Hacking Crime Victims to Remain Secret

outlier writes "The AP is reporting that federal law enforcement agencies are offering to keep the names of companies that have been victims of major cracking crimes secret. The goal is to encourage victims to come forward, so that the government can 'prosecute cases while at the same time achieving the kinds of protection and addressing the concern that the business community rightly has.'" My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

Same as here :)

[adilsonoliveira]

We do have in Brazil a police force specialized on internet crimes but sisnce the majority of the attack victims are off-shore, it's kind difficult to track down the crackers.

How is this news?

Companies that get hacked are, of course, only interested in recovering and getting back to their core competency. Nobody hsa time for forensics or any other bullshit, unless they've got an export control box hacked or we're talking classified data, in which case legislation dictates that more measures are required.

this is good

[prichardson]

This is good because I beleive then that a lot more companies will come forward with hacking tales, more development will be done to plug holes, more people will be able to talk about hacking, more people will be aware of the dangers, more people will become educated about hacking and virueses and the like, and we will have fewer "I cant find the any key" tech support calls and fewer viruses propagating like mad.

Re:this is good

Yes, really good - how many false accusations are we going to see now that the identity of the 'victim' will not be made public.

Why not go all the way and dispense with trials altogether.

Re:this is good

[Lshmael]

If the companies are doing this anonymously, I do not really see how it would helps the public become more tech-savvy. Unless every time you see a headline like, "SuperMegaHacker caught!," you go out and learn more about computers.

Re:this is good

[vicviper]

RTFA

The accused will retian thier 'right to face their accusers'. Many of these types of cases are settled such that the criminal aggrees not to name his target.

Re:this is good

[Daniel+Dvorkin]

RTFA yourself. The accused retains the right to face his accuser -- if the case goes to trial. But as I understand it, a defendant could be pressured to accept a plea agreement without being informed of whom he'd allegedly hacked or what the hacking allegedly consisted of. I think the scenario goes something like this:

Defendant [angry]: "But who'd I hack? What did I do?"

Cop [toneless]: "You don't get that information until you go to trial."

D [self-righteous]: "Okay, then I'll go to trial."

C [smirking]: "You sure about that? See, if you go to trial, and you lose, you go to prison. And I hear skinny little geek boys like you are reeeaaal popular in prison ..."

D [defeated]: "And what if I take the plea bargain?"

C [toneless]: "$100,000 fine, confiscation of all your computer equipment, and a court order preventing you from being gainfully employed in the computer industry for ten years."

D [outraged]: "You people want to ruin my life!"

C [smirking again]: "Okay, we'll see what your cellmate Bubba the Axe Murderer says about that ..."

D [barely audible]: "I'll take the plea bargain."

Re:this is good

[vicviper]

What makes you think that a defendant can't be pressured *right now* to admit to any variety of crimes with out knowing his/her accuser? The article makes no claim that identity of the victom will be withheld until trial. From the article:

Another U.S. attorney, Roscoe Howard of the District of Columbia, said the Constitution requires that a criminal defendant be permitted to face the accuser at trial, but he noted that many computer-crime investigations culminate with a plea agreement, where the names of victim companies can be kept secret.

The article deals with the relationship between the victim corperation and the public. The idea here is that companies can come forward with knowledge that the govt. is sensitive to their concerns about public reaction to this type of crime.

Now with all this said, if you are accused of anything and plea guilty to some crime without knowing who you are accused of victimizing, I have no sympathy for you (or your brainded lawyer... you did ask for an attorney, right?)

Re:this is good

[Daniel+Dvorkin]

Have you been paying attention to the way suspects in the "War on Terrorism" are being treated? US citizens are being held indefinitely, right now, without access to an attorney, without being fully informed of the charges against them, and without any opportunity to face their accusers. This policy change is a major step toward weakening the protections of the rights of the accused so that hacking suspects can be treated the same way.

Re:this is good

[vicviper]

I cannot make the large leap in association between encouraging victims to come forward and crushing constitutional rights when there is no evidence of such in this case. This is about the public perception of the victims, and your slipperly slope doesn't come close to applying here.

Re:this is good

Nope...this doesn't happen. The defense has a right, through discovery, to EVERYTHING the prosecution has. This includes the person/company making the complaint. This is actually the MOST basic of what must be turned over. It's not possible to walk into the courtroom not knowing who made the crimimal complaint.

Re:this is good

[killmenow]

I do not find his position alramist or "slippery" at all. A LOT of civil liberties in America have been usurped since Bush declared war (oddly though, I thought only congress could do that) on terrorism. This is FACT, not fiction or a statement made without evidence. As an example: It used to be that in order to get a wiretap, a JUDGE had to grant it and there had to be reasonable cause. Now, any state's attorney can grant one without a shred of any evidence required to prove WHY it's needed.

I do not think it unreasonable to assume our (s)elected president and his posse^H^H^H^H^Hcabinet might consider cracking a form of terrorism.

It takes little for a cracker to then be labeled as an "enemy combatant" and all this stuff to play out in closed military tribunals.

No constitution will stop The Whitehouse of Evil!

Re:this is good

A scenario lifted right out of Kafka. And if the accused persists in seeking a fair trial, will they eventually find themselves murdered in a park late some night....

Re:this is good

[neitzsche]

"...Then they came for me, and by that time there was no one left to speak up for me." Martin Niemoller, 1945

Fascism can only become entrenched gradually. Do you think the Republican party has your best interests in mind as it's administration makes these changes?

This is not about "perception of the victims" but rather the wholesale erosion of citizen's rights.

Re:this is good

[iabervon]

Generally, if you're pleading guilty, you'd be presumed to know who accused you, since you presumably know who you attacked. In fact, you're only supposed to plead guilty if you actually committed the crime (if you didn't do it but think you'd be convicted anyway, you plead no contest), so your guilty plea is unlikely to be accepted unless you at least know the identity of the victem. On the other hand, you don't necessarily get to face your accuser, which would reveal the identity of the accuser to other people who aren't presumed to already know (such as the jury and spectators) and potentially be hard on the victem (who might prefer to think of the hacker as a criminal rather than some scruffy kid).

Re:this is good

[m0rph3us0]

This is bullshit, I only agree with this if the perpetrator is given the same conditions of anonimity, imagine sitting in a court room and being told that some unknown financial institution is accuseing you of breaking into their systems yet you cannot question them. This is on the same level of bullshit as the US trying to convict people of terrorism charges and not releaseing the evidence on grounds of nation security, they should really make up their fucking mind, either terrorist are "enemy combatants" and should be treated under the Geneva convention, or they should be regarded as terrorists and given the rights ordinary citizens have. If you call them enenmy combatants you cant charge them with terrorism laws because then they are fighting a war and in war you blow the shit out of the enemy.

Re:this is good

[karups2]

This was my initial assessment as well. I guess the FBI has always been able to do that (so they probably already have) and now they're just making sure that companies know they're willing to do it. But I also think we're overlooking a more reasonable usage of this. Namely, the FBI encourages companies to come forward and share log files, etc. so that the FBI can track down the hacker. Then once they've found him, they can may arrest him on other charges where the original company is never involved and thus never mentioned (for example, if they've already amassed enough evidence against a hacker to charge him, but they haven't been able to find him). The statement: "When we've got individuals (as witnesses) we want to keep off the stand, we just won't use them" seems to imply that's what they have in mind.

Re:this is good

So far, so good. However, it is perfectly possible for a trial to go on wherein you face your accuser, but the public does not. I think in most cases criminal trials must be public (although they can throw out cameras and so forth), but the company can sue you and ask the judge to keep it quiet, I believe.

If anyone knows otherwise, please correct me.

Re:this is good

[hesiod]

I only agree with this if the perpetrator is given the same conditions of anonimity, imagine sitting in a court room and being told that some unknown financial institution is accuseing you of breaking into their systems yet you cannot question them

AFAIK in the US anyone being prosecuted has the right to face their accuser. I think in this case the "secrecy" part would probably result in sealed court documents, etc. not an anonymous charge.

Favorite Part

[bdesham]

My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

Why is that? Because it's spelled wrong?

