Michigan "Anti-Hacker" Law's First Felony Charges

styles writes: "According to this article, two young men have been accused of gaining unauthorized access to third party computer systems. "The charges are the first under a Michigan law which makes the unauthorized alteration, damage or use of a computer system a felony." I have been a user on m-net (one of the two systems compromised) for a year and some change, and the fact that someone went and took the machine down for at least a month (more? I forget...), and that someone also hacked sshd to steal my password just kills me." And this raises the ever-sticky question of determining who is harmed, how much -- and then the stickier issue of what to do about the first. (Use your judgement in interpreting the source of this news, too.)

[Updated 19:00 GMT by timothy] As several readers have pointed out in comments, and as reader Conan Ford e-mailed, if that funny address sets your nose twitching suspiciously, note that http://www.ag.state.mi.us/AGWebSite/press_release/pr10189.htm does get you to the same place.

Re:Staying within the law

[empesey]

Don't you feel there's a difference between intentionally breaking into someone's computer system, and slightly speeding? In the first case, it's an intentional, willful act. In the second case, it's simply a matter of not being able to completely control your muscles to maintain a certain speed. Even the police officers give a grace speed. Don't get me wrong, I'm not endorsing speeding at all. However, it's much easier to plead your way out of a speeding ticket, than pleading your way out of an offense against cracking.

--

Has anyone else ever known a cracker...

[deep_magic]

...I have unfortunately. I would venture to say that most of them are *not* just the curious garden variety hacker types. In some sense, they are pretty much sociopaths. The ones that I have known (crakers, that is) don't necessarily *want* to destroy information -- its just that it truly doesn't matter to them. They don't see months or years of work, all they see is a way to fulfill their need to break into a system and anything that gets in their way is expendable.

There was a cracker that used to work for my company -- once management found out about him, they let him go. But during lunch, he used to go on and on to me about the new virii he was creating. I kid you not, there was a certain passion to his voice about it. (much like pyros, I'm told). Anyway, you really got the sense talking to him that people simply didn't matter -- all that mattered was cracking as many systems as possible.

I don't know if these kids in MI were just a little too curious or if there's something more to it. But often times, this goes beyond a simple "boys will be boys" explanation.

Re:fp!

[Open+Source+Sloth]

If you enjoy homo-sexual encounters, and you are large enough to be the 'male' of such encounters then I encourage you to do so.

As to computers in prison, I'm quite sure that the other things are tax dollars paid for are far more of a waste (like the ever popular weight training programs for prisoners) than adding a computer to the cell of inmates.


Behold the Open Source Sloth...

Gov't screwin up?

[Lullabye]

Granholm said: "Hacking is the dark side of high technology's power and progress. For every person using a computer or the Internet for research, commerce or communication, there may be another person using that technology to commit a crime. The Internet, unfortunately, has become one more tool to pick the locks of companies across the country."

Well, although I think it's great that we can get info on products we want, or even buy them, I also feel that all of these "victim" companies are the same companies that are destroying the net with their petty patents, and greed grabs at cash (although this comment is not directed at this company, who I'm really not familiar with, I'm making a generalization about MOST companies, and no, I don't condone cracking). These companies have done everyhting in their power to make the net a nice fat Lazy-boy for buisness, and practically ruined it for the end users. Then they cry boo-hoo when people retaliate. I hate crackers too, but sometimes I get overjoyed when I see some fat-cat buisness, who has contributed to these "process patents" or "IP" lawsuits, get whacked by a cracker.

The M-Net system remained down into July and became available only after M-Net replaced the system's equipment.

Doesn't this sound more like random hardware failure? In all seriousness, it doesn't sound like the cracker was trying to damage the hardware, and it's pretty unlikely that hardware damage would occur without a malicous user's intent. Could this just be ordinary failure on a system that wasn't properly fault tolerant? I'm just wondering if this is another un-tech-savvy, bone-headed, government move, that is going to end up convicting a person for a crime he didn't do (although if he hadn't cracked in the first place blah blah blah...you get the point).

Re:Don't know much about psychology, do you?

[bluGill]

You forget one point: Even though police catch 1 in a 1000 window breakers. However that 1000th window breaker gets a big spread on the news: Window breaker gets 10 years. Sub-headlines: Police cracking down on window breaking problem.

The fact that police have a poor record in catching these people is down played and the concequences are hyped up. Remember window breaking is a common problem in this senerco. Every month you get at least one window broken by vandals. (Take kids playing baseball accidently breaking the window out of this!) This will mean that there are plenty of vandals caught, and so there is plenty for the media to hype up.

Serves them right

[Threed]

Systems cracking is NOT just vandalism. It's breaking and entering. The crackers don't just spray-paint their names on the pages, they have to subvert the security of the webserver itself to do so.

IANAL, but I've heard from residents of some states in the US that if you catch someone breaking into your home you are allowed to use deadly force to protect your property. In this case, if they get caught cracking your system, their life is pretty much over (from a professional point of view). Works for me.

If systems cracking remains a crime that can be gotten away with, then companys will be more likely to accidentally hire some of these people who will likely go on to use the company's systems for their illicit adventures.

Screw 'em. If I had my way, I'd be allowed to shoot anyone I caught breaking into my cable modem connected PC at home. The ones banging on my firewall at work would be another story altogether; I'd keep them alive in extreme pain for a long time.

(Sorry to sound so venemous, but I really really really hate krad fuckoffs.)

The real Threed's /. ID is lower than the real Bruce Perens'.

--Threed

Re:Serves them right

[Col.+Panic]

Screw 'em. If I had my way, I'd be allowed to shoot anyone I caught breaking into my cable modem connected PC at home. The ones banging on my firewall at work would be another story altogether; I'd keep them alive in extreme pain for a long time.

I really hope you are kidding. First of all, you are not allowed to use deadly force to protect your property. You are allowed to use deadly force to protect your life. Bur you want to use deadly force to protect your *data*?

Build a firewall and take a stresstab.

Re:Serves them right

[StenD]

First of all, you are not allowed to use deadly force to protect your property.

You don't know that. You may not be, but I am, and Threed may be allowed to as well. As Threed said, in some .us states, you are allowed to use deadly force to protect property. In Texas, chapter 9, subchapter D, section 9.42 of the Penal Code defines the conditions in which "[a] person is justified in using deadly force against another to protect land or tangible, movable property".

Re:Serves them right

[kasparov]

(B) to prevent the other who is fleeing immediately after committing burglary, robbery, aggravated robbery, or theft during the nighttime from escaping with the property; and (3) he reasonably believes that: (A) the land or property cannot be protected or recovered by any other means

Wow, if I read the Texas law correctly, if it's nighttime and some guy runs into my house, takes a chair and straps it to his back and starts to run down the street and I can't catch him- I can shoot him in the head to get my chair back. Now that's pretty cool.

Re:Serves them right

[Col.+Panic]

Holy bloody cow. I read the statute and you are quite right. Apparently, if I try to take your property in Texas and am hell-bent on doing so, you may legally kill me to prevent it. Talk about "law of the land!"

In Florida, this is NOT allowed:

1. 776.012 Use of force in defense of person.--A person is justified in the use of force, except deadly force, against another when and to the extent that the person reasonably believes that such conduct is necessary to defend himself or herself or another against such other's imminent use of unlawful force. However, the person is justified in the use of deadly force only if he or she reasonably believes that such force is necessary to prevent imminent death or great bodily harm to himself or herself or another or to prevent the imminent commission of a forcible felony.

Re:Don't know much about psychology, do you?

[dirk]

Logically, this should be the case--it's a simple cost-benefit analysis. If the rate of catching the criminals stays the same, you can increase the "cost" by making a harsher penalty. The flaw in this reasoning is that the criminal isn't doing a cost-benefit analysis for something like breaking windows--after all, what's the real benefit? For that matter, people who break windows are generally unable to imagine consequences anyway.

Not true. Malicious vadalism tends not to occur in public view, which proves that the vandals have some understanding of the risk levels involved. While imagining the consequences may be a bit fuzzy, even anti-social types do recognize levels of severity of punishment, and are able to relatively accurately assess risks.

This is OT, but relavant to this discussion.
Harsh punishments have never been proven to decrease the activity. One of the most famous example was during the Middle Ages, pickpocketing was rampant. It was a crime that was punishable by death, and in that time that meant public hanging. Now, where do you think the most pickpocketing took place? That's right, at the hanging themselves, because that was an easy place to do it. Most criminals never consider getting caught. They do take normal precautions, but they don't think about what will happen if they get caught, because they think they won't. I mean come on, if they thought they might get caught they wouldn't do it.

Re:Before the knee-jerk reactions start...

[mrbuckles]

Right on!

I too have had my fill of the arguments defending these actions. I also agree with several posts I've seen that mention the owner of the server could be help responsible. It would seem, however, that to hold the owner responsible would require a client of the system to sue the owner. Another poster made the analogy of one's car being stolen from a mechanic's garage. The police won't arrest the mechanic, but the person can sue the mechanic. Same should be permissable.

Re:Reactionary Politics?

[SecurityGuy]

Consider this: If someone broke into your house, while you were watching TV, romped through the kitchen naked, and left out the back door, but didn't take anything, would the courts care? No -- the police officer who showed up would say that since nothing was stolen, and no one was hurt, it's probably not worth the hassle to take it to court. But if someone were to enter your computer system it's a felony?

I think you're deliberatly misunderstanding here. When I see a compromised system with no apparent damage other than an obvious exploit, say a spare inetd running, I may have a clueless script kiddie, or I may have a more sophisticated intruder who has installed his rootkit, but didn't get rid of the initial hole yet. Rootkits can be *quite* good. In theory, they can be made undetectable short of offline examination of the data on disk. I don't know that anyone's done this yet, but the major building blocks are definitely available. Your example leaves out the reality that when someone breaks in you typically don't get to see what they've done. You get evidence which they've quite possibly altered.

The question to ask, is if you come home, find your door unlocked, find fingerprints inside, and have to have every object in your house painstakingly examined to make sure, for example, that your TV isn't really a time bomb that looks like a TV, your phone isn't bugged, or bulldoze your house and build a new one, what sort of penalty should attach to the perpatrator? Should an act that costs you thousands of dollars carry a lesser penalty than stealing your $300 TV? I don't think so.

There simply is no harmless way to compromise a system. Minimally there's time and expense involved in returning the system to a trusted state, which involves careful determination of what, EXACTLY, the intruder did. Reinstalling is all well and good, and necessary, but will only restore you to the state which left you vulnerable in the first place. No obvious damage means either none was done, or it was well hidden. If the system does anything at all important, there's cost associaed with the system being unavailable for its design purpose. Please lets not go down the path of blaming the SA unless you'd also blame yourself if someone broke the windows of your car and filled it with cement. After all, you know you should properly secure your car. Lexan windows, perhaps?

I think a severe penalty is just fine. If you're breaking into someone else's computer, potentially rendering it unusable for some period of time, with NO regard for what the consequences are, you deserve a severe penalty. It's rather like drunk driving. It's an irresponsible act that sometimes doesn't hurt anyone, but often enough the consequences are severe. People who break into systems don't care what the consequences are because they typically don't attach to them. It's time to change that.

Re:Two Sides

[Nezumi-chan]

Why should I have to buy a lock in the first place? Punishment must be strong enough to discourge the behavior in the first place

I'm assuming this means you're in favour of television/movie/internet censorship by legislation, then? After all, why should a parent have to monitor their children when punishment could be strong enough to discourage producers of violence/sex/thoughtcrimes from producing objectionable material in the first place.

The moral flaws in your argument alone astound me.

Re:What is unauthorized use?

[merlyn]

The issue is pretty simple: the techniques used by crackers are legitmate techniques used by security concscious sysadmins every day. Will clueless legislation start to put honest, hardworking sysadmins at risk?

It has already happened to me. See the story about my ongoing legal case on how I became a triple-felon while doing my job.

Re:Odd reasoning, that

[StenD]

I mean lets say you steal a candy bar at a store. They're not gonna throw you in jail for 10 years and charge you 10,000$ in fines, because of a 60|cent candy bar.

They can and, in some localities, will if it's your "third strike". Or, rather, they won't fine you, but there are people in .us prisons serving life sentences whose proximate crime was on the level of stealing a handful of cookies.

So lets say you only do like 100$ worth of damage in some cracking incident.

And lets acknowledge that not all damage can (or should) be given a financial value.

Then because of that you gotta start putting that on your job aplications and such. OUCH! Punishment should fit the crime.

And what punishment would, in your opinion, fit the crime?

Re:Damages?

[Phil+the+Canuck]

Fair enough, but in this specific case we're talking about a school. No customers to lose.

Re:Staying within the law

[Private+Essayist]

"Don't you feel there's a difference between intentionally breaking into someone's computer system, and slightly speeding?

Absolutely. I didn't mean to give the wrong impression. I was talking about trends, not current events. My point was that as laws and restrictions pile up, it becomes harder and harder to even be aware of every law, let alone keep them. It is at that point that you get the situation I was talking about.

I am not condoning breaking into computer systems, but I do have issues with that being a felony except in the most egregious of cases. And yes, it's an entirely different thing to be caught speeding. For one thing, you won't make national headlines for doing so. For another, it's not a felony.
________________

Crimes

[jesser]

Granholm said: "Hacking is the dark side of high technology's power and progress. For every person using a computer or the Internet for research, commerce or communication, there may be another person using that technology to commit a crime. The Internet, unfortunately, has become one more tool to pick the locks of companies across the country."

Thank you for not saying "a criminal using the same technology". They could have resorted to labeling everyone who commits crimes as a "criminal", but they chose a more responsible wording. (They still screwed up the sentence order, though, to make it seem like most of the crimes committed using computers involve cracking.)

--

Re:Don't know much about psychology, do you?

[Silver+A]

Logically, this should be the case--it's a simple cost-benefit analysis. If the rate of catching the criminals stays the same, you can increase the "cost" by making a harsher penalty. The flaw in this reasoning is that the criminal isn't doing a cost-benefit analysis for something like breaking windows--after all, what's the real benefit? For that matter, people who break windows are generally unable to imagine consequences anyway.

Not true. Malicious vadalism tends not to occur in public view, which proves that the vandals have some understanding of the risk levels involved. While imagining the consequences may be a bit fuzzy, even anti-social types do recognize levels of severity of punishment, and are able to relatively accurately assess risks.

The real benefit is that it's fun, if you're of the right mindset.

so what's your point?

[Captain+Pillbug]

Under the common law, it was permissible for police to use deadly force to apprehend any felon. Since then, felonies have been expanded to include nonviolent crimes, and such a categorical permission is no longer constitutional. How lives could be "in danger" from someone's cracking into a corporate website is uncertain.

Re:so what's your point?

[Lord+Kano]

Since then, felonies have been expanded to include nonviolent crimes, and such a categorical permission is no longer constitutional. How lives could be "in danger" from someone's cracking into a corporate website is uncertain.

Police must be prepared to use deadly force at any and all times, even traffic tickets can get them killed. If they police are serving a warrant, and you reach for some unknown object, you WILL get shot.

LK

Re:Anti-SPAM

[empesey]

Do what I have started doing. Type up a document all legal sounding, thanking them for choosing your Document Storage Company (give it a cool name) and invoice them for the storage space. Give them an address to send the money to, and explain about the your monthly fee (per document) and the processing fee for either returning their document to them or deleting it from your system.

I am not a lawyer, so don't take that as legal advice, but my theory is, you have the right to charge someone for storing their car in your garage, or boxes in your attic - this is no different.

--

Re:Harshness sometimes necessary

[Geccoman]

I didn't make any suggestions to punishment. I just think that deterrence works better than nothing. You are totally right regarding the severity, though. I think the punishment should fit the crime. What would you suggest as a penalty for someone who simply cracked into a computer and did nothing vs. someone who cracked in, stole users passwords and trashed the web page? Or credit card numbers and bought 50 new cars?

Re:Dangerous Laws

I'm suprised they (at least the guy over 18) weren't charged with a federal felony for this. They'd be facing a mandatory minimum 6 months' imprisonment. All it takes is causing damage in excess of $5,000 (including clean-up costs) to a computer connected to the internet.

Re:Anti-SPAM

[deefer]

Where does that end, though?
I mean, my email address is published on /. ,and several times other /. readers have mailed me in response to a what-should-I-use-post I have made. I'm grateful they have taken the time out to let me know about the company they work for, and the products they sell.
How are you going to make the legal distinction between emails I haven't directly solicited, but am grateful for, and the EARN MONEY FAST!!! NOT A PYRAMID SCHEME!!! spam I get so much of?

Strong data typing is for those with weak minds.

5 years in jail for graffiti?

[Lord+Ender]

From the article:

"A vandal is a vandal whether you are a virtual vandal putting graffiti on a web site or a real world vandal putting graffiti on a wall. Both are illegal."

But these kids are getting 5 years of jail if they are convicted! Surely this state doesn't fine tens of thousands of dollars and give jail time for people who spraypaint on bulidings!

The lack of necessity and need

[sips]

It's really interesting how people manage to compromise security on machines. It seems to be a hit and mis venture and not worth much really.

Also it's entirely out of proportion to what is happening hardly worth a felony.

Re:The lack of necessity and need

[Sygnus]

Isn't this what proactive security is intended to prevent? The cliche an ounce of prevention is worth more than a pound of cure comes to mind.
Any sysadmin worthy of his position will keep on top of security issues. If he doesn't do that and gets cracked, I have no sympathy whatsoever.

Re:The lack of necessity and need

[sansoo]

And if you live in a bad neighborhood and get mugged walking to work, I should have no sympathy for you? You should have lived in a gated community, and driven to work in a nice car...

