Slashdot Mirror
Appropriate Punishment For Crackers?
Cally writes "There's a Kevin Poulson article on SecurityFocus reporting that the US Sentencing Commission is seeking opinions about the appropriate punishment for convicted system crackers and other black-hat types. On one hand, it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti. Then again, perhaps these people are cyber-terrorists who should be illegally imprisoned, indefinitely, without a trial, charges, or legal representation? You choose."
Hacking a website is much more than graffiti. If you spraypaint the outside of wal-mart, people can still go in and shop. If you hack walmart.com and replace it with "shout outz" then wal-mart will probably lose hundreds of sales per hour to their competitors. That is very real money to these businesses. Hacking (cracking is breaking copy-protection) a website should not have the same punishment as violent crime, but it is definitely a more severe crime than graffiti, and deserves a much harsher punishment.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
I wanna know something. If someone (attempts to) breaks into your home (in the USA), you are allowed to shoot that person in self defense. Are you likewise allowed to take out anyone attacking your network?
Stop the brainwash
How about referencing recent hacker cases, and the sentences that were imposed. How about some information on the ages of the black-hatters. No, that would be relevant to the discussion...
I'm not sure why you need new sentencing guidelines for old crimes (theft, extortion, fraud, embezelment, etc...) committed using new technology. Why is a crime different because a computer is involved?
$G
-- $G
The Amnesty "illegally imprisoned" link reguards a pare-military group as common burgulars, the Rense.com link invents another class. Both have been addressed by the US courts and neither is addressed in Kevin Poulsen's article.
All that aside, hell no a non-violent criminal should not be locked up. Some other punishment is much more appropriate, like restitution of *real* losses (no making the defendant buy a new security team) and community service, etc.
Jail *should* be for the people that are a physical threat to society, not a theoretical or financial one.
Before the thread runs off the topic, see my website for my position on the death penalty before assigning one to me.
Eve Fairbanks says I drive a hybrid!LOL
Here's a story about a man who kidnapped, tortured and abused a girl then tried to kill her by injecting her with bleach. His sentence? 10 years - he'll be out in half that time.
Sure, give crackers jail time but make it appropriate for the crime. Maybe 3 months in jail, or probation. When I see someone like Kevin Mitnick get 7 years, and violent criminals who, in my opinion, should never be allowed out of prison get the same sentences, it pisses me off.
Illegal imprisonment? Nay, for they did pass laws allowing indefinite detainment. It is merely unconstitutional
He's old enough to know better.
He should be held responsible for the real consequences of his actions.
Anything less simply permits the activities to go further. The amount of work involved in recovering from a Cracker is far more extensive than physical graffiti.
I still don't understand why we need some kind of special legislation for the so called "cyber crime." Don't the states already have laws punishing crimes of trespassing and/or fraud?
Bush Lies Watch
A crime is a crime is a crime. Aren't there plenty of existing standards to base this on? Tie it to the harm done. Some will be misdemeanors, some will be felonies. If some 'graffiitti' splattered over a commercial site causes a relatively small financial loss, call it a misdemeanor and sentence accordingly. If the financial loss is large enough, call it a felony and give an appropriate sentence. E.g., defacing the brochure page of your local shoe store might cause them little or no measurable loss of revenue and be repairable within a single work day. Doing the same thing to Amazon or Yahoo is a different matter and calls for a much stronger sentence.
The important thing is to prevent and punish people who act criminally, and to counter the popular impression that many "geeks" don't take the issue seriously.
-- Slashdot: When Public Access TV Says "No"
An international corporate website with a secure ordering component is slightly more complicated than "Insert tape, click Restore". There are distributed database servers that need to be examined, several web servers with load balancers in multiple geographically diverse locations, they need to investigate all involved servers and networking components to determine the possibility of a back door; and on top of all this, they have to leave the 'crime scene' untarnished so that security experts can determine a) how they got in, and b) how to prevent them from doing it again.
We're not just talking about somebody editing index.html here. Restoring from tape/CD-R may work for your home vanity domain website, but it falls slightly short in the real world.
I'd also like to echo the sentiments made by other posters;
As usual, the vast majority of analogies posted are flagrantly off-key, so I'll pose one; Breaking into a web server and defacing the content is like breaking into a webserver and defacing the content. Come on, people, we're a technical group and should be able to talk about these incidents without resorting to brick wall, spray paint, bomb-threats, or other wild analogies.
These crimes should be treated in context, and the lawmakers should be told, repeatedly, that the Internet is not a direct analogy to real life. Servers are not brick and mortar establishments. Components of a website do not have to physically reside in the same country, letalone the same building.