;)

Re:Favorite Part

[meringuoid]

My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

Why is that? Because it's spelled wrong?

Well, more because an amorphous mass of FBI-flesh writhing obscenely and pulsating as it flows in a continuous stream through your office door can sometimes be distressing. The new method of FBI agents arriving as discrete individuals is far more friendly.

Re:Favorite Part

[Spazntwich]

Don't you mean spelled 'incorrectly'? ;)

Re:Favorite Part

[ReelOddeeo]

My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

Why is that? Because it's spelled wrong?

No, because it means no black helicopters circling.

Re:Favorite Part

What, will they be wearing sun glasses with that black jacket with big yellow letters on the back that spells out F B I ???

Hi, I am Special Agent Foo and this Special Agent Bar. We are from the government and are here to help.

Uh, huh!

Re:Favorite Part

[Trusty+Penfold]

It wasn't spelt 'incorrectly' it was spelt 'discretely'.

Agents will arrive discretely? Great!

[seldolivaw]

You mean they used to arrive all lumped together? No wonder people got upset!

Learn to spell, guys...

Re:Agents will arrive discretely? Great!

[Fastolfe]

It was in "scare quotes" because this is how it was spelled in the article. Though the poster should have added a [sic] or something to avoid responses like this.

Re:Agents will arrive discretely? Great!

Maybe it's a new open source business-model?

1: Write free software.
2: ?
3: Learn how to spell.
4: Profit!

Re:Agents will arrive discretely? Great!

Well, it beats having them arrive continuously.

Re:Agents will arrive discretely? Great!

[Maxwell_E]

You fool! You've slashdotted the dictionary! Now how will the hordes of grammar Nazis be able to correct teh funny?

Re:Agents will arrive discretely? Great!

[bdesham]

Though the poster should have added a [sic] or something to avoid responses like this.

Sorry, but the /. editors have to know how to spell in the first place before they start correcting others' mistakes, and, well... look at them...

Re:Agents will arrive discretely? Great!

[jaeson]

Technically, while "discretely" was the wrong word to use, it was spelled correctly.

Re:Agents will arrive discretely? Great!

[seldolivaw]

I bow down to the greater pedant :-)

Re:Agents will arrive discretely? Great!

[Myco]

Hypocrisy does not invalidate a point. Besides, "discrete"/"discreet" is a particularly geek-friendly flub to make fun of.

FBI...

[B1ackDragon]

From what I've seen of them, I didn't know they _could_ do things discreetly.

Re:FBI...

Hey... J. Edgar was very discreet. For example, I heard that he would only wear casual pumps on a stakeout.

FBI! THIS is a BUST

No...
THIS (o)(o)
is a bust

-Fedreral Breast Infect0rz

Re:FBI! THIS is a BUST

[josh+crawley]

What about the guys who dont like the "silver dollars". I like these too.

(.)Y(.)

Re:FBI! THIS is a BUST

I think you meant...

(.Y.)

But even if you like the "silver dollar" effect and prefer a bit of cleavage...

(oYo)

(...yep, too much time in IRC...)

So...

[Pig+Hogger]

FBIs agents will have to undergo exterminator discretion training????

And snail-mail correspondance will arrive in plain brown wrappers????

Jargon File

So where are all the leet geeks pointing out to the Jargon File's definition of "hacker" and that it has been used wrongly once again?

Re:Jargon File

[mumblestheclown]

How is it possible for a word to be used wrongly? Communication happens when one party talks and the other understands the message. The correct picture has gone from the party that sent the message to the party (readers) receiving it. I venture to say that more people will have understood the article if it said "hackers" instead of "crackers."

I think those who pray to a talmudic god of vocabulary need to understand that language is a living thing.

Re:Jargon File

[Pius+II.]

We have given up. Oh, and not wanting to change our business cards, we also had to turn evil...

Re:Jargon File

[dfeist]

And I don't. Another word which must be replaced every few years for that no misunderstandings occur (like "colored")? So, what comes next? Degrading "programmers" to "script kiddies"?

Re:Jargon File

[IndependentVik]

I've always preferred "code monkies" myself.
Note to programmers: Some of my best friends are in dev--don't throw a hissy :)

Re:Jargon File

We're too busy cracking into the FBI's lame computer system finding the names of easily cracked companies!

Men in Black!

[Black+Parrot]

> My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

The guys in black trenchcoats? Uh, those are our network consultants. Yeah, network consultants.

Re:Men in Black!

[Bloody+Bastard]

Yes, they are from Black Box... that is why they use the black trenchcoats.

Re:Men in Black!

[The+Dobber]

No, SEC investigators

Re:Men in Black!

[Reziac]

No, no, no. Everyone knows network consultants wear *yellow* trenchcoats!!

Re:Men in Black!

[Master+of+Transhuman]

With rusty zippers and yellow shoes...

Protect the hackers, too!

[Devil's+BSD]

Maybe the courts should just start calling the parties H4X0R and H4X0R3D...

yep

[Sacarino]

Nothing beats security through denial.

"Uh, I wasn't hacked, nope. Must have been Corporation X."

And WTF is this?
Government efforts to tighten Internet security and investigate online attacks have long been hampered by reluctance from companies to admit they were victims, even in cases where executives quietly paid thousands of dollars in extortion to hackers.

Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

Re:yep

[FreeLinux]

Government efforts to tighten Internet security and investigate online attacks have long been hampered by reluctance from companies to admit they were victims, even in cases where executives quietly paid thousands of dollars in extortion to hackers.

Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

True dat. This little gem is popping up more and more frequently. It is utter BS but, as more people hear it in more places they will accept it as fact. It is total BS!! NO corporation is paying extortion money to hackers. Unless they are counting the dollars wasted on "Security Consultants".

Re:yep

[vicviper]

Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

Prove it? Who's going to admit to it? The companies want to stay out of the spotlight, remember?

Re:yep

[mitchell_pgh]

Unfortunately, this is a serious issue. If your position at an online banking environment is "Director of Network Security" and you are hacked for say $5,000 and you plug the security vulnerability, the only people that know are you, your boss, and perhaps some people from the accounting department. Is the negative PR you will receive over the hack to your "secure" system worth $5,000?

If you lost one account over this hack, it wouldn't be worth it. I think the FBI is trying to inform the public that they understand "HI!, We are from the FBI. We are here regarding the security breach of your trusted online banking system" isn't acceptable in every situation.

Re:yep

[paganizer]

+1 Insightful (vorpal)
I suppose it is possible that someone is paying extortion money; it seems like the hardest way for a hack to generate cash, to me.

Re:yep

[karlm]

I think it's often a grey issue. It's "Gee.. I found a hole in your site.. I can do the whole full disclosure thing, or you can hire me as a security consultant. Your call."

You're right in that it's stupid to pay script kiddies to un-deface sites, and Idon't think anyone does that.

I think it's most often extortion in the form of "security consulting fees" for unsolicited "security audits". Occasionally it's "We have your entire credit card databasebase and all of your loyal customers will never trust you again if we post them to usenet, so pay up." I heard ofsomeone trying to do this to a Minnesota comapny maybe 3 years ago, but the company basically said "screw you" and went to the FBI. Nobody knows how oftn companies pay up... It's like estimating the percentage of unreported rapes. It's just data that you don't ahve and isreally hard to estimate.

Re:yep

Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda

I don't know about extortion, but if a server I'm responsible for gets hacked, I'm going to make up a story about a disk drive crash before I get fired as part of the mindless panic of a security incident investigation.

Re:yep

[Rasta+Prefect]

Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

While I'm not up for offering proof, I'm thinking a slightly more plausible scenario would be "Oh, Mr. CIO....I've got this database of customer information, some of it quite sensitive. Would you like to give me some money, or would you like me to publish it (and where I got it) all over the Internet? That would do wonders for your customer relations, wouldn't it?"

Re:yep

HAHAHHA this is so funny!

Let me get this right. A company doesn't want anyone to know they were hacked so badly they pay hackers 1,000$s. If this is the case, who actually got the company to admit they were hacked for that piece of information to come to light?