It must be nice to work for an outfit with unlimited resources. I'm a sysadmin, and my daily routine involves: user/tech help; buying, configuring, and upgrading terminals and desktops; upgrading the compilers, servers, programming languages, *NIX apps, windows patches, and EDI software; troubleshooting routers; backing up databases and system files; salesmen; evaluating new software; writing perl scripts to interact with users & the SQL database *and* print out inventory barcode labels & tags; also maintain the printers & order or buy supplies. NO, there is no one else. No, I'm not a PhD - if I were, my employer couldn't afford me. I'm supposed to keep up with some acne-scarred punk kid who has nothing better to do than probe for known exploits?

BTW, I hacked kung fu & escrima for 13 years before I started on computers (no money in street fighting). But I would show sympathy for you if you ran afoul of some mugger who's been practicing *his* art for years. As a pedestrian, shouldn't you be training daily? Well, no; most people have other things to do.

Re:The lack of necessity and need

[Groundskeepr]

You're not making good sense. By your logic, the best way of proving a given sysadmin has not kept on top of security issues would be to prove that his (or her) network has been cracked. Don't let the PHB's get a hold of your theory; it will only lead to the summary dismissal of every sysadmin whose network has been compromised. Especially don't let *your* boss find out you feel this way, or you may find yourself out of a job when a new exploit has been invented while you were in the bathroom.

How do you think the db's of exploits get built, anyway? Do the script kiddies or their mentors register exploits just before they unleash them, to allow "any sysadmin worthy of his position" to "keep on top" of them? Or is part of the definition of "sysadmin worthy of his (sic) position" the ability to see the future? If so, I guess I can believe in the shortage of tech workers, as I have met some pretty clever sysadmins in my time, but so far not too many with prescient awareness.

Re:The lack of necessity and need

[adipocere]

Come now!

Let's apply this to other crimes for a second.

"You fool, you weren't wearing your Kevlar vest! Silly you! You have nobody but yourself to blame for your gaping chest wound!"

"I'm really shocked that you didn't have two security alarms. You only had one, and your trained attack dogs numbered a pitiful five. My blowtorch cut through your one inch thick steel door. How could you be so irresponsible? You deserve to be robbed!"

And so forth. Take other areas in the law, like doctors and confidentiality. Files about patients are, when not in use, required to be kept in a locked cabinet or drawer. Not one that requires your fingerprints and has a trained bobcat perching atop the cabinent who will scratch the eyes out of anyone who isn't the proper owner approaching it ... just a locked drawer.

Legally, and, rationally, you're expected at most to provide a token level of defense.

If a couple of bozos hack your site, yeah, it sucks, but if they are using a day zero exploit and you weren't there on Sunday, well ... if you think I should be at the office twenty-four seven, with BugTraq hitting my alphanumeric pager, and taking vast amounts of crystal meth to stay awake, that simply isn't rational or reasonable.

Nobody forces anyone to hack your site, carjack you, rob you, shoot you. These are crimes. You can apply some common sense ("don't go wandering through the ghetto with a fat wallet hanging out of your suit" "don't go stumbling around that DMZ wearing a bright orange clown suit"), but the fact of the matter is, a crime is a crime. Nobody is making these jerks attack. Blaming the victim is not useful or even particularly rational.

Re:The lack of necessity and need

[jmp100]

Yes it is. It's my property, and if I don't want people writing all over it in evaporating ink, that's my right. The fact that someone breaks into my system in the first place is a defilement of my rights.

Re:The lack of necessity and need

[Sygnus]

If a couple of bozos hack your site, yeah, it sucks, but if they are using a day zero exploit and you weren't there on Sunday,
Notice I said: If he doesn't do that and gets cracked. Checking for new security issues should be part of the sysadmin's daily routine, and it he's doing that, but gets hit before he's able to find out about the kiddies' new whiz-bang 'sploit, then it isn't his fault.

Yes, I will blame the sysadmin for poor security if he doesn't work at keeping his boxes safe from crackers - this is just plain common sense. Putting a computer onto a network entails responsibility that needs to be taken seriously. Would you have a child and not bother to educate him/her about the dangers present in society so that s/he will take common-sense precautions to remain safe?

No, this does not excuse the actions of the cracker - just like a pedophile who kidnaps your son because you didnt teach him about perverts can't use that as an excuse - but it also does not excuse the lack of responsibility on the part of the sysadmin.

Re:The lack of necessity and need

[Sygnus]

I think it is a sad sign of the decline of the internet when cracking activity is so omniprescient that we point fingers at the admins when security is compromised.

Scenario:
You own a company, and your network is connected to the internet. Your sysadmin checks for new security issues on a daily basis, and immediately applies any fixes that need to be made. Your network gets cracked by a new exploit. Obviously this would happen before your sysadmin would have a chance to fix the hole. Do you fire him?

Second scenario:
You own a company, and your network is connected to the internet. Your sysadmin does nothing except make sure that the boxes are powered on, and the site is live. Your network gets cracked. Do you fire your sysadmin?

If you said no to the first, but yes to the second, then tell me why. If the admin isn't to blame for lapses in security, then why would you answer in this manner?

Re:The lack of necessity and need

[Sygnus]

Labor expenses? I don't think so - a properly backed-up site takes only seconds to restore; and if it's only a defacement, repairing the defaced page takes a maximum of 5 minutes, depending on what system the site maintainers use to create the html. It takes me about 10 minutes to convert an entire directory structure to a new look and feel by hand, because I code templates; and all I have to do is drop the relevant information into the proper places in the code.

Re:The lack of necessity and need

[Open+Source+Sloth]

As opposed to your brilliant little addition to the conversation?

I know, I know, pot; kettle; black and all that rubbish.

I just find it humorous when someone goes out of their way to tell someone that they have wasted space when all they are doing is wasting space. Nothing wrong with wasting space. Just don't complaign when someone else does it, if you are going to do it yourself.


Behold the Open Source Sloth...

Re:NEW EQUIPMENT!

[rexroof]

I was going to comment on that, seeing as I was the one who did the recovery. There were quite a few reasons why m-net was down so long. The main one being that we're all volunteers. M-Net was recovered entirely in my free time, which I didn't have much of. M-Net's hardware was replaced simply because it was old. There was hardly any data lost during this time. I would have brought it right back up, but I really didn't have any idea what was used to do the break in, and modifications were made to the login procedure that I wasn't able to fix, or even track down. So, since we needed it anyway, we upgraded the OS and the hardware.

Breaking and Entering

[ripicheep]

If a company allows public access to some parts of it's office, then what stops you from just walking in and opening another door to someones office.

Many offices have employees only beyond this point signs, but if you delve deeper than a company wishes without seeing a sign, have you committed breaking and entering?

If I come to a login prompt and it does not specify who can and cannot enter, then am I free to assume that any password that lets me enter that I can come up with is fair to use? Should there be explicit statements about who may legaly enter a part of a system, or should we all just know not to poke around where people leave doors open.
Where is the line drawn between a publicly accessable palce and somewhere that the public is not invited? If I can access it and do not come across any warnings forbidding me to, have I broken and entered? Where does security through obscurity fit in here?

Real world examples rarely make perfect analogies for computer networks.

Re:Breaking and Entering

[BrianH]

There is already a legally simple way to decide this. Was there a door involved? If you enter a business and walk down an open hallway towards the back of the building, assuming that there are no "Keep Out" or "Employees Only" signs, then it is legally not a B&E. However, if you must open a closed door to enter that hallway, even if that door is unlocked, then you have broken the law. Since User/Pass prompts are analogous to doors, passing through one without authorization is (and should be) illegal.

How would you feel if you found someone in your living room, and the police couldn't arrest him because he found a key to your front door? Should everyone blame you and suggest better deadbolts?

Re:Make automatic nightly backups

[Sygnus]

kuro5hin's problem was not a break-in; it was someone flooding their story queue. Why do you think scoop is being redesigned?
Here's a snack, now go troll elsewhere :P

Re:Blowing things out of proportion

[empesey]

I have to agree with you. I'm constantly amazed that people in journalism either have no logical base or are masters of sensationalism. I think it's a little from column A and a little bit from column B. I've always wondered if they intentionally remain ignorant of issues, just so they can write such illogical remarks and get away with it. Statistics and technology seem to give them the hardest time.

--

The source is real

[Roast+Beef]

For some reason the links on www.ag.state.mi.us just use the IP. http://www.ag.state.m i.us/AGWebSite/press_release/pr10189.htm takes you to the same place.

Re:The source is real

[jesser]

Interestingly, http://www.ag.state.mi.us/ has a link to an "on-line computer complaint form". Somehow I can just see hordes of slashdotters complaining about unfair through that form without having read half the press release.

--

Re:Harshness sometimes necessary

[swb]

Murder is a really poor example. Most murders are committed as a one-time crime of passion. They're seldom committed as a deliberate planned act, and when they are committed this way its often ancillary to some other crime or criminal enterprise, demonstrating that the people involved really don't have any sense of ethics, morality or concern for outcomes.

Most people don't get the death penalty, and many murders are pleaded down to lesser homicides, manslaughter, and the perp gets 5-7 with time off for good behavior, and is actually back on the streets in 3 years. Given that the ACTUAL penalty is not the ADVERTISED penalty, is it any surprise that capital punishment isn't effective?

When I was in college I had an internship in our state senate and I worked on corrections issues -- the average time served for all offenses, including murder, kidnapping, rape, and assault was LESS THAN 5 YEARS. Committing serious crimes doesn't mean you will go to jail for very long if at all. Career criminals and those exposed to that lifestyle know this.

Except in the case of mentally ill people, cracking isn't a one-time act of passion. It's a deliberate, calculated behavior which has a great deal of forethought.

And the people involved in cracking, are, generally speaking, higher on the socioeconomic foodchain than many people involved in murder, and hence are presumed to have a better developed sense of ethics, personal responsibility, and should also have a greater fear of involvement with the criminal justice system and the costs involved.

I find it hard to believe that exposure to the criminal justice system, and the consequences of prison (it's a violent, dangerous place, in college the prison surgeon said he sewed 3 rectums up per month on average) would not have a very real, very significant impact on "crackers" if those that were caught were given manditory jail sentances, stiff fines and long probation periods.

Pretty lame...

While I'm not sure that _all_ unauthorized access to a computer system should be a felony, it's _really_ lame to hack a non-profit ISP.

Trespassing? How about that?

[rho]

I don't like new laws, and if we can avoid creating new ones for the Digital Revolution, that's a Good Thing.

I don't like the "vandalism" arguments. That implies a monetary damage, which is difficult to determine. So how about trespassing? We have property laws and private property rights, correct? (Okay, we don't, not really. But theoretically we do)

So why can't crackers be convicted on tresspassing laws?

Taco's Going to Jail??

[jheinen]

Gotta admit, when I first read the headline I thought Taco and CowboyNeal were headed for the slammer.

-Vercingetorix

Re:Taco's Going to Jail??

[Plan571]

I agree whole heartedly.

Re:Taco's Going to Jail??

[Sygnus]

heh. Don't you just love how the media and guv'mint distort the meaning of "hacking"?
Although, I must admit that it is sometimes fun to tell clueless people that I'm a hacker, and watch their heads fill with images of seedy underground websites and criminal acts :)

Re:Taco's Going to Jail??

[jheinen]

That's why I keep the latest issue of 2600 displayed on my desk. The funny thing is, most people who look at it end up wanting a subscription :)

-Vercingetorix

Re:Taco's Going to Jail??

[Sygnus]

I would do that, but my coworkers are geeks too, and understand the issues involved :)

Go figure, look at the rest of the AG's site

[ShaunC]

If this surprises you at all, just browse the rest of the AG's website and you'll get a feel for who's behind this stuff. Quoting from the bottom of website (http://167.240.254.37/),

Web sessions using "crawlers" or "spiders" are blocked on this site because they negatively effect the site performance for other users. If you are denied access it may be because a prior user of the temporary IP number assigned to your session by your Internet Service Provider had a crawler or spider running.

Give me a break. What kind of server are they running that they're severely impacted when Altavista stops by? And their robots.txt file is fucked up, so they aren't blocking crawlers or spiders to begin with.

Someone mail these people a clue.

Shaun

More security, not more laws is the solution

[e_n_d_o]

There will always be hacking. The fact that corporate and international espionage exist guarantees this. So preventing computers from being hacked by making really tough laws that imprison all the 31337 script kiddies may hurt more than help. Its kind of like fighting forest fires... good short term payoff, bad long term effects.

What we need is systems that are designed with security from the beginning. Awareness that security IS an issue. The software industry needs to work (as it has been) to make security easier for those who probably shouldn't be running a networked box in the first place!

I just don't want to see the first, last, and only line of defense being the law.

Re:we are all harmed

[HiredMan]

While I take your point about the sense that crime or anti-social behavior not happening in a vacuum I have to say that I'm more than a little disturbed by your characterization of someone "gone astray".

How far do we extend the idea of this "society" and how far are people allowed to "stray" before you think the need to "corrected"?
This treads dangerously close to a "one world/one people/one thought" philosophy. Is the small society of the computer harmed? Yes, somewhat, but I hesitate to say any "society" larger than that is damaged much and certainly not society at large.

As some one who carries at least half of the hacker gene and also holds a number of views that seem counter to where society seems to be heading - like I would rather have a murderer spend more time in jail than a pot user but mandatory minimum sentences for pot possession means violent criminals get set free earlier in a crowded prison - but there's little I can do about this. And if you make hacking a felony keep in mind that the "other" felon that doesn't get sent to prison or gets a lesser sentence has probably done something much worse to "society".

In a "free" society allowing freedom of speech means some people are going to say stupid, mean and hurtful things to other people but that's the price of the freedom.
Alot of the debate here centers on how much damage is actually done by this and the relative severity of the punishment and I think that's the appropriate place for the debate to be. Keeping the freedom of the internet allows the exploration and growth but allows stupid people the freedom to do bad things as well. Where we draw the line of crimiality in cases such as this and the severity of the punishment will determine where the degrees of freedom and the amount of "flex" in our on-line "society".

Given the position I feel as the underdog I have a certain sympathy for people who views may not always reflect those of the majority. I think more flex in society is better than less - even if that means life isn't as "safe" or "controlled" as it could be.

=tkk

Re:Don't know much about psychology, do you?

[d.valued]

You're dead-on.

The problem is not the law, it's the enforcement. If every speeder was ticketed every time they pulled 35 in a 20, then no one would.

The good - and bad - about a limited police force is that they can't be everywhere at once and they have to use their resources for headlines to convince people they need more powers anbd money.

The priorities of most major metro police forces are:
A. Solving Murders. Death sucks, and killers must needs be found.
B. Getting Narcotics. Those mega-million displays of guns, cash, and drugs make good PR.
C. Major Crimes. Major meaning felony, the higher the better.
D. Everything Else.

Re:Harder to attract tech workers?

[bmongar]

Maybe some, but I don't think it would be enough to cripple an industry or even exert any pressure on a state.

Most computer professionals I know work in the region they came from. (I live in Kansas City for those interested). Things like friends, family, money, and weather are more likely to determine where someone works than if a state has an anti-hacking law.

Re:a victim perspective

[bripeace]

This is exactly what a Civil Case is for, recovering damages. That includes your time and your fustrations etc..

Re:fp!

[Open+Source+Sloth]

Ah, a fan? Already?

OK, here's my response:

Actually, I am neither of the things you peg me as. While there is some general disdain for trolls involved in my decision to 'leave the anonymous collective' (as you so eloquently put it), it is more about the poor quality of troll posts. I wish to see trolls hold themselves to a higher standard. If I see a troll post that appears to have a fairly high quality I probably won't respond. But if someone 'trolls' with absolutely nothing to say, I will put in a 'bad word' or three.

At the moment I have only responded to other trolls. But I do hope in the future to develop some high quality trolls of my own (we all have to start somewhere).

Further, implying that ACs are cowardly is not only foolish, but more than a little redundant, don't you think? (you do this in a later post)

As to that, if Jon Katz can get paid to do exactly this same sort of thing, surely you can handle little old me doing it voluntarily?


Behold the Open Source Sloth...

Re:Handed In? Caught? Huh?

[Myself]

He's anything but a script kiddie, trust me. I know the guy. What bothers me is that the "meeting" with the M-net people doesn't sound anything like what he described. I'll post specifics when I get a chance to talk to him.

What bothers me is this line: On May 31, while Salcedo had access to the M-Net system, the system crashed and did not recover.

That's what they're charging him with. The hardware took a shit shortly after he got in, and they're using /that/ as the monetary basis for the charges. They're a nonprofit with essentially no budget. They had no way to fund new hardware, until this came along. Hey, let's blame it on the guy who /approached us/ and told us about a security hole!

Re:Odd reasoning, that

[mOdQuArK!]

Of course, the very definition of criminal trespass which you have quoted STILL says that the perpetrator has to be PHYSICALLY PRESENT in your property to be guilty of trespass.

That's going to be a little difficult to extend to hacking when said hacker is living 2000 miles away from you!

Suffice to say, using B&E to describe hacking is only suitable as a METAPHOR - and not as a particularly good one either, since the resultant damage is not the same. Making laws based on such a bad metaphor is a really bad idea, even if hacking my computer makes me more pissed off than finding out that somebody was checking through my sock drawer :)

Re:Before the knee-jerk reactions start...

[Bitter+Cup+O+Joe]

It's sorta like you said, but you walk into my house and take something like my remote control and leave, causing me roughly 20$ in damages. Then the state prosecutes you for a felony charges you a 10,000$ fine and throws you in jail for 10 years.

