Hacking Crime Victims to Remain Secret

outlier writes "The AP is reporting that federal law enforcement agencies are offering to keep the names of companies that have been victims of major cracking crimes secret. The goal is to encourage victims to come forward, so that the government can 'prosecute cases while at the same time achieving the kinds of protection and addressing the concern that the business community rightly has.'" My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

Same as here :)

[adilsonoliveira]

We do have in Brazil a police force specialized on internet crimes but sisnce the majority of the attack victims are off-shore, it's kind difficult to track down the crackers.

How is this news?

Companies that get hacked are, of course, only interested in recovering and getting back to their core competency. Nobody hsa time for forensics or any other bullshit, unless they've got an export control box hacked or we're talking classified data, in which case legislation dictates that more measures are required.

this is good

[prichardson]

This is good because I beleive then that a lot more companies will come forward with hacking tales, more development will be done to plug holes, more people will be able to talk about hacking, more people will be aware of the dangers, more people will become educated about hacking and virueses and the like, and we will have fewer "I cant find the any key" tech support calls and fewer viruses propagating like mad.

Re:this is good

[vicviper]

RTFA

The accused will retian thier 'right to face their accusers'. Many of these types of cases are settled such that the criminal aggrees not to name his target.

Re:this is good

[Daniel+Dvorkin]

RTFA yourself. The accused retains the right to face his accuser -- if the case goes to trial. But as I understand it, a defendant could be pressured to accept a plea agreement without being informed of whom he'd allegedly hacked or what the hacking allegedly consisted of. I think the scenario goes something like this:

Defendant [angry]: "But who'd I hack? What did I do?"

Cop [toneless]: "You don't get that information until you go to trial."

D [self-righteous]: "Okay, then I'll go to trial."

C [smirking]: "You sure about that? See, if you go to trial, and you lose, you go to prison. And I hear skinny little geek boys like you are reeeaaal popular in prison ..."

D [defeated]: "And what if I take the plea bargain?"

C [toneless]: "$100,000 fine, confiscation of all your computer equipment, and a court order preventing you from being gainfully employed in the computer industry for ten years."

D [outraged]: "You people want to ruin my life!"

C [smirking again]: "Okay, we'll see what your cellmate Bubba the Axe Murderer says about that ..."

D [barely audible]: "I'll take the plea bargain."

Re:this is good

[vicviper]

What makes you think that a defendant can't be pressured *right now* to admit to any variety of crimes with out knowing his/her accuser? The article makes no claim that identity of the victom will be withheld until trial. From the article:

Another U.S. attorney, Roscoe Howard of the District of Columbia, said the Constitution requires that a criminal defendant be permitted to face the accuser at trial, but he noted that many computer-crime investigations culminate with a plea agreement, where the names of victim companies can be kept secret.

The article deals with the relationship between the victim corperation and the public. The idea here is that companies can come forward with knowledge that the govt. is sensitive to their concerns about public reaction to this type of crime.

Now with all this said, if you are accused of anything and plea guilty to some crime without knowing who you are accused of victimizing, I have no sympathy for you (or your brainded lawyer... you did ask for an attorney, right?)

Re:this is good

[Daniel+Dvorkin]

Have you been paying attention to the way suspects in the "War on Terrorism" are being treated? US citizens are being held indefinitely, right now, without access to an attorney, without being fully informed of the charges against them, and without any opportunity to face their accusers. This policy change is a major step toward weakening the protections of the rights of the accused so that hacking suspects can be treated the same way.

Re:this is good

[vicviper]

I cannot make the large leap in association between encouraging victims to come forward and crushing constitutional rights when there is no evidence of such in this case. This is about the public perception of the victims, and your slipperly slope doesn't come close to applying here.

Re:this is good

[killmenow]

I do not find his position alramist or "slippery" at all. A LOT of civil liberties in America have been usurped since Bush declared war (oddly though, I thought only congress could do that) on terrorism. This is FACT, not fiction or a statement made without evidence. As an example: It used to be that in order to get a wiretap, a JUDGE had to grant it and there had to be reasonable cause. Now, any state's attorney can grant one without a shred of any evidence required to prove WHY it's needed.

I do not think it unreasonable to assume our (s)elected president and his posse^H^H^H^H^Hcabinet might consider cracking a form of terrorism.

It takes little for a cracker to then be labeled as an "enemy combatant" and all this stuff to play out in closed military tribunals.

No constitution will stop The Whitehouse of Evil!

