Slashdot Mirror


Appropriate Punishment For Crackers?

Cally writes "There's a Kevin Poulsen article on SecurityFocus reporting that the US Sentencing Commission is seeking opinions about the appropriate punishment for convicted system crackers and other black-hat types. On one hand, it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti. Then again, perhaps these people are cyber-terrorists who should be illegally imprisoned, indefinitely, without a trial, charges, or legal representation? You choose."

25 of 633 comments

  1. OF course by yatest5 · · Score: 5, Interesting
    it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti


    Cyber-crime is no different to ordinary crime. If the 15 year old 'cracker' writes his name all over a site (i.e. graffiti) he should get the same as a 15 year-old who scrawls all over his local shopping mall (i.e. fuck all or a safari or something).


    If however he goes and steals 10000 credit card numbers and uses them to buy every back issue of playboy he should be locked up for a long time. With lubricant.

    --
    • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
    1. Re:OF course by sql*kitten · · Score: 3, Interesting

      Cyber-crime is no different to ordinary crime. If the 15 year old 'cracker' writes his name all over a site (i.e. graffiti) he should get the same as a 15 year-old who scrawls all over his local shopping mall (i.e. fuck all or a safari or something).

      The term "cyber crime" is like "gun crime" - it completely misses the point. If a man wears a mask to rob a bank, we don't call it "mask crime". If he makes a getaway by motorcycle, we don't call it "motorcycle crime". If he uses a gun, we do call it "gun crime" for some reason, but that's just silly: it's still a bank robbery, whatever you call it. The mask, the bike and the gun are just tools.

      IMHO, it's not like graffiti - it's more like phoning in a bomb scare to a warehouse, in that there's no actual physical damage done, yet the business is unable to function until the issue is resolved (the analogy goes further, searching the building for a bomb is like auditing your network). And it should be treated as such by the courts.

  2. Re:graffiti? by Anonymous Coward · · Score: 2, Interesting

    What if you leave the regular shopping part intact and just add "shout outz" at the top?

  3. Let's think about this ... by mustangdavis · · Score: 5, Interesting

    Murder ... life in prison or death (by state)

    Grand theft auto ... 10 years

    Assault and battery ... 5 years

    Theft ... 3 years ( -1 year for good behavior)

    Throwing eggs or spray painting a building ... 6 months - 2 years


    Hacking a computer and defacing a web site ... 20 years?????


    Does that make sense????

    I don't want to encourage people to commit cyber crimes, but it seems as though our society's values are a little out of whack ... especially when the damage can easily be undone with last night's tape backup within an hour or two in most cases ....

    Perhaps some of these corporations that are so worried about this kind of stuff should place a little more of the blame on themselves ... and take a little more responsibility for their Internet presence .... they spend tons of money on swipe cards, cameras, etc .... why should they think they are going to do less on the Internet???


    BTW: I am pointing at the corps. because it is their lobbyists that are pushing for these ridiculous sentences for cyber crimes ... everyone else pretty much says "SHIT!" ... then stomps their feet for a few minutes, laughs when they discover how the hacker got in, then rebuilds their system or patches it, and then moves on with life ...


    Just my $0.02 cents ...

  4. the prejudice ain't the same... by mirko · · Score: 2, Interesting

    Cyber-crime is no different to ordinary crime. If the 15 year old 'cracker' writes his name all over a site (i.e. graffiti) he should get the same as a 15 year-old who scrawls all over his local shopping mall (i.e. fuck all or a safari or something).

    Hey, cleaning up a mall is expensive, cleaning up a web site should not take more than the time to restore a daily backup...

    If you don't have one, then it's high time you started.

    --
    Trolling using another account since 2005.
  5. Graffiti != Network Intrusion, Here's Why by limekiller4 · · Score: 5, Interesting

    Coming from a person who has both an interest in network security (me) and graffiti (again, me), I have to point out that graffiti and network intrusion don't really overlap and here is why:

    When a person writes on a wall (or a "reach"), the owner of the shop might show up and go, "oh crap" and they might very well pay someone a few bucks to cover it up or perhaps do it themselves. The artists' intention is clear -- to throw up some paint and that's it. The paint isn't going to seep into the wall and ruin everything inside, however. It isn't going to pick up the cash register and run off. It isn't going to take every customer's credit information.