When a person violates a website, they shuold be charged as such. The more intricate and harmful their intrusion, the more harsh the punishment. They should be given rehabilitative sentences including community service if they're young, or prison time if they're age of majority.
BD Phone Home!
Shameless plug. Like you weren't expecting it.
On one hand, it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti
More like breaking into your office to erase every whiteboard in the place and replace them with poorly spelled tags, changing the locks, or jus took the door off it's hinges, smashing the alarm system, and taking/destroying the gods know what else in the process.
Hacking a website doesn't just mean that the site was changed. Anyone with a lick of sense after an intrusion needs to take a hell of a lot of time and take stock of what they still have, what they might have copied or deleted, and if they left any backdoors so they could get back in and have their little fun. Calling is "just graffiti" shows a complete lack of understanding of information security. There is real damage done when someone "just" defaces a website. It can't just be painted over.
Banks have safes and armored cars for pragmatic reasons, not legal ones. It is just as illegal to take $100,000 from a shopping cart as it is from an armored car. On a practical level, it is obviously safer in the armored car.
The responsibility you indicate mention is real, but it is the responsibility to the shareholders. If a bank transports money in a shopping cart and it's stolen, the thieves will go to jail. The directors who authorized the insecure transport will probably be fired, and might be sued by shareholders.
Crackers should go to jail. Incompetent admins should be fired. These are two separate problems.
Why do all the lawyers insist on creating new versions of every law and crime just because they happen to occur in the "digital" realm?
Let's see... hax0r kid defaces web-site.
1. Trespassing.
2. Breaking-and-Entering.
3. (possible) malicious destruction of private property.
If someone logs into your (wide-open, no password root shell) server without your permission, that's trespass.
If someone hacks your server to get in, that's trespass and breaking-and-entering.
If someone changes your web-site, etc., while they're there... that's destruction of property.
There are already well-established laws to deal with these crimes, and those laws have ranges of punishments appropriate for the severity of the offense. Why should special "digital" versions be created when existing laws already work?
This country needs fewer laws, and better enforcement of the ones it already has. More laws simply make more money for lawyers, and more loopholes for the rich and powerful.
The mildest is the person who breaks into a system, just because he can. He (or she, after all) breaks in, looks around, and leaves before doing any damage, changing anything, or "taking" anything. It doesn't impact any services that the target is providing. True, after any break-in that is discovered, the admins of the site will spend time cleaning it up and making it more secure. And I wouldn't like it if someone broke into my house just to look around. But I don't think that the punishment should be too harsh in this case, perhaps on the same scale as graffiti, maybe a little harsher because of the more expensive "cleanup".
The worst case is the cracker who breaks into a system to destroy or deface it. He changes the way external sites look and destroys information that is vital to those systems and may not be able to be rebuilt. Even a DoS could fall into this category if it leaves the site offline long enough, and is clearly deliberate. These guys should get harsher sentences, both for the public nature of their crime and the potential for data to be lost without hope of recovery.
The middle case is the cracker who breaks into a site and doesn't change anything, but just copies information from the site. In this case, the nature of the information itself and the mindset of the cracker must be taken into account. If the information was something that the cracker would have no way of using, and doesn't pass it on, then that would fall under the "curiosity" end of the spectrum. If the information was something that the hacker could directly use or sell, like credit card numbers or confidential documents sold to competitors, that would fall under the "malicious" end of the spectrum and be punished more harshly. I don't think the cracker should have to actually use the data to qualify for harsher punishment, as long as he had plans to use it. Notice that in this case, it is not necessarily the object that is copied that dictates the severity, it is the cracker's intentions.
The main problem with the way computer crime is punished right now is that whenever an item is copied/stolen, there is the tendency to assign the highest possible value to that item, without taking what the cracker plans on doing with it into account. After all, a confidential document could be worth lots of money to the company it is taken from. But nobody takes the capabilities and intent of the cracker into question; if he doesn't know how to capitalize on the value of the document, how could he be liable for "stealing" that much value?
Yes, I know that someone who steals jewelery in real life and then hocks it for a tenth of its value still stole the jewelery, not 1/10th of it. But when physical objects are stolen, the victim doesn't possess it anymore. When documents are "stolen" but not deleted, the victim still has access to it. Therefore, I think it is proper to assign the "value" of the theft to be how much the value of the document is reduced, not the value of the document itself. And if the cracker doesn't know how to use the document or who to sell it to, how can its value be reduced?
The punishment should be in accordance to the damage they caused, and if they stole or hurt anyone.
I believe that the penalties for merely defacing a website, or cracking into a machine and not actually doing much damage or "stealing" anything should be light. Sure, it is annoying, but it isn't that major.