Re:this is good

[iabervon]

Generally, if you're pleading guilty, you'd be presumed to know who accused you, since you presumably know who you attacked. In fact, you're only supposed to plead guilty if you actually committed the crime (if you didn't do it but think you'd be convicted anyway, you plead no contest), so your guilty plea is unlikely to be accepted unless you at least know the identity of the victem. On the other hand, you don't necessarily get to face your accuser, which would reveal the identity of the accuser to other people who aren't presumed to already know (such as the jury and spectators) and potentially be hard on the victem (who might prefer to think of the hacker as a criminal rather than some scruffy kid).

Re:this is good

[m0rph3us0]

This is bullshit, I only agree with this if the perpetrator is given the same conditions of anonimity, imagine sitting in a court room and being told that some unknown financial institution is accuseing you of breaking into their systems yet you cannot question them. This is on the same level of bullshit as the US trying to convict people of terrorism charges and not releaseing the evidence on grounds of nation security, they should really make up their fucking mind, either terrorist are "enemy combatants" and should be treated under the Geneva convention, or they should be regarded as terrorists and given the rights ordinary citizens have. If you call them enenmy combatants you cant charge them with terrorism laws because then they are fighting a war and in war you blow the shit out of the enemy.

Favorite Part

[bdesham]

My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

Why is that? Because it's spelled wrong?

;)

Re:Favorite Part

[meringuoid]

My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

Why is that? Because it's spelled wrong?

Well, more because an amorphous mass of FBI-flesh writhing obscenely and pulsating as it flows in a continuous stream through your office door can sometimes be distressing. The new method of FBI agents arriving as discrete individuals is far more friendly.

Re:Favorite Part

[ReelOddeeo]

My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

Why is that? Because it's spelled wrong?

No, because it means no black helicopters circling.

Agents will arrive discretely? Great!

[seldolivaw]

You mean they used to arrive all lumped together? No wonder people got upset!

Learn to spell, guys...

Re:Agents will arrive discretely? Great!

Well, it beats having them arrive continuously.

Re:Agents will arrive discretely? Great!

[bdesham]

Though the poster should have added a [sic] or something to avoid responses like this.

Sorry, but the /. editors have to know how to spell in the first place before they start correcting others' mistakes, and, well... look at them...

Re:Agents will arrive discretely? Great!

[seldolivaw]

I bow down to the greater pedant :-)

Re:Agents will arrive discretely? Great!

[Myco]

Hypocrisy does not invalidate a point. Besides, "discrete"/"discreet" is a particularly geek-friendly flub to make fun of.

FBI! THIS is a BUST

No...
THIS (o)(o)
is a bust

-Fedreral Breast Infect0rz

So...

[Pig+Hogger]

FBIs agents will have to undergo exterminator discretion training????

And snail-mail correspondance will arrive in plain brown wrappers????

Men in Black!

[Black+Parrot]

> My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

The guys in black trenchcoats? Uh, those are our network consultants. Yeah, network consultants.

Re:Men in Black!

[The+Dobber]

No, SEC investigators

Re:Men in Black!

[Reziac]

No, no, no. Everyone knows network consultants wear *yellow* trenchcoats!!

Protect the hackers, too!

[Devil's+BSD]

Maybe the courts should just start calling the parties H4X0R and H4X0R3D...

yep

[Sacarino]

Nothing beats security through denial.

"Uh, I wasn't hacked, nope. Must have been Corporation X."

And WTF is this?
Government efforts to tighten Internet security and investigate online attacks have long been hampered by reluctance from companies to admit they were victims, even in cases where executives quietly paid thousands of dollars in extortion to hackers.

Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

Re:yep

[FreeLinux]

Government efforts to tighten Internet security and investigate online attacks have long been hampered by reluctance from companies to admit they were victims, even in cases where executives quietly paid thousands of dollars in extortion to hackers.

Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

True dat. This little gem is popping up more and more frequently. It is utter BS but, as more people hear it in more places they will accept it as fact. It is total BS!! NO corporation is paying extortion money to hackers. Unless they are counting the dollars wasted on "Security Consultants".

Re:yep

[vicviper]

Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

Prove it? Who's going to admit to it? The companies want to stay out of the spotlight, remember?

Re:yep

[mitchell_pgh]

Unfortunately, this is a serious issue. If your position at an online banking environment is "Director of Network Security" and you are hacked for say $5,000 and you plug the security vulnerability, the only people that know are you, your boss, and perhaps some people from the accounting department. Is the negative PR you will receive over the hack to your "secure" system worth $5,000?

If you lost one account over this hack, it wouldn't be worth it. I think the FBI is trying to inform the public that they understand "HI!, We are from the FBI. We are here regarding the security breach of your trusted online banking system" isn't acceptable in every situation.