    When someone breaks into a system -- regardless of their motivations -- the breakee does not know what the intruder has in mind. Maybe it is benign, maybe it isn't, but there is no room to "let it slide." It must be treated as a malicious attack and thus computers must be shut down, customers/students lose services, huge costs in time and effort can and will be expended to purge the system of the problem which often involves what might very well be overkill -- like reinstalling a system or a number of systems because you Don't Know and you can't afford to leave loose ends.

    Graffiti and network intrusion would be analogous if and only if graffiti caused the same sort of response. It doesn't.

    And in case you're curious as to why I'd be into graf, check out these sites.

    --
    My .02,
    Limekiller
  6. Re:graffiti? by stinky+wizzleteats · · Score: 1, Interesting

    If you spraypaint the outside of wal-mart, people can still go in and shop. If you hack walmart.com and replace it with "shout outz" then wal-mart will probably lose hundreds of sales per hour to their competitors.

    Ah, I get it. So, if I put a front wall on my shop that is so flimsy that graffiti brings about its collapse, I can hold the punks responsible for the poor construction.

  7. Why not treat it like real life? by jdreed1024 · · Score: 5, Interesting
    Here's a novel idea - let the punishment be the same as in real life.
    • If you deface a website, you get the same punishment as you would for spray-painting the front of an office building.
    • If racial epithets or offensive slogans are involved, it becomes a hate crime.
    • Delete some data or system files? The same as if you broke into an office and started smashing desks.
    • Steal some data? The same as if you broke into an office and walked out with some file cabinets.

    Having the punishment be the same as in the physical world will eliminate a lot of "Waah, it's not fair, look what they did to the poor 15 year old kid." It will take a lot of people to convince me that breaking into a computer and stealing personnel records is somehow less of a crime than, or different from, breaking into a building and stealing the paper equivalents. By the same token, if a kid thinks it's not ok to spray-paint an office building, but it is ok to deface a website, well, then, that's a pretty stupid kid.

    Of course, this is not a black and white issue. In the real world, spray painting a building can be done without breaking and entering. In the electronic world, that's usually not the case - the cracker must break into the system to deface the web page. (Unless, of course, the site has some sort of CGI-based web page update feature with no password set, but that's not too common I bet). Maybe we could make them do something useful, like 200 hours of community service. Or maybe we could have them write the following 1000 times: "L33t haxx0rs are actually dateless retards who, despite their bragging, don't actually drink beer or get pussy."

    Short of the defacement of a website, everything else is analogous to real life. Whether you smash a window and steal a file cabinet, or use a root exploit and tar up some data, you're doing the same thing. And since you'll get the same punishment, you'll get (hopefully) thrown in jail for 2-3 years for breaking and entering. This means you'll have a big biker dude named Ripper for your roommate, and when they find out that you did your "breaking and entering" not by using a baseball bat, but rather by sitting in front of a computer drinking Mountain Dew and eating day-old pizza, what they'll do to you will be much more punishment than what the government could ever do to you.

    --
    There is no sig, there is only Zuul.
  8. Script Kiddies by LiquidAsphalt · · Score: 4, Interesting
    Wasn't that kid from vietnam or something that made some malicious code that exploited Outlook? I heard the US busted in there and took him and prosecuted him, I am imagining for a very long time.

    The thing is with the widespread of software and the internet and technology in general always brings in a high punishment. I think it comes down to you doing what's right. Now I am guessing if most of you see a car with the keys in the ignition you aren't going to hop in and steal it, but if you saw a website with a big vulnerability more of you may be inclined to take advantage of the situation. I think the point that doesn't come home to a lot of people is computers are a part of everyone's lives now, and if we don't respect them, we will be punished.

    But in general, technologists have always been risky with the law. If I created a nuclear device for the sake of doing it, even though I have good intentions and no feelings of using it, I would probably be jailed for a LONG time.

  9. Is this slashdot or slate? by Anonymous Coward · · Score: 1, Interesting

    "cyber-terrorists who should be illegally imprisoned, indefinitely, without a trial, charges, or legal representation? You choose."

    Why has this site become a quasi-political action group that doesn't have anything to do with technology? (considering those at guantanamo are NOT cyber-terrorists, they are the REAL kind). The above statement sends a clear political message about the author's leanings. That is the last thing I need on a tech site, not that I necessarily disagree with his point of view...but isn't this a tech site?

  10. Re:Talk about flame-bait lead-ins by lessthan0 · · Score: 3, Interesting

    Damn Right!