Not quite accurate. What I would more likely get charged on would be multiple misdemeanors, including petty theft (the remote), breaking and entering, trespassing, destruction of private property, and (in some states) use of criminal tools in commission of a crime (using the crowbar for breaking in). All together, the jail time, and possibly the fine, would add up to the same as a low grade felony count. Beyond that, it's more than twenty dollars in damages, after figuring in the amount of time invloved in finding and closing the security holes, as well as possible lawsuits that could be brought (in the second case) against the school for "allowing" objectionable images and phrases to be placed on the web site.

Death Penalty for Parking Violations

[Strela]

There are indeed too many lusers who get all vaklempt and take it out on admins if their ZoneAlarm hiccups. That type of situation is right up there with the cluebies who send scathing emails to the abuse coordinator at each hop in a traceroute. Idiocy happens - think of it as an opportunity to educate.

I have no problem with making cracking a felony in most cases IF it can be proven that the victim took even the most rudimentary steps to protect themselves. The punishments currently available to prosecutors in most jurisdictions do almost nothing to actually punish malicious crackers for the massive harm they can potentially do. Unless being a script kiddie pays a heckuva lot better than I think it does, how many are going to be able to come up with the scratch to pay a 5- or 6-digit fine? I think we need the hammer of some serious prison time in our legal quiver to hand out to deter J. Random Haxor from trashing fillintheblank.gov in a fit of pique.

Re:It's a felony to press our panic button!

[dirk]

Salens on the other hand is just a punk kid to did a little digital graffiti. It's ironic that Jennifer can make the connection to real world graffiti, but then go on to push for the digital version (which is cheaper and easier to clean up) to be a felony.

You seem to forget he didn't do this graffiti out in the open. HE first broke into someone's system, and then did the graffiti. If I spraypaint the outside of an office building, I get charged with vandalism. If I break into the office building and spray paint the CEO's office, I get charged with breaking and entering (and vandalism or whatever else I did while inside). It's not like the kid wrote a naughty note on a message board somewhere, he broke into a system and left the note all over.

Did you think of that?

[brokeninside]

When they are killing children for stealing lollipops, and the children start shooting back, the authoritarians will wonder, "What kind of monster would kill for a lollipop?"

That's one of the most succinct and insightful statements about society I've ever seen.

And to think I found it on /.

The noise doesn't totally overpower the signal

yet.

regards,

-l

Re:Did you think of that?

[Art+Popp]

Yup. It's mine. All the fluffy bunny insights about society, trees, children and kittens seemed to have been taken. :)

Art

Re:Staying within the law

[Private+Essayist]

"Eventually, they will have too many restrictions, and if they force people to break laws to do things that they are legally doing at this moment, what is to make these people not do other illegal things? "

There are some who contend that this is exactly what they want, and already have in the non-tech world. That if there are enough laws and restrictions in place, any time a law enforcer wants to harrass you, they can -- legally.

Most of the time, you break the laws (slightly speeding, jaywalking, and so on) without even thinking about it, and with no repercussions. The sheriff decides to keep his eye on you, however, and you get hauled in for something trivial. If tech laws keep piling on, we may see a similar phenomenon with our online activity, as you alluded.
________________

Re:Political Correctness "Cracking"

[madrone]

Based on the fact that my 17-year old step-brother was tried (and convicted) on something like 7 felonies in the state of Michigan and tried as an adult, I would guess this 17 year old would be tried as one as well. I think 17 = adult in the eyes of Michigan law. It's funny how even stories such as this kinda make me homesick.... :) (yes, there really IS a Kalamazoo)

Re:Odd reasoning, that

[Ravensfire]

It's possible that the threshold for a felony IS only a hundred dollars or so. It doesn't take much before shoplifting becomes a fairly significant crime.

I do think that this IS a punishment that fits the crime. So you've got to put on your resume that you hacked into a site, caused damage to it (physical or financial) and then got caught. And this is a bad thing to have disclosed?

If I'm an employer, I'm looking not at just your techinical skills, but what kind of person you are. ESPECIALLY if you are going to be coding for me. If you've hacked into a site before, I want to know that. If I hire you, I might want to check your code a bit more carefully. You've already demostrated that you might not have the strictest set of morals when is comes to other peoples property. You've already willingly destroyed someone else's stuff once. What will stop you from doing it again, this time to me? This would be a critical discussion that I, as am employer, would want to have with you, a potential employee.

-- Ravensfire

BTW - IANAE

Hacking in General..

[eViL+aSe]

Personally I'm "pro-hacking" and as well am a resident of Michigan.

Personally I feel that if your going to leave your system unsecure and you get hacked, so be it. However, in the case of DoS'ing where a "kiddie" with a fast connection and a script takes down major websites(or systems), believe should be a crime.

In the end the ignorance of the admin or owner of the system(s) should play a role in determining the amount of convenstation or legality of the act.

It's just my opinion and I may be wrong but, I sure as hell don't care. :)

- eViL aSe

Breaking and entering my ass! Think again.

[Myself]

Calm down. I see where you're coming from, but let's look at this logically:

Breaking and entering causes real damage. Someone has to pay to replace or repair what got broken during the entry. Trespassing, on the other hand, is just sneaking in through an existing hole. When someone cracks the security of a system, they haven't physically touched anything. They've just found a hole that was always there, and exploited it. The hole was caused by the software designer who didn't bounds-check, or the system admin who didn't secure something. The cracker didn't cause the hole, and if it gets fixed after the crack, then it needed fixing in the first place.

Follow me so far? That's Salcedo's case.

Now let's talk about what happens once someone's in. Malicious destruction of property is when you deliberately go break things just to break them, and it has a monetary value assigned to it. Vandalism is kid stuff, it's stupid, and it's usually trivial to clean up. So let's say some intruder changes some HTML. The sum total cleanup effort involves restoring the previous versions of the pages, which most vandals just rename in the first place.

Sounds like Salens is being charged with a FELONY, think about it, a felony, for defacing a web site from his own Earthlink account. Stupid, yes, but not a felony.

Re:Breaking and entering my ass! Think again.

[Babbster]

I hate to break it to you, but a felony is simply what the law says, and by extension what the people say through their legislatures. If people decide that cracking into a computer system is a crime deserving of being labelled a felony and having penalties commensurate with that title, then it *is* a felony.

It seems that because of the "underground" nature of computers, computer programming and the Internet before the last 10 years or so, there are a lot of long-time computer people who believe that we should go easy on people who break through security and do malicious (often petty) mischief to computers on the Internet. They want to blame software companies because their software isn't perfectly secure. They want to blame system administrators because they missed a spot on the security checklist. They want to blame everyone except the person who did the crime.

Why is it that it's a sysadmin's fault when someone breaks into their computer because of a lapse of security (which can be very tiny, difficult to detect and sometimes undocumented) on their system? Does that mean that if I have only a cheap lock on my door, it's my fault that someone picked the lock and stole my stuff? Did that person commit less of a crime because it was easier?

Punishing people who break the law is important. I don't think very many people disagree with that. It's likely, for better or worse, that the people who get jacked up for this over the next few years ARE going to be over-prosecuted. This isn't necessarily a bad thing. It will hopefully send a message to those who might do the same, and make them at least a little more reluctant. Frankly, I think these people should be punished MORE than, for example, a crack addict who breaks into my house and steals stuff to pay for their habit. At least they have a "reason" to be doing it (feeding their physical addiction). These punks who crack into computers are generally doing it just for the hell of it, and that mind-set seems more dangerous to me.

Judgement

[Mignon]

(Use your judgement in interpreting the source of this news, too.)

You don't have to tell me that; I'm reading this on Slashdot...

Re:Yes, a MONTH

[titus-g]

Umm yeah I wasn't meaning to criticise them at all, I kinda hinted at this in the post. It's just that when I first read hackers/prosecuted/felony I thought that the company hacked was commercial, and if they were then a month would be a long time. Given that it was not only a volunteer run service, but also a public access shell system (more complex to repair than just a web server) then it's not unreasonable at all.

I was actually considering taking the first para out before submitting, but then hey, probably no one would have actually read the post then.

I also missed out "...until the plates met" . "just to impress their little friends."

And nope, hope I never have to, it's bad enough rebuilding after a crash without worrying about what they've done to any custom software you might have.

"...any hacking...will be a felony"!?!?!?!?

[Blix+In+Space]

Here's what worries me:
One day I'm surfing some corp. web site and come accross a page that isn't hidden, passwd protected, etc.. but it's a page that said corp. doesn't want me to see.

What's to stop them from blaming the site's Sys Admin incompetence on me, which could end up making me a convicted felon??

ANY hacking = felony. Period.

...How can a judicial system that cleary doesn't have the slightest idea as to what 'hacking' really is determine that it's a felony??? Is trespassing a felony? I thought it was a misdemeanor... so why does electronic tresspassing so much worse?


- Blix In Space

Re:Staying within the law

[empesey]

Absolutely. I didn't mean to give the wrong impression. I was talking about trends, not current events. My point was that as laws and restrictions pile up, it becomes harder and harder to even be aware of every law, let alone keep them. It is at that point that you get the situation I was talking about.

Someone made that point on slashdot a couple days back. The issue of ignorance of the law not being an excuse and how long ago, that might have been possible, but is impracticle today. I read somewhere a comparison between famous documents like The Constitition, The Declaration Of Independence, The Bible, etc and the tax code. The Bible had the most number of words (10,000 or some fairly low number). The tax code had over 7 million. Heck, there are laws on the books that no lawyer would convict you of. So, yea, it's hard to keep up.

I am not condoning breaking into computer systems, but I do have issues with that being a felony except in the most egregious of cases. And yes, it's an entirely different thing to be caught speeding. For one thing, you won't make national headlines for doing so. For another, it's not a felony.

Agreed. Like with any law, one would have to look at intent and consequences. Certainly a speeder could very well kill someone. But as others have mentioned, set up hacking contest between your friends or something. It's too easy to make a whoops that could cost people money, their career or even lives.

--

Re:Great! More useless legislation

[Kintanon]

Yer .sig is wrong, it's braindead AOLer.
>:)

Yay!

[Greyfox]

Now I can start prosecuting the fuckers who portscan me! Oooh baby look at me go! Except for the ones located abroad. There's always some wiseass in Brazil or Malaysia or somewhere. For them, I usually E-Mail the offending ISP demanding footage of the caning of the perpetrator (in the case of Malaysia) or the head of the perpetrator in a box (in the case of Brazil.) I offer not to declare war on them in return for this. Thus far I have not had any replies and am now at war with half the countries of the world.

Antibodies

[epcraig]

Ever notice the lack of cracks reported from China?

Taiwan has been hacking mainland boxes for years, and the reverse is true. Both nets are becoming more secure as a result.

Personally, I'd prefer being vandalised by script kiddies to having a serious crack from some offshore vandal who is protected by his government.

Sort of why I'd prefer cowpox to smallpox.

This is really evolution in action!

[human+bean]

They call themselves hackers, and they don't even know enough to bypass/edit-out on log files?

My friends, this is what's wrong with America. We are going to leave this country to a bunch of dweebs who havn't learned to avoid grief, even when they KNOW it is there.

To my mind, they simply didn't think about what they were doing. Of course, if they had been taught to think, then they may not have done it in the first place.

well duh

[bluwhired]

any admin who can't secure their machines are incompetent. anyone foolish enough to leave their house door unlocked is such. and any women walking down the street in a miniskirt (or for that matter, sweat shirt and pants) are inviting rapists. they should know better. admins should use openbsd, homeowners should install 10 deadbolt locks, and women should be accompanied by former NFL players when going to the supermarket.

Re:Anti-SPAM

[Kronovohr]

Nitpick (sorry)...POP3 = connections for reading mail already spooled on
a machine. SMTP is mail sending, as well as a few other not-so-often used
protocols.

Re:I agree.

[jmsaul]

The people at M-Net are pretty reasonable people, and will probably not overstate damages (unless one of their parent companies or sponsors makes them). Thanks for the kind words!We don't have any parent companies or corporate sponsors. M-Net is run by Arbornet, Inc, a non-profit with directors elected by the M-Net contributor base. We're a small, all-volunteer group, with virtually all of our income coming from donations by individual users. We operate on a shoestring. I don't know that any large corporations would really be willing to support us, given our extremely strong pro-free-speech stance. ;-) It would't be appropriate for me to comment on the case itself, but I wanted to clear that issue up.
Joe Saul, Executive VP, Arbornet seldon@arbornet.org

Re:Odd reasoning, that

[drteknikal]

I also find it odd that they don't include any specific allegation that the system crash or hardware damage was the result of his actions, only that it happened during a period of time where he had access to the system.

Re:If You're A Human, Michigan Sucks

[ibpooks]

Yes, we do have a ZERO-TOLERANCE law, and we're damn proud of it!

Re:Political Correctness "Cracking"

[(trb001)]

Eh...no, see, I disagree. We need the title cracker, though it will never be used correctly, to differentiate good and bad. Not to mention that a vast majority of 'evil hackers' are NOT hackers in the slightest. We know them as script kiddies and lamers, mostly. I don't really want these people called 'evil hackers' or having anything to do with hackers at all. They have their own classification, and it suits them fine.

--trb

Re:Harshness sometimes necessary

[frankie]

death penalty isn't supposed to be a deterent, it's a safety measure.

Life without parole would be an equally good safety measure, and it avoids the small drawback of killing innocent people.

Given the treatment of "hackers" in the US media, we should be almost as worried about unjust ramrod prosecutions as underprivileged murder suspects are now.

Uh oh, my SpiderKatz Sense is tingling. Jon could easily turn this topic into another epic, so I better stop now...

Re:Blowing things out of proportion

[Private+Essayist]

"I'm constantly amazed that people in journalism either have no logical base or are masters of sensationalism. I think it's a little from column A and a little bit from column B. "

I agree. For one thing, most people don't think through their words very carefully. It's easy to slip cliches into everyday speech. A journalist merely scribbles down the sloppy speech.

Something else that often plays a part is the lack of mathematical thinking among most folks. The Attorney General probably wasn't thinking what stating 'one half' of Net users really meant in real terms.

And, as you say, sensationalism can play a part in the news game. "Coming up next, your neighbor may be a criminal!"

sigh
________________

Re:Damages?

[BilldaCat]

Still, the penalty is too high. A lot of cases are vandalism. Kids wanting to show that they can hack a server, or get some sort of message out. But in the end, it's just vandalism, but it's being treated like it's something waaaay more serious.. spending years in jail for defacing a website is ludicrous, when vandalism is simply a fine.

Say I am looking to buy a Coke somewhere.. if I see 2 stores, one with graffiti all over it, and one clean and nice-looking, I'll probably head to the latter to get my coke.

Why do you guys suck?

[nconway]

No offence, but from what I can tell, the people @ M-Net are basically devoid of technical talent, despite being the 'first public-access unix machine'; if you've been running UNIX for so long, haven't you learned how to secure it yet? How were the M-Net systems hacked into? Apparently, you guys are running FreeBSD now - were you running it when the breakins occured?

The M-Net system remained down into July and became available only after M-Net replaced the system's equipment.

Why was this necessary? Why not just postmortem the box, whipe it, and start over?

Re:Cruiser Tune Up

[infodragon]

JohnKatz
Pros: Will bring a lot of attention even though it may be negative.
Cons: Will some how associate the Cruiser with somthing post-Columbine
Biggest Concern: Uses a lot of uber-tecnical terms and gets a few wrong. Resulting in a monkey-wrench used for a steering wheel.

Re:Nature of Crime

[Kakurenbo+Shogun]

I think that merely "accessing" a system illegally should not be a criminal offense, and should incur only minor civil damages. I am verydisturbed by the trend towards legislation that allows people to collect damages that were never actually incurred.

Unless a sysadmin is 100% irresponsible, there are damages, even when someone "merely accesses" a system illegally. If somebody hacks your system, can you just say "well, they didn't deface my web pages, so there was no damage"? How can you be sure they didn't steal some information? How can you be sure they didn't leave a root kit? How can you be sure they're not using your system to attack other systems? To be responsible, you pretty much have to do a complete reinstall of your system. You also have to be sure that when you restore your data, you don't restore their backdoor. I'd call that damages.

Also, I woudn't go too far in claiming that the person who doesn't make their system 100% secure is totally responsible. You may have good locks on the doors and windows in your house, motion detection systems in place, prickly plants under the windows, and guard dogs. But that's not going to do you much good when somebody starts firing a howitzer at your door. It won't even keep a kid with a bb-gun from being able to shoot a window out.

I don't think the vendors should be held completely responsible either. Software isn't perfect. That's just the way it is. If all software had to be perfect before being released, the only thing you'd be able to buy (or download) would be "hello world". Unless the manufacturer of your front door claims that it will protect you against cruise missles, don't expect it to survive a cruise missle attack. Pick your software carefully. Choose a vendor who has a good track record. Set it up correctly. Keep on top of bug fixes. Then hope for the best. Unless the vendor is criminally negligent, give it a rest.

Re:Political Correctness "Cracking"

[sansoo]

I note that the law has incorrectly been applying the term "narcotics" to marijuana for years, but doctors and pharmacologists still use the term correctly.

For those who don't know, narcotics are that class of drugs related to opium: opium, methadone, heroin, morphine, codeine. This has no value judgement attached; it's a medical definition.

"hacking" implies a certain level of expertise. A 14 year-old can call himself a "kung fu master" all he wants; but it's still incorrect. Some crackers are hackers, but most are not. Most are *boring*.