Re:yep

[karlm]

I think it's often a grey issue. It's "Gee.. I found a hole in your site.. I can do the whole full disclosure thing, or you can hire me as a security consultant. Your call."

You're right in that it's stupid to pay script kiddies to un-deface sites, and Idon't think anyone does that.

I think it's most often extortion in the form of "security consulting fees" for unsolicited "security audits". Occasionally it's "We have your entire credit card databasebase and all of your loyal customers will never trust you again if we post them to usenet, so pay up." I heard ofsomeone trying to do this to a Minnesota comapny maybe 3 years ago, but the company basically said "screw you" and went to the FBI. Nobody knows how oftn companies pay up... It's like estimating the percentage of unreported rapes. It's just data that you don't ahve and isreally hard to estimate.

Re:yep

[Rasta+Prefect]

Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

While I'm not up for offering proof, I'm thinking a slightly more plausible scenario would be "Oh, Mr. CIO....I've got this database of customer information, some of it quite sensitive. Would you like to give me some money, or would you like me to publish it (and where I got it) all over the Internet? That would do wonders for your customer relations, wouldn't it?"

Re:yep

[commodoresloat]

It's just data that you don't ahve and isreally hard to estimate.

Same with the number of invisible gay werewolves in Omaha, Nebraska - it's data you don't have, so you can't estimate it. Is there any evidence at all that this kind of extortion has ever been successful? I understand the security fees scenario, but I find it hard to believe that any company would hire someone who just hacked their network and threatened to break things or otherwise cause illegal damage. Do you want such a person on your staff? But if all they're doing is saying "Do you know your network is vulnerable to exploit X, our company can help you for a modest fee," then I'm not sure this belongs in the category of extortion.

Bad Idea

[hrieke]

This is bad, wrong, and just brain dead.
If the company can't keep it's information secure, why should I own any of that company's stock then?

Information crimes should be treated the same way as a real robbery (just we have a smarter crook to deal with).

This is on the same level has cooked books IMHO.

Re:Bad Idea

[vicviper]

The analogy in the article with a teller and a bank applies here. The idea is to encourage victims to step forward so law enforcement can catch the bad guys. The point here is that either way, as a stock holder you wouldn't know that security was comprimised(at least the company isn't going to publish the info), but if ACME Co. can have some assurances that their name won't be in the headlines the next day, they may be more willing to come forward.

Well done

[Kragg]

This is an excellent idea. The amount of information that disappears down a black hole due to copmanies keeping quiet must be gigantic.

A good idea from the FBI..? Next thing you know, the CIA will start acting intelligently and the government will start governing...

Re:Well done

[kenthorvath]

You wanted the black hole? Here it is:

He cited congressional efforts, supported by the Bush administration, to exempt from the Freedom of Information Act any details that companies might disclose to the proposed Department of Homeland Security about vulnerabilities in their operations. He said amending the law could be helpful "in case there is a concern that reports of hacks or intrusions in federal records might find their way into the hands of those who would use that information against us."

This scares me....

How is secret victims going to work?

[The+Creator]

them: "Someone has testified against you, we wont tell you who it is, and we can't tell you what they said either".
you: "Umh ok".

Re:How is secret victims going to work?

[vicviper]

RTFA, this is not remvoing the rights of the accused at trial. Rather, it's probably more like gagging the criminal after a deal has been struck while at the same time law enforcement doing their best to keep the company's name out of the public.

Re:Jargon File

[mumblestheclown]

How is it possible for a word to be used wrongly? Communication happens when one party talks and the other understands the message. The correct picture has gone from the party that sent the message to the party (readers) receiving it. I venture to say that more people will have understood the article if it said "hackers" instead of "crackers."

I think those who pray to a talmudic god of vocabulary need to understand that language is a living thing.

Is this a good thing?

[skaffen42]

I agree that confidentiality is important in some crimes. For example a woman who has been raped shouldn't have to have her name splashed on the front page.

But... if my bank or credit card company has a habit of getting hacked (ie. lax securtity) I figure I have a right to know about it.

Just my $.02.

Re:Is this a good thing?

[BlueUnderwear]

In a case of mere theft, the bank would indeed (probably) reimburse you, they are not paypal after all ;-)

However, there are more things that a hacker could do than just stealing the money from your account. He could for instance reveal the data to the tax administration, and you could possibly get into lots of trouble over this.

Maybe not a big concern in the US, where the IRS has access to this information anyways, but here in Europe, this is a big issue: many countries' tax administration would pay huge amounts to get at customer lists of banks of neighboring countries, just to check that their own citizens don't have any secret stashes of dough there.

Double sceret arrest

[banzai51]

Hi. We're from the FBI. You're under arrest for hacking. We cannot disclose what you did or who you hacked. Just jump into our jail.

a bit hard for defaced web sites but..

[SystematicPsycho]

There must be a dozen or so sites in each country that take a list of recentltly defaced web sites, I guess this isn't as severe as screwing up millions of credit card numbers.

Shouldn't the consumer be aware if someone who they gave there credit card details has been hacked and now they are exposed? It comes down to, if your a victim, you want to know.

Ahhh Security through Obsurity!

[Cytlid]

Isn't this sort of like the family who's teenage daughter gets pregnant and they don't want anyone to know because "what will the neighbors say?!?!"?

FBI discretion

[Triple+Helix]

My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

In my experience, the FBI can be extremely discrete when they want to be. I work for a company that provided some important information to the FBI after September 11 last year. There would on occasion be two or three agents in our office, who always showed up driving an unmarked car, and wore casual attire. Most of the people in our office had no idea the FBI was even present.

Right to face one's accuser...easy out at court

[Nonac]

This steps all over your right to confront your accuser. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

The article says this isn't an issue because most hacking computer-crime investigations end in a plea deal, but how willing will suspects be to plea if they know they have an out at trial?

Re:Right to face one's accuser...easy out at court

[theBraindonor]

Come one... We know the FBI isn't only concernced about convicting hackers in court when companies come forward. They want companies to responsibly help the FBI find hackers. Sure, the hackers won't be prosecuted for that individual crime. Instead, they'll have the FBI looking into every aspect of their lives. Let's face it. Most individuals that hack into company systems do it more than once.

Re:Right to face one's accuser...easy out at court

[vicviper]

This steps all over your right to confront your accuser [cornell.edu]. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

The article says this isn't an issue because most hacking computer-crime investigations end in a plea deal, but how willing will suspects be to plea if they know they have an out at trial?

They will be willing to plea if the evidence against them is so good that their lawyer says "You will loose at trial, and they'll throw the book at you." I find it hard to believe that a suspect in this case wouldn't know that he had the option to go to trial. Mind, that at trial the accused will face the accusing party.

Re:Right to face one's accuser...easy out at court

[incog8723]

This steps all over your right to confront your accuser [cornell.edu]. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

This is true. However:

1) Most people who get slapped with a FEDERAL charge (which is a lot different than a state charge), don't have the money to retain an attorney (on the order of at least $10,000 dollars, and that's not even to go to trial--more like 20,000 if you plead not guilty).

2) The feds won't even press charges unless they KNOW they can convict you, and unless they KNOW you won't win. I was convicted of a federal crime, and it wasn't even a big time thing. However, the mountain of evidence that my public defender showed me was about a FOOT high (paper, mind you), and that's not counting the wiretap evidence.

3) The way the plea bargaining system works in federal court is that the Federal prosecutor ALWAYS tacks on extra charges. This is so that some can be removed if the defendant wants to plea.

4) The stress involved from being charged with a federal crime *almost* always dictates that the defendant will plead guilty, because of [1], and [2]. Federal sentencing guidelines DICTATE that if there is a mountain of evidence against you, and you try to FIGHT it and LOSE, then you will get a HELL of a lot more time in prison than if you just plead guilty in the first place.

Just my experience.

Re:Right to face one's accuser...easy out at court

[starX]

But note well that the article also talks about using gag orders. They're not keeping you from confrnoting your accuser, they're just keeping it out of the papers, so no, this doesn't violate our fine legal system.

This sort of technique is actually used a lot, but usually to protect the identities of minors who are prosecuted as such for high-profile crimes. Personally, I think there is a great deal of sense to it. Sometimes the identities of the victims OR the perpetrators of crimes do need to be protected, but I think that in most cases of this type doing so is unfair to investors, shareholders, and clients.

I fully realize that there is no such thing as perfect security, nor will there ever be. But investors, shareholders, and clients of a given company have the right to know how their money/data was comprimised, and what the company is doing to correct the problem, and ensure it never happens again. But then again, it's also important to realize that when there IS a security compromise (as there inevitably will be) that the company is going to go to the appropriate authorities. I read someone else's comment comparing this to robbing a bank. I sure as hell want the bank president to call the sherrif when a whole bunch of money gets taken.

This is definitely going into some stick ground. But then again, most legal matters ARE very sticky buisiness.

How Convenient!

[ackthpt]

Won't this encourage companies to leave themselves vulnerable, if potential customers and investors are unaware of such lapses?

Case in point... AbiWord vs. PayPal.

I'd certainly like to know that the California State agency which kept my personal information had been hacked into. Same for anywhere I have or might be placing sensitive information.

Bad policy, bad! No treat for you!

Mixed feelings.

[JKConsult]

On one hand, I perfectly respect the need for anonymous reporting for publicly traded companies and/or companies that spend an appropriate amount on network security. It obviously can be very damaging to their reputations if they happen to be on the front end of the vulnerability cycle and get hit before the exploit has been disseminated to the masses. The average stockholder doesn't recognize that sometimes shit happens, and perfect network security is a pipe-dream (especially if those same stockholders want costs cut, meaning the infosec department is running on a shoestring.)

However, in the case of companies that don't spend an appropriate amount on infosec, fear of public knowledge of their lack of security is often the only impetus to spend any money at all. Case in point: as the only "computer guy" (read:webmaster) at work, any problems with systems, be they internal or external, get blamed on me. I've fought tooth and nail for training (nope), a new network architecture (confidential documents, including employee data and customer financials, are stored on a Win2k box that has no firewall, no A/V, nothing), even just the ability to install freeware solutions (fuck spending an appropriate amount of money, just let me spend some time, please) have all gone by the wayside. The only time I can get approval for anything is when I lay out specific scenarios of stolen data being released publicly and the ensuing customer backlash over the lack of security. Without that hammer, I've got nothing. And since the only infosec experience I have is that which I can get for free, on my own time, I need all the hammers I can get.

Double standard.

[FrankieBoy]

Wait a minute, I'm confused here. The government is doing everything it can to protect the names of companies that have deployed inadequate network security practices from getting out but they're also making it their mission to expose companies that have employed deceptive accounting practices like Enron and MCI. The bottom line is that they both point to problems with the running of the company and if the company is publicly held then this information should be exposed and the incompetence dealt with.

Triple Sceret Arrest

[ackthpt]

"Hi. We're from an agency of a government

don't tell them that!

What, the bit about an agency or a government?

any of it!

Right. You're under arrest for hacking.

don't tell them what they're under arrest for!

We can't just arrest them, can we?

we do it all the time!

But that's what morally corrupt dictatorships do and we're not one of those, we're from a democracy, right?

oh, great, next you'll give the whole thing about where we are from away, just why don't you wave the flag, show 'em a picture of your mom and ask if they'd like some apple pie! fer chrissake!

Ok, we cannot disclose who you are, what you did or who you did it to, who we are, what we are here for, what you may or may not be charged with, where we are taking you or anything else. We're not even sure if we are at the right address, but just come with us.

quietly.

The Men in Black

[pommaq]

My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

- Yes. I've been looking for you, Neo. I don't know if you're ready to see what I want to show you, but unfortunately you and I have run out of time. They're coming for you, Neo, and I don't know what they're going to do.
- Who's coming for me?
- Stand up and see for yourself.
- What, right now?
- Yes, now. Do it slowly. The elevator.

More Oppfortunity For Hacker

[limekiller4]

This is of marginal value because while it may keep things under wraps while the hack is occurring, if the hacker is caught (the goal, after all), then they have the right (in the U.S. at least) to face their accusers. Barring a rather broad-sweeping gag order, the press will get wind of it. And given that the bait here is for the company to remain anonymous permanently so users of that company to not lose trust in that company, this is of dubious value.

Plus, IF the hacker (remember a lot of jobs are done from the inside) catches wind that the FBI has been contacted and is being asked to be discrete, this is a new weapon. They now know that they have brand new button to push that the company would, for whatever reason, really not want pushed.

Just a thought.

Re:More Oppfortunity For Hacker

[limekiller4]

My tagline reads:
It's much easier to mod me down than to post an intelligent reply.

An Anonymous Coward (aren't they all) wrote:
"Hmm, good point. I'll remember that next time i have mod points."

Well thank god you posted anonymously! Preserving those all-important karma points!!

The point is that it is much more useful to have dialogue than a knee-jerk "oh, I don't agree with you" moderation system because it gets abused. -1 no longer means "this is a bad post" so much as "I don't like what you had to say." I'm not sure it was ever anything else, really.

And really, at least try for the appearance of self-respect and just post as yourself. Is karma that important to you? It shouldn't be. Observe:

Hey! Someone with mod points! Here is a big fat link to some guy's torn-up asshole. Please mod this post down to prove that people should be more worried about saying what is on their mind than karmawhoring. Metamoderators, please disregard any -1 modding done to this post. It was requested.

And to the original AC, you're a nitwit. People like you are the reason the signal-to-noise ratio on Slash went to complete shit years ago. Thanks, much obliged.

Re:A rubber hose, a pair of dikes, and a nailgun.

[Cyno01]

I remember reading in some book about internet security that some corporations dont want to deal with the hassle and the wait and the apathy of the feds for cyber crimes. They have a private jet and some big guys with baseball bats. Vigilantism is illegal, but if more crackers knew about this i'm sure the number of large scale attacks would decrease. Does anybody know anything more about these private computer crime 'investigators'?

Is hacking now worse than rape and murder?

[FearUncertaintyDoubt]

Often rape victims are reluctant to come forward, yet their name has to become public information if they want to see their rapist convicted. And news media love to provide pictures and information about victims of grisly murders. The only exception that is normally made is when the victim is a child. AFAIK, it's pretty much accepted that you can't make victims of these crimes a secret (and still prosecute the offenders), no matter how much people would want such a thing.

So is this saying that hacking is even more humiliating, more personally damaging, more vicious than rape or murder (or any number of other violent and cruel acts) -- so much so that we have to shield its victims from any public knowledge of their being victims? Or maybe are we saying that corporations get whatever they want from our justice system? (*cough* Microsoft penalty judgement *cough*)

Constitutional???

[chuckw]

Ummmm, that isn't even constitutional. The accused has a right to confront their accuser. Do you really think the accuser is going to keep quiet about who the victim is? Doubt it, unless they give him some real incentive not to. Either way, with lawyers, relatives, friends etc, the true story is going to leak out somehow. If the FBI *REALLY* thinks this is going to remain secret, they have more than a few problems...

Who needs fair trials, anyway?

[Fefe]

So now not only is the electronic "proof" easily faked, now you don't even have to tell the hacker whom he supposedly hacked?

Great! The perfect infrastructure to put arbitary people in jail. You can frame anyone!

And how can the hacker prove to the judge that the alleged victim had something to gain from framing him? And it makes it impossible that someone can can read about the trial in the newspaper and help prove the hacker's innocence.

Obviously they want to get rid of Kevin Mitnick for good this time.

"Arriving Discreetly"

[duck_prime]

From the eds:

My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

They can pretend that they're showing up to arrest the CFO. Pretty good cover these days...

Pure BS

[Ektanoor]

The reluctance most companies have to present evidence they have been jacked is not because they fear the effect it will have in their customers. This fear goes much deeper and touches the very soul of many companies. It is a problem of competence, knowledge, expertise and information control. Many companies control quite badly or don't have any control over the information exchanges ocurring inside their infrastructure. It is a mess that no one can get an hint of and no one really cares. While money keeps coming, they will not worry sharing its local network with third parties (some business centers work that way), sending tons of internal data through simple e-mails out to Internet (no cyphers, no filtering), sharing local networks with customer's ones (how many ISPs work like that?) and many, many more.

It is curious to note that these cases are even more frequent among corporate strucutures, specially among holdings. And no one cares when one company gets sold and still keeps using the common corporate resources. And some do use these security breaches for their purposes.

So why companies want to hide information? Because they don't want people to mess up in their "internal" affairs. Roughly this is the same type of story like the county sheriff meeting the feds in its town. He may know he has a problem but he will be more happy to see these suits outta there ASAP and leave people solve its own problems. The same goes to most companies. They will not invite feds because they fear publicity. They will not invite them because they prefer to leave the mess for themselves, instead of having some "outsiders" sniffing all around and giving too many questions.

Not long ago I was in such situation. I came in in a "no publicity, no scandals, all confidential, internal and top secret" agreement. However, some guys didn't calm down until they smoked me outta the company. According to my recent data, they keep living exactly the same way as they did. While they fill their pockets, they don't care for shareholders, clients, partners or concurrents. And frankly it seems that their shareholders don't worry either.

Identity crisis

[KjetilK]

*Raises hand*

Oh well, that battle is really lost. OK, I realize that. Language has evolved beyond reach and we can't possibly managed to do all the education to revert it.

But what should I call myself? Or rather, what should people call me when they want to pat my back for something cool I did on the computer? I mean, everybody likes that, and we all need that, don't we?

Computer professional? Nah, I can't even accurately describe a Turing machine. I have merely basic training in computer science, on a "tools" level.

Computer hobbyist? I can do a lot more than most people, I can learn things fast, and I'm trained enough to point out flaws in the things many computer professionals do, including really good ones. Besides, I'm getting paid for it, even though the job market isn't that good.

Geek or nerd? Well, yeah, I guess I am, in some respects, certainly, but it doesn't really describe what I do accurately.