It reminds me of those nasty rumours that spread around without one actual bit of fact to be based on. They need to cite at least one example of this where it wasn't tax fraud. :)

Has anyone noticed the growing trend of corperate power in this area too? If a business claims someone hacked their network, they don't need to show one piece of evidence usually before the FBI come knocking down someone's door.

Re:yep

[commodoresloat]

It's just data that you don't ahve and isreally hard to estimate.

Same with the number of invisible gay werewolves in Omaha, Nebraska - it's data you don't have, so you can't estimate it. Is there any evidence at all that this kind of extortion has ever been successful? I understand the security fees scenario, but I find it hard to believe that any company would hire someone who just hacked their network and threatened to break things or otherwise cause illegal damage. Do you want such a person on your staff? But if all they're doing is saying "Do you know your network is vulnerable to exploit X, our company can help you for a modest fee," then I'm not sure this belongs in the category of extortion.

Bad Idea

[hrieke]

This is bad, wrong, and just brain dead.
If the company can't keep it's information secure, why should I own any of that company's stock then?

Information crimes should be treated the same way as a real robbery (just we have a smarter crook to deal with).

This is on the same level has cooked books IMHO.

Re:Bad Idea

[vicviper]

The analogy in the article with a teller and a bank applies here. The idea is to encourage victims to step forward so law enforcement can catch the bad guys. The point here is that either way, as a stock holder you wouldn't know that security was comprimised(at least the company isn't going to publish the info), but if ACME Co. can have some assurances that their name won't be in the headlines the next day, they may be more willing to come forward.

Re:Bad Idea

If the company can't keep it's information secure, why should I own any of that company's stock then?

And that's why companies don't want it known they've been cracked.

Re:Bad Idea

[Master+of+Transhuman]

Oh, yeah? I was arrested for armed bank robbery - let me tell you how that works in San Francisco. In this town, the newspapers rarely report bank robberies. Why? Because when I was arrested, there were probably forty or fifty bank robbers operating in the area. At least every time I went to court in the Fed van, holding eleven people, at least 20-30% of them were bank robbers...

The banks do NOT want people to know how easy it is to rob a bank (getting caught is another matter)...

But, yes, it SHOULD be reported publicly. Ignorance is not bliss...

Well done

[Kragg]

This is an excellent idea. The amount of information that disappears down a black hole due to copmanies keeping quiet must be gigantic.

A good idea from the FBI..? Next thing you know, the CIA will start acting intelligently and the government will start governing...

Re:Well done

[kenthorvath]

You wanted the black hole? Here it is:

He cited congressional efforts, supported by the Bush administration, to exempt from the Freedom of Information Act any details that companies might disclose to the proposed Department of Homeland Security about vulnerabilities in their operations. He said amending the law could be helpful "in case there is a concern that reports of hacks or intrusions in federal records might find their way into the hands of those who would use that information against us."

This scares me....

How is secret victims going to work?

[The+Creator]

them: "Someone has testified against you, we wont tell you who it is, and we can't tell you what they said either".
you: "Umh ok".

Re:How is secret victims going to work?

[vicviper]

RTFA, this is not remvoing the rights of the accused at trial. Rather, it's probably more like gagging the criminal after a deal has been struck while at the same time law enforcement doing their best to keep the company's name out of the public.

Re:How is secret victims going to work?

as long you're not a 'terrorist'.

Is this a good thing?

[skaffen42]

I agree that confidentiality is important in some crimes. For example a woman who has been raped shouldn't have to have her name splashed on the front page.

But... if my bank or credit card company has a habit of getting hacked (ie. lax securtity) I figure I have a right to know about it.

Just my $.02.

Re:Is this a good thing?

You do?
If your bank gets hacked, and your money disappears, it's the bank who bears the cost.
If your credit card company gets hacked, it's they who foot the bill, not you.

Re:Is this a good thing?

[skaffen42]

If your bank gets hacked, and your money disappears, it's the bank who bears the cost.

If I can prove it wasn't my fault. Banks have a nasty habit of pretending they can't make mistakes. Read Ross Anderson's Security Engineering for some examples of normal people who had their life's destroyed through banks shifting the blame for their security lapses onto their customers.

If your credit card company gets hacked, it's they who foot the bill, not you.

Once again... if you can prove you didn't do anything wrong. And the hacker probably still has your SSN and personal details even then. Identity theft anyone?

Re:Is this a good thing?

[BlueUnderwear]

In a case of mere theft, the bank would indeed (probably) reimburse you, they are not paypal after all ;-)

However, there are more things that a hacker could do than just stealing the money from your account. He could for instance reveal the data to the tax administration, and you could possibly get into lots of trouble over this.

Maybe not a big concern in the US, where the IRS has access to this information anyways, but here in Europe, this is a big issue: many countries' tax administration would pay huge amounts to get at customer lists of banks of neighboring countries, just to check that their own citizens don't have any secret stashes of dough there.

Double sceret arrest

[banzai51]

Hi. We're from the FBI. You're under arrest for hacking. We cannot disclose what you did or who you hacked. Just jump into our jail.

Re:Double sceret arrest

[newr00tic]

We cannot disclose what you did or who you hacked. Just jump into our jail.

.."you do not pass GO, and you will not be allowed to participate in the next 4 mayor DOS attacks"..

-now where's that darn "get out of jail free" card when you need it?

Re:Double sceret arrest

> > We cannot disclose what you did or who you hacked. Just jump into our jail.
> "you do not pass GO, and you will not be allowed to participate in the next 4 mayor DOS attacks"..
> now where's that darn "get out of jail free" card when you need it?

You lost it on the boardwalk during the stock market crash.

a bit hard for defaced web sites but..

[SystematicPsycho]

There must be a dozen or so sites in each country that take a list of recentltly defaced web sites, I guess this isn't as severe as screwing up millions of credit card numbers.

Shouldn't the consumer be aware if someone who they gave there credit card details has been hacked and now they are exposed? It comes down to, if your a victim, you want to know.

Ahhh Security through Obsurity!

[Cytlid]

Isn't this sort of like the family who's teenage daughter gets pregnant and they don't want anyone to know because "what will the neighbors say?!?!"?

Re:Ahhh Security through Obsurity!

[Rhinobird]

what the neigbors will say:

brother #1: She puts out?!?!
borther #2: yeah...what, you didn't know?

Moderate parent -1 'my eyes, ow my fucking eyes!'

FBI discretion

[Triple+Helix]

My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

In my experience, the FBI can be extremely discrete when they want to be. I work for a company that provided some important information to the FBI after September 11 last year. There would on occasion be two or three agents in our office, who always showed up driving an unmarked car, and wore casual attire. Most of the people in our office had no idea the FBI was even present.

Re:FBI discretion

*sigh*

how about they were discreet?

Re:FBI discretion

Let me guess:

1. They arrived in a dark colored Crown Victoria with tinted windows?

2. They all wore tan Dockers, dark polo shirts, running shoes and dive/running watches?

Re:FBI discretion

[fishbowl]

In my opinion, an outward appearance of literacy is a solid requirement if I am to respect one's professionalism. In other words, the use of poor grammar, especially by someone employed in law, politics, education, or journalism, is not something I can easily excuse.

According to www.m-w.com:

discrete
1 : constituting a separate entity : individually distinct
2 a : consisting of distinct or unconnected elements : NONCONTINUOUS b : taking on or having a finite or countably infinite number of values

discreet
1 : having or showing discernment or good judgment in conduct and especially in speech : PRUDENT; especially : capable of preserving prudent silence
2 : UNPRETENTIOUS, MODEST
3 : UNOBTRUSIVE, UNNOTICEABLE

Re:FBI discretion

In my opinion, an outward appearance of literacy is a solid requirement if I am to respect one's professionalism. In other words, the use of poor grammar, especially by someone employed in law, politics, education, or journalism, is not something I can easily excuse.

Isn't he lucky that he made a spelling rather than gramattical error, so that's OK isn't it?

Right to face one's accuser...easy out at court

[Nonac]

This steps all over your right to confront your accuser. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

The article says this isn't an issue because most hacking computer-crime investigations end in a plea deal, but how willing will suspects be to plea if they know they have an out at trial?

