Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacking Crime Victims to Remain Secret

Posted by CowboyNeal on from the security-through-obscurity dept.

outlier writes "The AP is reporting that federal law enforcement agencies are offering to keep the names of companies that have been victims of major cracking crimes secret. The goal is to encourage victims to come forward, so that the government can 'prosecute cases while at the same time achieving the kinds of protection and addressing the concern that the business community rightly has.'" My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

20 of 179 comments (clear)

  1. Same as here :) by adilsonoliveira · · Score: 5, Interesting

    We do have in Brazil a police force specialized on internet crimes but sisnce the majority of the attack victims are off-shore, it's kind difficult to track down the crackers.

    --
    Faith can move mountains. I prefer dynamite.
  2. this is good by prichardson · · Score: 5, Interesting

    This is good because I beleive then that a lot more companies will come forward with hacking tales, more development will be done to plug holes, more people will be able to talk about hacking, more people will be aware of the dangers, more people will become educated about hacking and virueses and the like, and we will have fewer "I cant find the any key" tech support calls and fewer viruses propagating like mad.

    --
    Help I'm a rock.
    1. Re:this is good by Daniel+Dvorkin · · Score: 5, Interesting

      RTFA yourself. The accused retains the right to face his accuser -- if the case goes to trial. But as I understand it, a defendant could be pressured to accept a plea agreement without being informed of whom he'd allegedly hacked or what the hacking allegedly consisted of. I think the scenario goes something like this:

      Defendant [angry]: "But who'd I hack? What did I do?"

      Cop [toneless]: "You don't get that information until you go to trial."

      D [self-righteous]: "Okay, then I'll go to trial."

      C [smirking]: "You sure about that? See, if you go to trial, and you lose, you go to prison. And I hear skinny little geek boys like you are reeeaaal popular in prison ..."

      D [defeated]: "And what if I take the plea bargain?"

      C [toneless]: "$100,000 fine, confiscation of all your computer equipment, and a court order preventing you from being gainfully employed in the computer industry for ten years."

      D [outraged]: "You people want to ruin my life!"

      C [smirking again]: "Okay, we'll see what your cellmate Bubba the Axe Murderer says about that ..."

      D [barely audible]: "I'll take the plea bargain."

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  3. Favorite Part by bdesham · · Score: 5, Funny
    My favorite part is how FBI agents will now "discretely" arrive at victims' offices.
    Why is that? Because it's spelled wrong?

    ;)
    --
    Alcohol and Calculus don't mix. Don't drink and derive.
    1. Re:Favorite Part by meringuoid · · Score: 5, Funny
      My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

      Why is that? Because it's spelled wrong?

      Well, more because an amorphous mass of FBI-flesh writhing obscenely and pulsating as it flows in a continuous stream through your office door can sometimes be distressing. The new method of FBI agents arriving as discrete individuals is far more friendly.

      --
      Real Daleks don't climb stairs - they level the building.
  4. Agents will arrive discretely? Great! by seldolivaw · · Score: 5, Funny

    You mean they used to arrive all lumped together? No wonder people got upset!

    Learn to spell, guys...

  5. Men in Black! by Black+Parrot · · Score: 5, Funny


    > My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

    The guys in black trenchcoats? Uh, those are our network consultants. Yeah, network consultants.

    --
    Sheesh, evil *and* a jerk. -- Jade
  6. yep by Sacarino · · Score: 5, Insightful

    Nothing beats security through denial.

    "Uh, I wasn't hacked, nope. Must have been Corporation X."

    And WTF is this?
    Government efforts to tighten Internet security and investigate online attacks have long been hampered by reluctance from companies to admit they were victims, even in cases where executives quietly paid thousands of dollars in extortion to hackers.

    Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

    --
    -- El Sacarino tiene gusto de la chocha
    1. Re:yep by mitchell_pgh · · Score: 5, Interesting

      Unfortunately, this is a serious issue. If your position at an online banking environment is "Director of Network Security" and you are hacked for say $5,000 and you plug the security vulnerability, the only people that know are you, your boss, and perhaps some people from the accounting department. Is the negative PR you will receive over the hack to your "secure" system worth $5,000?

      If you lost one account over this hack, it wouldn't be worth it. I think the FBI is trying to inform the public that they understand "HI!, We are from the FBI. We are here regarding the security breach of your trusted online banking system" isn't acceptable in every situation.

    2. Re:yep by karlm · · Score: 5, Interesting
      I think it's often a grey issue. It's "Gee.. I found a hole in your site.. I can do the whole full disclosure thing, or you can hire me as a security consultant. Your call."

      You're right in that it's stupid to pay script kiddies to un-deface sites, and Idon't think anyone does that.

      I think it's most often extortion in the form of "security consulting fees" for unsolicited "security audits". Occasionally it's "We have your entire credit card databasebase and all of your loyal customers will never trust you again if we post them to usenet, so pay up." I heard ofsomeone trying to do this to a Minnesota comapny maybe 3 years ago, but the company basically said "screw you" and went to the FBI. Nobody knows how oftn companies pay up... It's like estimating the percentage of unreported rapes. It's just data that you don't ahve and isreally hard to estimate.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  7. Is this a good thing? by skaffen42 · · Score: 5, Insightful

    I agree that confidentiality is important in some crimes. For example a woman who has been raped shouldn't have to have her name splashed on the front page.

    But... if my bank or credit card company has a habit of getting hacked (ie. lax securtity) I figure I have a right to know about it.

    Just my $.02.

