen. Yes, you see the occasional article about it, which is exactly the point: it's so rare that it's newsworthy when it happens.

    Prison renders criminals incapable of committing crimes for some period, and it punishes them. The criminals that do go straight usually do so because, in a moment of lucid thought, they realize that if they don't commit any more crimes, they don't have to go back! This is obvious to most of us, but a revelation to a large portion of the population in question.

    This doesn't mean that we shouldn't try to teach them useful skills: this changes the choices that they're making about whether or not to commit more crimes. But for Heaven's sake, please don't put the white collar criminals in the same prisons with the regular folks--we don't want them cross-pollinating.

    While I'm at it, prison *is* cost effective for felons. I wish that I had a nice cite for it handy, but studies have shown that the financial losses alone from the crimes committed by felons are lower than incarceration costs. We pay taxes to lock them up, but while loose, they inflict a random tax.
  • "Questioning the decisions that Government makes, and the laws they pass, is supposed to be a central element of a functioning democracy."

    *sigh*.
    I was actually trying to imply this; I didn't think /. readers needed me to type a few extra paragraphs on the basic process of democracy and lawmaking - you have proved me wrong. But at the end of the day, it is the "elected representatives." (my words from original post) who will effect the change in the law, not you or I. Unless you're a judge! :) Although I'd like to think the legislative changes are at our behest.

    But hey, that's your definition of democracy and not mine. I'd go further to state that my definition of democracy would also encompass a bit more influence on Government than mere "Questioning" - I'd like to think that they may actually take the feelings of the populace into consideration...

    This isn't just a personal rights issue, it also incorporates business law. Which I suppose is the great pity - who can shout the loudest? Huge companies with expansive expense accounts vs a bunch of [geeks|nerds] - see recent articles :) with a few laptops... Hmmmm... And we all know how much respect politicians have for judges and courts... Jeffrey Archer, anyone?
  • True, I could have gotten the interactivity for the exercises in my [shameless self-promotion] Russian alphabet [best.com] and chmod tutorials [best.com] with server-side scripting, but that would require a connection to a server.

    By doing it in JavaScript, I can offer the tutorial as a downloadable file that can be used off-line at hard disk speeds -- we don't all have T1 lines into our houses, you know.

    I must confess that I do open up a sub-window in part of the Russian tutorial for the audio player control. Now if only I could add some really annoying animation. :-)

  • I'd think the security hole is the use of IIS, not ActiveX/JScript. It's probably the most, and most easily hacked server software on the planet. If they are trusting security to NT/IIS I believe it is the sysadmins that deserve prison time. Remember, the only real security is made with scissors.
  • Sod 15 months.. I'm sure anyone that tried to graffiti the side of the White House wouldn't make it as far as the driveway before becoming a disfiguring red stain on the wall.
  • Exactly my friend. I could be cynical and say "Only in America" (hopefully I'm quoting from the Simpsons correctly as I intend), but I'd rather say "What is this world coming to?". If he gets 15 months for this, I wonder what this would scale a prison sentence for murder up to? 50 years? Something more realistic and reasonable. Despite all the advertising in the UK, crime does pay, so why the hell am I being a good, honest citizen?? This makes the concepts of justice and judicial systems a farce IMHO.
  • if the whitehouse folks are (or were) using something blatantly insecure in the first place, like FrontPage extensions... From what I've read about others' experiences with this, getting cracked as a result is not only trivial, but arguably deserved imho :o)

    Also, if this is indeed the case, it doesn't take a web page defacement to gather that they're stupid anyway.


  • "All told, the attacks cost the government and businesses more than $40,000, prosecutors said"

    People are forgetting the fact that not only did they have to clean up the cracked web server (a simple task) but also ensure that he had not attacked other systems - this is the costly part of a cleanup. Repairing the actual damage is often very easy but first you have to ensure that you've found all the damage otherwise your cleanup effort is wasted when the crackers come back next using the security holes they created on their first visit.
  • Hmm -

    admittedly the punishment does seem a bit steep for the crime. However, there are a couple of aspects of this that need to be considered:

    1> You've got to send a message now, that that kind of behavior will not be tolerated. It needs to be made clear that it is illegal, and you will be punished _severely_ if caught. This helps deter repeat offenders - and occasionally inspires more offenders who are irate about how big brother came down hard on some fool who broke the law.

    2> Equating it to real world breaking, entering and vandalism is perfectly correct. Think about it, if I break into egg-head or buy.com - that is their only store-front. They are completely virtual, they have no real-world stores. If you vandalize, or crack the system to get yourself some cool stuff - that is just as bad as real life. To continue operating under the apprehension that virtual == not real means that online businesses, and citizens are always second class, and not necessarily afforded the same rights as their IRL counterparts.

    When you say there is no physical threat, I think you severely underestimate the possibilities. Much of this depends on what kind of system I break into - but the possibility exists for theft and larceny on a grand scale. Those crimes are punishable by long prison terms, and large fines. Poking around government sites, and grabbing info from them, and confidential corporate information can result in some very serious physical threats. You may unknowingly be threatening hundreds or thousands of people's livelihoods, or revealing information which leads directly to physical action being taken by certain individuals....

    In this case - none of that occurred. But you've denied the fact that it could have.

    3> When you read the article, they mention that he broke into several sites - and he's being punished with a $36,000 fine. If you figure around 5K damages to each site that's not unreasonable - as it represents the damages caused by lost functionality during the time the sites were vandalized, and the cost of restoring from backup - and probably a week of some engineers time to patch the security hole. Personally, I think the prison term of 15 months is enough, and would forgo the fine - but don't even imagine that 36K is _unreasonable_.

    - PW
  • by um... Lucas ( 13147 ) on Tuesday November 23, 1999 @06:58AM (#1510756) Journal
    I completely agree with you here. By now we know that webservers are not the most secure of systems. We don't need it proved anymore. A simple email to the sysadmin would probably accomplish the same goal, if said goal were to notify people that their sites were insecure.

    Aside from that, this is the White House's website. It's not just Joe's Site About His Pet's.com. It's the whitehouse. The fine for spraypainting the side of a building in New York is probably much less than that for spraypainting the whitehouse. I know it's not the same, but an example needs to be made.

    If someone does that, and expects that the FBI isn't going to be involved and that he's not going to be tracked down and therefore he won't face any consequences, well, this is Darwinism at its finest.
  • As far as I could tell from their interview on Slashdot not too long ago, this was the Cult of the Dead Cow's view also. If anyone should know, it's them.
  • Do you think it's right that the government should be allowed to "make an example" of us?

    If "us" refers to crackers, then yes.
    I stand by my view that if you break into a system, then change the HTML, you really must have an urge to experience the justice system.

    Just look at the Attrition (or any other) mirror. Do these pages, complete with their 31337 talk demonstrate any sort of desirable qualities?

    Someone who defaces a government web site should get a small fine to cover the costs of restoring the web site. No jail time, and no forfeiture of other civil rights should be imposed.

    I'm pretty sure anybody who hosts a web page, and has been the victim of these attacks will disagree with you. You don't have to break in, do you? No matter how "cool" it may look to your fellow 3133 h4x0r friends.

    No! You've got it completely backwards.
    Nah, I'm pretty sure that's the right way round. You break the law, you get punished. Maybe 15 months is harsh for changing a website, but come on...nobody is forcing you to.
  • by Fastolfe ( 1470 ) on Tuesday November 23, 1999 @07:21AM (#1510759)
    I'm not a sysadmin but I know enough to be able to say that a hacked webserver should not affect a well built network to that extent.

    When something like this happens, the admins don't just go "ho-hum, let me just fix the web page.." The system likely had been root compromised. This automatically means the system in question needs its OS rebuilt from scratch. As this guy had root-level access to this system for a time, and his intentions were obviously less-than-honorable, it's also quite likely other systems on this network were compromised in a similar fashion.

    Intrusions like this cost people money. They have to shut down their network connectivity (to prevent access to other potentially compromised systems), rebuild the operating systems on the affected machines, restore the content, and then restore connectivity. This is not cheap.

    Now, I'm not going to argue about the differences between prison sentences with other crimes. Instead of comparing it with violent crimes as you seem to want to do, compare it with real-life charges similar in scope. Specifically, compare it with breaking into a U.S. government building and damaging/destroying property. I believe you'll find a similarity in sentencing.

    It always boggles me that there are so many people on Slashdot that go out of their way to defend kids like this when they clearly did a premeditated intrusion into a private system/network with the intent to cause damages/harm. He should be punished, just like all of the other l33t packet kiddies out there who do the same thing on a daily basis.
  • (They're my favourite consulting firm. Really. Very entertaining when there's nothing else to read.)

    But without the popular code, Web sites become largely passive and unable to deliver the most basic interactivity.

    I dunno: many of the sites I visit (and the ones I implement) seem to manage fine without any mobile code whatsoever.

    Dave Plummer, a vice president for Internet and Java at the GartnerGroup consulting firm, noted that without any mobile code capabilities, DOD Web sites would become much more static than standard corporate Web sites.

    This is a bad thing?

    "Your sites will end up being less competitive overnight," Plummer said, adding that a complete ban on all mobile script capabilities could lead to a Web presence that does not permit online chats or the filling out and sending of online forms.

    (a) Untrue; (b) Since when was the DOD competitive?

    BTW: has anyone seen mention of any kind of class action lawsuit against MICROS~1 for their criminal negligence in design and implementation of security models in their internet and web tools?

  • In more usual crimes like physical vandalism or arson, laws are needed to prohibit them because there's no other way to stop these crimes. (There's no such thing as totally spray-paint resistant walls, for example.) Laws are meant to stop crime by punishing it. They are not perfect.

    In recent years, the same philosophy has been applied to information crimes like hacking. The difference is that there is such a thing as a hack-proof web site. If the goal is to stop hacking, the best way to do it is to make your web site hack-proof, not rely on the incredibly inefficient legal system as a deterrent. (inefficient: how much does it cost for the judge, court staff, courtroom, lawyers, etc. to prosecute a single case?)

    As society changes, legal philosophies need to change too. (c.f. the FSF. :-)

    As a side note, 15 months in prison? For a 19 year old who was able to put some files on a disk in Washington because the web site designers didn't do their jobs correctly? How many lives did he put at risk? Give me a break.
  • Perhaps it cost a bit to figure out *where* the initial entry was made? Even if you bust a guy and extract a confession, it may not be complete...

    ...and if you have a box cracked, I'd *hope* you do more than simply reach for the tapes. There was obviously at least one way in; there may be many more, some new; and you may simply be keeping the doors unlocked while straightening up a few tilted pictures. At that point, you need to study what went wrong and how to prevent it -- and that takes time and $.
  • I believe the immigration thingies ask you, not just if you have ever been convicted of any criminal acts, but it also continues, "with the exception of traffic violations". Always read the entire paragraph before checking off the box. :^)
  • Intrusions like this cost people money. They have to shut down their network connectivity (to prevent access to other potentially compromised systems), rebuild the operating systems on the affected machines, restore the content, and then restore connectivity. This is not cheap.

    It's not cheap to fix a network after a crack, but should this kid have to pay for the hole to be fixed? He didn't put the hole there, he just exploited it. Sooner or later someone else would have or the hole would have been caught. Either way, the work would have had to have been done. He didn't do any real damage to anyone. He just replaced a web page. There should be a penalty for that, but 15 months and $36,000? What's the penalty for breaking and entering? I'd say that's what he did. And you could argue for some restitution for the time lost on the web page. Unless his message was left up for a LONG time, that doesn't make $36,000... I understand that they're charging him for the man-hours of work to close the hole, but like I said, he just pointed out that the hole was there. Charge him for the man-hour or so to re-create the page from the backup, sure, but this is too much (and for the record, I'm all for penalizing crackers, just make the punishment fit the crime).
  • my thoughts exactly: how is banning client-side things like JavaScript and ActiveX going to make their servers any safer? not that I'd object if they cleaned their pages from any JS or A-X, but that has nothing to do with server safety. or maybe are they programming their server-side dynamic pages with javascript? some Netscape servers can do that, but AFAIK it's not a particularly popular option.

    anyway, if the gist of the idea is to make most of their pages entirely static, I'd say it's a good idea. government agencies aren't in the business of building online communities with forums and stuff like that. in order to present themselves and their information to the public, static pages should be more than enough.

    while we're at it: how to build a secure static server in a few minutes: set up a Linux box with only httpd and sshd running, and sshd firewalled at the internet-connecting router. install thttpd [acme.com] for the web server, chrooted to its document root, running under an uid that can't write to any of the files or directories inside of the chroot. then you have exactly two attacks to worry about: 1) kernel networking bugs (nothing much you can do about these except trust that they are rare, and that fixes are available very quickly), and 2) buffer overflows in the webserver (which crash the process, but don't let the attacker actually do anything with the system, like write anywhere or run any programs).
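
The permission requirement in the comment above (a server uid that cannot write to anything inside the chroot) can be checked mechanically before the server is started. This is an added example, not part of the original comment and not thttpd's own tooling; the function names, the constructed sample tree and the numeric uid/gid arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a static document root before chrooting a web server
# into it. Reports every path the server account could modify.
# Ids are passed numerically, so the check also works for an account that
# is not present in the local passwd database.

# audit_docroot DOCROOT SERVER_UID SERVER_GID
# Prints offending paths; returns 0 if the tree is clean, 1 otherwise.
audit_docroot() {
    root=$1 srv_uid=$2 srv_gid=$3
    # A path is a finding when the server account
    #   - owns it (an owner can always chmod it writable again), or
    #   - can write through the "other" permission bits, or
    #   - can write through the group bits of its own group.
    # Symlinks are skipped: their own mode bits are not used for access checks.
    findings=$(find "$root" ! -type l \( \
        -user "$srv_uid" \
        -o -perm -0002 \
        -o \( -group "$srv_gid" -perm -0020 \) \
    \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# build_sample_tree
# Creates a small CONSTRUCTED document root in a temp directory and prints
# its path. One file is deliberately left world-writable.
build_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/docs"
    printf '<h1>ok</h1>\n' > "$d/index.html"
    printf 'notes\n'        > "$d/docs/readme.txt"
    printf 'scratch\n'      > "$d/docs/scratch.txt"
    chmod 755 "$d" "$d/docs"
    chmod 644 "$d/index.html" "$d/docs/readme.txt"
    chmod 666 "$d/docs/scratch.txt"   # the planted mistake
    printf '%s\n' "$d"
}

# Stand-alone use: sh audit.sh DOCROOT SERVER_UID SERVER_GID
# Exit status is 0 for a clean tree and 1 when findings were printed.
if [ "$#" -eq 3 ]; then
    audit_docroot "$1" "$2" "$3"
fi
```

A clean result only covers the second attack in the comment's list: it confirms that a compromised server process has nowhere to write inside the chroot, and says nothing about kernel bugs.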

  • I've said it before, and nobody will listen this time either. But here goes anyway:

    This guy figured out how to break in to a location that should be impossible to get to. And the first thing that comes to the governments' minds is smack the guy around fooling themselves that he will automagically reform.

    Instead, they should be promoting his talents. Put him on salary. Tell him to hack into government networks. Because if he can do it, someone from a less friendly country can too. Who would you rather have breaking into your computers?

    Ozwald
  • As someone else pointed out, he didn't make the holes in their security. He just exploited them, thus letting them know that they existed. Someone would have had to fix them eventually anyway because they were security holes. They're trying to charge him for the costs of something they should have fixed themselves already. Slap him with the bill for restoring the website from backup, but not for fixing the problems that already existed.

  • What if the hacker put up something really inciteful, like slurs against other countries?

    Fine. If someone does that, they should be held accountable. What does that have to do with this case? Should the lawyers prosecute him for something he could have done, but didn't? As for making the country lose face, how is it his fault that they had crappy security? I'd say if anyone caused anyone to lose face, it's the admins responsible for the website. They were the ones that didn't have a secure box. Maybe they think they shouldn't have to worry about security because they can just prosecute anyone that makes them look bad. God help us if the military starts thinking this way.

    "What do you mean the missile missed? The target moved?! Dammit! Get the legal department on the phone! Those bastards are trying to make us look bad!"

  • I think your missing the point. It's not a matter of whats *fair* or whats right... The government wants to make a statement of "You murder a white girl and you will get more than a little slap on the wrist" And I'm all for it.

    Your analogy of killing a nigger doesn't fit here because we are not talking about him killing some nigger, he murdered a white girl. Try making a series of obscene phone calls to Jane Doe and then do it to the WhiteHouse. Would you expect to receive a harsher penalty for the former or the latter? Lets face it, murdering a white girl is not the act of a well centered, mentally balanced individual.

    I think if you are stupid enough to murder a white girl then you deserve whatever you get. If you don't want to get fined and go to jail then act like a responsible human. It's really not that hard to do.

  • He just replaced a web page.

    Not quite. The victims of the intrusion MUST work under the assumption that the system has been backdoored ten different ways. The only thing they can do is wipe the system and rebuild it from scratch. The costs incurred by this are significantly more than the costs of applying a patch to fix a vulnerability.

    It really bothers me when people try to put the blame on the victim because they failed to keep up to date with patches and fixes. Exploits are frequently released before patches/fixes are available, and for organizations that have a lot of systems to keep track of or are understaffed in this respect, upgrades can take a while to be propagated to affected systems. Just because the vulnerability was made known does NOT in any way mean the attack was OK.

    Web hax0ring kids like this aren't doing it because they want to show the company that they're vulnerable to attack. If this were the case a simple e-mail would have sufficed (though it wouldn't have made the intrusion any more legal). They're doing it because they want to look 'l33t' in front of their haX0rZ 1RK friends, which is why they deface the web page (can you think of any more public way?).

    I'm not going to pretend like I know precisely how the damages were assessed (though it's certainly possible that information has been made public), but it isn't as simple as just charging him for the man-hours. For every hour a worker spends rebuilding systems after an intrusion, that's an hour he can't spend working on the stuff he normally works on. Projects fall behind, work gets put on hold. Costs add up.

    What *I* really don't understand is this: People are being convicted of these types of things all the time, and every time it happens we hear shouts of protest about how the penalty is much too harsh, etc. (mostly from Slashdot kiddies). Why, then, do people STILL DO IT? Do they think they're making a statement?

    The kid deserves what he gets. He knew what he was doing was illegal, and he was no doubt aware of the penalties he'd bring down upon himself when he was caught. But, like most idiot adolescent packet kiddies, his head was too big for him to acknowledge the fact that he might be discovered. There's always a trail. Don't fuck with the people that have the resources to follow it.
  • I would guess that they add up all the time the sysadmins spent fixing the problems, all the time that their managers spent yelling at them, all the time the users had to wait while the sysadmins were fixing things, all the time that the Poo-Bahs spent talking to the press, etc, and added the usual Government multiplier for "overhead" (100% - 400%, the last time I looked.)

    Question -- what the bleep do sysadmins do for a living? Seems to me that keeping crackers out of the Web pages would be featured prominently in the job description. As far as I'm concerned, the sysadmins screwed up by letting him in and then they had to work overtime to clean up the mess. Big deal. Far as I can see, it's part of the job.

    The crackers that "deface" Web pages are *not* the ones you worry about. Think what you could do by changing some subtle bits of information ....

    In any case, Zyklon seems to be utterly clueless. He needs to learn that he's a big boy now, and his actions can have real consequences. In particular, twisting the tails of the Powers That Be can get you into Real Trouble (tm). It's their laws, their cops, and their courts.

    The sentence is, IMHO, 'way too severe, but not at all surprising.
  • At that point, you need to study what went wrong and how to prevent it -- and that takes time and $.

    Money that should have been spent securing the site anyway since it obviously wasn't very secure. Just because he pointed out that the holes existed doesn't mean he should have to pay to have them fixed. Make him pay for restoring the site from backup, but not for fixing what should have been fixed in the first place.

  • People are being convicted of these types of things all the time, and every time it happens we hear shouts of protest about how the penalty is much too harsh, etc. (mostly from Slashdot kiddies).

    A) I am not a "kiddie." I'm 27 and trying to decide if I want to attend my 10 year re-union.
    Why is it that the average slashdotter assumes that if you disagree with him/her you are either stupid or a kid? Geesh people this is the real world, people disagree with one another and it's ok.

    B) Gee, maybe the penalty is a little too harsh. Let's think about it... hmmmm, on the radio today there was a story about a man who was sentenced to probation after killing someone at an off-campus UNC party. And this kid gets jail time. Are you really going to sit there and tell me that taking someone's life is less of a crime than costing the government or a corporation money?!?!?!??!?!?!?!?!?!?!?

    The kid deserves what he gets. He knew what he was doing was illegal, and he was no doubt aware of the penalties he'd bring down upon himself when he was caught
    And if he'd spray painted a wall would he deserve the same? What if he'd keyed someone's car?

    Yes, hacking is wrong. But to say that the punishment fits the crime here is ridiculous. Yeah, it costs money to set the system back up... so garnish the kid's wages for life, or make him/her do community service...that would be more in keeping with the kind of damage done.
  • Out of curiosity, what is so unsecure about IIS?
  • Yes it is our "elected representatives" & judges that make the laws. However our representatives in America are famous for their soundbite filled political speeches that don't really say anything. So we really don't know too much of what is going to happen when they go into office. When our "elected representatives" do go to propose or vote on new laws they are mainly getting their info from thinktanks and lobbyists. So in order for us to change anything not only do we have to vote for who we want but we have to shout to make ourselves heard above the tides of money in the form of lobbyists.
  • 1> You've got to send a message now, that that kind of behavior will not be tolerated. It needs to be made clear that it is illegal, and you will be punished _severely_ if caught. This helps deter repeat offenders - and occasionally inspires more offenders who are irate about how big brother came down hard on some fool who broke the law.

    It is not the purpose of the criminal justice system to "send messages". Each case should be judged as a unit. Remember: Those who break the law still have rights - and if the punishment doesn't fit the crime it should be considered cruel and unusual.

  • OK, I read the above and my wheels started spinning. I was thinking what the heck is this guy talking about? White girl? Nigger? Then I re-read the post above THAT and finally understood. Good arguement, but you should have put some of your own explanation into it. I bet this gets moderated down, but I don't think it desearves it. It just needs to be better explained by the poster. I agree with the idea of this though, the Whitehouse.gov is just another site. The government isn't(Shouldn't be) better than the people it serves. But it will always happen.
  • Well, the problem is that when you get too paranoid about security, you end up with less security.

    In the China nuclear spying cases it turns out that the nuclear scientists had secure systems on their desktops right next to the insecure ones, but by the time a pc model gets certified for secure work it is obsolete. So, you can either wait for your secure P90 to grind out results or you can rock on your PIII/500.

    I wouldn't be surprised if there were similar issues in the military of people trying to get their job done by working around the regs.

  • It's not that browsers are too powerful; it's that they're too trusting. While there are elaborate security measures in Java and Javascript, for example, these are not sufficient because as soon as the browser activates a helper or a plug-in, all bets are off. So you click on a Word document with a macro in it, and all hell breaks loose.

    The combination of a browser and quasi-executable content that is interpreted by outside applications is a security witch's brew. Stir in a little OLE automation and you've got real trouble.

    Any piece of executable script should come with a signature that's checked against a trusted authority. This shouldn't just be when you click on a ".exe" in the browser, but when activating any object or macro throughout the system.

    Java and Javascript aren't too bad. What they should really do is ban the ".doc", ".xls", ".ppt" and any other kind of file format that can be executable from their servers and e-mail systems, unless the interpreter limits access to the system, the way Javascript and Java do.
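
An added example (not part of the original comment) of the server-side and mail-gateway ban proposed above: an attachment check that blocks the named extensions and also inspects content, since a renamed file keeps its macro-capable container. It goes beyond the comment by also covering the later ZIP-based Office format; the function names and sample inputs are constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy .doc/.xls/.ppt containers
BLOCKED_EXT = {".doc", ".xls", ".ppt"}           # the extensions named in the comment

def classify(filename: str, data: bytes) -> str:
    """Return 'block' or 'allow' for one upload or mail attachment."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXT:
        return "block"                  # extension policy
    if data.startswith(OLE2_MAGIC):
        return "block"                  # legacy Office container under another name
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    return "block"      # ZIP-based Office file carrying a VBA project
        except zipfile.BadZipFile:
            return "block"              # looks like a ZIP but cannot be parsed: fail closed
    return "allow"

def _zip(names):
    """Build a small in-memory ZIP with the given member names (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"constructed")
    return buf.getvalue()

# Constructed sample inputs, not real documents.
SAMPLES = {
    "report.doc": b"plain text",                          # blocked by extension
    "notes.txt": OLE2_MAGIC + b"\x00" * 16,               # renamed legacy file
    "budget.docx": _zip(["word/document.xml", "word/vbaProject.bin"]),
    "memo.docx": _zip(["word/document.xml"]),             # no macro project
    "readme.txt": b"hello",
    "broken.zip": b"PK not really a zip",
}

def run():
    return {name: classify(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{verdict:5}  {name}")
```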
  • Your point? If you were to be blunt enough to stroll up to a peace officer and explain your inner feelings towards him via your middle finger, would you really expect him to ignore you? Hacking any governmental site is dumb. Getting caught is dumber. Being dumb is bad.

  • Three years is a long time isn't it. It would take a drooling idiot not to know that a person could barely be a part of society if completely cut off from computers. Especially if that person's skills lie in the realm of computers.
    As much as I would prefer to think otherwise, I must recognize that the Government is not composed of drooling idiots. Backwards often, stubborn always but not complete idiots. They aren't quite smart enough to know that they're wasting too much time on this kid, but they are smart enough to realize that taking computers away from him for three years will be devastating. So, what they are doing will ruin his life. They must be aware of that, and thus can't we assume that it's their aim?
    The government, after having a major hand in the creation of computers, took up a long standing policy of hatred and fear of those who can use them. So, being the reactionary bastards they go straight for the jugular when provided the opportunity. They've got it and they did.
    They're doing all they can to screw this guy, and they'll keep doing it. Can we do anything about it? Probably not, you won't find much overlap in the type of people who want to be politicians with the type of people who are pro technology.


  • So, if I understand the legal thinking behind this:

    Masturbating on the White House Lawn is far more Bad{tm} than masturbating on your common, everyday suburban front yard lawn.

    In order to make that point, a judge could sentence you to non-use of your penis for 3 years.

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  • I wish everyone would stop insisting that this kid did nothing wrong here. He broke into a web site and caused people a lot of grief. He knew what he was doing, and he was aware of the consequences.
  • Geesh people this is the real world, people disagree with one another and it's ok.

    Who said I was specifically talking about you? All I meant is that there is a tendency for packet kiddies to hop on Slashdot and defend their packet kiddie friends after they're caught/imprisoned. Don't take my comments so personally.

    Are you really going to sit there and tell me that taking someone's life is less of a crime than costing the government or a corporation money?!?!?!??!?!?!?!?!?!?!?

    As I'm quite sure you're aware, as you seem to be an educated fellow, laws like this aren't black and white. The judges in question took lots of facts into account when pronouncing sentences. In a black and white world, no I don't think it would be fair for an intrusion like this to warrant more prison time than a murderer, but there's more to this "killing" case than you're letting on, isn't there? The judges usually have reasons for pronouncing the sentences they do.

    But to say that the punishment fits the crime here is ridiculous.

    I guess that's where your opinion differs from mine, and I'm not going to pretend as though I can change your mind in this respect.

    Remember that by attacking a government-owned system, he committed a FELONY, not just a silly hack against some no-name company. He compromised a network run by the United States government.

    If you think the laws in this respect don't spell out penalties more to your liking, try writing your congressmen. Posting on Slashdot won't get anything done.
  • well, i'm assuming that you've never admined any sort of critical networks.
    you say they "they wasted their time tracking this child down when the provider could have easily restored the page"
    erm....if you have something like your front page defaced, ah...how do i put this, you're *stupid* if you don't go hunting
    around the system for other things that might have been compromised.
    sure, restoring a web page would be *trivial*. but that's not all that they were doing. I can guarantee you that.
    when you've been (cr|h)acked, "you can no longer really trust any file on the system b/c the data you have isn't good
    enough to determine which files have been altered." (Essential System Administration, Æleen Frisch)...when you don't know
    what's good and what's bad, your only *real* option is to re-install the system (i doubt they were running corel linux w/ its 7 minute install time)
    and pray you have some decent backups that you trust.
    besides, this is more than just "some kid rooting a web server", this is cyber-terrorism. flat-out.
    that's the sort of shit that will put you back for a LONG time.
    breaking www.some-dumb-isp.net is a LOT different than breaking www.whitehouse.gov, just
    like killing a cop is a lot different than killing your nosey neighbor.


    anyway, just my $.02
    -Peter
  • Is it just me or is denying someone use of a computer for 3 years some sort of infringement on the individual's rights? Yes he committed a crime. He is being punished for this already. I'm a bit confused as to how it is legal for a judge to forbid someone from using a computer.

    Is someone who steals from a convenience store forbidden from shopping in a store after they get out from prison?

    Are there other examples where someone who commits a crime can be denied freedoms after they serve a prison sentence?

  • i got this dialog on irc:

    doodz 1: dude! they got eric! shit!
    doodz 2: let's not hack another site again! agree?
    doodz 1: i'll never touch a computer again!

    do you think that punishing eric will make the kids stop? hell no! the only action that 2 of eric's friends will do is cr|h the site again. and this time they will make sure they won't get caught. i'll bet on all of my $34.98


    --
  • The notion of people reforming in prison is nice, but it just doesn't happen. Yes, you see the occasional article about it, which is exactly the point: it's so rare that it's newsworthy when it happens.
    Recidivism is high, however, I have not seen a definitive model of causality WRT this. IMHO, there are probably structural reasons for the failure of the prison system to reform inmates. Perhaps the total cost to society would be reduced if somebody would take a serious look at this.
    Prison renders criminals incapable of committing crimes for some period, and it punishes them. The criminals that do go straight usually do so because, in a moment of lucid thought, they realize that if they don't commit any more crimes, they don't have to go back! This is obvious to most of us, but a revelation to a large portion of the population in question.
    I thought that there were four "R's" which guide the design of correctional institutions:

    Restraint: Prevent them from committing crimes while locked up.

    Restitution: Pay for any physical or psychic harm which resulted from the crime.

    Retribution (Retaliation): This covers the belief that someone who has done wrong should be punished.

    Rehabilitation: A person should come out of prison not wanting, nor needing to commit more crimes. This serves the incarcerated individual as well as society as a whole.

    The "R" with the greatest potential for reducing costs for the average citizen is the one which you discount: Rehabilitation. If we could get at, understand, and change the reasons for so many people returning to prison, we would dramatically reduce the cost of criminal justice, as well as save a few souls.

  • Take two hands. Take shirt off. Now, thump chest repeatedly, Tarzan-like, chanting/shouting "U S A. U S A."

    Surprise surprise. What do you know? The right to silence, and the right to an attorney are pretty well enshrined in a very high proportion of all first world countries, including most of Europe, and Australia, Canada, etc.

    Enough with the ego massage.

  • Who said I was specifically talking about you?
    Sorry this week has been really bad for "As every intelligent person knows.." posts. You obviously aren't doing that.


    ..., but there's more to this "killing" case than you're letting on, isn't there?

    You know, I was going to let this go, I wasn't going to respond but this part really bothered me... I just can't let this go without finding out... are you implying that I am hiding something here? I'm sure that you are an educated person and could, if you wanted, go to the Raleigh News & Observer and find out for yourself. It was in yesterday's news.

    Remember that by attacking a government-owned system, he committed a FELONY, not just a silly hack against some no-name company. He compromised a network run by the United States government.

    I don't see why this makes a difference... all of the gov's classified stuff is not connected to the internet. You're not going to argue that the gov. has more rights than a private company/citizen are you? That it's somehow more wrong to deface the property of a government by the people than the property of a person?


    If you think the laws in this respect don't spell out penalties more to your liking, try writing your congressmen.

    I do. Often. I also give to orgs. like the EFF which try to bring a little sanity to hacking discussions. (For example, Mitch's comments in "The Hacker Crackdown" by Bruce Sterling)


    Posting on Slashdot won't get anything done.

    You mean discussing the issue with other people is pointless? Debating the issue is a fruitless endeavor? Hmmm... who knew. I thought that by debating such issues people on both sides honed their arguments and brought their message to a larger audience.

  • > [four R's]

    Yes. Although when most states lay out their philosophy, they at most use 3.

    > The "R" with the greatest potential for reducing
    >costs for the average citizen is the one which
    > you discount: Rehabilitation.

    It's not that I discount it--I used to believe in it. But with very few exceptions, it just plain doesn't work. It's not any bias that I have, but a bitter conclusion from dealing with criminals.

    >If we could get at, understand,

    This we have. It's easier to steal, and they have a weak understanding (at best) of the correlation between crime and being sent back to prison.

    > and change the
    >reasons for so many people returning to prison,
    >we would dramatically reduce the cost of criminal
    >justice, as well as save a few souls.

    Yes, if we could find a way. I no longer have much hope, but still think we should give them chances to learn productive skills while incarcerated.

    Incidentally, the notion of a penitentiary comes from the Quakers. The idea was (roughly) to leave them in the cell with nothing but a Bible, and eventually they might find the error of their ways, become penitent, and leave a good person.