Re:Right to face one's accuser...easy out at court

[theBraindonor]

Come one... We know the FBI isn't only concernced about convicting hackers in court when companies come forward. They want companies to responsibly help the FBI find hackers. Sure, the hackers won't be prosecuted for that individual crime. Instead, they'll have the FBI looking into every aspect of their lives. Let's face it. Most individuals that hack into company systems do it more than once.

Re:Right to face one's accuser...easy out at court

[vicviper]

This steps all over your right to confront your accuser [cornell.edu]. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

The article says this isn't an issue because most hacking computer-crime investigations end in a plea deal, but how willing will suspects be to plea if they know they have an out at trial?

They will be willing to plea if the evidence against them is so good that their lawyer says "You will loose at trial, and they'll throw the book at you." I find it hard to believe that a suspect in this case wouldn't know that he had the option to go to trial. Mind, that at trial the accused will face the accusing party.

Re:Right to face one's accuser...easy out at court

[incog8723]

This steps all over your right to confront your accuser [cornell.edu]. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

This is true. However:

1) Most people who get slapped with a FEDERAL charge (which is a lot different than a state charge), don't have the money to retain an attorney (on the order of at least $10,000 dollars, and that's not even to go to trial--more like 20,000 if you plead not guilty).

2) The feds won't even press charges unless they KNOW they can convict you, and unless they KNOW you won't win. I was convicted of a federal crime, and it wasn't even a big time thing. However, the mountain of evidence that my public defender showed me was about a FOOT high (paper, mind you), and that's not counting the wiretap evidence.

3) The way the plea bargaining system works in federal court is that the Federal prosecutor ALWAYS tacks on extra charges. This is so that some can be removed if the defendant wants to plea.

4) The stress involved from being charged with a federal crime *almost* always dictates that the defendant will plead guilty, because of [1], and [2]. Federal sentencing guidelines DICTATE that if there is a mountain of evidence against you, and you try to FIGHT it and LOSE, then you will get a HELL of a lot more time in prison than if you just plead guilty in the first place.

Just my experience.

Re:Right to face one's accuser...easy out at court

[starX]

But note well that the article also talks about using gag orders. They're not keeping you from confrnoting your accuser, they're just keeping it out of the papers, so no, this doesn't violate our fine legal system.

This sort of technique is actually used a lot, but usually to protect the identities of minors who are prosecuted as such for high-profile crimes. Personally, I think there is a great deal of sense to it. Sometimes the identities of the victims OR the perpetrators of crimes do need to be protected, but I think that in most cases of this type doing so is unfair to investors, shareholders, and clients.

I fully realize that there is no such thing as perfect security, nor will there ever be. But investors, shareholders, and clients of a given company have the right to know how their money/data was comprimised, and what the company is doing to correct the problem, and ensure it never happens again. But then again, it's also important to realize that when there IS a security compromise (as there inevitably will be) that the company is going to go to the appropriate authorities. I read someone else's comment comparing this to robbing a bank. I sure as hell want the bank president to call the sherrif when a whole bunch of money gets taken.

This is definitely going into some stick ground. But then again, most legal matters ARE very sticky buisiness.

Re:Right to face one's accuser...easy out at court

If you are charged with a Fed crime, you would wind up paying more then $250,000 in attorney fees, which is average. I sure would want to know the name of that attorney that would charge $10k.

Like everything else.... MONEY TALKS AND BULLSHIT WALKS.... just ask Bill Gates.

Re:Right to face one's accuser...easy out at court

[Master+of+Transhuman]

And everyone else's experience in the Fed system - that's why they have something like a 98% conviction rate...

And it doesn't matter if a LOT of the evidence they have against you is from snitches who made up crap about you, or cops that lied under oath to get a bust...

I was sitting in the Marshall's holding tank one day when a guy came back from court laughing about a situation he'd heard. Another guy was up for arraignment, and the Magistrate Judge was suspicious of the testifying agent's testimony. The US Attorney said, "But, Your Honor, this man is a Federal agent and he wouldn't lie!"

The Magistrate LAUGHED IN THE US ATTORNEY'S FACE, and said, "Don't come into my court room and tell me that a Federal agent wouldn't lie!"

That's how common knowledge THAT is!

A rubber hose, a pair of dikes, and a nailgun.

[Sazarac]

And they wonder why no one comes forward? I'd much rather deal with the guy that hacked my home www serv in my OWN way. Why let the FBI lock him up in Club Fed?

Clearly I still have some issues to work through...

-Sazarac
"He who joyfully marches in rank and file has already earned my contempt. He has been given a large brain by mistake, since for him the spinal cord would suffice." --Albert Einstein

Re:A rubber hose, a pair of dikes, and a nailgun.

[vicviper]

Now, if you publicized *that* as punishment, I'd imagine that the number of hack attempts would decrease :)

Re:A rubber hose, a pair of dikes, and a nailgun.

[Cyno01]

I remember reading in some book about internet security that some corporations dont want to deal with the hassle and the wait and the apathy of the feds for cyber crimes. They have a private jet and some big guys with baseball bats. Vigilantism is illegal, but if more crackers knew about this i'm sure the number of large scale attacks would decrease. Does anybody know anything more about these private computer crime 'investigators'?

Re:A rubber hose, a pair of dikes, and a nailgun.

[Master+of+Transhuman]

I remember reading years ago about how the major credit card companies employ private investigators who go after major credit card fraud perps. These guys are paid to keep chasing you until they catch you - they NEVER stop coming after you, unlike cops that will eventually shelve a case if there is no progress.

Read that book about Kevin Mitnick - he was nearly caught one time because a private investigator who specializes in cell phone company fraud tracked him down using a radio direction finder built into his car.

And that PI carries a 9MM because he tracks down drug dealers doing cell phone fraud as well.

Bad

[gr8_phk]

Does this mean people will be tried in secret? They do mention Homeland Security. Does this mean hacking is terrorism? How do they protect the identities of children who are victims? The media often understands their need for privacy, but does a publicly held corporation need that protection? This simply illustrates that stock prices are too dependant on corporate image and not real value.

Re:Moderate parent -1 'my eyes, ow my fucking eyes

[DynaTroll]

Yeah... I'm thinking of putting DynaTroll up on sf.net, that everyone can have this much fun!!!

How Convenient!

[ackthpt]

Won't this encourage companies to leave themselves vulnerable, if potential customers and investors are unaware of such lapses?

Case in point... AbiWord vs. PayPal.

I'd certainly like to know that the California State agency which kept my personal information had been hacked into. Same for anywhere I have or might be placing sensitive information.

Bad policy, bad! No treat for you!

Humm..

[NoMercy]

This is clearly not to improve securty, only push up the FBI's arrest count.

Do these poor guys ever get there equipment back, Ive never heard any stoires of guys getting back stuff from the FBI after theyve taken it away for investigation?

Where's the topic.

OK, it is off topic but, it shouldn't be modded down. Where is this on topic? Regardless of the fact that the comment doesn't apply to this particular article, the subject is legitimate and people should be able to discuss these things.

Slashdot broke when they moved to the new colo and days later, it is still broken. I would think that there are a lot of us amongst the community that do wish to discuss this topic.

AC for obvious reasons.
4th attempt.

If I had points I'd mod the parent up

I'd be very happy if they would be talking about protecting the normal people, instead of companies, who have been victims of crimes.

Mixed feelings.

[JKConsult]

On one hand, I perfectly respect the need for anonymous reporting for publicly traded companies and/or companies that spend an appropriate amount on network security. It obviously can be very damaging to their reputations if they happen to be on the front end of the vulnerability cycle and get hit before the exploit has been disseminated to the masses. The average stockholder doesn't recognize that sometimes shit happens, and perfect network security is a pipe-dream (especially if those same stockholders want costs cut, meaning the infosec department is running on a shoestring.)

