Appropriate Punishment For Crackers?

Cally writes "There's a Kevin Poulson article on SecurityFocus reporting that the US Sentencing Commission is seeking opinions about the appropriate punishment for convicted system crackers and other black-hat types. On one hand, it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti. Then again, perhaps these people are cyber-terrorists who should be illegally imprisoned, indefinitely, without a trial, charges, or legal representation? You choose."

Depends...

If I'm the accused, I want a nice short probation...if someone cracking my website, then I want 'em hung, drawn and quartered...

Re:Depends...

[Cinnibar+CP]

They can pack up your AV gear and walk out, but you can't shoot them.

But you CAN smash them in the kneecap with a crowbar. I find it's an adequate, non-lethal deterrent in my homestead.

Trust me, they won't be doing much walking afterwards.

Re:Depends...

[composer777]

Actually, we are a Democracy, only in reverse. Take the war on Iraq, for example. In a real Democracy, the people of the US give a mandate to it's government to go to war with Iraq, sign petitions, start grass roots movements, and the politicians listen to the people and go to war with Iraq.

In the US version of democracy, the US government gives a mandate to the American people that they are going to war with Iraq. Over shouts of protest, the media begins the assault on the public mind to convince people that this is what they want to do and that the country of Iraq is of primary importance in their lives. After informing the American people, as well as Saddam Hussein, that he has weapons of mass destruction, a furious effort is made to find a pretext for invasion. Eventually, after months of campaigning, petitions start to circulate around the internet, so that the people of America can ratify the decision of their betters. So, it's a grass roots campaign, in reverse, of course.

The government gives it's mandate to the American people, and the American people automatically start discussing this issue. Granted, before the president gave his mandate, nobody was really concerned about Iraq, outside of a few oil companies, but that doesn't matter, and doesn't raise any doubts in our un-biased media about the president's honesty, despite the fact that several of his advisors are ex oil company executives.

The same thing happened with the War on Drugs that was increased by Bush I in 1989. Before the media campaign, the concern about drugs was only 4% in the gallup polls, and people were more concerned about the economy. Then Bush I gave a mandate to the American people, and immediately the "free" media started pumping out dramas about families being torn apart by drugs, despite the statiscally declining drug use in America. So, in spite of the fact that I nor anyone that I knew was on drugs, it was an important issue in my life because George Bush told me so. Another mandate by the government, and another assault on our freedoms. Yeh Bush!!

Re:Depends...

[bryanthompson]

Actually, we're a Republic.
True, in a real democracy every person would have a say in every decision made by the government, but this only works in classrooms. Even in classrooms it doesn't work well, so we elect leaders who make decisions. If you don't like the decisions, either become an elected leader and change it, or just vote for someone else the next time around.

Re:Depends...

[composer777]

A troll if I ever saw one.

1. There is no evidence linking Hussein to Al Queada or Bin Laden. Hussein and Bin Laden are bitter enemies, they absolutely despise each other. That hasn't stopped Bush and gang from trying in vain to link Iraq to 9-11. However, any insinuation that is made, upon further scrutiny falls apart, because that's all it is, is insinuation. Our government knows that Iraq had nothing to do with it.

2. The country that did participate quite a bit in the funding of Al Queada is Saudi Arabia. So, why doesn't our government attack them? Because they are our allies of course. They give us all the oil we want.

3. Our government put Hussein in power. Our government also looked the other way when Hussein "gassed his own people". Three words are missing, "with our support". Before 1991, 10 US corporations participated in the sale of arms to Iraq, even after he gassed his own people. That's part of why the dossier is kept out of the mainstream media.

4. Our government talks about creating democracy in Iraq, and we are to understand that the first step towards democracy is having a military dictatorship, much in the same way that we are to understand that "right to trial" means rounding up hundreds of "suspected terrorists" into concentration camps where they will eventually be tried by a military tribunal.

5. This war is about oil. That's all it is about. If we were out to have a "just war", there would be many other countries that have far worse human rights violations than Iraq.

graffiti?

[Lord+Ender]

Hacking a website is much more than graffiti. If you spraypaint the outside of wal-mart, people can still go in and shop. If you hack walmart.com and replace it with "shout outz" then wal-mart will probably lose hundreds of sales per hour to their competitors. That is very real money to these businesses. Hacking (cracking is breaking copy-protection) a website should not have the same punishment as violent crime, but it is definitely a more severe crime than graffiti, and deserves a much harsher punishment.

Re:graffiti?

