Appropriate Punishment For Crackers?

Cally writes "There's a Kevin Poulson article on SecurityFocus reporting that the US Sentencing Commission is seeking opinions about the appropriate punishment for convicted system crackers and other black-hat types. On one hand, it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti. Then again, perhaps these people are cyber-terrorists who should be illegally imprisoned, indefinitely, without a trial, charges, or legal representation? You choose."

OF course

[yatest5]

it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti

Cyber-crime is no different to ordinary crime. If the 15 year old 'cracker' writes his name all over a site (i.e. graffiti) he should get the same as a 15 year-old who scrawls all over his local shopping mall (i.e. fuck all or a safari or something).

If however he goes and steals 10000 credit card numbers and uses them to buy every back issue of playboy he should be locked up for a long time. With lubricant.

Lets think about this ...

[mustangdavis]

Murder ... life in prison or death (by state)

Grand theft auto ... 10 years

Assult and battery ... 5 years

Theft ... 3 years ( -1 year for good behavior)

Throwing eggs or spray painting a building ... 6 months - 2 years


Hacking a computer a defacing a web site ... 20 years?????


Does that make sence????

I don't want to encourage people to commit cyber crimes, but it seems as though our society's values are a little out of whack ... especially when the damage can easily be undone with last night's tape backup within an hour or two in most cases ....

Perhaps some of these coorporations that are so worried about this kind of stuff shold place a little more of the blame on themselves ... and take a little more responsibility for their Internet presence .... they spend tons of money on swipe cards, cameras, etc .... why should the think they are going to do less on the Internet???


BTW: I am pointing at the corps. because it is their lobbiests that are pushing for these rediculous sentences for cyber crimes ... everyone else pretty much says "SHIT! ... then stomps their feet for a few minutes, laughes when they discover how the hacker got in, then rebuilds their system or patches it, and then moves on with life ...


Just my $0.02 cents ...

Graffiti != Network Intrusion, Here's Why

[limekiller4]

Coming from a person who has both an interest in network security (me) and graffiti (again, me), I have to point out that graffiti and network intrusion don't really overlap and here is why:

When a person writes on a wall (or a "reach"), the owner of the shop might show up and go, "oh crap" and they might very well pay someone a few bucks to cover it up or perhaps do it themselves. The artists' intention is clear -- to throw up some paint and that's it. The paint isn't going to seep into the wall and ruin everything inside, however. It isn't going to pick up the cash register and run off. It isn't going to take every customer's credit information.

When someone breaks into a system -- regardless of their motivations -- the breakee does not know what the intruder has in mind. Maybe it is benign, maybe it isn't, but there is no room to "let it slide." It must be treated as a malicious attack and thus computers must be shut down, customers/students lose services, huge costs in time and effort can and will be expended to purge the system of the problem which often involves what might very well be overkill -- like reinstalling a system or a number of systems because you Don't Know and you can't afford to leave loose ends.

Graffiti and network intrusion would be analagous if and only if graffiti caused the same sort of response. It doesn't.

And in case you're curious as to why I'd be into graf, check out these sites.

Why not treat it like real life?

[jdreed1024]

Here's a novel idea - let the punishment be the same as in real life.

• If you deface a website, you get the same punishment as you would for spray-painting the front of an office building.
• If racial epithets or offensive slogans are involved, it becomes a hate crime.
• Delete some data or system files? The same as if you broke into an office and started smashing desks.
• Steal some data? The same as if you broke into an office and walked out with some file cabinets.

Having the punishment be the same as in the physical world will eliminate a lot of "Waah, it's not fair, look what they did to the poor 15 year old kid." It will take a lot of people to convince me that breaking into a computer and stealing personnel records is somehow less of a crime than different from breaking into a building and stealing the paper equivalents. By the same token, if a kid thinks it's not ok to spray-paint an office building, but it is ok to deface a website, well, then, that's a pretty stupid kid.

Of course, this is not a black and white issue. In the real world, spray painting a building can be done without breaking and entering. In the electronic world, that's usually not the case - the cracker must break into the system to deface the web page. (Unless, of course, the site has some sort of CGI-based web page update feature with no password set, but that's not too common I bet). Maybe we could make them do something useful, like 200 hours of community service. Or maybe we could have them write the following 1000 times: "L33t haxx0rs are actually dateless retards who, despite their bragging, don't actually drink beer or get pussy."

Short of the defacement of a website, everything else is analagous to real life. Whether you smash a window and steal a file cabinet, or use a root exploit and tar up some data, you're doing the same thing. And since you'll get the same punishment, you'll get (hopefully) thrown in jail for 2-3 years for breaking and entering. This means you'll have a big biker dude named Ripper for your roomate, and they find out that you did your "breaking and entering" not by using a baseball bat, but rather by sitting in front of a computer drinking Mountain Dew and eating day-old pizza, what they'll do to you will be much more punishment than what the government could ever do to you.

Re:graffiti?

[The+Evil+Couch]

People shouldn't expect strangers not to visit their webservers and try to explore them, especially if strangers are not told what they should and shouldn't have access to!

Right, so running a brute force/dictionary routine is just an everyday normal part of browsing. I totally forgot that the vast majority of users out there have a "Obtain root/admin functions" button on the top of their Internet Explorer toolbar.

No, a better analogy for the internet marketplace would be a street full of vendors. You can buy from them, or if you're a sneaky bastard, you can break open their cart and make off with their earnings, or cripple their ability to perform business. Just how much common sense does it take to know that opening their cart (going someplace the html did not direct you to) whether or not it had a padlock on it, is not what they intended to do.

should hacker and defacers get treated as terrorists? probably not. should they get slapped with criminal charges. of course.

Ah, honesty... versus federal sentencing

[MacAndrew]

Your sentiment is pleasantly honest and common to most people, though maybe not consciously or quite as extreme (for example, to be drawn and quartered after hanging is unnecessary :).

"The punishment should fit the crime." Equally important, someone neutral (not indifferent) should pick the punishment.

*

However, few are aware that the federal judge actually has extremely little discretion in sentencing. In a nonviolent crime against strangers such as destructive hacking, setting aside criminal history, the amount of the losses essentially determines the sentence. Said damages are notoriously difficult to estimate and easy to inflate, as in the cases of Kevin Mitnick or Robert Morris, who were clearly culpable, but for what? State courts remain more flexible, but with the growth of federal law and the wire fraud aspect of computer crime, more cases are swept into federal court where the sentences are typically heavier.

Current federal sentencing guidelines, dating from Reagan era reforms designed to crack down on crime by constraining "soft" judges, and created by the Sentencing Commission, are purposefully wooden and mathematical in their determination of sentences. You literally add and subtract points based on different factors, then consult a chart to find the mandatory sentencing range. (In some cases, I think a minority, defendants do benefit from protection from excessively harsh sentences.) In certain drug cases, mere grams of a substance such as crack can add years to your sentence

At sentencing, the judge is given a presentencing report recommending a sentence plus or minus, say, 5% of a given fine or imprisonment or probation, a range from which it is very difficult to depart without breaking the law. What effectively happens -- and I hope this was foreseen -- is that sentencing authority is passed to prosecutor, whose decisions as to which offenses to charge or to drop, and amenability to plea agreements, set the outcome. If you believe the sentence unfair, it is the prosecutor or Congress, author of the ill-conceived guidelines, that needs influencing. The Guidelines long ago survived constitutional challenege.

I can tell you firsthand that many federal judges don't like the Guidelines, but if they depart from the prescribed sentences they are reversed on appeal.