    The links to 911 detainees have NOTHING to do with hacker cases. Why is Hemos looking for an opportunity to lash out at the U.S. government?

    If you are pissed about anti-terrorism, then post an opinion piece or at least make it a separate post. You harm your case by trying to link it to something related to hacking and computers.

    What kind of muddled thinking leads to this kind of front page post?

    My opinion of Hemos and /. just went way, way down.

  11. A problem of proportion by het3 · · Score: 2, Interesting

    The *real* problem of the little guy having a global reach is that very quickly, it's possible to create costs to others that *far* outstrip a single person's ability to compensate everyone involved (given reasonable, non-Gatesian amounts of personal wealth). The Radicati Group estimates that "malicious code" will cost more than $54 billion in economic damage by 2006: this is not inconsequential activity.

    Of course, graffiti isn't, either. The US costs are around $15 billion a year, which doesn't count things like lowered property values for folks in graffiti-filled neighborhoods. Both forms of expression are anti-democratic and exploitive, much as those of pseudo-anarchist bent would like to think otherwise.

  12. IT is part of the Real World. by Doctor+Hu · · Score: 3, Interesting
    I would guess there's already a fairly substantial body of law and precedent that can be used as a basis to deal with the activities of 'crackers': as a general rule of thumb, don't invent whole new categories of offense if you can adapt existing ones to a new setting. IOW:
    1. What did the crackers do - action and effects?
      Bring charges appropriately. Note that you might need to legislate to clarify the scale of the offense in the new setting. As others have already pointed out, defacing a web site in a way that stops it being usable is not just graffiti, it's (probably) nearer breaking and entering followed by deliberate (albeit relatively easily repaired) vandalism.
    2. Were the effects of the crackers' activities intentional, or could they be reasonably anticipated, or were they accidental side-effects?
      This can affect charges and sentencing.
    3. Did carelessness and negligence on the side of those responsible for the things the crackers 'broke' or 'broke into' facilitate the crackers' activities?
      If yes, charge those people, too.
  13. Offer/Demand and power of example by Anonymous Coward · · Score: 1, Interesting

    I know some of the laws are unbalanced, but let's look it from a different side. You don't punish someone only for the fun of punishing. The background of punishing someone is:

    1. To isolate the person so he cannot do any more harm (if there is suspicion that the person could do). Most times this thing is not really quantifiable and definitely cannot be generalized, so it is the least probable factor in deciding the punishment.

    2. Give them a punishment harsh enough that they will remember for all their life. This way you'll make sure the chances of him breaking the law (even if under strong temptation pressure) are pretty low (in acceptable statistical values).

    3. Give an example for the other ones which might be inclined to break the law in a similar way. And this example must be harsh enough so even if he is not dealing with the punishment himself, he will still be able to imagine it as harsh enough not to be worth even trying to break the law (unless he is some sort of a nutcase or adrenaline addictive).

    4. Also it must also not be too harsh as to break human rights or be incarcerated with criminals which could lessen the chances of rehabilitating the individual.

    The 2 and 3 are the decisive factors in deciding a punishment for a crime. You want to make sure the crime is not committed anymore by anyone and not really that you have a very nice balance of punishments.

    For example, in a country where there was no homicide committed (or in very low numbers), you might find that laws which specify the punishment for such a case are missing altogether or have such small punishment that it would make anyone laugh.

    For me it looks like it is similar to the Offer/Demand thing from economy. The more crimes you have to deal with, the higher penalty needed to make the numbers go down.

    And let's face it. In IT crimes (hacking and the kind) each one hacker feels pretty safe behind his keyboard and anonymous. Therefore the number of people hacking something in one way or the other is almost higher than stealing. Only harsher laws will have any chance of making this thing slow down in pace.

  14. Re:graffiti? by TTMuskrat · · Score: 2, Interesting

    Just leaving your "mark" still shows that site itself isn't secure and most, if not all, potential customers wouldn't want to give their credit card information to a site that isn't secure.

    I remember the first Christmas that had mass online shopping available - they asked people at malls and other brick and mortar stores why they wouldn't shop online and the number one reason was the fear of their Credit Card numbers or bank information getting stolen.

    --
    Support bacteria! It's the only culture most people seem to get.
  15. Re:Cracking in self defense? by lynx_user_abroad · · Score: 3, Interesting
    If someone (attempts to) breaks into your home (in the USA), you are allowed to shoot that person in self defense.