[adamofgreyskull]

Of course most kids wouldn't break into the store and graffiti the inside of the doors, which is more to the point if you're going to make that comparison...

Re:graffiti?

[nmg]

Then they would still lose a large percentage of customers. Would you buy from walmart.com if it had a "shout outz" at the top? Who knows what else the modified?

Re:graffiti?

No, moron, you hold the punks responsible for causing it to collapse.

Yeah, yeah, I know, breaking and entering vandals want to be free. It is the web site's fault for being able to be cracked. It is my fault for having my apartment robbed because I had glass windows that were broken when I clearly should have had the windows bricked up in the first place. If that woman didn't want to be raped she should have been better equiped to defend herself---hey, if she wasn't carrying pepper spray, then she was just asking for it, don't blame the poor punks that did it.

Oh, silly me, I forgot: computers are fundamentally different somehow, because the hypocrites that make those kind of arguments also use computers, so somehow these kind of things should be treated differently.

Re:graffiti?

[sedmonds]

This is the same moronic argument rapists used to use in court. 'She was dressed provacatively.' 'She didn't fight back, she must have wanted it.'

It didn't wash for them, it shouldn't wash for punks that feel compelled to commit computer crimes.

Re:graffiti?

[EvlOvrLrd]

The wall has nothing to do with it. Nor does the graffiti.

If someone circumvents your wall to get inside to do anything (regardless of the activity) it is breaking and entering. If someone does not have a legal means (hold the keys or expressed permission to 'jump the fence') then they have no right being there. Regardless of 'how high' and 'how wide' the wall may or may not be.

If you were to erect a wall and someone uses a bulldozer or stick of dynamite to circumvent the structure, then they have in fact damaged your property. No matter how strong (or week)your wall was.

The fact of the matter is that, the digital domain is being viewed upon as property. That is protected by the laws that protect real property.

Hmmmmm, I wonder if I catch a hacker on my site/server, that I cannot effectively 'kill' him (say by disabling his computer OS from loading again. Even if only for a short while.) just as I could if I caught him in my house, after he climbed through a window in the middle of the night....

Re:graffiti?

[GauteL]

This seems like the standard response of people trying to justify cracking.

The correct smart-ass statement would be:
"Ah, I get it. So if someone puts up a lock that can be broken by using a simple credit card, I can prosecute the punks for breaking and entering?"

Of course you can. Just because something is easy to break into does not justify breaking in.

If you break into a computer system, that system HAS to be taken down. It has to be ritually cleansed so that you are sure there are no backdoors inserted somewhere, and that the data is actually correct, which often involves restoring from backups. It might be the administrators fault that you actually succeeded in breaking in, it is NOT his fault that all this cleanup has to be done on a successful breakin.

If you break into a bank to take a leak, it is still a crime. The bank has to go over all of their routines, and they have to make sure all you did was take a leak. They surely cannot just take your word for it.

The bank should have improved their security, but what you did is still a crime.

Re:graffiti?

[The+Evil+Couch]

People shouldn't expect strangers not to visit their webservers and try to explore them, especially if strangers are not told what they should and shouldn't have access to!

Right, so running a brute force/dictionary routine is just an everyday normal part of browsing. I totally forgot that the vast majority of users out there have a "Obtain root/admin functions" button on the top of their Internet Explorer toolbar.

No, a better analogy for the internet marketplace would be a street full of vendors. You can buy from them, or if you're a sneaky bastard, you can break open their cart and make off with their earnings, or cripple their ability to perform business. Just how much common sense does it take to know that opening their cart (going someplace the html did not direct you to) whether or not it had a padlock on it, is not what they intended to do.

should hacker and defacers get treated as terrorists? probably not. should they get slapped with criminal charges. of course.

Cracking in self defense?

[Jeppe+Salvesen]

I wanna know something. If someone (attempts to) breaks into your home (in the USA), you are allowed to shoot that person in self defense. Are you likewise allowed to take out anyone attacking your network?

OF course

[yatest5]

it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti

Cyber-crime is no different to ordinary crime. If the 15 year old 'cracker' writes his name all over a site (i.e. graffiti) he should get the same as a 15 year-old who scrawls all over his local shopping mall (i.e. fuck all or a safari or something).

If however he goes and steals 10000 credit card numbers and uses them to buy every back issue of playboy he should be locked up for a long time. With lubricant.

Re:OF course

[tacocat]

He's old enough to know better.

He should be held responsible for the real consequences of his actions.

Anything less simply permits the activities to go further. The amount of work involved in recovering from a Cracker is far more extensive than physical graffiti.