If someone cracks into a database server and steals credit card information, that is another thing altogether. They should be charged with theft of credit cards (or whatever the actual crime is).
If someone (hypothetically) manages to crack into a computer that controls air traffic radar, and planes end up crashing because of it, they should be locked away for mass murder.
Some of the proposed punishments for computer crimes are quite harsh, treating the perpetrator like a terrorist or violent criminal.
However, someone who simply defaces a web site and writes "I 0wn j00!" on it doesn't deserve to be given more time than a rapist.
"You spoony bard!" -Tellah
Sorry if I am trolling a bit here.
In society we all have an expectation of privacy. That right is supported in common law.
For example if your neighbor puts up 15 ft solid brick fence and then sunbathes nude behind it and you put up a tower with a camera on it you can be arrested/sued for being a "peeping tom". A local TV station had an employee get busted for using the "skycam" weather camera to do just that. The courts held that the woman had a reasonable expectation of privacy and that it was violated by the man using the TV towers camera.
When someone puts up website they have a reasonable expectation that the back office parts of the site are to be private. Just because you CAN peer into the site (on into the backyard) doesn't mean you are allowed too!
The amount of effort required to circumvent them is irrelevant. The expectations still exist and are legally protected.
I don't consider break-ins, especially to insecure machines or business computers (but maybe I just value individuals more than businesses?), to be a very high crime.
That was the most stupid of your statements. Well I don't consider your dead-bolted door to be adequate security for your home. So by that logic I am free to break in and clean out the house. By God, you should have had a steel vaulted door.
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
Actually, we are a Democracy, only in reverse. Take the war on Iraq, for example. In a real Democracy, the people of the US give a mandate to it's government to go to war with Iraq, sign petitions, start grass roots movements, and the politicians listen to the people and go to war with Iraq.
In the US version of democracy, the US government gives a mandate to the American people that they are going to war with Iraq. Over shouts of protest, the media begins the assault on the public mind to convince people that this is what they want to do and that the country of Iraq is of primary importance in their lives. After informing the American people, as well as Saddam Hussein, that he has weapons of mass destruction, a furious effort is made to find a pretext for invasion. Eventually, after months of campaigning, petitions start to circulate around the internet, so that the people of America can ratify the decision of their betters. So, it's a grass roots campaign, in reverse, of course.
The government gives it's mandate to the American people, and the American people automatically start discussing this issue. Granted, before the president gave his mandate, nobody was really concerned about Iraq, outside of a few oil companies, but that doesn't matter, and doesn't raise any doubts in our un-biased media about the president's honesty, despite the fact that several of his advisors are ex oil company executives.
The same thing happened with the War on Drugs that was increased by Bush I in 1989. Before the media campaign, the concern about drugs was only 4% in the gallup polls, and people were more concerned about the economy. Then Bush I gave a mandate to the American people, and immediately the "free" media started pumping out dramas about families being torn apart by drugs, despite the statiscally declining drug use in America. So, in spite of the fact that I nor anyone that I knew was on drugs, it was an important issue in my life because George Bush told me so. Another mandate by the government, and another assault on our freedoms. Yeh Bush!!
If he/she is a minor, however, I think state of mind should have some sway over the consequences. You'd be surprised just how effective a simple visit by law enforcement personnel can be in "adjusting" the cracker's attitude.
In 1997 I was caught dorking around in school district systems. In my adolescent mind I thought it was all fun and games. Until I was hauled into a room by several very serious looking detectives and interrogated. Bad-cop-good-cop games, the whole works. This was quite possibly the fastest attitude readjustment I've ever experienced.
The detectives, I think, had some sympathy for my plight. His boss wanted to bust me hard and basically ruin my life. I was hauled before the head honcho (don't know exactly who he was or what his title was) and was given a stern lecture. I was asked if I'd ever used drugs or done anything violent. In the end, I was let go with 40 hours of community service to the school district and a warning to not get caught "so much as pinging" the district machines.
When my computer was returned to me from evidence, an entire year later, I found that the detective had upgraded the CPU and put 16 megs of RAM into it. I guess I made an impact on him, as well.
Now, on the other hand, if you've got a script kiddie, and he's whining and bitching and making life hard for investigators, and basically has a "fuck you copper" attitude, then I say... Bust him, throw him in the lockup, and let him think about how much of an asshole he is for a few months. Let him out, and if he does it again, hit him with the full force of adult penalties. Breaking-and-entering, defacement of property, theft of property, the whole works. Fuck up his life and let him figure out why it happened.
I was given a wonderful second chance, and I haven't wasted it. I was just being a stupid kid. People who scoff at the opportunities that law enforcement is trying to give them deserve prison.