Michigan "Anti-Hacker" Law's First Felony Charges
styles writes: "According to this article, two young men have been accused of gaining unauthorized access to third party computer systems. "The charges are the first under a Michigan law which makes the unauthorized alteration, damage or use of a computer system a felony." I have been a user on m-net (one of the two systems compromised) for a year and some change, and the fact that someone went and took the machine down for at least a month (more? I forget...), and that someone also hacked sshd to steal my password just kills me." And this raises the ever-sticky question of determining who is harmed, how much -- and then the stickier issue of what to do about the first. (Use your judgement in interpreting the source of this news, too.)
[Updated 19:00 GMT by timothy] As several readers have pointed out in comments, and as reader Conan Ford e-mailed, if that funny address sets your nose twitching suspiciously, note that http://www.ag.state.mi.us/AGWebSite/press_release/pr10189.htm does get you to the same place.
Yet another case of saying the net is like the real world as a justification for not treating it like the real world, I guess.
In other news today, a new Denial of Service attack, The Slashdot Effect was announced. To activate the DoS, the malicious user sends a story to the popular Slashdot web site, who posts this story, containing links to a web site that the story references. Slashdot users try to access the site with such frequency that the load causes general use of the site to be unavailable. This can effectively cripple the site for hours or days on end.
Fixes/Workarounds:
To prevent The Slashdot Effect, avoid doing anything noteworthy to "Nerds" or any technological group. Avoid getting into legal trouble with the Motion Picture Association of America, and most definitely, avoid anything to do with Linux, FreeBSD, X Windows, or Distributed File Sharing. Also, avoid interacting with the following companies professionally:
IBM
Micron
RedHat
Rambus
NEC
Compaq
Amazon
Yahoo
Google
id Software
AMD
Intel
Doing such could be hazardous, and increase the potential of being hit with this crippling DoS attack.
IBM had PL/1, with syntax worse than JOSS,
And everywhere the language went, it was a total loss...
http://youare.whyihate.com
And it goes like that. In the past, these ignorant people would cite the US law which applies to unauthorized access to government systems. It didn't apply either way, but the point of the stupid email is this: "unauthorized use" and "unauthorized access" do not take into account the implicit permission for connections when you hook a box to the net. Knowing people in ISP/NSP abuse departments, I've seen way too many complaints along the lines of: "Someone connected to my webserver and this isn't a public server!" Could you call it unauthorized? Technically, yes. But shouldn't connecting a machine to the net be implicit authorization if you don't take steps with a tcpd, ipfilter, ipchains, firewall, etc? Absolutely. Or a password on your web pages. The same goes for pings -- people will get a single ping packet, and complain that they are "being hacked".
This brings me to an even stickier anecdote: someone has a box on the net running an irc server. Someone hacks a box at a government agency, connects to their irc server. The irc server, as many do, autoconnects to the client box on port 1080, maybe port 23, looking for (1) Wingate and (2) stupidity. Not much later, someone (maybe Nasa, maybe the SS) manages to unlink and postmortem the box, seeing the auto connects logged, and goes after THAT person. Thankfully, they were never dragged into court or anything, but the government actually believed that the person had a hand in the hacking of the box, and that even if not the mere autoconnects were a violation of the law.
That said, I think the "uproar" over hacking is causing laws that also may be too harsh. Removing the $1000 cap on the Michigan law is irrelevant -- any hacked system can easily generate a $10k tab, just by citing expert recovery time for dozens of hours at >$100/hr. The simplest 1-machine hacks of companies have generated 6+ figure "damages" in the past.
Even as a security professional, and agreeing that cracking a system when not invited should be a crime, cracking should be a reparation case. If someone spends $5k in time and loses $10k in business because of your crack, you should pay that back, do a few hundred hours community service. It's rough, but it is a crime. It should remain a misdemeanor, unless things are done to multiple systems, with malicious intent to cause harm to the system(s), etc. I'm sure there's a lot of room for discussion, but felonizing script kiddies is not, in my opinion, what we need to do. At least the original bill seems to allow for _10 year_ sentences for "damages" of >20k. Sending some 18 yr old to jail for 10 years over a hacked box is absolutely insane. As a network security professional, I'm also fully cognizant about how easily most of these boxes ARE compromised, and replacing security precautions on shared machines with draconian laws with absurd sentences is absolutely unacceptable.
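The comment above argues that plugging a box into the net is implicit authorization unless the owner takes a concrete step such as tcpd, ipfilter or ipchains. The following is an added example (not code from the poster, from Slashdot, or from tcpd itself) showing what that step looks like in policy terms: a small evaluator for the TCP-wrapper hosts.allow / hosts.deny decision, applied to constructed rules and constructed connection attempts. It handles only a subset of the real hosts_access syntax (ALL, dotted IPv4 prefixes ending in '.', CIDR networks, exact IPv4 addresses, and EXCEPT); the sample rules and the log-line format are assumptions made up for the example.

```python
"""TCP-wrapper (tcpd) style access decision, added example.

Models how /etc/hosts.allow and /etc/hosts.deny are consulted for a
connecting client.  Not tcpd's own code: only a subset of the real
hosts_access(5) syntax is handled, IPv4 only, and the rules below are
constructed for illustration.
"""
import ipaddress

# Constructed sample policy.  The deny file carries the default-deny
# rule that turns "implicit authorization" into an explicit decision.
HOSTS_ALLOW = """
# service : client list [EXCEPT client list]
sshd : 192.168.1. 10.0.0.0/8 EXCEPT 10.9.
ircd : ALL
httpd: 203.0.113.5
"""
HOSTS_DENY = """
ALL : ALL
"""


def parse_rules(text):
    """Turn a hosts.allow/hosts.deny body into (daemons, allowed, excepted) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        daemons, clients = [p.strip() for p in line.split(':', 2)[:2]]
        allowed, _, excepted = clients.partition(' EXCEPT ')
        rules.append((daemons.split(), allowed.split(), excepted.split()))
    return rules


def pattern_matches(pattern, client):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == 'ALL':
        return True
    if pattern.endswith('.'):                        # dotted prefix, e.g. "10.9."
        return client.startswith(pattern)
    if '/' in pattern:                               # CIDR network, e.g. "10.0.0.0/8"
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    return client == pattern                         # exact address


def rule_matches(rule, daemon, client):
    daemons, allowed, excepted = rule
    if daemon not in daemons and 'ALL' not in daemons:
        return False
    if not any(pattern_matches(p, client) for p in allowed):
        return False
    return not any(pattern_matches(p, client) for p in excepted)


def access_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd evaluation order: a hosts.allow match grants, then a hosts.deny
    match refuses, and a client matching neither file is granted access."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client) for r in parse_rules(deny_text)):
        return False
    return True


def refused_connections(attempts, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Evaluate (daemon, client) attempts and return constructed log lines for
    the refused ones; these are the lines an operator would review."""
    return [f"{daemon}: refused connect from {client}"
            for daemon, client in attempts
            if not access_allowed(daemon, client, allow_text, deny_text)]


if __name__ == '__main__':
    # Constructed connection attempts, not captured traffic.
    sample = [('sshd', '192.168.1.7'), ('sshd', '10.9.0.1'),
              ('sshd', '198.51.100.2'), ('ircd', '198.51.100.2'),
              ('httpd', '203.0.113.6')]
    for line in refused_connections(sample):
        print(line)
```

The point the evaluator makes is the last line of `access_allowed`: with no `ALL : ALL` in hosts.deny, a client that matches nothing is let in, which is exactly the "implicit authorization" the comment describes; the one-line deny rule is the step that makes the owner's intent explicit and gives the refused-connection log entries their meaning.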
"...maybe a harsh law against window breaking will provide some kind of deterrent effect in the minds of those breaking windows."
Logically, this should be the case--it's a simple cost-benefit analysis. If the rate of catching the criminals stays the same, you can increase the "cost" by making a harsher penalty. The flaw in this reasoning is that the criminal isn't doing a cost-benefit analysis for something like breaking windows--after all, what's the real benefit? For that matter, people who break windows are generally unable to imagine consequences anyway.
Making a stiffer penalty will not lower the crime rate--the few people put off by the increased danger will be more than offset by the people turned on by the increased danger.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Granholm said: "Hacking is the dark side of high technology's power and progress. For every person using a computer or the Internet for research, commerce or communication, there may be another person using that technology to commit a crime. The Internet, unfortunately, has become one more tool to pick the locks of companies across the country."
And long license agreements full of mumbo-jumbo legalese have become one more tool to pick the locks of the average computer user across the country.
If I install a program, say a graphics program, would this law cover behavior that surreptitiously sends valuable personal information to the company that wrote the program? We know the info is valuable (the company plans to sell it), but they haven't paid me for it and I haven't given it to them. Isn't this crime analogous to workplace theft? I.e., I gave you permission to work here, but I didn't give you permission to take what you wanted home with you.
How can digital graffiti be a felony, but digital theft is winked at?
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba