Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacking Crime Victims to Remain Secret

Posted by CowboyNeal on from the security-through-obscurity dept.

outlier writes "The AP is reporting that federal law enforcement agencies are offering to keep the names of companies that have been victims of major cracking crimes secret. The goal is to encourage victims to come forward, so that the government can 'prosecute cases while at the same time achieving the kinds of protection and addressing the concern that the business community rightly has.'" My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

13 of 179 comments (clear)

  1. Same as here :) by adilsonoliveira · · Score: 5, Interesting

    We do have in Brazil a police force specialized on internet crimes but sisnce the majority of the attack victims are off-shore, it's kind difficult to track down the crackers.

    --
    Faith can move mountains. I prefer dynamite.
  2. this is good by prichardson · · Score: 5, Interesting

    This is good because I beleive then that a lot more companies will come forward with hacking tales, more development will be done to plug holes, more people will be able to talk about hacking, more people will be aware of the dangers, more people will become educated about hacking and virueses and the like, and we will have fewer "I cant find the any key" tech support calls and fewer viruses propagating like mad.

    --
    Help I'm a rock.
    1. Re:this is good by Anonymous Coward · · Score: 1, Interesting

      Yes, really good - how many false accusations are we going to see now that the identity of the 'victim' will not be made public.

      Why not go all the way and dispense with trials altogether.

    2. Re:this is good by Daniel+Dvorkin · · Score: 5, Interesting

      RTFA yourself. The accused retains the right to face his accuser -- if the case goes to trial. But as I understand it, a defendant could be pressured to accept a plea agreement without being informed of whom he'd allegedly hacked or what the hacking allegedly consisted of. I think the scenario goes something like this:

      Defendant [angry]: "But who'd I hack? What did I do?"

      Cop [toneless]: "You don't get that information until you go to trial."

      D [self-righteous]: "Okay, then I'll go to trial."

      C [smirking]: "You sure about that? See, if you go to trial, and you lose, you go to prison. And I hear skinny little geek boys like you are reeeaaal popular in prison ..."

      D [defeated]: "And what if I take the plea bargain?"

      C [toneless]: "$100,000 fine, confiscation of all your computer equipment, and a court order preventing you from being gainfully employed in the computer industry for ten years."

      D [outraged]: "You people want to ruin my life!"

      C [smirking again]: "Okay, we'll see what your cellmate Bubba the Axe Murderer says about that ..."

      D [barely audible]: "I'll take the plea bargain."

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    3. Re:this is good by Daniel+Dvorkin · · Score: 3, Interesting

      Have you been paying attention to the way suspects in the "War on Terrorism" are being treated? US citizens are being held indefinitely, right now, without access to an attorney, without being fully informed of the charges against them, and without any opportunity to face their accusers. This policy change is a major step toward weakening the protections of the rights of the accused so that hacking suspects can be treated the same way.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  3. FBI discretion by Triple+Helix · · Score: 4, Interesting

    My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

    In my experience, the FBI can be extremely discrete when they want to be. I work for a company that provided some important information to the FBI after September 11 last year. There would on occasion be two or three agents in our office, who always showed up driving an unmarked car, and wore casual attire. Most of the people in our office had no idea the FBI was even present.

  4. Right to face one's accuser...easy out at court by Nonac · · Score: 5, Interesting
    This steps all over your right to confront your accuser. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

    The article says this isn't an issue because most hacking computer-crime investigations end in a plea deal, but how willing will suspects be to plea if they know they have an out at trial?

    1. Re:Right to face one's accuser...easy out at court by incog8723 · · Score: 5, Interesting

      This steps all over your right to confront your accuser [cornell.edu]. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

      This is true. However:

      1) Most people who get slapped with a FEDERAL charge (which is a lot different than a state charge), don't have the money to retain an attorney (on the order of at least $10,000 dollars, and that's not even to go to trial--more like 20,000 if you plead not guilty).

      2) The feds won't even press charges unless they KNOW they can convict you, and unless they KNOW you won't win. I was convicted of a federal crime, and it wasn't even a big time thing. However, the mountain of evidence that my public defender showed me was about a FOOT high (paper, mind you), and that's not counting the wiretap evidence.

      3) The way the plea bargaining system works in federal court is that the Federal prosecutor ALWAYS tacks on extra charges. This is so that some can be removed if the defendant wants to plea.

      4) The stress involved from being charged with a federal crime *almost* always dictates that the defendant will plead guilty, because of [1], and [2]. Federal sentencing guidelines DICTATE that if there is a mountain of evidence against you, and you try to FIGHT it and LOSE, then you will get a HELL of a lot more time in prison than if you just plead guilty in the first place.

      Just my experience.

  5. Mixed feelings. by JKConsult · · Score: 3, Interesting
    On one hand, I perfectly respect the need for anonymous reporting for publicly traded companies and/or companies that spend an appropriate amount on network security. It obviously can be very damaging to their reputations if they happen to be on the front end of the vulnerability cycle and get hit before the exploit has been disseminated to the masses. The average stockholder doesn't recognize that sometimes shit happens, and perfect network security is a pipe-dream (especially if those same stockholders want costs cut, meaning the infosec department is running on a shoestring.)

    However, in the case of companies that don't spend an appropriate amount on infosec, fear of public knowledge of their lack of security is often the only impetus to spend any money at all. Case in point: as the only "computer guy" (read:webmaster) at work, any problems with systems, be they internal or external, get blamed on me. I've fought tooth and nail for training (nope), a new network architecture (confidential documents, including employee data and customer financials, are stored on a Win2k box that has no firewall, no A/V, nothing), even just the ability to install freeware solutions (fuck spending an appropriate amount of money, just let me spend some time, please) have all gone by the wayside. The only time I can get approval for anything is when I lay out specific scenarios of stolen data being released publicly and the ensuing customer backlash over the lack of security. Without that hammer, I've got nothing. And since the only infosec experience I have is that which I can get for free, on my own time, I need all the hammers I can get.

  6. Re:yep by mitchell_pgh · · Score: 5, Interesting

    Unfortunately, this is a serious issue. If your position at an online banking environment is "Director of Network Security" and you are hacked for say $5,000 and you plug the security vulnerability, the only people that know are you, your boss, and perhaps some people from the accounting department. Is the negative PR you will receive over the hack to your "secure" system worth $5,000?

    If you lost one account over this hack, it wouldn't be worth it. I think the FBI is trying to inform the public that they understand "HI!, We are from the FBI. We are here regarding the security breach of your trusted online banking system" isn't acceptable in every situation.

  7. More Oppfortunity For Hacker by limekiller4 · · Score: 5, Interesting

    This is of marginal value because while it may keep things under wraps while the hack is occurring, if the hacker is caught (the goal, after all), then they have the right (in the U.S. at least) to face their accusers. Barring a rather broad-sweeping gag order, the press will get wind of it. And given that the bait here is for the company to remain anonymous permanently so users of that company to not lose trust in that company, this is of dubious value.

    Plus, IF the hacker (remember a lot of jobs are done from the inside) catches wind that the FBI has been contacted and is being asked to be discrete, this is a new weapon. They now know that they have brand new button to push that the company would, for whatever reason, really not want pushed.

    Just a thought.

    --
    My .02,
    Limekiller
  8. Is hacking now worse than rape and murder? by FearUncertaintyDoubt · · Score: 5, Interesting
    Often rape victims are reluctant to come forward, yet their name has to become public information if they want to see their rapist convicted. And news media love to provide pictures and information about victims of grisly murders. The only exception that is normally made is when the victim is a child. AFAIK, it's pretty much accepted that you can't make victims of these crimes a secret (and still prosecute the offenders), no matter how much people would want such a thing.

    So is this saying that hacking is even more humiliating, more personally damaging, more vicious than rape or murder (or any number of other violent and cruel acts) -- so much so that we have to shield its victims from any public knowledge of their being victims? Or maybe are we saying that corporations get whatever they want from our justice system? (*cough* Microsoft penalty judgement *cough*)

  9. Re:yep by karlm · · Score: 5, Interesting
    I think it's often a grey issue. It's "Gee.. I found a hole in your site.. I can do the whole full disclosure thing, or you can hire me as a security consultant. Your call."

    You're right in that it's stupid to pay script kiddies to un-deface sites, and Idon't think anyone does that.

    I think it's most often extortion in the form of "security consulting fees" for unsolicited "security audits". Occasionally it's "We have your entire credit card databasebase and all of your loyal customers will never trust you again if we post them to usenet, so pay up." I heard ofsomeone trying to do this to a Minnesota comapny maybe 3 years ago, but the company basically said "screw you" and went to the FBI. Nobody knows how oftn companies pay up... It's like estimating the percentage of unreported rapes. It's just data that you don't ahve and isreally hard to estimate.

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.