Re:Anti-SPAM

[deefer]

Heh! That sure put a smile on my face! :) Has it worked, so far?
The amount of spam I get is truly horrific; the only trouble is I am scared to reply to these emails, as I don't want to confirm that the email address is still valid...

Strong data typing is for those with weak minds.

Re:Two Sides

[Sygnus]

Ok, you can live in your fantasy world, and I'll live in the real world, where there are Bad Guys Who Don't Give A Damn.
Humans, by nature, are opportunists who will take advantage of weaknesses, regardless of the consequences.

Send criminals to jail fast! New in.felonyd!!

[ZZane]

Yes, you too can put those pesky "ping" and "e-mail" users where they belong - behind bars! Simply install our new in.felonyd and viola! In.felonyd listens on all ports and traces any incoming packets. It then automatically e-mails your local law enforcement, the secret service and the offender's mother with details of the violation.

[fineprint]Problems may arise if the offender is also running in.felonyd.[/fineprint]

Re:Make automatic nightly backups

[DrgnDancer]

Ok, I'll bite. How is replacing a program with a trojan on an open source system any easier than doing so on a close sourced system?

Determination

[Threed]

Really, there is no 100% effective lock. Read the MIT Building Hacker's guide some time to get an idea of exactly how sad some lock mechanisms are.

This applies to computers and software too. No net connected machine is 100% secure. Even disconnected, placed in a steel room, buried in a mountain, it's still not 100% secure. When you bring people (admins and users) into the picture you really shoot your security to shit.

I'm gonna put a foot down here and give an absolute: I refuse to believe that anyone should be held liable for the laws of the universe. If it's impossible to make a 100% secure lock then you shouldn't be able to sue the lockmaker unless they purposefully introduced a flaw into the mechanism.

Of course, that doesn't mean that you can't publicly deride a lockmaker or software house for bad security.

(Begs the question: Has a software house ever been sued for a security flaw?)

The real Threed's /. ID is lower than the real Bruce Perens'.

--Threed

Re:Determination

[Claudius]

I'm gonna put a foot down here and give an absolute: I refuse to believe that anyone should be held liable for the laws of the universe. If it's impossible to make a 100% secure lock then you shouldn't be able to sue the lockmaker unless they purposefully introduced a flaw into the mechanism.

I am not a lawyer (and I doubt you are one either) [IANALAIDYAOE], but I take issue with your pronouncement. Parties should, in principle, be held responsible for incompetence or negligence that harms others. The matter should not hinge on "intent to harm," as this would give carte blanche for corporations to produce most anything under any claims whatsoever provided you couldn't prove a willful introduction of deleterious flaws into the product. Most people would see no problem with holding responsible, say, a factory that inadvertantly contaminates a town's groundwater with heavy metals or a contractor who builds a bridge that falls down under a normal traffic load due to corners that were cut during the construction process. Neither is technically a purposeful introduction of a flaw nor a violation of physics, yet both are examples of negligence.

Begs the question: Has a software house ever been sued for a security flaw?)

Negligence itself in the U.S. has a curious definition. In essence (if I recall correctly--lawyers, please correct my errors), the criterion is the answer to "In hindsight, would you have done anything different to have prevented this from happening?" If the answer is "yes," then one is negligent. This, like many USian laws, seems to leave little room for common sense, and it is a system that can be easily abused: Of course McDonalds employees would warn a person of hot coffee if they knew she would later injure herself. Of course the soda machine company would warn people that it is dangerous to try tipping the machine over to get a free soda.

Software companies are different, however, since they have a shrink-wrap licensing agreement that disavows them of any responsibility for damages resulting from potential use or misuse of their products. If I'm not mistaken, one generally cannot even pose the negligence question to a software company since they make no claims whatsoever on the suitability of their products for any purpose, much less the purpose that led to damages to a party. This is yet another way that software differs from the "real world."

Re:Two Sides

[101010]

I don't know why this is so hard. Let's think about the lock a minute. All a lock does is keep your friends out. Unless you live in a vault, there are plenty of ways in your house. What good is a lock? So you can tell the insurance company you had your door locked and they will pay the damages.

As for the candy bar analogies, there are different ways to steal a candy bar. You can walk in a store, pick one up and walk out with it. That's called shop lifting. You could also wait until after hours, break in and take it. This is breaking and entering. It's not the theft of a candybar that will land you in jail, it's breaking and entering.

What this amounts to is being where you're not supposed to be. We can argue all day about how secure something is. Does that make a person who owns a convertible responsible if someone slashes the top and steals the radio cause the car is less secure? Hardly. Whether it's ms, Linux, BSD, if you're not authorized, you're not supposed to be in there.

It's time people started facing consequences for their own actions. It's just like DUI, if you're stupid enough to drink and drive you deserve to be put away forever.

Re:Don't know much about psychology, do you?

[ethereal]

I have to ask - what's a "senerco"? I've consulted my handy /. table of common misspellings, but I'm utterly at a loss to come up with an explanation for that one.

"century", "scenario" (actually, that one looks likely), "county"? Even with the help of context I don't get it.

Does the law apply when my Linux box gets h4x0r3d?

Oh that's right. I am not worthy.

This law no doubt only applies when CNN or Amazon or one of the big boys on the net gets hit.

When my Linux box on my cable modem gets cracked, files deleted, and then used to spam or crack other sites, *I* actually get reprimanded by local authorities for "wasting their time" when I try to file a complaint. Guess there's no laws to protect me, eh?

Yet if I hack back, the law may decide to swoop down on me!

Re:Odd reasoning, that

[mOdQuArK!]

There are few ways to describe (in the current, rather than classic, sense of the word) hacking as anything other than breaking into someone's "property" without leave.

Oh please, hacking is only similar to B&E as information is to physical presence.

Somebody who has hacked into your computer is hardly as physically dangerous (unless they've hacked into something controlling a life support system!) as if they're standing in your house ready to brain you with a crowbar.

This is exactly the kind of reasoning which equates copying a CD with stealing cargo from ships on the high seas.

I've never been able to speel.

[bluGill]

It took me 2 mintues to come up with that speelling, which was as close as I could get. It took me 5 minutes to find it in a dictionary (For starters because I was looking for sE, not sC.

Anyway, the proper spelling is scenario

Generally when someone asks me how to spell something I respond i-n-c-o-r-r-e-c-t-l-y. This just goes to prove I'm right there.

Re:I've never been able to speel.

[ethereal]

Sorry, I really didn't want to make a spelling flame, I just couldn't tell what you were getting at :) It makes much more sense now.

Wrong!

[Ungrounded+Lightning]

I have no idea who originally came up with "hacking" as being someone who codes, but they're way off base. Hackers are people who compromise security on other systems. Crackers remove rotection/limitations on software. That's the way it's always been. Quit trying to change it.

You're wrong, and YOU're the one trying to rewrite history. See Steven Levy's book "Hackers" for some of the documentation.

"Hacker" was MIT AI-lab slang for an exceptionally talented and persistent programmer - someone who could substitute that talent and persistence for a lack of tools and achieve impressive results. (This was particularly important at the time, beacuse to a large extent there WEREN'T any tools yet...)

One possible precursor was a Yiddish term meaning approximately "someone who builds furniture with an axe", and carrying the same positive connotation. (Contrast vs. a "hack" writer.)

To hack a problem was to attack it with all the skill you had and find a way to solve it. Yes, it could apply to hacking through a security barrier - but only to the extent that defeating a security barrier was a member of the set of all difficult software problems.

Saying "hacker" when you mean "(computer security) cracker" is like saying "sailor" when you mean "(sea) pirate" or "cowboy" when you mean "cattle rustler". Yes, crackers tended to be a subset of hackers, just as cattle rustlers were a subset of cowboys and sea pirates a subset of sailors. (Or at least that was true before the script-kiddie phenomenon lowered the bar on cracking.) But the misuse is exactly the same.

The misuse apparently began with an early self-appoionted security expert's presentation to early information-system management. He went on a lecture circuit trying to alert MIS people to the dangers of crackers (and to drum up consulting business). He used "hackers" as a term for crackers - much to the confusion of the techies in the audience (who recognized the misuse but considered it a sign of the cluelessness of the presenter).

But for many of the MIS executives (and the members of the trade press) this was their first in-depth exposure to both the threat of crackers and the term "hacker". So the misuse quickly caught on among the suits, and from there spread to the general media.

To this day one of the most effective ways to separate the technically literate from the hangers-on is to determine how they use the term "hacker".

F***t pedantic cracker not hacker post

[Hairy_Potter]

Yeap, the AG used hacking when she should have used cracking.

Will the degeneration of the English langugae never stop?

Where is ESR when we need him?

Re:F***t pedantic cracker not hacker post

[c4thy]

i thought a hacker was someone who showed the signs of smoking for 20 years and a cracker was just your ordinary white guy, i think you all are wrong

crackers abound

[Geccoman]

I'm still blown away by how destructive people are. I'm setting up a company on the internet right now, and it really sucks that they have to be constantly monitored just to make sure some kid doesn't come in and destroy everything I have worked so hard on. On the bright side, it keeps me in a job and my wife and kid in a nice home. So, mabye it's not always so bad.

Damages?

[Sygnus]

How on earth do website defacements (in the Jesse Salens case) constitute monetary damages? I work as a web developer, and while fixing a website is work, it isn't that much work - a few minutes, max.

Re:Damages?

[Absimiliard]

Just because it's not that hard to change a tire, doesn't mean I easily dismiss the fact that someone took it upon themselves to slash it.

Man what a poor analogy. It's not like slashing the tire and thus forcing you to change it. It's more analogous to letting the air out of the tire and forcing you to re-inflate it.

Now I'm not defending the practice so everyone can point the flames elsewhere. I'm just pointing out a flawed analogy.

Absimiliard

Re:Damages?

[MarkKomus]

Easily, if someone defaces my webpage, and a bunch of customers see it they might not buy a product or service from me. If you want to strech it you could say that instead they buy from a competitor and end up recommending them to a friend who also doesn't then even look at my product/service.

Unfortuantly determining that cost is basically impossible.

Re:Damages?

[Nezumi-chan]

How on earth do website defacements (in the Jesse Salens case) constitute monetary damages?

I note that with the upcoming changes, all hacking will be considered a felony, regardless of damages. I wonder how many corporations are jumping for joy at the concept of no longer having to prove that attacks actually cost them anything.

Of course, they still have to do so for civil litigation, but for having the hackers criminally charged and serve as a lesson to others must be a powerful control high.

Re:Damages?

[AntiNorm]

How on earth do website defacements (in the Jesse Salens case) constitute monetary damages? I work as a web developer, and while fixing a website is work, it isn't that much work - a few minutes, max.

While the 'altered' web site is up, how many customers will read it, expecting to find the company's normal site? How much business will this cost the company? Not to mention the labor costs and lost productivity (however small) involved in having a web site maintainer repair the damage.

=================================

Re:Damages?

[empesey]

I work as a web developer, and while fixing a website is work, it isn't that much work - a few minutes, max.

I always find this argument baffling. Just because it's not that hard to change a tire, doesn't mean I easily dismiss the fact that someone took it upon themselves to slash it. If someone knowingly breaks the law, then they should pay the consequences. Pure and simple. Nowhere in any state of federal statutes do I read that small corrective action allows anyone a free pass.

--

Re:Damages?

[Malk-a-mite]

It's not just the site.
You also have to find how the defacement happened. What r00t kit was installed, what system has been tampered with while getting to the page.

If you see your web site has been defaced, it's a good sign something else was also changed also.

Malk-a-mite

Re:Odd reasoning, that

[theonetruekeebler]

Breaking and entering is a property crime; the presence or absence of a homeowner is irrelevant. B&E does, however, typically stipulate that damage ("breaking") was done pursuant to trespass ("entering").

Even if no damage was done, breaking into someone else's computer is sure as hell an act of criminal trespass.

Here's how the State of Georgia, for example, defines criminal trespass:

(b) A person commits the offense of criminal trespass when he or she knowingly and without authority:

(1) Enters upon the land or premises of another person or into any part of any vehicle, railroad car, aircraft, or watercraft of another person for an unlawful purpose;

(2) Enters upon the land or premises of another person or into any part of any vehicle, railroad car, aircraft, or watercraft of another person after receiving, prior to such entry, notice from the owner, rightful occupant, or, upon proper identification, an authorized representative of the owner or rightful occupant that such entry is forbidden; or

(3) Remains upon the land or premises of another person or within the vehicle, railroad car, aircraft, or watercraft of another person after receiving notice from the owner, rightful occupant, or, upon proper identification, an authorized representative of the owner or rightful occupant to depart.

If a computer is an extention of my premeses, this sounds like cracking to me; frankly I'd be much more upset with you if you were going through my computer files than my tool shed.

One important difference, though, between criminal tresspass and whatever tough-on-crime bullshit they've got going on in Michigan, is that criminal tresspass is a misdemeanor, not grounds for a five year prison term.

--

Re:can never think of anything to go here

[jorbettis]

Well my first thought was A MONTH???.

If I were to let any of my clients sites go down for more than a day, I'd be dead, I already suffer from telephone phobia from times when servers have crashed/email has gone weird. These days there is no excuse for not having backups and at least some idea of an alternative if you do lose a machine (he sez hypocritically).

Well, M-Net is run by volunteers. One of the biggest problems was that the admins could not find the free time required to do all of the work involved in bringing a new bbs box up.

They could not pull from backups because they did not know how long the box had been compromised. I would also like to point out that they bought new equipment because they have been wanting to upgrade for some time, they just used this as an excuse. The box that was hacked had no physical damage done to it (the admins said as much in the m-net bbs, where there is currently a lively discussion going on about this).

Arbornet does not have the funds for any sort of redundency, it is supported entirely by charitable donations from m-net users

The box being down for a month (I remember it being more like two) was a major inconvience, but I still think a felony charge is way too much for the kid.

Handed In? Caught? Huh?

[Hates]

Salcedo met with M-Net employees and admitted that he was "6122," that he had hacked into the system, and that he had stolen a number of passwords..

I'm interested to know what the consiquences of this meeting were. Was he handed over the police? Or did he do that himself at a later stage? Hmmm...

If I was M-NET I'd hire him and get him to make the network more secure :)

Re:Handed In? Caught? Huh?

[Chmarr]

For all we know, Salcedo could just be a script kiddie... hiring him would be more than useless.

re:what kind of comparison is this?

[eudas]

Granholm added: "In the future, any hacking, regardless of the amount of financial damage it causes, will be a felony. A vandal is a vandal whether you are a virtual vandal putting graffiti on a web site or a real world vandal putting graffiti on a wall. Both are illegal.

Uhh, I'm not sure, but is putting graffiti on a wall a felony offense? I would think something that minor would be a misdemeanor or something. If writing graffiti in rl is not a felony offense, then they seriously need to rethink their comparison, because it's flawed.

eudas

Down for a month ?!

[billcopc]

How can a system be down for an entire month ? Anybody with a pea-sized brain can crash a box, and it takes a few minutes to bring it back up. Now if a pair of "black hat security experts" damaged the system so severely, why didn't the admins just restore a backup the next day and fix their holes ? This just doesn't make any sense. Any more-or-less well organised team of admins should be able to at least put together a fallback server in an evening if they've been making regular backups. Heck, even if the infiltrators had some way to cause a hardware malfunction and fry the mobo, the admins just need to run down to the shop and get new hardware. Suspending user access for a month while you're trying to put everything back into place is absurd. A flock of geese could probably learn to speak esperanto in less time than that.

(this abhorringly exaggerated commentary is (c) Billco 2000)

Re:Down for a month ?!

[Darth_brooks]

abhorringly exaggerated is right. I've ben using M-net off and on for about 6 months now, and it wasn't just a matter of "go re-image the server(s)." If you haven't read rootprompt.org's "Cracked" section, please do so now as it mirrors what happened to m-net to a T. while the system was down the admins also decided that an upgrade was in order, so a new machine was purchased to add to the collective.

M-net is also all voulenteer, and the timing couldn't have been worse, as most of the admins were overloaded at their real jobs. Poor timing, a collection of ghod only know what kind of equipment, and admins who couldn't be pulled from their real jobs resulted in the month long downtime. fortunatly the community (grudgingly) understood and let the admins do their job when they could.

--

Re:we are all harmed

[josepha48]

Hmm maybe I was not clear in my point or maybe you missed it.

Alot of the debate here centers on how much damage is actually done by this and the relative severity of the punishment and I think that's the appropriate place for the debate to be.

When you ask how much damage is done, well think of it this way. If someone hacks into a computer system and then posts the credit cards of all the users to a web site, then ALL those users have to get new credit card numbers. There is nothing wrong with someone being different in society. That is nowhere near my point. Being different is fine. We have asian, african american, caucasion, hispanic, catholic, jew, hebrew, protestant, gay, straight, etc. or whatever. There is nothing wrong with being differnt in any way shape or form.

The problem arises when someone acts on out against society in a hurtful maner. Hacking systems is just as destructive as breaking into a bank or house. How would it feel if someone broke into your home. I'll tell you. I no longer felt safe in my old place. There is emotional damage. When someone hacks a computer system, the punishment shoudl probably be the same as breaking an entering. If they takes something the punishement shoudl prbably be theft.

Being different does not give you the right to harm others, and that is what you do when you hack systems. That was my point. You don't just hurt the corporation, you hurt everyone that uses that computer system. Hackers or maybe I should say "Crackers" which is the proper term should be punished.

I don't want a lot, I just want it all!
Flame away, I have a hose!

It seems to me...

[syf0n]

It seems to me that for all the hell people are catching about breaking into computers, they sure aren't doing a lot once they're in. I mean...if you're going to get blasted no matter what, why not screw some shit up?