    --
    People couldn't type. We realized: Death would eventually take care of this.
  8. Double sceret arrest by banzai51 · · Score: 5, Funny

    Hi. We're from the FBI. You're under arrest for hacking. We cannot disclose what you did or who you hacked. Just jump into our jail.

  9. Right to face one's accuser...easy out at court by Nonac · · Score: 5, Interesting
    This steps all over your right to confront your accuser. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

    The article says this isn't an issue because most hacking computer-crime investigations end in a plea deal, but how willing will suspects be to plea if they know they have an out at trial?

    1. Re:Right to face one's accuser...easy out at court by incog8723 · · Score: 5, Interesting

      This steps all over your right to confront your accuser [cornell.edu]. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

      This is true. However:

      1) Most people who get slapped with a FEDERAL charge (which is a lot different than a state charge), don't have the money to retain an attorney (on the order of at least $10,000 dollars, and that's not even to go to trial--more like 20,000 if you plead not guilty).

      2) The feds won't even press charges unless they KNOW they can convict you, and unless they KNOW you won't win. I was convicted of a federal crime, and it wasn't even a big time thing. However, the mountain of evidence that my public defender showed me was about a FOOT high (paper, mind you), and that's not counting the wiretap evidence.

      3) The way the plea bargaining system works in federal court is that the Federal prosecutor ALWAYS tacks on extra charges. This is so that some can be removed if the defendant wants to plea.

      4) The stress involved from being charged with a federal crime *almost* always dictates that the defendant will plead guilty, because of [1], and [2]. Federal sentencing guidelines DICTATE that if there is a mountain of evidence against you, and you try to FIGHT it and LOSE, then you will get a HELL of a lot more time in prison than if you just plead guilty in the first place.

      Just my experience.

  10. Double standard. by FrankieBoy · · Score: 5, Insightful

    Wait a minute, I'm confused here. The government is doing everything it can to protect the names of companies that have deployed inadequate network security practices from getting out but they're also making it their mission to expose companies that have employed deceptive accounting practices like Enron and MCI. The bottom line is that they both point to problems with the running of the company and if the company is publicly held then this information should be exposed and the incompetence dealt with.

  11. Triple Sceret Arrest by ackthpt · · Score: 5, Funny
    "Hi. We're from an agency of a government

    don't tell them that!

    What, the bit about an agency or a government?

    any of it!

    Right. You're under arrest for hacking.

    don't tell them what they're under arrest for!

    We can't just arrest them, can we?

    we do it all the time!

    But that's what morally corrupt dictatorships do and we're not one of those, we're from a democracy, right?

    oh, great, next you'll give the whole thing about where we are from away, just why don't you wave the flag, show 'em a picture of your mom and ask if they'd like some apple pie! fer chrissake!

    Ok, we cannot disclose who you are, what you did or who you did it to, who we are, what we are here for, what you may or may not be charged with, where we are taking you or anything else. We're not even sure if we are at the right address, but just come with us.

    quietly.

    --

    A feeling of having made the same mistake before: Deja Foobar
  12. More Oppfortunity For Hacker by limekiller4 · · Score: 5, Interesting

    This is of marginal value because while it may keep things under wraps while the hack is occurring, if the hacker is caught (the goal, after all), then they have the right (in the U.S. at least) to face their accusers. Barring a rather broad-sweeping gag order, the press will get wind of it. And given that the bait here is for the company to remain anonymous permanently so users of that company to not lose trust in that company, this is of dubious value.

    Plus, IF the hacker (remember a lot of jobs are done from the inside) catches wind that the FBI has been contacted and is being asked to be discrete, this is a new weapon. They now know that they have brand new button to push that the company would, for whatever reason, really not want pushed.

    Just a thought.

    --
    My .02,
    Limekiller
  13. Is hacking now worse than rape and murder? by FearUncertaintyDoubt · · Score: 5, Interesting
    Often rape victims are reluctant to come forward, yet their name has to become public information if they want to see their rapist convicted. And news media love to provide pictures and information about victims of grisly murders. The only exception that is normally made is when the victim is a child. AFAIK, it's pretty much accepted that you can't make victims of these crimes a secret (and still prosecute the offenders), no matter how much people would want such a thing.

    So is this saying that hacking is even more humiliating, more personally damaging, more vicious than rape or murder (or any number of other violent and cruel acts) -- so much so that we have to shield its victims from any public knowledge of their being victims? Or maybe are we saying that corporations get whatever they want from our justice system? (*cough* Microsoft penalty judgement *cough*)

  14. "Arriving Discreetly" by duck_prime · · Score: 5, Funny
    From the eds:
    My favorite part is how FBI agents will now "discretely" arrive at victims' offices.
    They can pretend that they're showing up to arrest the CFO. Pretty good cover these days...
  15. More business friendly legislation by gad_zuki! · · Score: 5, Informative

    at the cost of consumers of course.

    >along with any sensitive corporate disclosures that could prove embarrassing.

    Embarrassing? I'm sorry, but if my bank has an incompetent IT department, uses crappy software, has a poor security policy, etc then I should find about it in the paper alongside the police blotter which lists every drunk, domestic fight, and pot possession in the county.

    The meat packing industry is the same way. They can recall tons of dangerous product without telling the press who the meat was sent out to. For instance it was all sent to McDonalds or Subway then those companies have the choice to tell you. Your safety, and life in some cases, is second to their PR.

    Government is supposed to protect all interests without giving in to one side. Sadly, those with the resources get what they want and there isn't even a popular opposition party to call BS on laws like this.