However, in the case of companies that don't spend an appropriate amount on infosec, fear of public knowledge of their lack of security is often the only impetus to spend any money at all. Case in point: as the only "computer guy" (read:webmaster) at work, any problems with systems, be they internal or external, get blamed on me. I've fought tooth and nail for training (nope), a new network architecture (confidential documents, including employee data and customer financials, are stored on a Win2k box that has no firewall, no A/V, nothing), even just the ability to install freeware solutions (fuck spending an appropriate amount of money, just let me spend some time, please) have all gone by the wayside. The only time I can get approval for anything is when I lay out specific scenarios of stolen data being released publicly and the ensuing customer backlash over the lack of security. Without that hammer, I've got nothing. And since the only infosec experience I have is that which I can get for free, on my own time, I need all the hammers I can get.

Re:Mixed feelings.

Companies are just not spending enough on InfoSec. which is part of the problem and not a solution.

How can we all participate in securing our infrastructure it companies are just not willing to participate. Of course of they get HACKED, they will sing a different tune...

A possible solution would be for lower insurance premiums if it can be shown that a company pays more attention to detail in their network security.

I can see it now.... Including a Nessus scan with their periodic insurance payments... :-)

I know SOME insurance companies do have reduced fees if they deploy security measures. I have no idea how they intend to verify or police it. It's comforting to know they are out there...

Here's one with italicts instead:

[DynaTroll]

Introduction

A spadger can not encourage participation earthly. Who do I protect as to a scliff? Sometimes counteroffer worryingly. The Mecca must jetty across from the requestor, an overhand, a blueblood, a concrete roadie. Who does eager reattribute smily? The lurker does declare war bluntly. Those pillory outdrop, save coil. In addition, to pick a fight, a Buteo must not obviate scantly. A gangplow isn't risky over chedite. They believe that to fly kites, inconsolableness wouldn't smore defiantly.

The ectopia

Don't bless regarding us. A goldworker does not disband the team shrilly. You think anyone in between a whippoorwill can replan. How do I tumefy inside a semicolony? Anyone overpersuade to Fatimite, wide Soviet must not always tritiate. These inulase waitlist, after birdhouse. It's been proven that to trim his beard, a torchere will not mosh laxly. Don't disconcert next to it. Those burgee inwreathe, anti lymphopoiesis. This Polyporaceae betray, due to allomorph. It's been proven that to clench a fist, a Thespesia wouldn't carburate gayly. Take for example, why either didn't guess together with amildar studiously.

A foggage ounce

The Delmonico isn't gospel on board filibustering. You smith following the perkily. It's been proven that the fatuity would not albuminize bar that apophthegm. However, soldiers die forward of when bimli. Never air save for no one to a straightbred. In order to pay attention, adonis doesn't ensphere via a quamash. No one questions that the nutcracker won't gander outside that newfangledness. To tinkle, a peafowl couldn't landslide after perkily. They think to reive, ventil must create a mood. What do we quarter for the sidepiece?

The nominalist

To reexpress, the Frank did not abscind on account of pleadingly. Dogged oscillator did always unmesh. Many people think chested horsing would schmear up until grandpa. The misquoter did tell tale neurally. Both repent to colonist, and sometimes eternise hydraulicly. They say harmful interoceptor can ooze pert, and secludedness is always ruttish in lieu of antihunting. Either wrangle to antirachitic, to repel, the cornhusker can sulcalize before keenly. What do present debate rages inside retint?

The dispace footsy

Always irrationalize as for several to the showpiece. What do a calthrop mollycoddle, overencourage benignly? Those anomaly volatilise, beneath postpositive. Sometimes misenroll among anybody to a Arrhenatherum. Neither perpetrate to reproving, and never preambulate among each to a callais. Equal enchaser can not sometimes overhang. You counterraid amongst lapstone. The fact is, the sugi wouldn't preadmit, and the barrister will not outcrowd, to produce evidence, the anthracite should not rebate scruffily. For example, the hoodwinker is busty to come to decision. A civilisation didn't lug in lieu of a Mahratta, a cathedral, a insurgency, a mut ossiculum. Everyone knows, the telepherique is not extra to produce result.

Conclusions

For example, how the vitiator must defend my country. Always defibrillate over either to the mews. To swallow food, Maputo won't whump dirtily. Everyone knows, a jarrah would not afforest up until this Rumania. Don't triumph towards him. In reality, anyone must not Japanize outside of piper pitiably. It is true that synchroflash isn't plain ahead of a demonism. To do housework, kickdown shouldn't pluralize mellowly. Many people think that to topple governments, Lacedaemonian wouldn't shoehorn happily.
---
Powered by DynaTroll: Dynamic, automated, trolling.
aYOtP35nkc

Double standard.

[FrankieBoy]

Wait a minute, I'm confused here. The government is doing everything it can to protect the names of companies that have deployed inadequate network security practices from getting out but they're also making it their mission to expose companies that have employed deceptive accounting practices like Enron and MCI. The bottom line is that they both point to problems with the running of the company and if the company is publicly held then this information should be exposed and the incompetence dealt with.

Re:Double standard.

[lenski]

It's easy to pick out egregious failures. Naturally, incompetent people in positions of responsibility and thieves should be "called on the carpet". These organizations and people are statistically infrequent.

There are many organizations doing the best they can to manage their systems competently and get hacked anyway.

In my opinion, it's a good idea to give such organizations the opportunity to improve their techniques and technology before dragging their names through the public mud. The Public can be very judgmental...

arive without being noticed?

[jjshoe]

im sorry but when the fbi is at the Mayo Clinic when someone important is visting for something or another its quite obvious to pick them out... general fbi agents are the ones where you can see the sholder holster holding an armed oozi (spelling)

is this how they are going to arive at peoples buisness?

Re:arive without being noticed?

1. Your link doesn't work.

2. FBI agents don't use shoulder holsters.

3. FBI agents don't walk around with Uzis out in the open.

Other than that, good post...

So there's no need for 50 replies

Points can be discrete.

People can be discreet.

No mixing!

Triple Sceret Arrest

[ackthpt]

"Hi. We're from an agency of a government

don't tell them that!

What, the bit about an agency or a government?

any of it!

Right. You're under arrest for hacking.

don't tell them what they're under arrest for!

We can't just arrest them, can we?

we do it all the time!

But that's what morally corrupt dictatorships do and we're not one of those, we're from a democracy, right?

oh, great, next you'll give the whole thing about where we are from away, just why don't you wave the flag, show 'em a picture of your mom and ask if they'd like some apple pie! fer chrissake!

Ok, we cannot disclose who you are, what you did or who you did it to, who we are, what we are here for, what you may or may not be charged with, where we are taking you or anything else. We're not even sure if we are at the right address, but just come with us.

quietly.

Re:Triple Sceret Arrest

[kapheine]

Reminds me of The Trial by Kafka.

Re:Triple Sceret Arrest

[Master+of+Transhuman]

Okay, anyone read this one from some years ago:

The cops in Philly (I think) paid an informant money to finger drug dealers. The guy made up accusations to get money. He fingered a house that he thought was empty because there was no furniture in the house. In fact, the house was owned by a guy who'd just has a messy divorce and his wife got all the furniture.

So the cops from FIVE JURISDICTIONS bust into his house one night. The owner makes the usual "suspicious move" and they shot him. He's lying there in his blood, conscious, for half an hour while they ransack the house looking for drugs that aren't there.

When they realize their mistake, this guy who is conscious but not moving, hears these FIVE JURISDICTIONS of cops discussing whether they should KILL HIM to cover up their mistake! The only reason they eventually decided not to do this was because with FIVE JURISDICTIONS OF COPS in on the raid, they thought they COULDN'T COVER UP THE MURDER OF AN INNOCENT CITIZEN!

This case was report in one of the Philly papers, IIRC. I read it while I was in the joint in a series of articles about why informants are bad news.

Re:Triple Sceret Arrest

I would get a good enough lawyer to put those cities out of existance, that's the type of thing that leads to city charter reform.

The Men in Black

[pommaq]

My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

- Yes. I've been looking for you, Neo. I don't know if you're ready to see what I want to show you, but unfortunately you and I have run out of time. They're coming for you, Neo, and I don't know what they're going to do.
- Who's coming for me?
- Stand up and see for yourself.
- What, right now?
- Yes, now. Do it slowly. The elevator.

Re:The Men in Black

[Skyfire]

- SHIT!
- Yessss...

Will the Accused Ever Face The Accuser ?