    If they're only breaking into your home, then you do not have the right to "shoot in self defense". Your home would need to have the right to shoot in self defense (which we don't recognise for inanimate objects), and it would have to fire the shot itself (which is, I suppose, at least possible). Neither of these really make much sense.

    If they are breaking into your home and you fear for your life then you have the right to kill in self defense. Thus, it depends on what you were feeling, or perhaps on what you claim you were feeling, or by extension, what you can convince the jury you were feeling. Thus, in a way, it could be said that while you may or may not have the right to shoot an intruder, the U.S. Second Amendment (right to bear arms) guarantees you have the power to shoot an intruder. And while the former is what matters to the Courts, the latter is what's likely to keep me out of your house, because even if you don't have the right to shoot me, I'll be just as dead.

    (Contrast this with the DMCA, where the law guarantees you the right to fair use, but denies you the power to exercise your right.)

    It does pose an interesting question, though. Our roadside mailbox has recently become a favorite target for vandalism of the "mailbox baseball" variety. (drive by, hit the box with a baseball bat, drive off...) I wonder what my liability would be for replacing my aluminum mailbox with one specially constructed from cast iron and concrete. Would I be liable for the broken bones of someone attempting to commit vandalism on my property and failing to understand the...um...consequences of their actions?

    --

    The thing about things we don't know is we often don't know we don't know them.

  16. Re:graffiti? by The+Evil+Couch · · Score: 5, Interesting

    People shouldn't expect strangers not to visit their webservers and try to explore them, especially if strangers are not told what they should and shouldn't have access to!

    Right, so running a brute force/dictionary routine is just an everyday normal part of browsing. I totally forgot that the vast majority of users out there have a "Obtain root/admin functions" button on the top of their Internet Explorer toolbar.

    No, a better analogy for the internet marketplace would be a street full of vendors. You can buy from them, or if you're a sneaky bastard, you can break open their cart and make off with their earnings, or cripple their ability to perform business. Just how much common sense does it take to know that opening their cart (going someplace the html did not direct you to) whether or not it had a padlock on it, is not what they intended to do.

    Should hackers and defacers get treated as terrorists? Probably not. Should they get slapped with criminal charges? Of course.

  17. Work Program? by SenatorTreason · · Score: 2, Interesting

    What about setting up a work program? After you are proven guilty and a short punishment (short jail, heavy fine, some sort of very strict probation, house arrest, etc) you enter into a "half-way" house with a mentor sysadmin who can put your cracking skills to good use, but also keep an eye on what you are doing. That way, you can crack legally (get your thrills) and positively affect society. Of course, this wouldn't work for every script kiddie, but for the few crackers that actually have and display true talent, it wouldn't be wasted in some jail cell. Do Poulsen and Mitnick do internships, or take volunteers? Maybe they should. They are heroes to a lot of people.

  18. Re:Depends on the state by mesocyclone · · Score: 3, Interesting

    Several states, including Texas, Oklahoma and Louisiana, have controversial laws that allow persons to use deadly force to protect property against unwanted intruders

    Don't leave out Arizona! We have such laws. It is legal to shoot someone committing first degree burglary (burglary of an occupied residence) and first degree arson (arson of an occupied structure). There isn't anything controversial about it... here. About once every three months I read an article about some septuagenarian widow who blows away a punk who came into her house.
    BTW... it is also legal to carry a concealed weapon on your property or place of business, without a permit.

    The reason for these laws is to remove from the homeowner the (very dangerous) requirement to determine if the intruder is a physical danger. The very act of intrusion into an occupied structure is construed as life threatening.

    As a result of these laws, burglary of unoccupied residences is pretty rare. Most Arizonans don't need to fear intruders in their homes (except in some neighborhoods where massive armed invasions occasionally happen - usually with drug transactions involved).

    --

    The only good weather is bad weather.

  19. "Deterrent Value" is counter-productive. by Minna+Kirai · · Score: 3, Interesting

    Like many people, I don't want to see new laws created to cover every time someone uses a computer for some $CRIMINAL_ACTIVITY which was already illegal by itself.

    However, there's a real limit to how far analogies can take you. We can't just say "it's like vandalism / theft / graffiti / spying / workplace disruption / copyright infringement" and expect applying the equivalent punishments to produce the best results for our society. There are ways that internet-based activities are completely unlike anything that's come before.