Well, many people gets a real identity crisis from this...

Re:Identity crisis

[Tony-A]

Oh well, that battle is really lost.
I don't think so. You need to take a bit of care where and to whom you use the term "hacker", but nothing else captures the meaning. The media is a lost cause, but this is because they have no concept that anyone playing around with a system could be up to anything other than mischief. The media also has a hard time with the idea of scientific curiosity in any field.

Hothouse Flowers

[crucini]

Criminalizing hacking is probably a mistake. It's a natural impulse to explore networks and work past barriers. It's no coincidence that the word "hacking" describes both creative programming and "malicious" network connections. They both stem from the impulse to explore systems.

The Government is now voicing concern about our "National Information Infrastructure" and its vulnerability. Passing tough laws and increasing enforcement is exactly the worst thing we could do for that cause. It will merely grow "hothouse flowers" - vulnerable networks that will not be probed by ordinary people (because they're scared) and will remain vulnerable for cyber-terrorists or organized crime.

Indulging the weakness of our corporate information security will be a never-ending spiral. Instead we should drag these hothouse flowers out into the real world and let natural selection take its course. In fact, the government could help most by offering bounties to people who hack into important facilities. Of course these bounties would be added to the tax bill of the corporation responsible for the security weakness. If most of the malicious hackers were reporting to the government, there'd be no way for "victims" to hide the incidents, and they could be publicized so customers and shareholders can react appropriately. That's how free markets are supposed to work - people buy and sell based on information.

Small scale hackers and script kiddies are like the constant barrage of viruses that keeps our immune systems on their toes. If we manage to scare them all away, we become the "boy in the bubble".

Re:Hothouse Flowers

[crucini]

There's no way to completely secure a system short of making it entirely useless.

Granting that for the sake of argument, what's the most effective way to increase security? I'd say, ensure that a talented adversarial force is constantly looking for holes in the security. Since that force already exists, why not try to harness it?

While one can quite legitimately explore a network and report vulnerabilities to the proper authorities...

Just to be clear, one cannot legally do that under current law. In fact, an Oklahoma techie was charged under a wire fraud statute after demonstrating weaknesses in a customer's security to FBI agents.

That would be like getting people to break into stores and then paying them off at the expense of the people who got broken into.

Here are some differences:

1. The Government has articulated a national interest in the "National Information Infrastructure". In other words, keeping an insecure server on the internet contributes to the potential impact of a cyber-terrorist attack. Failing to adequately secure a store does not threaten US national security. Therefore, it makes sense to test the security of Internet hosts and penalize those who maintain insecure hosts.
   
2. Due to the global nature of the Internet, and the replayable nature of computer exploits, every Internet host is subject to best-of-breed attacks initiated from anywhere on the globe, including info-warfare units of hostile countries. In contrast, a retail store is physically vulnerable only to people who live nearby or make a special journey to reach it. Attacks are generally not replayable - skill and risk are required for each attack. To be concrete, a security flaw in IIS resulted in Code Red rapidly swarming across the internet. It could have been much worse. However, the fact that most retail stores can be broken into by throwing a cinder block through the plate glass will probably not be utilized by a US adversary. It's not high-leverage enough.
   
3. Computers are much more likely to be used as bases for further attacks than are retail stores. Therefore the negligence of maintaing an insecure Internet host is much more harmful to the community than the negligence of maintaining an insecure retail store.
   
4. Physical barriers merely present a known time delay to best-of-breed attacks. In other words, you don't need a flaw in a physical barrier in order to break it; you just apply an appropriate attack for a known period of time and the barrier is defeated.
   The barrier should be chosen so that its penetration time exceeds the response time of responding personnel. To increase the penetration time, the barrier must generally be more expensive. Therefore, selection of such barriers is a tradeoff between penetration time and cost.
   Internet host security is completely different. There is generally no such thing as penetration time; almost any conceivable attack is either a) nearly instantaneous or b) impossible in a realistic time frame. If someone breaks into an Internet host, it's not because the owner skimped on the armor plating. It's because there is an actual logical flaw in some of the code running on that host. (Taking code to include relevant configuration files.) If it's "new" flaw, we the public need to find out ASAP, because the "bad guys" may already know. If it's an old flaw, the owner of that computer is negligent.
   

PS: This post made Lynx coredump. Fortunately I found the post in the core file and pasted it into Netscape.

true, unless....

[commodoresloat]

you're an immigrant charged with a crime with "national security" implications.

good point

[commodoresloat]

The SEC is pretty clear that a company must report significant losses to stockholders. If a company is hacked and has millions of dollars in damages, aren't they committing a crime by not reporting that to their stockholders? (reminds me of the Mitnick trial).