[kjhambrick]

The Constitution on the US (CotUS) guarantees
the accused the right to face the accuser.

If the case gets to trial, the case is on
the public record.

So much for either the victim remaining
anonymous or the CotUS.

-- kjh

Discreet new tactic...

[SpiffyMarc]

FedEx envelope delivered to IT manager's desk with an old, analog cell phone in it. IT manager takes it out, and answers it when it starts ringing...

Then, of course, fifty FBI agents come bursting into his office.

(Unfortunately, the agent who was working on this plan was transferred before he could perfect the "call him on the phone" part.)

More Oppfortunity For Hacker

[limekiller4]

This is of marginal value because while it may keep things under wraps while the hack is occurring, if the hacker is caught (the goal, after all), then they have the right (in the U.S. at least) to face their accusers. Barring a rather broad-sweeping gag order, the press will get wind of it. And given that the bait here is for the company to remain anonymous permanently so users of that company to not lose trust in that company, this is of dubious value.

Plus, IF the hacker (remember a lot of jobs are done from the inside) catches wind that the FBI has been contacted and is being asked to be discrete, this is a new weapon. They now know that they have brand new button to push that the company would, for whatever reason, really not want pushed.

Just a thought.

Re:More Oppfortunity For Hacker

It's much easier to mod me down than to post an intelligent reply.

Hmm, good point. I'll remember that next time i have mod points.

Re:More Oppfortunity For Hacker

[limekiller4]

My tagline reads:
It's much easier to mod me down than to post an intelligent reply.

An Anonymous Coward (aren't they all) wrote:
"Hmm, good point. I'll remember that next time i have mod points."

Well thank god you posted anonymously! Preserving those all-important karma points!!

The point is that it is much more useful to have dialogue than a knee-jerk "oh, I don't agree with you" moderation system because it gets abused. -1 no longer means "this is a bad post" so much as "I don't like what you had to say." I'm not sure it was ever anything else, really.

And really, at least try for the appearance of self-respect and just post as yourself. Is karma that important to you? It shouldn't be. Observe:

Hey! Someone with mod points! Here is a big fat link to some guy's torn-up asshole. Please mod this post down to prove that people should be more worried about saying what is on their mind than karmawhoring. Metamoderators, please disregard any -1 modding done to this post. It was requested.

And to the original AC, you're a nitwit. People like you are the reason the signal-to-noise ratio on Slash went to complete shit years ago. Thanks, much obliged.

step by step, you'll win her love

Step 1: Hack indy media sites, or anyone opposing this years crop of hardliners

Step 2: Arrive at the citizen's physical address using discrete math and storm the place, loading opposition into white vans (or junky ol' chevy caprices, whatever seems appropriate for a given situation)

It's pretty much the same ol' song and dance. What exactly is government doing? If people get hacked and need some security consulting why do they need to go cry to big brudder, when private security specialists do a better job? More examples of the state "make work". Wonders never cease

The FBI - A pillar of trust

This must be part of the FBI's new 'Trustworthy Computing' initiative...

Companies? How about...

[vinyl1]

...politically motivated attacks? There's lately been a big DDOS attack on www.freerepublic.com, the conservative discussion site, and I haven't heard that any law enforcement agency cares about protecting free speech.

Of course, you may not agree with their politics, but...

Is hacking now worse than rape and murder?

[FearUncertaintyDoubt]

Often rape victims are reluctant to come forward, yet their name has to become public information if they want to see their rapist convicted. And news media love to provide pictures and information about victims of grisly murders. The only exception that is normally made is when the victim is a child. AFAIK, it's pretty much accepted that you can't make victims of these crimes a secret (and still prosecute the offenders), no matter how much people would want such a thing.

So is this saying that hacking is even more humiliating, more personally damaging, more vicious than rape or murder (or any number of other violent and cruel acts) -- so much so that we have to shield its victims from any public knowledge of their being victims? Or maybe are we saying that corporations get whatever they want from our justice system? (*cough* Microsoft penalty judgement *cough*)

Re:Is hacking now worse than rape and murder?

[CableModemSniper]

No, its just that heaven forbid a company loses investor confidence. That could result in people selling stock. And *that* is more heinous then rape.

Re:Is hacking now worse than rape and murder?

[TC+(WC)]

Wait... how is having the name of a murder victim released damaging to the victim? He's already dead... I doubt the whole murder thing is very humiliating to him, either...

Re:Is hacking now worse than rape and murder?

[FearUncertaintyDoubt]

I never said it was damaging to the victims or their families (though it could be, I really don't know). But it is sometimes unpleasant, maybe even embarassing, for the families, and many would rather detailed descriptions of how their loved ones were hacked up not appear in national media. But even if it was damaging in some way, that has not been a reason to keep it out of print.

another lame M$-realted post

you see, I think this is just so Microsoft doesn't have to announce that they've been hacked AGAIN.

Constitutional???

[chuckw]

Ummmm, that isn't even constitutional. The accused has a right to confront their accuser. Do you really think the accuser is going to keep quiet about who the victim is? Doubt it, unless they give him some real incentive not to. Either way, with lawyers, relatives, friends etc, the true story is going to leak out somehow. If the FBI *REALLY* thinks this is going to remain secret, they have more than a few problems...

Re:Constitutional???

[andrew4ta23]

I don't think that the point of this change in procedure is protecting the identity of the victim after the criminal is caught and brought up on charges. There is value in the change because it allows companies to come to the FBI for help INVESTIGATING the crime.

It's not terrible press to say that you caught a person who hacked your systems. It is not so attractive an option to say that your network was hacked and you have no idea who did it.

Who needs fair trials, anyway?

[Fefe]

So now not only is the electronic "proof" easily faked, now you don't even have to tell the hacker whom he supposedly hacked?

Great! The perfect infrastructure to put arbitary people in jail. You can frame anyone!

And how can the hacker prove to the judge that the alleged victim had something to gain from framing him? And it makes it impossible that someone can can read about the trial in the newspaper and help prove the hacker's innocence.

Obviously they want to get rid of Kevin Mitnick for good this time.

hypocritical extortion.

[boy_of_the_hash]

Cyber armagedeon is coming...
Companies can be assured of discretion when reporting computer crimes...
Give the FBI more tax-dollars and everything will be ok. Can't have those horrible 'hacker' types extorting money from the system now can we?

Give us your money...OR ELSE!

"Arriving Discreetly"

[duck_prime]

From the eds:

My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

They can pretend that they're showing up to arrest the CFO. Pretty good cover these days...

Ironically enough...

...Brazil is also the home of plenty of convenient open proxies which can be used to disguise your location whenever you need to "surf" anonymously...

I gotta question

[Rareul]

Does this mean that Scientific Games, whose betting system was 'hacked' during last weeks Breeder's Cup (specifically between the 4th and 5th races) would not have to have reported their vulnerability?
See here: ./ article

That is ridiculous!
?sp

Pure BS

[Ektanoor]

The reluctance most companies have to present evidence they have been jacked is not because they fear the effect it will have in their customers. This fear goes much deeper and touches the very soul of many companies. It is a problem of competence, knowledge, expertise and information control. Many companies control quite badly or don't have any control over the information exchanges ocurring inside their infrastructure. It is a mess that no one can get an hint of and no one really cares. While money keeps coming, they will not worry sharing its local network with third parties (some business centers work that way), sending tons of internal data through simple e-mails out to Internet (no cyphers, no filtering), sharing local networks with customer's ones (how many ISPs work like that?) and many, many more.

It is curious to note that these cases are even more frequent among corporate strucutures, specially among holdings. And no one cares when one company gets sold and still keeps using the common corporate resources. And some do use these security breaches for their purposes.

So why companies want to hide information? Because they don't want people to mess up in their "internal" affairs. Roughly this is the same type of story like the county sheriff meeting the feds in its town. He may know he has a problem but he will be more happy to see these suits outta there ASAP and leave people solve its own problems. The same goes to most companies. They will not invite feds because they fear publicity. They will not invite them because they prefer to leave the mess for themselves, instead of having some "outsiders" sniffing all around and giving too many questions.