Re:Odd reasoning, that

[cpt+kangarooski]

I can't believe no one seems to have done this before, but on the Openlaw list someone finally looked up the origins of 'piracy' in the OED. Evidently it's been used in the same sense as it is today since the 1700's.

So go figure - copying stuff was called piracy by people who lived in an age with the 'arr matey' sorts of pirates too.

But for Tennessee v. Garner

[Captain+Pillbug]

And if it weren't for Tennessee v. Garner , it'd be constitutional for police to use deadly force in the apprehension of such a 'hacker' felon. Scary stuff.

Re:But for Tennessee v. Garner

[Lord+Kano]

It's constitutional for police to use deadly force against ANYONE if they believe that lives are in danger.

LK

Re:Felony?

[Enormous+Cow+Turd]

Spraying graffiti on the outside of my house/business is not a felony. Breaking into my house/business and spraying graffiti most certainly is.

Re:Make automatic nightly backups

[void*]

Checking the dates on the binary isn't going to help at all, on closed or open source platforms. What you need is a list of hashes generated by something like tripwire, and keep it on read only media somewhere. Note that this requires pro-active action.

Also, closed source does not protect you from trojaned binaries. If you know enough about the executable format, you can patch the binary. Alternatively, you can get a patched binary from someone who knows what they're doing, if you don't know what you're doing yourself. Or, re-code the binary you're trojaning from scratch, which will range in difficulty based on what the program you're trojaning does.

Political Correctness "Cracking"

[Benjamin+Shniper]

It seems that this may give the term "hacking" a legal definition.

This could be bad for those who would define hacking as simply playing with advanced settings and programs on their own software and hardware.

-Ben

Re:Political Correctness "Cracking"

[dr_labrat]

not at all.

Some words have several meanings like:

duck
chip

scumbag lawyer

Re:Political Correctness "Cracking"

[HyperbolicParabaloid]

This can't set any kind of legal precedent; its only a press release.

Re:Political Correctness "Cracking"

[Naikrovek]

There are good doctors, and there are bad doctors.

There are good cops, and there are bad cops.

There are good lawyers, and there are bad lawyers.

There are good activists, and there are bad ones.

There are good hackers, and there are bad ones. There are no crackers. They do not need their own title.

Re:Political Correctness "Cracking"

[Kierthos]

Want to bet? It's the press that defines what the vast majority of the populace sees and hears. If they want to call the crime involved here 'hacking', then it's hacking to the vast herds of computer-clueless, no matter what we think it should be called. And since judges and lawyers routinely fall into this category of "computer-clueless", I'm afraid it will stick.

Interesting note though: Is the 17 year-old being charged as a minor? If he is, then his parents or guardians are legally responsible for any civil damages that occured. Criminally, I think he's going to Boys-Town for a while.

Also, I don't like the concept of removing the $1,000 dollar cap on the damages. It means that even if you do nothing but break into a site that you do not have lawful access to (password cracking, for example), then you can be charges under this law, at least in Michigan. Might cut down on the number of minors hacking for porn-site passwords, but I rather doubt it.

Kierthos

Re:Political Correctness "Cracking"

[ConceptJunkie]

More specifically, there are good hackers and there are _evil_ hackers.

I've known plenty of bad hackers, like one guy who I would often find tracing deep into OS calls in an attempt to diagnose a problem that was almost invariably caused by not compiling with the right version of the header files for the libraries he was using. That was a bad hacker. :)

Rick

Re:Don't know much about psychology, do you?

[metis]

There is no need for armchair psychology since there has been some research about it. It seems that not only vandals, but actually most people are deterred by the probability of being caught and usually unimpressed by stiffer penalties. Hence increasing the penalty for everything that scares people is worthless public policy and just serves to make the US the world leader in incarceration rate. An enlightened justice system would persue particularly problematic crime by turning on the heat of enforcement and increasing the probability of getting caught, leaving penalties to be dermined by other criteria ( damage, moral obrobium, etc.)

( If anybody finds such a justice system please call the White House )

The penalty should be inversly proportional to probability of getting caught only when the penalty is a fine, since then every offender will pay the same amount over time.

Odd reasoning, that

[Nezumi-chan]

Perhaps despite having worked for lawyers for several years I still don't have an astute legal mind, but Granholm's contention that regardless of damage, hacking should (and will) be considered a felony is a bit odd, considering that she then compares it to vandalism, which definitely does depend on the amount of damage involved.

Yet another case of saying the net is like the real world as a justification for not treating it like the real world, I guess.

Re:Odd reasoning, that

[billcopc]

Simple. Every internet-related crime is either fraud or a miscellaneous felony. Either way you get prosecuted as if you had anally raped 13 goat fetuses in front of a church. The legal system just isn't prepared or educated for electronic crime, because most of the people who create and sign laws have never touched a PC, never cared about them, and will probably drop dead of old age before anybody comes back to blame them for such atrocities.

Re:Odd reasoning, that

[Nezumi-chan]

Somebody who has hacked into your computer is hardly as physically dangerous (unless they've hacked into something controlling a life support system!) as if they're standing in your house ready to brain you with a crowbar.

I must admit, you are right. B&E is only a good description of most hacking actions. The remainder fall into the similar, but different, category of trespassing.

The two are quite analagous. Hackers who break into someone's commercial site, or a government site, or something similar, are essentially B&E's. But hackers who break into someone's personal machine, or wander around (but do nothing else) are more similar to some idiot scrambling over your back fence and hanging out in your backyard for a while. Much less severe, but no less invasive. Regardless, both are crimes.

Re:Odd reasoning, that

[theonetruekeebler]

Well, the cost of damage is typically said to be the cost of your property to its original state, or the fair market price of any property which was destroyed. This is a difficult thing to assess WRT data.

Appraisable or not, I emphatically believe that a computer's data is property. It can be stolen or vandalized, and an attempt to access it without the owner's express or implied consent is indeed trespassing. The metaphor extends quite nicely and allows existing laws to be applied in a novel situation. This suits me a lot better than creating new felonies for acts that in the real world are only misdemeanors.

The only question I have is one of jurisdiction: Did the crime happen at the location of the cracker or the cracked? What happens if I fire a gun across a state line to kill someone? I have a supicion that the murder happened where the victim was killed, not where the killer was standing.

--

Re:Odd reasoning, that

[bripeace]

To me this seems like cruel and unusual punishment.
I mean lets say you steal a candy bar at a store. They're not gonna throw you in jail for 10 years and charge you 10,000$ in fines, because of a 60|cent candy bar. Thats just cruel. So lets say you only do like 100$ worth of damage in some cracking incident. Then because of that you gotta start putting that on your job aplications and such. OUCH! Punishment should fit the crime.

Re:Odd reasoning, that

[dirk]

Perhaps despite having worked for lawyers for several years I still don't have an astute legal mind, but Granholm's contention that regardless of damage, hacking should (and will) be considered a felony is a bit odd, considering that she then compares it to vandalism, which definitely does depend on the amount of damage involved.

I think vandalism is a really poor comparison. It may be good for when a hacker actually defaces a website, but the actualy hack itself is much more akin to breaking and entering. B&E is (I think) a felony, no matter what you are breaking into. Anything else you do while you are there is a seperate crime, with it's own charges. I think this is the same approach that should be taken to hacking. Hacking into a system is a crime. Anything you do while you are there may be another. If you just look around, all you get is hacking. If you deface a website, you might get the electronic equivalent of vandalism. If you destroy files, that's another charge. But the hacking into a system is a crime unto itself. Unlawful entry is unlawful entry, no matter if it's a house, business, or a computer system.

Re:Odd reasoning, that

[_Sprocket_]

Granholm's contention that regardless of damage, hacking should (and will) be considered a felony is a bit odd, considering that she then compares it to vandalism, which definitely does depend on the amount of damage involved.

That really stuck out to me too. To quote:

Granholm added: "In the future, any hacking, regardless of the amount of financial damage it causes, will be a felony. A vandal is a vandal whether you are a virtual vandal putting graffiti on a web site or a real world vandal putting graffiti on a wall. Both are illegal. And using a computer to break into a company from the comfort of your living room is just as illegal as using a hammer to break down that company's front door. Because the Internet makes the crime easier doesn't mean that it makes it right. These are the first hacking charges in this state; you can bet that they won't be the last."

So then the question becomes - when does vandalism constitute a felony (and I expect there IS a point that it does)? If vanalism in the physical world does not constitute an immediate felony charge, why should it in digital form? Once again, we have existing laws that can easily apply without writing up a new mess of digital laws.

Granted, that doesn't allow for the political "get tough" and Internet buzzphrase newsbites.

Re:Odd reasoning, that

[bmacy]

Actually it happens a lot... some activity that is particularly annoying to the Politically Correct or Large business is labelled a felony to deter it. In a state like CA where 3 felonies means life that can be a real big deterrent.

Brian Macy

Re:Odd reasoning, that

[Nezumi-chan]

Hacking into a system is a crime. Anything you do while you are there may be another.

I agree heartily. There are few ways to describe (in the current, rather than classic, sense of the word) hacking as anything other than breaking into someone's "property" without leave. Often, the door is left open by doing so, which presents a present danger, so a hacker bragging to others about his/her methods is very much analagous to committing a B&E and leaving the door open when you leave.

If Granholm had wanted to draw a parallel to reality, she really should have thought about the analogy she used.

Re:Before the knee-jerk reactions start...

[carlos_benj]

Whoa, dude. You need to borrow my sawzall root kit.

Dang. Nobody's gonna believe I'm a house-script kiddie. I know how to spell.

Damages: Community Network vs. Corporate Network?

[lwagner]

My concern is this: how will owners of small systems be "compensated" for having been hacked? For instance, a non-profit community network probably has few really sensitive documents, while a corporate network has many. What happens when a small network (or its users) want damages, like large companies?

--
Spindletop Blackbird, the GNU/Linux Cube.

The Internet makes crimes easier??

[llzackll]

On the bottom of that page, Granholm says:

"In the future, any hacking, regardless of the amount of financial damage it causes, will be a felony. A vandal is a vandal whether you are a virtual vandal putting graffiti on a web site or a real world vandal putting graffiti on a wall. Both are illegal. And using a computer to break into a company from the comfort of your living room is just as illegal as using a hammer to break down that company's front door. Because the Internet makes the crime easier doesn't mean that it makes it right. These are the first hacking charges in this state; you can bet that they won't be the last."

Uh, it would seem that spray painting a wall is a lot easier than breaking into a web site.

Re:Two Sides - ITS a UNIX Server!

[Fishstick]

Well, I wasn't "bashing" Microsoft because of M-Net.

The poster made an anology on insecure servers to crappy doorlocks. I just took it to an off-topic tangent that you probably can't sue Stanley corporation for lock failures any more than you could sue Microsoft for server security failures.

Sorry if that offended you.

i told you all...

[MoldyZero]

I told all of you how bad michigan is...i told you... but you wouldn't believe me...

Re:OR....

[TobyWong]

only an AC could make the jump from computer security to rape.

Good call buddy, you get a shiny gold star for effort. Now please stop thinking so hard because I can see the veins sticking out of your neck and your head looks like it's about to explode.

Could you comment on the hardware?

[Myself]

The Attorney General's release was entirely devoid of facts surrounding the hardware failure. I'm curious why it was mentioned at all. Is it being implied that the attack caused the hardware to fail, or anything similar?

I'm also interested, if you can comment at this time, in exactly what transpired at the "meeting" that was mentioned. I can't speak for the accused, but I think it'd be pretty stupid to meet with the admin of a box I'd just compromised. I'd only do so in good faith, perhaps to help the admin patch the hole, etc. Can you tell us whether Salcedo was summoned to the meeting by legal means, or whether he came forth on his own? This is crucial, I think, to the public's understanding of the case.

Re:Could you comment on the hardware?

[JanWolter]

My understanding is that the system was sufficiently compromised that they felt they needeed to rebuild the software from scratch. As long as you're going to do that, you might as well do it with newer versions of things, in this case, a new computer and a new operating system. Recovery would have been faster if they had just rebuilt the old system, but then all their time would have put them right back where they were when they started. Instead they invested more time and ended up with a better system.

Obviously, if the AG attempts to claim that the hacker forced them to buy a new computer, they will be ripped apart in court. I expect the AG will be a bit more careful in making their case then they are in writing their press releases.

Two Sides

[Auckerman]

If you bought a deadbolt for your front door and it had a defects in it so often you had to buy a new lock every other day to prevent some kid with a stick of gum from getting in your house and steal all your stuff, what would you do?

Buy a different lock.

There are two parts to this. The server maker is responsible for not being as carefull as OpenBSD has proven that you can, the Admin is responsible for not doing his job right, and the script kiddie is responsible for breaking in.

Admins are unsaveable at this point, any fool can install a server and set up shop these days. Companies and kiddies should be punished. If you sold me a shit lock and some kid broken in my house, I would have the kid arrested and you, the lock seller, would be sued for any damage the kid did to my house.

If only our legislators could see that. But, noooo, MS is an 'innovator', Macs are 'toys', and Unix is for 'hobbists'. Great.

Re:Two Sides

[Joe+Pulcinella]

If I break into your house, even if I didn't take anything, wouldn't you want me to be arrested?

Re:Two Sides

[Sygnus]

So don't give us this crap that 'we are all bad and there's nothing that can be done about it.'
What crap? I didn't say that humans are bad. I merely stated that it is in our nature to take advantage of opportunities.
I challenge you to come up with any instance of any type of opportunity that has come up that won't get taken advantage of. This could be a "good" opportunity, or a "bad" opportunity. I guarantee you'll fail in this challenge.
Humans are opportunistic - deal with it.

Re:Two Sides

[Sygnus]

Ok then, remove all the locks from your residence, and leave it for several hours. Perhaps nothing will happen the first time, or the second time, or the third, but you will be robbed eventually. Good security is important, and if whoever has root doesn't take measures to improve his servers' security, then he is an idiot and deserves whatever happens.

Re:Two Sides

[Fishstick]

>you, the lock seller, would be sued for any damage the kid did to my house.

Ah, but you implicity agreed to the End User Locksmith Agreement when you opened the shrink-wrapped package for the Micro-lock Deadbolt 2000 product you used and are now claiming to be defective.

The EULA clearly states that Deadbolt 2000 is not guaranteed to be fit for any particular purpose and that Micro-lock cannot be held liable for damages resulting from improper installation or or use of the product. Deabbolt 2000 uses Java technology, and as such should not be used in any critical application such as medical devices, manufacturer processing control or securing your front door.

(sorry, I'm bored at work. Moderators, please help me bleed off excess karma!)

Re:OR....

[TobyWong]

If you live in a bad neighbourhood and leave your windows and doors open while you go out, then don't be surprised when you get unwelcome guests.

Yes the perp should go to jail but it doesnt change the fact that you are a fucking moron for leaving your doors open.

The problem with your logic is you are assuming that the finger can only be pointed at one person where in reality many times the admin holds some amount of responsibility.

Now if you are the admin and you are actually putting some time and effort into security and STILL get broken into with a previously unknown exploit, then hey... shit happens, there's not much you can do about that. Unfortunatley for every one well-secured box that gets compromised there must be hundreds of misconfigured boxes that fall prey.

down for a month

[JanWolter]

It was more than a month, nearer two. But the downtime cannot be entirely blamed on the hacker. The admins weren't by any means taking the shortest route getting the system back up fast. Not only did they get new hardware (actually, I think they had already bought the new hardware before the crash), but they changed operating systems (from BSDI to FreeBSD, I think) which took a lot of time because they use a lot of custom software that didn't all port easily.

So you can't blame this guy for a month of down time.

However, I've been doing admin work on public access systems like M-Net for over 15 years, and I can't say I'm very sorry to see this person charged. How much damage this person actually did is debatable. But the cummulative damage done by people like him is substantial. More than half of the admin work we do is either cleaning up after or hardening our system against people like this. If we didn't have to play juvenile games with them, we could expend a lot more effort on improving our services. We are volunteers, offering a free, non-profit service. Why are we spending most of our time beating off literally thousands of people who are trying to damage or abuse our system sheerly for entertainment?

We've got a large class of people on the net who think breaking random things is a fun game. Individually they do inconsequential damage. Collectively, they are a real problem. I'm not sure what I think of these cases, but I do understand the social need to send signals discouraging this kind of stuff.

Great! More useless legislation

[jaysonsch]

The worst part about this is that I live in Michigan!

Blowing things out of proportion

[Private+Essayist]

Theft is wrong regardless of the medium used. However, I found Michigan's Attorny General stated matters in the usual exaggerated tone that the government uses to smear technology users:

Granholm said: "Hacking is the dark side of high technology's power and progress. For every person using a computer or the Internet for research, commerce or communication, there may be another person using that technology to commit a crime. '

She probably didn't mean that literally (how stupid would she have to be in order for that to be the case), but using such inflammatory language is wrong. Does she really mean to give the impression that half of the Net users are legitimate, and half are criminals? That would mean hundreds of millions of criminals!

(sarcasm)No wonder law enforcement has to work so hard to make the Net safe for us!(/sarcasm)
________________

Re:Blowing things out of proportion

[Fishstick]

>That would mean hundreds of millions of criminals!

Well of course! How else are these law-enforcement political types going to throw a big enough scare into the legislature to get the nice, fat budget appropriation they need next year to beef up their 'cyber-crime prevention office'?

Felony?

[Hard_Code]

Vandalism is a felony? I didn't know that. I thought it was a midemeanor or something...

Re:Felony?