    Let's focus on just one of the most important differences between "cyber-crimes" and the old-fashioned physical variety: it's now possible (and easy) for the victim and perpetrator to be in different jurisdictions when the offense is committed.

    During the early popularization of the internet, most users were in the US (or its servant-states like the UK), so often enough the vic & perp were under the same set of laws. The FBI was able to haul in domestic hackers like Cpt. Crunch, Bob Morris, Mitnick, and later Mafiaboy. (I think Jaegar was a notable exception)

    But is arresting those guys really the best way to protect the US economy? The US government is using guns and handcuffs to protect US businesses' computers from tampering- can we expect that defense to remain viable in the future?

    Physical force is not a lasting solution to an electronic threat

    (It's like "security through obscurity"- it will work at first, and is easy to implement. But someday the enemies become experienced enough to circumvent that defense, and by then you need real protection)

    Threat of arrest only works on perpetrators inside your jurisdiction. "Cyber-Crimes" can be performed by anyone with a PPP stack- which is everyplace with reliable electricity. The US has a powerful law-enforcement/military presence, and with extradition treaties can bump up their effective jurisdiction to cover a majority of the earth's landmass. (Although with reduced precision in the less-friendly or less-developed nations, or where local cops are too busy with violent crimes to go hunting down script-kiddies)

    What about nations that are downright non-friendly?
    If a Canadian teen can inflict billions of dollars of economic damage in 3 days (and only be caught after public bragging), what about government-sponsored agents in "The Axis of Evil"? Suppose China takes offense at "US imperialists", and assigned 200 CS PhDs to build innovative DOS strategies for e-commerce sites?

    Unless we can rely on forming a durable "Pax Americana", with a single organization enforcing a uniform law code across the entire planet, there will always be places for hackers to hide beyond your reach. (The Bush administration wants to create such an empire, but they will fail.)

    I would argue that so-called "cyber-terrorism" hasn't happened yet, and will never be a major concern (the small number of computer-operated systems capable of producing enough violent damage to evoke "terror" will be heavily protected, with much redundancy and human oversight).

    But "cyber-economic-warfare" is a real risk in the next 20 years, and so far the US government has been allocating serious funds to make the problem worse when it starts to hit.

    All of the FBI efforts to strongarm and incarcerate computer pranksters are just reducing our resistance to the eventual onslaught. The government subsidizes insecure software by arresting people who break it, relieving the developers from fixing their own products. Microsoft might not publish such dangerously insecure systems if they faced the traditional punishments that the free market unleashes on inferior products.

    Let's privatize computer security! Save tax dollars, and increase effectiveness at the same time. We could reduce the penalty for "hacking" type crimes (or DOS) to the magnitude of a traffic ticket. (Teens cannot commit them with impunity, but companies can't rely on arresting offenders as their sole defense).

    (Naturally, using "hacking" to perform any real crime- unauthorized fund transfer for instance, or copyright infringement- should be punishable just like that crime by itself)

  20. Re:graffiti? by Cally · · Score: 3, Interesting
    Hello, story submitter here.
    Disclaimer: as it happens, I'm an info-sec professional myself - as a matter of fact, I'm a pen-tester :)


    Firstly, apologies for the needlessly trollish Guantanamo refs... I was so sure it wouldn't get posted anyway, and I was casting around for the other end of the spectrum from the punishment for graffiti, and the Amnesty report was just in the news over here in the UK, so...

    That said, I find it quite depressing the number of people saying "These people are evil!! We must execute them all!!" Yes, having a site cracked costs a lot of money, as does preventing it from happening in the first place. Yes, you'll have to pull the box, reformat the disks and restore from backups, and check out anything else the cracker might have wormed his way into at the same time (you HAVE got those MD5 checksums burned to CD, right?) And this is a serious PITA, especially if you, the admin, have been trying to get management attention for the fact that your site is an accident waiting to happen. And now you get to work all night/weekend, because some PHB couldn't see the point of putting resources into proactive security measures.