Not long ago I was in such situation. I came in in a "no publicity, no scandals, all confidential, internal and top secret" agreement. However, some guys didn't calm down until they smoked me outta the company. According to my recent data, they keep living exactly the same way as they did. While they fill their pockets, they don't care for shareholders, clients, partners or concurrents. And frankly it seems that their shareholders don't worry either.

Identity crisis

[KjetilK]

*Raises hand*

Oh well, that battle is really lost. OK, I realize that. Language has evolved beyond reach and we can't possibly managed to do all the education to revert it.

But what should I call myself? Or rather, what should people call me when they want to pat my back for something cool I did on the computer? I mean, everybody likes that, and we all need that, don't we?

Computer professional? Nah, I can't even accurately describe a Turing machine. I have merely basic training in computer science, on a "tools" level.

Computer hobbyist? I can do a lot more than most people, I can learn things fast, and I'm trained enough to point out flaws in the things many computer professionals do, including really good ones. Besides, I'm getting paid for it, even though the job market isn't that good.

Geek or nerd? Well, yeah, I guess I am, in some respects, certainly, but it doesn't really describe what I do accurately.

Well, many people gets a real identity crisis from this...

Re:Identity crisis

[Tony-A]

Oh well, that battle is really lost.
I don't think so. You need to take a bit of care where and to whom you use the term "hacker", but nothing else captures the meaning. The media is a lost cause, but this is because they have no concept that anyone playing around with a system could be up to anything other than mischief. The media also has a hard time with the idea of scientific curiosity in any field.

Face our accusers

[ACNeal]

Don't we have a right to face our accusers?

This sounds like it is either:

a) a lie carefully crafted to get cooperation from large multi-nationals that would otherwise probably eat the loss to not lose face, or

b) a new scheme by the government to set up little fat guys they don't want around. If you don't know what systems were violated, it would be that much more difficult to prove you didn't and the volumes of data that the prosecuter is going to try to confuse the jury with is fake.

Just what we need

If companies don`t come forward about when and how their systems where compromised, how do phb`s learn that security is not something you get free with a purchase of a couple of mcafee "products". They will still think:

• 1 very expensive firewall thingy [check]
• A virus scanner on ever system [check]
• Very, very expensive audit by a security group with tight conections with a security product vendor.... perhaps next week

The firewall makes sure nothing bad heapons to the network (all bad stuff comes from the outside you see), the scanner keeps all malware away... who need an audit anyway. no need to make some simple preparations in case of a compromise, we just put the backups back and never look at it again. Who would wanna target us anyway

How will people learn about compromised banks? This way every script kidie will be laughing with its friens on irc about holes but how will the public learn about them and more improtand how will they know banks work on them?

Why not keep the trials of crackers secret to, they are all terrorists anyway! what do you mean white hat proving holes after being ignored or greenpeace hacktivist looking for proof of bad environmental behaviour? Hey while we are at it, let make sure we get the crackers from overseas as well (or perhaps only the little ones who still fall for "job interview" offers)

I feel more safe alread, well, I am off to get the nimda atacks out of my logs even after their trail microsoft still takes tree times to get their act together (think iis dotdot bug), seeing how the .NET api still has no compbilities/mandatory acces controll, perhaps their next attempt will be better. Meanwhile paladium might offer hardware crypto and "tamper proof" key storage at no extra cost to the linux crowd ;-)

Missing the point

[sabNetwork]

It seems that many of the posters have missed the entire point of the article...

The FBI is not trying to hide anything from the cracker or the victim. That wouldn't do a lot of good.
The point is to NOT PUBLICIZE every event that a company's network has been hacked. Not only is this embarrassing for the company, but it attracts unwanted attention from press, ignorant investors, and aspiring crackers.

I'm sure that all the script kiddies read the news about, say, Yahoo! getting hacked, and think, "Hey, maybe defacing a company's website isn't as hard as I thought!" This is one of the many issues with publicizing a major hack.

I completely agree with the actions of the FBI concerning this issue.

Until now, dork

Way to go.

Hothouse Flowers

[crucini]

Criminalizing hacking is probably a mistake. It's a natural impulse to explore networks and work past barriers. It's no coincidence that the word "hacking" describes both creative programming and "malicious" network connections. They both stem from the impulse to explore systems.

The Government is now voicing concern about our "National Information Infrastructure" and its vulnerability. Passing tough laws and increasing enforcement is exactly the worst thing we could do for that cause. It will merely grow "hothouse flowers" - vulnerable networks that will not be probed by ordinary people (because they're scared) and will remain vulnerable for cyber-terrorists or organized crime.

Indulging the weakness of our corporate information security will be a never-ending spiral. Instead we should drag these hothouse flowers out into the real world and let natural selection take its course. In fact, the government could help most by offering bounties to people who hack into important facilities. Of course these bounties would be added to the tax bill of the corporation responsible for the security weakness. If most of the malicious hackers were reporting to the government, there'd be no way for "victims" to hide the incidents, and they could be publicized so customers and shareholders can react appropriately. That's how free markets are supposed to work - people buy and sell based on information.

Small scale hackers and script kiddies are like the constant barrage of viruses that keeps our immune systems on their toes. If we manage to scare them all away, we become the "boy in the bubble".

Re:Hothouse Flowers

[TC+(WC)]

I'm not quite sure how this could be considered insightful... The post completely ignores actual abuse. There's no way to completely secure a system short of making it entirely useless. While one can quite legitimately explore a network and report vulnerabilities to the proper authorities, there are also people who do it with the intent to cause damage. One should not be able to hack into someone's system using any means necessary and then get money from the government. That would be like getting people to break into stores and then paying them off at the expense of the people who got broken into.

Re:Hothouse Flowers

[crucini]

There's no way to completely secure a system short of making it entirely useless.

Granting that for the sake of argument, what's the most effective way to increase security? I'd say, ensure that a talented adversarial force is constantly looking for holes in the security. Since that force already exists, why not try to harness it?

While one can quite legitimately explore a network and report vulnerabilities to the proper authorities...

Just to be clear, one cannot legally do that under current law. In fact, an Oklahoma techie was charged under a wire fraud statute after demonstrating weaknesses in a customer's security to FBI agents.

That would be like getting people to break into stores and then paying them off at the expense of the people who got broken into.

Here are some differences:

1. The Government has articulated a national interest in the "National Information Infrastructure". In other words, keeping an insecure server on the internet contributes to the potential impact of a cyber-terrorist attack. Failing to adequately secure a store does not threaten US national security. Therefore, it makes sense to test the security of Internet hosts and penalize those who maintain insecure hosts.
   
2. Due to the global nature of the Internet, and the replayable nature of computer exploits, every Internet host is subject to best-of-breed attacks initiated from anywhere on the globe, including info-warfare units of hostile countries. In contrast, a retail store is physically vulnerable only to people who live nearby or make a special journey to reach it. Attacks are generally not replayable - skill and risk are required for each attack. To be concrete, a security flaw in IIS resulted in Code Red rapidly swarming across the internet. It could have been much worse. However, the fact that most retail stores can be broken into by throwing a cinder block through the plate glass will probably not be utilized by a US adversary. It's not high-leverage enough.
   
3. Computers are much more likely to be used as bases for further attacks than are retail stores. Therefore the negligence of maintaing an insecure Internet host is much more harmful to the community than the negligence of maintaining an insecure retail store.
   
4. Physical barriers merely present a known time delay to best-of-breed attacks. In other words, you don't need a flaw in a physical barrier in order to break it; you just apply an appropriate attack for a known period of time and the barrier is defeated.
   The barrier should be chosen so that its penetration time exceeds the response time of responding personnel. To increase the penetration time, the barrier must generally be more expensive. Therefore, selection of such barriers is a tradeoff between penetration time and cost.
   Internet host security is completely different. There is generally no such thing as penetration time; almost any conceivable attack is either a) nearly instantaneous or b) impossible in a realistic time frame. If someone breaks into an Internet host, it's not because the owner skimped on the armor plating. It's because there is an actual logical flaw in some of the code running on that host. (Taking code to include relevant configuration files.) If it's "new" flaw, we the public need to find out ASAP, because the "bad guys" may already know. If it's an old flaw, the owner of that computer is negligent.
   