[Sygnus]

...as long as damages exceeding $1,000 occurred.
Not for long:
Under current Michigan law, the unauthorized alteration, damage, destruction or use of a computer system resulting in at least $1,000 in damage is a felony punishable by 5 years in jail and/or a fine of $10,000 or three times the aggregate amount involved, whichever is greater. An amendment to the law, however, which takes effect September 19, will remove the $1,000 damage threshold.

Re:Felony?

[ucblockhead]

Damn! Anybody want to buy some spraypaint?

Anti-Hacker Law???

[fenix+down]

Webster says:
hacker \Hack"er\, n. One who, or that which, hacks. Specifically: A cutting instrument for making notches; esp., one used for notching pine trees in collecting turpentine; a hack.

What's wrong with these fascists! I have a right to collect turpentine from my trees! Isn't that somewhere in the 18th Ammendment?

Harshness sometimes necessary

[swb]

I think harsh penalties -- perhaps harsher than any individual crime may call for -- are sometimes necessary to bring under control a problem that's really widespread.

For example, if breaking windows on houses was so widespread to be considered a real problem but so easy to get away with due to the sheer number of houses and the inability of law enforcement to track the criminals to their crimes then maybe a harsh law against window breaking will provide some kind of deterrant effect in the minds of those breaking windows.

The same may be true about cracking -- the odds of getting caught may not be that great, but if the penalty is really severe and people are getting charged and convicted then it might make some people think twice about it.

I also don't have any sympathy for crackers caught in someone else's system who didn't want them there -- you're breaking the law. You might find safecracking a challenge, too, but if its not your safe you're going to jail. A common criminal is a common criminal, and intellectual justification doesn't make it ethical.

Re:Harshness sometimes necessary

[Geccoman]

agreed. I don't think that computers are "free game" just because they're on the internet. The window analogy is perfect. If there's a problem, you have to be harsher with the penalties. I didn't feel sorry for my uncle when he wasnt' allowed to drive after 4 DWIs. I was just glad that he didn't kill anyone when he drove off a cliff drunk and killed himself.

Re:Harshness sometimes necessary

[theonetruekeebler]

the average time served for all offenses, including murder, kidnapping, rape, and assault was LESS THAN 5 YEARS.

I met a former public defender once, who told me that rapists in her state served an average of four and a half years, out of an average seven year sentence. Then she told me about having to defend kids who were facing a mandatory ten for holding five grams of crack. I remember her exact words: "How do I tell someone that their five grams of crack is worse than raping a woman?"

--

Re:Harshness sometimes necessary

[swb]

This story is probably too old to reply to, but the sentence is not necessarily directly correlated with the ethical weight of the crime.

I won't pretend to argue in favor of the drug laws but society at large has decided that crack is a serious, widespread problem and that extremely harsh measures are necessary to bring the problem under control. Posession of crack cocaine is probably seen as contributing financially to the drug trade as a whole, which is an extremely violent business.

In other words, the social calculus which determines sentencing includes other variables beyond the actual ethics of the crime.

Why the prosecutor was unable to explain the the more sophisticated analysis to a young man in posession of 5g of crack is left as a lesson to the reader.

Re:Harshness sometimes necessary

[caver]

I think harsh penalties -- perhaps harsher than any individual crime may call for -- are sometimes necessary to bring under control a problem that's really widespread.

Do some research before you fix your mind in this state. Murder carries the harshest of penalties, and numerous studies have shown that the death penalty is not a deterent.

If you want to keep them from commiting a crime, the chance that you are caught doing it has to be very great.

Re:Harshness sometimes necessary

[bripeace]

Are you saying it should be a felony with a 10,000$ fine with minimum sentance of 20 years in prison if you are found to know/link/distrbute Decss point being. Law Enforcement will NEVER prevent this 'problem'. Taking an idividual and making an example of them because they happened to get caught and it's hard to catch others is not a basis for extreme punishment. Plus i don't think extreme RARE punishments are an effective deterant for hard to catch crimes. People break windows cause it's hard to prove who did it if noone was around to see you. So even if they did up the penalty for breaking windows people would be like "it's too easy to do this, and too hard to catch so it will never happen to me". Why do you think theres so much pirating of software. I do believe the penalties are pretty tough but WHO is going to catch you.

-Brian Peace

Re:Harshness sometimes necessary

[FascDot+Killed+My+Pr]

"...numerous studies have shown that the death penalty is not a deterent."

Really? Imagine that, dead convicts rising from their graves to commit crimes. Scary stuff.

To me, the death penalty isn't supposed to be a deterent, it's a safety measure. Replacing a blown tire doesn't deter the others from blowing--but it makes driving the car a lot safer.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/

New Denial of Service Attack found

[TWX_the_Linux_Zealot]

In other news today, a new Denial of Service attack, The Slashdot Effect was announced. To activate the DoS, the malicious user sends a story to the popular Slashdot web site, who posts this story, containing links to a web site that the story references. Slashdot users try to access the site with such frequency that the load causes general use of the site to be unavailable. This can effectively cripple the site for hours or days on end.

Fixes/Workarounds:
To prevent The Slashdot Effect, avoid doing anything noteworthy to "Nerds" or any technological group. Avoid getting into legal trouble with the Motion Picture Association of America, and most definitely, avoid anything to do with Linux, FreeBSD, X Windows, or Distributed File Sharing. Also, avoid interacting with the following companies professionally:

IBM
Micron
RedHat
Rambus
NEC
Compaq
Amazon
Yahoo
Google
id Software
AMD
Intel

Doing such could be hazardous, and increase the potential of being hit with this crippling DoS attack.

A couple of corrections

[wide-eyed]

1st.. What he did. He destroyed most of the user
password files and caused other small problems.

2nd.. He deleted many many things.

After that he wanted to brag. They set him up in a sting (friend was in on it) He went on and on about how cool he was and my friend was wired.

After they tried to recover the password files most of the user data was saved from a backup. But the rest of the system was toast.

They had plans to upgrade the system anyways and decided to do exactly that. Insted of putting the system back on the old freebsd box they put it on a newer system and reloaded everything and eventually got all of the accounts back on. Some of the delay was due to the police and an investigation.

m-net isn't into pulling silly pranks to get cash. the system is put together from donations and volunteers.

off and out

If this were a public warehouse...

[GMontag]

If this were a public warehouse that was only giving the appearance of some level of security, but in fact was leaving it's doors open all night with nobody bothering to check for intrusions, over months, they would be heald to some level of culpability themselves (along with the intruders).
EVEN if they had a piece of paper saying that they were not responsible.

Same goes with a mechanic that lets someone else drive off with your car (even if strangers just "borrow" it for a little while and you get it back).

Why does this have to be any different?

Until both the person messing with someone else's public server AND the owner of the server itself are heald accountable for their actions, this activity will not even begin to slow down.

Caviat: there is no telling if anybody accused even did anything in this story because the FBI is involved and they seem to skip over or invent "facts" as it suits them, ref. Kevin Mitnick damage assessment.

Visit DC2600

Nature of Crime

[LaNMaN2000]

I think that merely "accessing" a system illegally should not be a criminal offense, and should incur only minor civil damages. I am very disturbed by the trend towards legislation that allows people to collect damages that were never actually incurred. Giving a punitive award in addition to a actual award is one thing; allowing a plaintiff to collect damages when none were actually suffered is another. Since they did take m-net down, there were damages suffered in this case, however I think that the vague language used in the applicable law leaves it open to abuse.

Re:Reactionary Politics?

[Mtgman]

Felonys are things like Grand Larceny, and Killing Grandma. Serious repercussions and lots of damages are required for something to be a Felony, right?

Nope, not in the US. You forgot the national motto. A Government by the People in the Corporation's pockets, of the People in the Corporations Pockets and for the Corporations.

Why do you think the line denoting dollar totals is the _Bottom_ line. It has the final word in any debate. Period.

Steven

Re:Don't know much about psychology, do you?

[theonetruekeebler]

Window breaker gets 10 years. Sub-headlines: Police cracking down on window breaking problem

This will have as much an effect as those "Police cracking down on teen marijuana use" headlines. The police issue that press release almost as often as they issue the one about "Police cracking down on speeders." Most speeders don't even know how big the fines are, or care. Focus on not getting caught; worry about the consequences when the time comes.

Sometimes the crime is the motivation. And it's not the severity of punishment, but its certainty that is the deterrent.

--

Re:A note from m-net's sysop:

[jetson123]

I find it a highly unlikely contention that M-NET is the first public access UNIX systems. I remember public access UNIX systems in the early 80's. And, incidentally, they weren't protected by computer trespassing laws.

From what has transpired so far, I'd stay away from M-NET. I'd worry that they might misinterpret even more benign activity as "trespassing". What they should have done is learned their lesson, made their system more secure, and left it at that. There was no need to get the police involved.

Re:can never think of anything to go here

[numberVI]

And as for the people who hacked it (and kuro5hin) they really have to rank in the intelligence stakes with people who would put their own balls in a vice and slowly turn the wheel until the plates met. You don't attack people who are helping the net remain open, and a community, many of whome may previously have had some sympathy for (h|cr)ackers, or at least draw from the same knowledge base.

One of the philosophies that I have heard many of the RECREATIONAL cracker/script kiddie types espouse is the "j00r 4dm|n iz uh 1am3r s0 j00 d3s3rv3 2B h4x0red 4nd 4ny d4mag3 eye d00 70 j00r syztum iz j00r f4u1t!" diatribe. It seems to be the "groupthink" for recreational cracker types. They see a target system and go for it. Initially with the purpose of gaining acceptance and status within their peer group. Very little thought is given to the victim; Who they are, what they stand for or whatever. The victim is simply a means to and end, chosen at random, and vulnerable to the latest exploit-du-jour. Even less thought is given to any consequences that their actions might carry. Harsher punishment is not an effective deturrent for this type of behaviour. The cracker cites preceived lameness on the part of the victim as the reason for the attack (i.e. "its the victims's fault").

Also stupid acts like this are just making it so much easier for various governments to sneak in with legislation that is inthe end just going to make it harder for everyone, and turn the internet into little more than a commercial, monitored service (anyone ever used aol?).

People who would tyrannize other people commonly cite flaws in human nature as a valid reason for their tyranny. Its called Funadamental Attribution Error: the behaviour of others is attributed to dispositional factors, while situational factors are underemphasized. From there you go on to appointing a czar, declaring a war, and telling the world how you are "getting tough" on whatever media hyped problem you think will get you the most votes/campaign $$.

this approach is bad for consumers

[jetson123]

Unlike the physical world, where making secure homes and cars is very expensive and very difficult, computers are neither hard nor expensive to secure if you pick the right tools.

If companies can avoid responsibility for making their systems secure, they won't bother. They'll keep using outdated software and intrinsically insecure infrastructure. If there is a break-in, they just point the finger at the guy who broke in. The consumer is still at a high risk from the theft of their data, but the company is free and clear.

Yes, breaking into someone's computer system is wrong and should be punishable in serious cases. But more important is that companies should face stiff fines and criminal charges if they expose personal or private data through insufficient security. On balance, companies don't have to be protected from crackers--they can easily protect themselves if they have half a clue. People need to be protected from companies that venture out into the Internet without the technical competency to protect their customers' data.

hacking, cracking, who cares?

[h4x0r-3l337]

Of course with this being slashdot, this is going to degenerate into an endless list of postings complaining that "hacking" and "cracking" are two different things, instead of focusing on the real issue at hand.

Re:hacking, cracking, who cares?

[cwebster]

if only i had some moderator points right now, i would moderate you down as off topic and taking my focus away from the discussion at hand with your bicker over "hacking" and "cracking".....

Re:Cruiser Tune Up

[onion2k]

Larry Wall
Pros: Will use open techniques and innovative solutions to solve problems.
Cons: Might decide to rebuild it from the ground up after a while regardless of any problems.
Biggest Concern: Probably have to get a picture of a camel on your driving license.

I was going to write a 'Bill Gates' one of these.. but I couldn't think of any Pros.

Who is that IP anyways (The Answer)

[Damien+Vryce]

Name: www.ag.state.mi.us

Address: 167.240.254.37

According to ARIN, it's in the Michigan State Government's net block. Unless this is someone having a happy time on the State's servers, or an trigger happy State person, it's legit.

Re:here comes the drug war

[phutureboy]

Hacking is not a consentual crime! The drug war comparison is specious.

True, true. Good point, AC.

There is a similarity, however, in that mandatory minimum sentencing is being applied to both.

--

Yes, a MONTH

[oni]

Well my first thought was A MONTH???.

There is an explanation of why it took so long to bring m-net back up somewhere on the site, but the story goes something like this:

- The main admin guy has a real job, and couldn't get to it right away.
- The servers had recently been moved to a location that was pretty far away and only accessable during the day.
- They needed new hardware anyway, so before they began any kind of fix, they went out purchased a new server.
- And of course, they didn't want to bring up a new system that had the same security flaw in it.

Have you ever had to recover a hacked system? Not a flame. Just curious.

Before the knee-jerk reactions start...

[Bitter+Cup+O+Joe]

I know a lot of folks are going to defend what was done here as just "showing where there are holes in a system" or "kids just playing around." I'll tell you what, why don't you just give me your address and I'll wander down to your house and see what security holes you have. Oh, it's a deadbolt. Well, with my trusty Cro-bar Mk. 1 , I can get around that. You need a stronger lock. Hrm, still got the other lock on the door. I'll just borrow that key under the mat (hey it's a security hole, and someone needs to show you that) and let myself in. Now, while I'm here, just to show you how easy it was and to show what coulkd happen if someone truly malicious (not me, oh Heavens no, I'm just showing you where there might be problems in your security), I'll trash your stereo or some other nonessential component of your living space and borrow your credit cards.
But I'm not a criminal, oh no. I'm just a more 733+ home security expert than you. You should thank me.

I say that if they've got proof beyond a reasonable doubt here that these little twits should be sent away for a few years to cool their heels. I'm so sick of people going "Well, I mean, I did these same things when I was a kid and I wasn't a criminal." No, you weren't, because there wasn't a law in place before. If you did some of the same things today, you would be. And don't give me the "well, they were just curious, kids are" line. There are plenty of legal ways to learn more about computers and systems security. Hell, do what we did. Have your friends set up a system hey think is secure and try to crack it. Learn. Repeat. But don't try to tell me that these kids aren't little thugs, because they are. Screw 'em, and I hope they get along with their new cellmates.

Re:Before the knee-jerk reactions start...

[bripeace]

Nice knee jerk post. The discussion really hasn't leaned torwards what you state. It's mostly been on the nature and language of this law, which does not take in account monetary damages. It's sorta like you said, but you walk into my house and take something like my remote control and leave, causing me roughly 20$ in damages. Then the state prosecutes you for a felony charges you a 10,000$ fine and throws you in jail for 10 years.

Re:Reactionary Politics?

[naught]

Everyone who has replied has forgotten one important fact about law enforcement in the US -- if the officer who arrives decides it's not a crime, or the judge decides it's not a crime, it's not, regardless of what the books say.

Having experienced these things firsthand, I can attest to the fact that most crimes that the arriving officer thinks are minor, even felony crimes, breaking and entering, and destruction of property, will NOT get prosecuted. Discretion is put first into the hands of an officer, then into the hands of a judge.

How does this apply to the current argument? Because if a crime is sexy enough it'll be given a newsline, and THOSE crimes are the ones that the public sees, not the date rapes, vandalisms, and death threats in the US.

Make automatic nightly backups

[sips]

Or better after you do a site change make sure it's backuped by you personally then you pull out the files and just redo the directory tree couple seconds.

Re:Make automatic nightly backups

[irksome]

M-Net is a non profit, run by an all volunteer staff. Nobody makes any money, the people doing this also have real jobs. They probably don't have the budget to afford a comprehensive backup system. Sure, if you're at a big corp, you can afford it. Not if you're an all-volunteer organization, that is run on donations by it's users.

-

Re:Make automatic nightly backups

[DrgnDancer]

What if I just replace the proprietary executeable with a perl script that does whatever the Hell I want it to, then calls the proprietary binary (Which I moved to a differnt directory) and replaces itself with the old binary destroying all the evidence? I could even pack the script with enough data to make it the same size as th original binary. Of course doing a hash would reveal the difference, but that would work with a replaced open source binary too./P.

Re:Make automatic nightly backups

[Sygnus]

Exactly. A tar ycf site.tar.bz2 html/ is a very simple backup method, and can save your ass if you don't have other backup strategies at your disposal.
MarkKomus brought up a good point in his reply up above; but seriously - how long does it take to restore a webpage/site? Not that long at all; unless your site admin was an idiot and didn't make regular backups. Untar the backup and you're back in business within seconds. When people claim that it took them hours/days/weeks/whatever to restore a website, all I do is laugh at their incompetence.

Re:Make automatic nightly backups

[streetlawyer]

Well why don't you just buzz on over to kuro5hin and tell them that .....

we are all harmed

[josepha48]

To answer the question " Who is harmed?", I'd say we all are. We are a society and when member go astray like this it hurts the whole society.

In this particular case it hurts all the users of the system that was hacked and had there passwords stolen. It also hurts the people running the system. No not just the admins the whole organization is affected. Why? The admins are affected, cause they were not on top of there job, securing the system and maintenance and all that stuff (at least that is how some will percieve it). The owner looses his credibility to run a secure operation. Uses loose there passwords and possibly the system. Well we know it is not necessarily the admins fault. There is no perfectly secure system. Alsost all systems can or do get hacked weather by DDOS or what not somebody with nothing else to do trys to screw up someone else's life, cause they can and they are pissed off at the world for no real reason.

Someone recently told me that there will always be security breaches in software cause software today has so many lines of code. THere will always be hackers too.