    There are several reasons why I do NOT think this justifies locking the kid up and throwing away the key. Firstly, YES, if you run a major site on a shoestring, don't bother patching your server, running an IDS and firewall, or even scanning yourself with Nessus or nmap, then YOU WILL BE OWNED. You might say that you don't deserve it. Well you don't deserve to be mugged if you go touring crackhouses with a $2000 camcorder and laptop, but what the fsck do you EXPECT to happen? Secondly, assuming the attackers are the proverbial greenhaired 15 yo's from Buttfuck, Nebraska, a disproportionate sentence is destroying someone's life for a foolish mistake. Anyone male here who didn't do something bloody stupid at some point during their childhood or adolescence? Hell I went through a brief stage of shoplifting. Got caught, had my arse paddled and a serious bollocking, didn't do it again. Testing boundaries and trying alternative identities out is part of growing up. Thirdly, you're destroying the potential for good in later life. The fact is that many of the leading lights of the security scene wouldn't be around if they'd been caught & gaoled for ten years in earlier life. I'm not mentioning names, but they know who they are ;) All you're doing is getting "revenge" - which is no kind of justice - by destroying the life of someone who was probably too young to know any better. No doubt many people reading this are thinking, "Ah, but I didn't go out and 0wn cnn.com!" No, but I bet you swapped games at school, or taped CDs from friends, huh? Right, but I'm sure you can see that the IP mafia want to make sharing == piracy == cracking == terrorism... and that in a few years time, you're going to have kids of your own. Want to bet they'll do something out of order at some point whilst growing up? Whaddya going to do, chain them up in the cellar?

    The final reason not to throw the 15 yo's in gaol is that it'll achieve sweet F.A. No matter how many American kids get slung in gaol, the scans and DoSes and script kiddies will keep on coming and you know what? that's a GOOD thing. It keeps sites secure, it keeps people pushing software to be more secure, and that all makes it harder for the real villains - the ID thieves, the industrial espionage and extortion types and so on. Oh yeah, and it pays my rent ;)

    Of course, I'm specifically talking about under-age malcontents here. If you're, say, 25, and know what the consequences of your actions are, the difference between right and wrong, etc, and you sneak into a creditcard database for the purpose of id theft or extortion from the company, then hell yes, you're going to do some time and quite right too. And you'll never get work as a sysadmin again. Hmmmm, perhaps there's some cultural relativism at work here... in the UK, if you (genuinely) can't distinguish right and wrong, you're a sociopath, and you belong in a secure hospital. If you're underage, though, you're given the benefit of the doubt. Eg there was a cause celebre perhaps 6 or 8 years ago where two boys, aged 13 or 14, bullied a 4 year old kid, threw rocks at him and eventually murdered him. They're eligible for release soon - quite right in my view.

    Oh yeah, and the US are rapidly burning through the goodwill we hold towards you, in Europe at least - the illegal incarceration at Guantanamo, the Bush/Cheney/Ashcroft junta's blatant wars of aggression against people who look at you funny, the willful destruction of human rights in your own country... the good news is that, I think and hope, most of us in Europe can distinguish between the actions of your corporations, government and corrupted legal system, and individual people who just happen to be citizens of the country. (If Bush gets re-elected, though... this might change :( )

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  21. Re:graffiti? by KDan · · Score: 2, Interesting

    Yeah, and when you look at your server and you see someone's added "shout outz" at the top you're really likely to just leave it at that, right? And if they don't disable your website but just kill your bandwidth attempting to DoS other sites?

    Skiddies are a really big nuisance simply because of the time everyone has to spend either defending against them or cleaning up after them. Case in point, recently one of our servers got hacked into and the skiddie installed some stupid script called "evilbot.exe" and left it running in the task manager. Now that server doesn't hold any sensitive information (apart from, maybe the emails of our members...). However, the skiddie used our nice 10mbit connection to go and DoS ppl. We noticed the server was cracked because we had connectivity problems when he sent out those packets at max bw, and he vnc'ed in through the same display as us so we knew when he was in and when he wasn't. We still haven't figured out how he got in exactly (though it was likely due to some undocumented vulnerability in IIS. The server is fully patched up but IIS was not meant to be running on this db server...).
    This "cracker" was obviously an idiot. He made no attempt whatsoever at hiding his trail, and we detected that the machine had been compromised, and fixed it, within about 60 hours of him getting in. Now during most of that time, our database was up and down like a yoyo while we figured out what was happening, and as the server is hosted remotely in a data centre we couldn't just yank it offline, clean it up and put it back online, we had to do everything through VNC (how I hate windows...). The result is that during this day and a half we were losing money every time the database was down and we wasted a lot of time dealing with this when we have plenty other stuff on our plates.