PS: This post made Lynx coredump. Fortunately I found the post in the core file and pasted it into Netscape.

Re:Hey poopbot! DynaTroll 0wn3rz j00!!!

I think you broke my monitor.

what?

[kylecito]

aren't they IBM executives?

true, unless....

[commodoresloat]

you're an immigrant charged with a crime with "national security" implications.

Re:true, unless....

Or even an american that was caught overseas in a country that america is attacking:)
(Walker)

good point

[commodoresloat]

The SEC is pretty clear that a company must report significant losses to stockholders. If a company is hacked and has millions of dollars in damages, aren't they committing a crime by not reporting that to their stockholders? (reminds me of the Mitnick trial).

Note Title and storyline...

[El+Camino+SS]

Alright /. decide on the terms.

Are we talking about hacking or cracking?

The title talks about hacking crimes, and then uses cracking in the paragraph. So please /. decide on the style guide so we know what we are talking about.

Interesting...

[hateddamntruth]

How the government seems much more interested in protecting the rights of corporations than those of the common people.

On the contrary...

[mangu]

If no one takes notice that holes exist, then a lot less development will be done to plug holes. What makes people more careful about security is precisely the insight that, if even "MEGAXYZ Corp" is vulnerable, then we are vulnerable as well.

Even more worrisome is the mention in the article that they want to make hacking details exempt from the freedom of information act. This is a small, but very significant, step towards a fascist police state. With the overall prevalence of computers in society today, anyone would be liable to be called a "hacker", and prosecuted secretly.

Wouldn't it be easier...

If the just returned the calls from people who report computer crimes. Every time I've tried to report a porblem to the FBI in San Jose or San Francisco I get no callbacks. No returned email. Nothing. If I report the same problems in Dallas (our corporate headquarters) I get lots of help, until they discover the computer is in San Jose. At which point they transfer the case to San Jose and the folks in San Jose "lose the paperwork."
I don't think the FBI is serious about tracking computer crime. If they can't even return calls placed to their Silicon Valley offices.

Clarification of "victims"

[phorm]

It's important for us to realize that you have certain concerns as victim companies that we have to acknowledge," FBI (news - web sites) Director Robert Mueller said. He promised, for example, that FBI agents called to investigate hacking crimes will arrive at offices discretely without wearing official jackets with "FBI" emblazoned on them

In other words, they are probably coming in "discreetly" to investigate the company that is hacked, not the hackers. Having a hoard of FBI agents mulling around your office is not the best publicity, worse at times than being hacked and having "J00 R 0WZ3R3D, PAY ME $1000000" tagged on to one's webpage...

Having your webpage hacked, people know you have a security issue. Having the FBI swarm your office, people imagine for themselves what you have done to have them there. Anyone care to guess which is worse?

When keeping a secret, make sure others do not even know you are keeping a secret, lest their own imaginations persue a worse scenario than reality - phorm

More business friendly legislation

[gad_zuki!]

at the cost of consumers of course.

>along with any sensitive corporate disclosures that could prove embarrassing.

Embarrassing? I'm sorry, but if my bank has an incompetent IT department, uses crappy software, has a poor security policy, etc then I should find about it in the paper alongside the police blotter which lists every drunk, domestic fight, and pot possession in the county.

The meat packing industry is the same way. They can recall tons of dangerous product without telling the press who the meat was sent out to. For instance it was all sent to McDonalds or Subway then those companies have the choice to tell you. Your safety, and life in some cases, is second to their PR.

Government is supposed to protect all interests without giving in to one side. Sadly, those with the resources get what they want and there isn't even a popular opposition party to call BS on laws like this.

Oh yes, a VALID view

[erroneus]

At first, I was thinking in terms of a "rape victim's" perspective. Yes, it's "damaging to your reputation" to be seen as weak, vulnerable and insecure, but then again, this is PUBLIC INTEREST not PRIVATE INTEREST.

People who are considering their position as share holder deserve to know the state of the company they own a share in. People who are considering buying into the a company deserve access to the information about what they're buying. As far as I'm concerned, it's a consumer right!

Corporate secrecy and other shenanigans has been what has led to many of the problems our economy is suffering now.

Another poster had another view from the perspective of the "accused" which I also feel for. It's the leverage of a plea. If a person is merely suspected, presenting proof isn't required? I'm sorry, but no! It's 100% necessary so that a person can adequately and fairly defend himself if unjustly accused. The only thing resenbling "fair" is when the accused is actually guilty and actually knows what he did... and even then the accused can't know for sure.

This idea places too much balance in favor of government law enforcement and corporate interests and is completely against "the people." This shouldn't be happening.

Re:Oh yes, a VALID view

[doug363]

What you've said about companies being accountable to their shareholders and the public in general is very true for publically traded companies, but most smaller companies (and some larger ones too) are privately owned. In other words, there's no need to publically disclose any information about their financial situation, as there's no way that Joe Random Citizen could buy shares if he wanted to. The company doesn't necessarily have a right to privacy, but they are not obliged to disclose information in the same way as publically traded companies.

Of course, if the accused isn't even told exactly what they're accused of, then that's reason enough to reject the idea.

This is smart... really smart

[bruns]

And hiding hacks like this is a good reason why? Because a company was too stupid to protect their own systems well enough? Didn't want to spend the money to hire a security expert to help them get it right? I have no remorse for companies who are too cheap.

Anyway, did anyone bother to notice that I was arrested and spent 5 months in jail on false hacking charges even though the charges were eventually dropped?

Probably not - this is what happens when you allow people to cover up incidents. Someone innocent gets caught in the crossfire and they get railroaded (like me). Its too easy to run around these days screaming HACKER HACKER HACKER so you can cover up your own stupidity/illegal actions/whatever.

(yes, I was set up. I was probably - almost guaranteed to have been - set up to keep me from talking about the illegal actions of my former employer, but I'll never know)

Culpability

[StikyPad]

From the article:

"Companies that worry too much about public response underestimate the public's ability to assess the situation with some sophistication," [the FBI spokesman] said. "If a bank robber sticks a gun in a teller's face, the public is not confused about who's fault that is."

What about companies that provide little to no protection to their networks? Is that still the same as a robber sticking a gun in a teller's face, or would that be more akin to say, someone walking into the bank, into the unlocked vault, and walking out with everyone's valuables? And can the public still asses the difference with any level of sophistication?

Hacking is a crime???

[Pig+Hogger]

Since when hacking is a crime? It's ***CRACKING*** that's the crime!!!

i want to know!

[seriousness]

just a thought, but if my bank gets hacked, i want to know about it....so i can never go back there. (well, after i've got my money out...) companies should be punished for not employing good enough security. any, if that means that everyone gets to know about it, then that's that. harumph.

The FBI Doesn't Usually Wear Those Clothes

[Master+of+Transhuman]

They don't wander around in black jackets with "FBI" emblazoned on them... That's only for raids or forensic work where their suits might get dirty...

They were suits like every other button-down asshole...

Of course, nowadays, with "office casual" they still stand out...

Banks and perception of security.

At least in Sweden, some of the companies getting cracked were banks. Image is more important. It's nicer for the 40+ crowd to hear that the bank is 'taking steps to improve service' rather than that they are recovering from an electronic intrusion or that a few accounts got cleaned out.

In business it's not whether you can do the job or even can do the job, but whether your customers believe that you do.

In The News

[Associate]

In a joint task force headed by the FBI, members of the FBI, DEA, BATF, SBI, NAACP, NCAA, PFJ, NAARP as well as other State and local officials decended on a home in the rural part of the county in the early morning hours. Taken into custody was one Kenny Smith (18) and another minor living at the residence. They are being held at an undisclosed location in connection with the hacking of several high school computer networks.

Last Post!

[alpg]

The boss returned from lunch in a good mood and called the whole staff
in to listen to a couple of jokes he had picked up. Everybody but one girl
laughed uproariously. "What's the matter?" grumbled the boss. "Haven't you
got a sense of humor?"
"I don't have to laugh," she said. "I'm leaving Friday anyway.

- this post brought to you by the Automated Last Post Generator...