I don't want a lot, I just want it all!
Flame away, I have a hose!

Re:we are all harmed

[Amokscience]

Additionally, the nature of the system that is compromised is a key factor. For instance (from one of my computer ethics books) an individual used a Boeing computer system as a stepping stone on his 'travels'. After noticing that their system had been compromised Boeing spent over $300,000 verifying that no damage had occured to any of their data. Why? Because the system compromised was part of the development of Boeing planes.

And don't forget that the *only* sure way to secure a box after being cracked is to reinstall the whole system. That means restoring all accounts (with new passwords), restoring backups, downtime for reinstall, etc.

Re:Damages: Community Network vs. Corporate Networ

[mindstrm]

Then they go to court and state their case.

As you said, a large company may have much more to lose, and the damage done may be much more costly than if a small non-profit site is hacked.

Are you implying they should receive the same in damages? That all depends on what happens.

can never think of anything to go here

[titus-g]

Well my first thought was A MONTH???.

If I were to let any of my clients sites go down for more than a day, I'd be dead, I already suffer from telephone phobia from times when servers have crashed/email has gone weird. These days there is no excuse for not having backups and at least some idea of an alternative if you do lose a machine (he sez hypocritically).

Having said that this was a public access system run by volunteers, and given it's nature pretty hard to recover.

And as for the people who hacked it (and kuro5hin) they really have to rank in the intelligence stakes with people who would put their own balls in a vice and slowly turn the wheel until the plates met. You don't attack people who are helping the net remain open, and a community, many of whome may previously have had some sympathy for (h|cr)ackers, or at least draw from the same knowledge base.

Also stupid acts like this are just making it so much easier for various governments to sneak in with legislation that is inthe end just going to make it harder for everyone, and turn the internet into little more than a commercial, monitored service (anyone ever used aol?).

Re:New Denial of Service Attack found (OT)

[Sygnus]

I'm waiting for the day when some clueless suit brings a suit against /. for "DDoS" attacks when his company's site gets slashdotted - you know it'll happen :)

Why the shock and indignation?

[discHead]

Computer "trespass" laws have been on the books in other states for years--Oregon, for one (see ORS 164.377).

Perspective!!

[Bennu]

We have really got to get a handle on what qualifies for felony credit in this country. Now grafitti and cracking are felony crimes? Let's remember that felony convicts are forever forbidden fromholding public office, or more importanty VOTING! We're to deprive someone of their sacred rights to vote just because they hacked their high school? I can see doing it for causing bodily harm, but for a little computer security issue?

All metaphors and analogies aside, is cracking really a felony offense? Will we put people in jail for 10 years, effectively ending any chance they had to be productive (if a bit subversive) members of society, simply because they pissed AT&T off? Waving a gun at old people, abusing little kids. That's really despicable stuff. But breaking someone's precious computer? Put them in the can for 3 months, fine them good, and put them back out on probation. Get them a computer security job where they can play their security games in a supervised environment and get them back in to life. A 17 year-old kid, prosecuted for felony hacking? Give me a break... They fear what they can not begin to understand.

Bennu

Cruiser Tune Up

[Slashdot+Cruiser]

The Slashdot Cruiser is due for a tune-up. I need a mechanic.

Who should work on the Crusier?

Richard M. Stallman
Pros: Works for free (specifically, for contributions and government grants)
Cons: Long-winded politically-charged explanations of any problems.
Biggest Concern: If he does anything to the Cruiser, I have to let anyone drive it who wants to.

Eric S. Raymond
Pros: Does same work as RMS, but calls parts by different names.
Cons: Wants to own a piece of the Cruiser when he's done working on it.
Biggest Concern: Liable to use the Cruiser for target practice and put several .45 caliber holes in my ride.

Bruce Perens
Pros: Will try to calm me down if he finds anything wrong with the Cruiser.
Cons: Needs someone to calm him down.
Biggest Concern: Will want to file lawsuit against oil companies and auto makers if the Cruiser is out of gas.

Rob (CmdrTaco) Malda
Pros: Will get Cruiser running eventually.
Cons: May continue to add parts until problem is fixed or nobody cares anymore.
Biggest Concern: Wiring mistakes may cause radio to change stations whenever I turn on the wipers.

What is unauthorized use?

[Kostya]

My question is simple: what is unauthorized use? Does authorized mean "written permission"? Or is it implied?

I ask because of a simple case of sendmail: if it is running, is that an implicit authorization to send email to the owner via that port? I saw an article over at rootprompt where a sysadmin tried to contact the owner of a box by sending him email via the sendmail port of the box (the box was apparently on a DSL line). The owner got all pissed because he didn't "authorize" the sysadmin to use that machine. The sysadmin argued that sendmail was PRECISELY for doing exactly what he did--sending email.

This may seem stupid to most of you, but remember that many people do not understand the technology they use, let alone legislate about. Could this law be used for suing people who connect to your machine? If you have sendmail up, and someone connects to it, is it their fault or yours? What about FTP and HTTP? If you do a base install of RedHat, you get FTP, HTTPd, Sendmail and a bunch of others. If someone connects to your web page or your FTP server, is that unauthorized?

There are obviously two sides to this issue. I personally get all paranoid when people connect to my box--it is a firewall with nothing running but ssh and ident. If someone tries to connect to my RPC port (i.e. NFS), I am a bit suspicious of their intentions. So this is unauthorized? But what about someone who gets hacked and my machine's address is used as a decoy (or in the case of ADSL with PPPoE, I'm now at the address that was used to attack them, but I'm a different person) and they run a port scan in an attempt to figure out if I am hostile. Does a port scan count as "unauthorized"?

The issue is pretty simple: the techniques used by crackers are legitmate techniques used by security concscious sysadmins every day. Will clueless legislation start to put honest, hardworking sysadmins at risk?

My feeling is "yes". And that bothers me. Sigh.

Re:What is unauthorized use?

[StenD]

how I became a triple-felon while doing my job

Randal, was it your job to secure the systems whose password files you ran Crack against? Was it your job to audit the security of those systems? Were all of the systems whose password files you ran Crack against a threat to the security of the systems you were responsible for? What Intel and the State of Oregon did to you is outrageous, but you weren't just "doing your job". (If anyone is interested, here's another view of the story.)

Re:What is unauthorized use?

[titus-g]

I think http is already by some considered to be unauthorised in some cases, e.g. where the big bad hacker deletes the htm file name, gets a directory listing, complete with dat files of credit card/personal details.

Stupid of course, but there ya go.

Re:What is unauthorized use?

[PhilHibbs]

I'd imagine it means bypassing an obvious access mechanism, like trying out passwords on default accounts, sending obvious buffer overrun packets, and other known and/or obvious script kiddie attacks. I can't imagine anyone getting done for a innocuous sendmail or http packet. Not even in Michigan.

Re:What is unauthorized use?

[ethereal]

But that was authorized - the hacker sent an HTTP request for a listing, and your server granted the request and sent the requested information. If you don't want people to get that information, and they ask for it, the correct thing to do is not give it to them.

I'm not defending most types of evil hacking (especially the case of the article above, which I only glanced at), but I feel the same way as I do about "deep linking" in the "web server directory" case: if you don't want people to have certain information, the perfectly correct (and easy to implement) solution is to not give it to them. If this situation were in Real Life (tm), that would be the way things would be expected to work, and any legal representations to the contrary would be laughed out of court.

Or, in other words, "ya can't blame a guy for asking" :)

Re:A note from m-net's sysop:

[DC+AirBag]

Why do you find it a "highly unlikely contention"? I was on M-Net in the mid to late 80's, and it was already firmly established by then. Of course, they only had modem/UUCP connectivity at the time. Not nearly as easy to hack as today's technologies.

Can't speak to their recent security practices, since I haven't been on in years (like, for instance, the entire decade of the 90's!)

Reactionary Politics?

[naught]

What's the real story here? Beats me. Felonys are things like Grand Larceny, and Killing Grandma. Serious repercussions and lots of damages are required for something to be a Felony, right?

Or it may be that any crime which is so unknown that its damages may not be easily talliable becomes a felony as a deterrent. It may be that making laws banning data theft and hacking become 'cutting edge politics', and all the street savvy politicians want their name on that bill.

Probably, the severity of the law is caused by the blinding fear the average luser has about his machine being hacked, or all the dirty emails he sends his mistress being looked at by someone.

Theft is theft -- and if its information, how that information is used should determine the crime, or how much the (unrecoverably) destroyed data is worth.

Consider this: If someone broke into your house, while you were watching TV, romped through the kitchen naked, and left out the back door, but didn't take anything, would the courts care? No -- the police officer who showed up would say that since nothing was stolen, and no one was hurt, it's probably not worth the hassle to take it to court. But if someone were to enter your computer system it's a felony?

Case of sexy politics here, methinks. I could be wrong, but everyone runs that risk. Bugs me, though that while I can't get a guy who threatens to kill me sent to jail when I provide the officers with his name and address, as well as a witness to the event, laws exists that state unauthorized access to a system is a felony.

I don't dispute that charges should be brought -- it's the severity that gets me down.

Re:NEW EQUIPMENT!

[DC+AirBag]

The article didn't actually say that the cracker caused a month of downtime. From what I've seen posted here, it appears that M-Net just seized the occasion to implement some overdue upgrades.

Perhaps the author of the article could have made this a little more clear...

Re:If You're A Human, Michigan Sucks

[ToddN]

Hey - watch it now. I work a block from the tunnel - Detroit may suck but I just work in it. The rest of the state is great. I came back after 15 years in LA. But I don't know where you got your "no sales tax" info, it's 6 percent here.

If You're A Human, Michigan Sucks

[d.valued]

I passed through Michigan when I went to H2K this past july. I was supposed to meet a rideshare in Detroit, but cutting through Canada and visiting a casino (and actually winning!) wasn't too shabby.

Michigan has a ZERO-TOLERANCE law for minors. Doesn't matter if you're driving; if you are under 21 and you test positive for alcohol, you lose your license and/or are disqualified for one.

This sort of law isn't too surprising to me; the state has been actively courting corps to come to the land of no sales tax.

And from what I saw of detroit in three hours of local driving, most of Detroit sucks too. The only good thing about Detroit is the tunnel and the bridge to Windsor, Ontario, a land with a lower drinking (and higher smoking) age.

Re:If You're A Human, Michigan Sucks

[smblion]

The zero tolerance law is just fine. Minor's shouldn't drink. The law is in place because a kid who will blatantly break the law in the sense that he's drinking underage, then he has no respect for the law. Someone who has no respect for the law has no right on the road. We aren't talking about what they do to themselves, we're talking about them killing other people. Whether they drive drunk or not, they've showed a complete lack of responsibility, and responsibility is a very important thing before someone gets behind a wheel. I've lived in michigan for 21 years, the zero tolerance law is probably one of the few good laws we got :P Talk about fighting the wrong battle.

Re:If You're A Human, Michigan Sucks

[irksome]

Land of no sales tax? Umm ... when was the last time you bought anything in Michigan. There's a 6% sales tax on everything except food, and then only certain kinds of food are tax-exempt.

-

Re:If You're A Human, Michigan Sucks

[Rakarra]

Someone who has no respect for the law has no right on the road.

Someone who has no "respect" for the law has every right to be on the road. But if they're a hazard, they can be taken off. Here's what I disagree with: removing the license of a person for a non-traffic offense. If they get a DUI, then fine, they should lose their license. But this has nothing to do with how they drive!

I don't find having a drink if you're under the age of 21 as being completely irresponsible. It might be illegal of course, and illegality is the only thing the government can decide. The government cannot make "underage" drinking immoral or irresponsible, they can only make it illegal.

Re:If You're A Human, Michigan Sucks

[the+Man+in+Black]

Not generally one to respond to flamebait such as this, but being a native Michigander (that's DETROIT, Michigan), I have to say kiss our furry little Wolverine arses.

Oh...and you obviously didn't notice that Malda and Co. started this whole shebang in Holland, Michigan. Jeesh, get a clue.

Re:If You're A Human, Michigan Sucks

[dynamo_mikey]

But Michigan brought us cmdrtaco and hemos! Besides, my grandma lives in michigan, and she makes good pies.

dynamo

Some Issues that Come Up

[zpengo]

• The word "hacker" will probably now acquire a legal definition, which is just going to make life difficult for the programmers, beta testers, overclockers and other misfits such as ourselves. I think that the law should use the world "1337 h4x0r" instead.
• There is now a precedent for busting low-level crackers. This means that the little guys have to watch out, because the law isn't going to ignore them as much as they have in the past (when only 1337est had to worry).
• What counts as unauthorized access to a computer? Technically speaking, if you falsify your name or address when setting up a Hotmail account, you are providing fraudulent information and you could technically be busted for unauthorized access to the Hotmail servers. They got Al Capone for taxes; How are they going to get you?

Re:Some Issues that Come Up

[Erasmus+Darwin]

The word "hacker" will probably now acquire a legal definition,

From the Attorney General's press release:

The charges are the first under a Michigan law which makes the unauthorized alteration, damage or use of a computer system a felony.

While I did dislike the AG's misuse of the term, I don't think "hacker" is going to acquire any sort of a legal definition. Rather, I suspect it'll be somewhat akin to the term "drugs", which depending on context can refer to any medication or to "illegal drugs". However, when it comes to legalese, it gets referred to as a "controlled substance".

Re:Some Issues that Come Up

[Hrothgar+The+Great]

But if they don't know your name, then how are they going to bust you? Track your IP address to your computer, and then prove you were the one sitting at it when the account was set up? Oh, well maybe that's exactly what they could do. Never mind. (now deleting 5 false hotmail accounts :)

Moderators?!?! This belogs at the top of the list

[Auckerman]

Ahh....well put

Breaking and entering

[empesey]

It'll be interesting to see if other states follow suit. Maybe making the penalty the same as breaking and entering/theft/destruction of property. I'm not sure how the current laws are, but if the law is written in such a way, then one might face multiple breaking and entering charges for destruction done by viruses. It would definitely send a message that attempting to expose the vulnerabilities of a system or just learning how the system works are not valid justifications for these actions. Who knows how this will all play out, in lieu of all the activity that is happening in technology law.

If someone broke into someone's home, I don't think the judge would accept, "They left their front door unlocked, so I wanted to show them their house was not secure."

--

Re:Anti-SPAM

[www.sorehands.com]

We could always start with the guys who try to use fake email addresses and put at the bottom of the message: According to the proposed bill, this is not SPAM. They know a bill is not law, until after signed by the president, or the president's veto is overidden.

Granholm's record

[flem]

The part that scares me about this article isn't the charges themselves, but the fact that it's Granholm behind them. Jennifer Granholm's record with regards to the internet is not exactly spectacular. I'm thinking in particular of Michigan Public Act 33, Michigan's attempt at keeping porn away from kids. It was, of course, so ridiculously broad as to be obviously unconstitutional, and the ACLU got a preliminary injunction. (Incidentally, Arbornet was one of the plaintiffs in that case.) Granholm was, I understand, one of the proponents of that law. I'm not entirely sure this is the kind of person I want going after "hackers".

Re:I agree.

[irksome]

I may be misremembering here, but isn't M-Net/Arbornet a part of the lawsuit to overturn some Michigan law about Online Protection or something?

Isn't it slightly wrong to be suing the state and asking for assistance from them at the same time? Or is it two totally unreleated issues? (I admit my ignorance here, don't remember any of the details of the lawsuit, just remembered seeing it on /. a while ago)

OOps, NOT FBI

[GMontag]

But the Attourney's General office in Michigan.

The same office that gave us the Michigan State Riot Tip Website "hack".

In that case, the State of Michigan had a website up for folks to give anonymous tips on who was rioting. However, all of the information was wide open to the public because the webmaster set it up that way.

BUT, the State said the site was "hacked" and were going to prosecute anybody that passed along the URL to the info.

Sorry, my bad, not an FBI thing this time.

Visit DC2600

Ok....

[mincus]

I think that if he did something wrong, cracked into a system or what have you, he should be punished, and the punisment should fit the crime, but.. I have just a few things to point out...

The company offered free or low-cost Internet service to customers around the world through a public access system called "M-Net."

This sentence just seemed to stick out like a sore thumb to me, like "They were giving handouts to blind, disabled, homeless children, and that HACKER (who is presumed innocent until proven guilty, as stated at the end of the articly, yeah, right.) Made it so that we cant do that any more. puh-lease.

On May 31, while Salcedo had access to the M-Net system, the system crashed and did not recover...The M-Net system remained down into July and became available only after M-Net replaced the system's equipment.

So he created a software program that destroyed thier hardware? And it took them 3 months to figure out that it was a hardware problem and that it needed to be replaced?

Now, again, like I said in the beggining, if he did this, he should be punished, BUT, he should have a FAIR trial, and get a JUST punishment. To me, it looks as if this has all be decided.

.mincus

a victim perspective

[sillysally]

I run a webserver that hosts a number of domains, some for friends, some for non-profits, some slightly e-commercial. I do it mostly for myself, but since I'm already doing it adding the extra ips and domains is no big deal.

My server has been compromised twice. Once trojans are installed, it's pointless to try to figure out what's safe and what's compromised. That sort of analysis takes a day or more, a day which could be spent reinstalling, which course is guaranteed to get finished. All of this activity takes place uncomfortably hunched among the racks in a closet during which time I and a bunch of other people can't get our mail. Dealing with the emergency takes place at some random time the black hats choose, and I have to immediately take several days out of my schedule fixing things.

So, my feeling is: death penalty is not harsh enough. People are doing it on purpose, and they're fucking up my life. The commercial losses are not measurably large, which is what gets the authorities involved, but the stress and disruption to me is huge.