    Should this kid be prosecuted and put in prison? No, probably not. Should he be fined some fee commensurable to the loss of business we incurred through his actions? YES. Sure, there should be a limit to the amount, so that we don't indebt him for the rest of his life, but I'm sure there'd be a lot less script kiddies about if every time they cracked into a server they (or their parents) got fined a few thousand dollars. There's a very good rationale behind that: they're breaking into our property, they're unauthorized and they cause us to waste time and money. I can't see any way you can argue that this should be legal, and if it's illegal, why shouldn't infractions be punished commensurably?

    Daniel

    --
    Carpe Diem
  22. Ah, honesty... versus federal sentencing by MacAndrew · · Score: 5, Interesting

    Your sentiment is pleasantly honest and common to most people, though maybe not consciously or quite as extreme (for example, to be drawn and quartered after hanging is unnecessary :).

    "The punishment should fit the crime." Equally important, someone neutral (not indifferent) should pick the punishment.

    *

    However, few are aware that the federal judge actually has extremely little discretion in sentencing. In a nonviolent crime against strangers such as destructive hacking, setting aside criminal history, the amount of the losses essentially determines the sentence. Said damages are notoriously difficult to estimate and easy to inflate, as in the cases of Kevin Mitnick or Robert Morris, who were clearly culpable, but for what? State courts remain more flexible, but with the growth of federal law and the wire fraud aspect of computer crime, more cases are swept into federal court where the sentences are typically heavier.

    Current federal sentencing guidelines, dating from Reagan-era reforms designed to crack down on crime by constraining "soft" judges, and created by the Sentencing Commission, are purposefully wooden and mathematical in their determination of sentences. You literally add and subtract points based on different factors, then consult a chart to find the mandatory sentencing range. (In some cases, I think a minority, defendants do benefit from protection from excessively harsh sentences.) In certain drug cases, mere grams of a substance such as crack can add years to your sentence.

    At sentencing, the judge is given a presentencing report recommending a sentence plus or minus, say, 5% of a given fine or imprisonment or probation, a range from which it is very difficult to depart without breaking the law. What effectively happens -- and I hope this was foreseen -- is that sentencing authority is passed to the prosecutor, whose decisions as to which offenses to charge or to drop, and amenability to plea agreements, set the outcome. If you believe the sentence unfair, it is the prosecutor or Congress, author of the ill-conceived guidelines, that needs influencing. The Guidelines long ago survived constitutional challenge.

    I can tell you firsthand that many federal judges don't like the Guidelines, but if they depart from the prescribed sentences they are reversed on appeal.

    1. Re:Ah, honesty... versus federal sentencing by Cyberdyne · · Score: 3, Interesting
      Your sentiment is pleasantly honest and common to most people, though maybe not consciously or quite as extreme (for example, to be drawn and quartered after hanging is unnecessary :).

      No - in this punishment, the hanging is not the same as in execution by hanging. A proper explanation from here:

      The victim is first hung by the neck but taken from the scaffold while still alive. The entrails and genitals are then removed and the torso hacked into four quarters.

      Lovely stuff... I think I'd reserve that one for spammers, personally ;-)

  23. Re:Depends... by composer777 · · Score: 4, Interesting

    A troll if I ever saw one.

    1. There is no evidence linking Hussein to Al Qaeda or Bin Laden. Hussein and Bin Laden are bitter enemies, they absolutely despise each other. That hasn't stopped Bush and gang from trying in vain to link Iraq to 9-11. However, any insinuation that is made, upon further scrutiny, falls apart, because that's all it is, is insinuation. Our government knows that Iraq had nothing to do with it.

    2. The country that did participate quite a bit in the funding of Al Qaeda is Saudi Arabia. So, why doesn't our government attack them? Because they are our allies of course. They give us all the oil we want.

    3. Our government put Hussein in power. Our government also looked the other way when Hussein "gassed his own people". Three words are missing, "with our support". Before 1991, 10 US corporations participated in the sale of arms to Iraq, even after he gassed his own people. That's part of why the dossier is kept out of the mainstream media.

    4. Our government talks about creating democracy in Iraq, and we are to understand that the first step towards democracy is having a military dictatorship, much in the same way that we are to understand that "right to trial" means rounding up hundreds of "suspected terrorists" into concentration camps where they will eventually be tried by a military tribunal.

    5. This war is about oil. That's all it is about. If we were out to have a "just war", there would be many other countries that have far worse human rights violations than Iraq.