Note Title and storyline...

[El+Camino+SS]

Alright /. decide on the terms.

Are we talking about hacking or cracking?

The title talks about hacking crimes, and then uses cracking in the paragraph. So please /. decide on the style guide so we know what we are talking about.

On the contrary...

[mangu]

If no one takes notice that holes exist, then a lot less development will be done to plug holes. What makes people more careful about security is precisely the insight that, if even "MEGAXYZ Corp" is vulnerable, then we are vulnerable as well.

Even more worrisome is the mention in the article that they want to make hacking details exempt from the freedom of information act. This is a small, but very significant, step towards a fascist police state. With the overall prevalence of computers in society today, anyone would be liable to be called a "hacker", and prosecuted secretly.

Clarification of "victims"

[phorm]

It's important for us to realize that you have certain concerns as victim companies that we have to acknowledge," FBI (news - web sites) Director Robert Mueller said. He promised, for example, that FBI agents called to investigate hacking crimes will arrive at offices discretely without wearing official jackets with "FBI" emblazoned on them

In other words, they are probably coming in "discreetly" to investigate the company that is hacked, not the hackers. Having a hoard of FBI agents mulling around your office is not the best publicity, worse at times than being hacked and having "J00 R 0WZ3R3D, PAY ME $1000000" tagged on to one's webpage...

Having your webpage hacked, people know you have a security issue. Having the FBI swarm your office, people imagine for themselves what you have done to have them there. Anyone care to guess which is worse?

When keeping a secret, make sure others do not even know you are keeping a secret, lest their own imaginations persue a worse scenario than reality - phorm

More business friendly legislation

[gad_zuki!]

at the cost of consumers of course.

>along with any sensitive corporate disclosures that could prove embarrassing.

Embarrassing? I'm sorry, but if my bank has an incompetent IT department, uses crappy software, has a poor security policy, etc then I should find about it in the paper alongside the police blotter which lists every drunk, domestic fight, and pot possession in the county.

The meat packing industry is the same way. They can recall tons of dangerous product without telling the press who the meat was sent out to. For instance it was all sent to McDonalds or Subway then those companies have the choice to tell you. Your safety, and life in some cases, is second to their PR.

Government is supposed to protect all interests without giving in to one side. Sadly, those with the resources get what they want and there isn't even a popular opposition party to call BS on laws like this.

Oh yes, a VALID view

[erroneus]

At first, I was thinking in terms of a "rape victim's" perspective. Yes, it's "damaging to your reputation" to be seen as weak, vulnerable and insecure, but then again, this is PUBLIC INTEREST not PRIVATE INTEREST.

People who are considering their position as share holder deserve to know the state of the company they own a share in. People who are considering buying into the a company deserve access to the information about what they're buying. As far as I'm concerned, it's a consumer right!

Corporate secrecy and other shenanigans has been what has led to many of the problems our economy is suffering now.

Another poster had another view from the perspective of the "accused" which I also feel for. It's the leverage of a plea. If a person is merely suspected, presenting proof isn't required? I'm sorry, but no! It's 100% necessary so that a person can adequately and fairly defend himself if unjustly accused. The only thing resenbling "fair" is when the accused is actually guilty and actually knows what he did... and even then the accused can't know for sure.

This idea places too much balance in favor of government law enforcement and corporate interests and is completely against "the people." This shouldn't be happening.

Re:Oh yes, a VALID view

[doug363]

What you've said about companies being accountable to their shareholders and the public in general is very true for publically traded companies, but most smaller companies (and some larger ones too) are privately owned. In other words, there's no need to publically disclose any information about their financial situation, as there's no way that Joe Random Citizen could buy shares if he wanted to. The company doesn't necessarily have a right to privacy, but they are not obliged to disclose information in the same way as publically traded companies.

Of course, if the accused isn't even told exactly what they're accused of, then that's reason enough to reject the idea.

Culpability

[StikyPad]

From the article:

"Companies that worry too much about public response underestimate the public's ability to assess the situation with some sophistication," [the FBI spokesman] said. "If a bank robber sticks a gun in a teller's face, the public is not confused about who's fault that is."

What about companies that provide little to no protection to their networks? Is that still the same as a robber sticking a gun in a teller's face, or would that be more akin to say, someone walking into the bank, into the unlocked vault, and walking out with everyone's valuables? And can the public still asses the difference with any level of sophistication?

Hacking is a crime???

[Pig+Hogger]

Since when hacking is a crime? It's ***CRACKING*** that's the crime!!!