Yeah, I know that teenagers are prank-prone, I was, but that's why their heads need to be put on stakes outside the gates of every town, so the other little twerps will see what they'll get too. It's not funny, it's not even a challenge, and the punishments should be very harsh.

Re:a victim perspective

[sillysally]

This is exactly what a Civil Case is for, recovering damages. That includes your time and your fustrations etc.

but the *not* the time spent pursuing the civil case :) nor the cost adjusted for the risk that you might lose the case.

However, there's nothing to stop a civil case from being pursued on top of a criminal one. What hinders me is that if there is no criminal case, there is no investigation to determine who the hackers were. I don't know who they were. I'm not saying there should be a criminal case in this instance since I don't know who did it and damage was small compared to the other crimes that should be pursued. What I am saying is that in the cases where some someone is caught, the punishment should be very harsh to make the expected value come out right. Since geeks are good at math, they'll have no trouble sensing the deterrant if we make punishment sporadically extremely harsh.

cutting in

[zeus_tfc]

I wonder if this trend in MI will continue.
Might this lead to techno-courts like in Maryland? I think there needs to be more information on the laws, though. There could be a great deal of ambiguity on the limits of the laws.

I find it sad that people are destructive like this for no apparent reason.

OT:
I don't like the term "hacking." If you've ever read the Hyperion series, they use the term "slicing." Slicers dodge AI watchdogs, and physical harm in a virtual setting. I think the term implies a great deal more finesse.

Re:2nd

[Open+Source+Sloth]

Sloppy seconds is never something to brag about.

Is that why you are posting anonymously? Have some guts.


Behold the Open Source Sloth...

what a moron

[austad]

Why would he tell them he did it? I'm not a criminal, but if I were, I sure as hell wouldn't go telling people that I did it. Especially the people I commited the crime against. He deserves to beaten for just his shear stupidity.

Re:what a moron

[Talsin]

Morals and a conscience? Maybe he got one.

is vandalism a felony?

[myc]

Granholm added: "In the future, any hacking, regardless of the amount of financial damage it causes, will be a felony. A vandal is a vandal whether you are a virtual vandal putting graffiti on a web site or a real world vandal putting graffiti on a wall. Both are illegal. And using a computer to break into a company from the comfort of your living room is just as illegal as using a hammer to break down that company's front door. Because the Internet makes the crime easier doesn't mean that it makes it right. These are the first hacking charges in this state; you can bet that they won't be the last."

This is an honest question: is vandalism a felony or misdemeanor? If it is the latter, you'd think that based on this prosecutor's line of logic that "virtual vandalism" ought to be a misdemeanor, too. OTOH, if it's a felony, then why are there specific resources devoted to "virtual vandalism" when physical vandalism is still a real problem in many areas?

Not to say this isn't a good thing, however.

Staying within the law

[TWX_the_Linux_Zealot]

(rant)

Well, Something that I doubt they are thinking about, and they _really_ should, is that many people in computing are staying within the current laws because there are some things that they can still do legally, or they can work around the restrictions. Eventually, they will have too many restrictions, and if they force people to break laws to do things that they are legally doing at this moment, what is to make these people not do other illegal things? I try to think that I do a pretty good job with not breaking laws; I run all open source software, so I'm not pirating, I don't go intentionally knocking people's PCs and servers out, I don't destroy property. What happens if they start restricting based on content, or other things? What happens when more commercial products are reverse engineered in GPL, and more companies start chopping down forests to send enough cease and desist orders? what happens when these are upheld in court as IP when all the reverse engineering people did was the _SAME THING_ that compaq did to IBM's bios back in the '80s? I don't think many of us will really care what the laws are, we'll do what we want anyway. Obviously, the MPAA's rabid enforcement of their faulty product's restrictions aren't affecting Joe User, who probably has the DeCSS code. Back before Linux was really an option, and we were all running (shudder) DOS, did we care if we made many systems boot if whe had only one copy of the OS? I doubt it... We generally seem to do what we want, and the more difficult they make it to do this legally, the harder they'll have to enforce. It may become almost impossible.

(/rant)

A note from m-net's sysop:

[rexroof]

M-Net isn't an ISP, we're a conferencing system. M-Net is the first public-access unix machine, or so some people claim. We give out free firewalled shell accounts with our primary focus being on our YAPP bbs conferencing system. If newuser was up, which it's not, due to some password locking issues with FreeBSD's pw command, you could create an account and be dropped into a shell. I'd encourage you all to drop by once we have it back up, and if you want to support a public access unix machine, use paypal to give us money at treasure@arbornet.org. Also, you can send us a check here:

• Arbornet Accounting Department P. O. Box 7938 Ann Arbor, MI 48107-7938

Re:FP?

[Open+Source+Sloth]

Aside from my previously stated feelings about the homosexual nature of first posting (see above in re: the actual first post), I would like to point out something.

You are like the inmate that follows around the big boy that has the right to scream first post, and says, "Yeah, yeah, the boss got first post! Yeah, now I'm gonna get first post too!"

Please remember that if the boss catches you in the act, you will no longer have a hand left to 'take care of yourself' when posting is no longer allowed.


Behold the Open Source Sloth...

I agree.

[nharmon]

For anyone interested, here is the law straight from the horse's mouth.

But the strange thing is, the laws were effective March of 1980. And Michigan finds the use of a computer as a way to enhance the sentence through this law.

I'm also a community member of Grex (finger nharmon@grex.cyberspace.org), and used to frequent M-Net quite a bit. These are UNIX-based community systems, and I find it extremely disturbing that someone would take advantage of free system like this.

The people at M-Net are pretty reasonable people, and will probably not overstate damages (unless one of their parent companies or sponsors makes them).

I think the most important thing to remember, is that these kids were malicious and weren't just "exploring the system". Personally, I think "exploring the system" should also be illegal, because accidents can happen,... but that's not the case here. These kids are criminals, and should not be made into heros like Mitnick.

Uh oh. Is my TiVo a 'third party' system?

[Vassily+Overveight]

After all, I only 'license' the software, I don't own it. Since I hacked my TiVo by cracking the sealed case, added a 75GB second drive, and modified the boot files, am I going to have to stay out of Michigan? Man, there goes my vacation!

Dangerous Laws

[MattW]

These laws can be as dangerous as they are helpful, however. I'm in the network security business, and I've been running boxes on the net for 4 years now, and in this time I've seen a lot of complaints which go something like:

Dear root, I received the following ping packet at 13:13:13 on Jan 30. Per USC blah blah, unauthorized access to a computer system is a felony....

And it goes like that. In the past, these ignorant people would cite the US law which applies to unauthorized access to government systems. It didn't apply either way, but the point of the stupid email is this: "unauthorized use" and "unauthorized access" do not take into account the implicit permission for connections when you hook a box to the net. Knowing people in ISP/NSP abuse departments, I've seen way too many complaints along the lines of: "Someone connected to my webserver and this isn't a public server!" Could you call it unauthorized? Technically, yes. But shouldn't connecting a machine to the net be implicit authorization if you don't take steps with a tcpd, ipfilter, ipchains, firewall, etc? Absolutely. Or a password on your web pages. The same goes for pings -- people will get a single ping packet, and complain that they are "being hacked".

This brings me to an even stickier anecdote: someone has a box on the net running an irc server. Someone hacks a box at a government agency, connects to their irc server. The irc server, as many do, autoconnects to the client box on port 1080, maybe port 23, looking for (1) Wingate and (2) stupidity. Not much later, someone (maybe Nasa, maybe the SS) manages to unlink and postmortem the box, seeing the auto connects logged, and goes after THAT person. Thankfully, they were never dragged into court or anything, but the government actually believed that the person had a hand in the hacking of the box, and that even if not the mere autoconnects were a violation of the law.

That said, I think the "uproar" over hacking is causing laws that also may be too harsh. Removing the $1000 cap on the michigan law is irrelevent -- any hacked system can easily generate a $10k tab, just by citing expert recovery time for dozens of hours at >$100/hr. The simplest 1-machine hacks of companies have generated 6+ figure "damages" in the past.

Even as a security professional, and agreeing that cracking a system when not invited should be a crime, cracking should be a reparation case. If someone spends $5k in time and loses $10k in business because of your crack, you should pay that back, do a few hundred hours community service. It's rough, but it is a crime. It should remain a misdemeanor, unless things are done to multiple systems, with malicious intent to cause harm to the system(s), etc. I'm sure there's a lot of room for discussion, but felonizing script kiddies is not, in my opinion, what we need to do. At least the original bill seems to allow for _10 year_ sentences for "damages" of >20k. Sending some 18 yr old to jail for 10 years over a hacked box is absolutely insane. As a network security professional, I'm also fully cognizant about how easily most of these boxes ARE compromised, and replacing security precautions on shared machines with draconian laws with absurd sentences is absolutely unacceptable.

Don't know much about psychology, do you?

[FascDot+Killed+My+Pr]

"...maybe a harsh law against window breaking will provide some kind of deterrant effect in the minds of those breaking windows."

Logically, this should be the case--it's a simple cost-benefit analysis. If the rate of catching the criminals stays the same, you can increase the "cost" by making a harsher penalty. The flaw in this reasoning is that the criminal isn't doing a cost-benefit analysis for something like breaking windows--after all, what's the real benefit? For that matter, people who break windows are generally unable to imagine consequences anyway.

Making a stiffer penalty will not lower the crime rate--the few people put off by the increased danger will be more than offset by the people turned on by the increased danger.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/

anti-hacker?

[jafuser]

If it's an anti-hacker law, then I guess that means that it's illegal to make changes to your Linux kernel, however it is quite OK to break into your bank's computer and transfer other people's money to your account...

--

anti-hacking laws

[toddstock]

As a Michigan Resident, the thig that scares me the most about this is that they are removing any monetary damage limit.. From what I can see the infamous /. effect could be construed as hacking.... I am also wondering how they would enforce the law in a case like that

Re:New Shoes!

[Open+Source+Sloth]

If you believe you are a man for having new shoes, perhaps you would care to put your karma on the line and actually post us a story regarding your most excellent new shoes from your account. Or would that be too risky for you there, biatch?


Behold the Open Source Sloth...

Uh oh

[mholve]

Look out Taco, they're onto you...

OR....

[TobyWong]

...we could put your head on a stake with a sign below saying "incompetent admins beware!".

BTW i'm not sure if you know about this yet, but there is an entire cult devoted to making your life miserable. They call themselves the "lets fuck up sillysallys life cult" and devote every waking hour to thinking of new ways to torment you. Your best bet in fighting these ruffians is to go outside and shake your fist at the sky yelling "DAMN KIDS!" afterwhich you can head back inside, put your teeth in a glass of water and enjoy a nice tall glass of prune juice.

Cr/Hackers = Horse Thieves

[64.28.67.48]

The penalty for cracking seems to be way out of proporion to the damage. Government seems to go after crackers with abandon, though many do less real damage than your average spraypaint-enabled vandal. Why is this? Partly, it is out of the fact that it is hard to catch and prove cracking. "We shoot horse thieves out here." In a frontier society, with a lot of space and not much law presence, justice is swift and brutal. Things that would get a fine in the city would get you executed on the frontier. I think this reaction is what we are seeing in law enforcement for cracking. The net is like the frontier. It's really hard to catch anyone doing something illegal. Even if the damage is slight, it's treated like a major offense. This is an attempt to limit behavior that the government recognizes it has no real way to monitor or control. It's acting in order to preserve society as it sees it from the threat of complete lawlessness.

I really don't think that 1) persecuting crackers who do minimal damage is right or 2) that it will really stop the problem. But that is where we are at.



-------------

Harder to attract tech workers?

[killer_pelican]

Not that Michigan is known for its booming tech industry, but will people in tech fields discriminate against states with anti-privacy, anti-hacking, anti-whatever laws by not taking jobs there? All issues of cracking/hacking aside, are there enough people out there who will consider this sort of thing so that it will actually hinder tech growth in a state?

Re:second

[Open+Source+Sloth]

I believe one of my compatriarts said it best, "Try for last post, now there's a challenge."

I believe until we quit playing the numbers game, and trying to see who can be the next to the gaping ass-end of the posting sheet, we will have no progress in the trolling community.

What ever happened to the wonderful stories as told by some of the great off-topic and trollish posters? Alas, they have all disappeared. Gone down the drain.

Here's hoping for better.


Behold the Open Source Sloth...

It's a felony to press our panic button!

[Art+Popp]

These are two very different cases that should have two very different treatments.

First I would like to point out Jennifer's poor sense of perspective:

For every person using a computer or the Internet for research, commerce or communication, there may be another person using that technology to commit a crime.

The suggestion that there "may be" one "criminal user" out there for every legitimate user is nothing less than retarded. If there were 10 million+ hackers out there it seems unlikely that Jennifer's toaster would remain unhacked after a display of such blatant prejudice.

But reactionary posturing aside, the ugly part of this mess is that these two people can be mentioned on the same page.

Salcedo is likely a criminal under non-computer law. And additionally, he's an idiot. If he's responsible for intentionally, irrecoverably (to the novice of course) crashing a business system, there is no need for computer-oriented law to prosecute him.

Salens on the other hand is just a punk kid to did a little digital graffiti. It's ironic that Jennifer can make the connection to real world graffiti, but then go on to push for the digital version (which is cheaper and easier to clean up) to be a felony.

Obviously to people with so little sense of the spirit of the law, anything their afraid of should be a felony.

When they are killing children for stealing lollipops, and the children start shooting back, the authoritarians will wonder, "What kind of monster would kill for a lollipop?" The bell tolls for thee.

Re:hi rex!

[Open+Source+Sloth]

SHUT UP!

If you have nothing de-constructive to say, then by all means, say nothing at all.


Behold the Open Source Sloth...

here comes the drug war

[MillMan]

now being applied to the internet. Wonderful. "Hacking" crimes should charged based on the actual damage done. Creating a law that states any "hacking" is automatically a felony is not a good implementation. Sounds a lot like the drug laws where you can be put away for a good long time just for possestion.

It probably won't be too many years now before some "hacking" task force has a budget along the lines on the drug war. I've seen more than a few "between the lines" suggestions by politicians that this is exactly what we need. With a mostly ignoranat public, the politicians will probably get what they want.

I wonder how much it will take to piss off the public though. Seeing a 13 year old skinny white kid from the suburbs being hauled off to jail for "hacking" might have a different effect on the public than some poor hippie or black pot smoker being thrown into jail on drug charges.

NEW EQUIPMENT!

[arete]

" The M-Net system remained down into July and became available only after M-Net replaced the
system's equipment. "

What in the hell did they do to make it require NEW EQUIPMENT to recover from a crack? I understand lost data, etc. I know it used to be possible to spin a HD until it blew up or set a monitor resolution that burned it out, but I haven't heard anything of the sort in a long, long time. What's up with this? Is the AG wrong? Did M-Net not know how to reinstall a system? Or is this kid really lucky or some kind of jedi master and made all the chips explode in a fiery blaze destorying the MBs?

I agree that unathorized cracking is wrong; there are also ample ways to set up practice if you really want. Cracking free sites is not only wrong and illegal, it's evil and stupid.

I was going to moderate this dicussion, but no one brought up my first point, and I'm really curious.

Re:NEW EQUIPMENT!

[British]

I look at it this way. Companies can seem to make more money being cracke and sue in the billions of dollars(in damage claims) than to have business as usual.

Expect this to be the future's new form of insurance fraud.

Agreed

[PrimalChrome]

I think the breaking windows comparison is handling cracking with kid gloves.

Think of it like this, someone walks up, breaks the window. Walks through the broken window and commences rifling through your corporate files. Before this k1dd1e is done, he paints grafitti all over the inside of your offices.

Breaking and entering, Vandalism, and Theft of IP are just the first three things to come to mind. Tough measures are what we need....maybe if more script kiddies get their asses beaten with billyclubs and serve as bubba's love slave in the pen we'll see a drop in the 'cool' factor of cracking.

Though I'm sure that the Clintons and the JonKatz of the world would rather support these poor misdirected children with social programs.

PrimalChrome

Anti-SPAM

[www.sorehands.com]

Maybe this can be used to stop SPAM.

You do not authorized SPAMMERS to put spam on your system. You do not authorize SPAMMERs to take use your POP3 server. Now, a SPAMMER used your POP3 to send data to your POP3 client without your authorization.

A stretch, yes.

They Deserve Whatever They Get

[skyrytow]

They deserve whatever punishment they get, I have no sympathy for them at all. Breaking into someone elses computer is no different than breaking into their house.

Re:New Shoes!

[Open+Source+Sloth]

Dork? Maybe.

Idiot that gets excited because of a new pair of shoes? Oh, most definitely.

Of course, it goes without saying that your brilliant and well crafted response will do much to enlighten the idiotic masses regarding the wonder known as Linux.


Behold the Open Source Sloth...

only to protect companies?

[Shotgun]

Granholm said: "Hacking is the dark side of high technology's power and progress. For every person using a computer or the Internet for research, commerce or communication, there may be another person using that technology to commit a crime. The Internet, unfortunately, has become one more tool to pick the locks of companies
across the country."

And long license agreements full of mumbo-jumbo legalese has become one more tool to pick the locks of the average computer user across the country.

If I install a program, say a graphics program, would this law cover behavior that sereptiously sends valuable personal information to the company that wrote the program? We know the info is valuable (the company plans to sell it), but they haven't paid me for it and I haven't given it to them. Isn't this crime analogous to workplace theft? ie, I gave you permission to work here, but I didn't give you permission to take what you wanted home with you.

How can digital graffiti be a felony, but digital theft is winked at?