Talk about flame-bait lead-ins

[MyNameIsFred]

The article summary is obvious flame-bait. While there is room for legitimate discussion of U.S. actions in Guantánamo, it has ABSOLUTELY nothing to do with appropriate prison sentences for black-hatters.

How about referencing recent hacker cases, and the sentences that were imposed. How about some information on the ages of the black-hatters. No, that would be relevant to the discussion...

Re:Talk about flame-bait lead-ins

[kevin+lyda]

there is no room for legitimate discussion about those cases. they are bad men. the bush administration has identified them as evildoers. questioning their imprisonment is not ony wrong it is unpatriotic and hurts america's national security.

in fact, i'd like a little more detail about you mynameisfred. just post up your name and where we can contact you.

(btw, in case anyone was confused the above wasn't sarcasm. it was "your likely future.")

Lets think about this ...

[mustangdavis]

Murder ... life in prison or death (by state)

Grand theft auto ... 10 years

Assult and battery ... 5 years

Theft ... 3 years ( -1 year for good behavior)

Throwing eggs or spray painting a building ... 6 months - 2 years


Hacking a computer a defacing a web site ... 20 years?????


Does that make sence????

I don't want to encourage people to commit cyber crimes, but it seems as though our society's values are a little out of whack ... especially when the damage can easily be undone with last night's tape backup within an hour or two in most cases ....

Perhaps some of these coorporations that are so worried about this kind of stuff shold place a little more of the blame on themselves ... and take a little more responsibility for their Internet presence .... they spend tons of money on swipe cards, cameras, etc .... why should the think they are going to do less on the Internet???


BTW: I am pointing at the corps. because it is their lobbiests that are pushing for these rediculous sentences for cyber crimes ... everyone else pretty much says "SHIT! ... then stomps their feet for a few minutes, laughes when they discover how the hacker got in, then rebuilds their system or patches it, and then moves on with life ...


Just my $0.02 cents ...

Cyber Crime and other crime

[salesgeek]

I'm not sure why you need new sentencing guidelines for old crimes (theft, extortion, fraud, embezelment, etc...) committed using new technology. Why is a crime different because a computer is involved?

$G

IANAL...

[Greyfox]

But I seem to recall that the criminal justice system is geared towards not ruining the lives of 15 year olds by (usually) erasing their criminal history when they turn 18. The usual exception for this is in murder cases where the kids are often tried as adults.

Personally I think we should take a page from Singapore's book and explore the latest options in caning. Nothing drives a lesson in ethics home more quickly than being beaten severely with a bamboo stick by a martial arts master. I would also view caning as an appropriate remedy for spammers violating anti-spam laws, telemarketers ignoring do-not-call lists, as part of a comprehensive package for the last round of fraud-perpitrating corporate CEOs and companies who file frivolous patent lawsuits based on laughable patents.

Graffiti != Network Intrusion, Here's Why

[limekiller4]

Coming from a person who has both an interest in network security (me) and graffiti (again, me), I have to point out that graffiti and network intrusion don't really overlap and here is why:

When a person writes on a wall (or a "reach"), the owner of the shop might show up and go, "oh crap" and they might very well pay someone a few bucks to cover it up or perhaps do it themselves. The artists' intention is clear -- to throw up some paint and that's it. The paint isn't going to seep into the wall and ruin everything inside, however. It isn't going to pick up the cash register and run off. It isn't going to take every customer's credit information.

When someone breaks into a system -- regardless of their motivations -- the breakee does not know what the intruder has in mind. Maybe it is benign, maybe it isn't, but there is no room to "let it slide." It must be treated as a malicious attack and thus computers must be shut down, customers/students lose services, huge costs in time and effort can and will be expended to purge the system of the problem which often involves what might very well be overkill -- like reinstalling a system or a number of systems because you Don't Know and you can't afford to leave loose ends.

Graffiti and network intrusion would be analagous if and only if graffiti caused the same sort of response. It doesn't.

And in case you're curious as to why I'd be into graf, check out these sites.

Why not treat it like real life?

[jdreed1024]

Here's a novel idea - let the punishment be the same as in real life.

• If you deface a website, you get the same punishment as you would for spray-painting the front of an office building.
• If racial epithets or offensive slogans are involved, it becomes a hate crime.
• Delete some data or system files? The same as if you broke into an office and started smashing desks.
• Steal some data? The same as if you broke into an office and walked out with some file cabinets.

Having the punishment be the same as in the physical world will eliminate a lot of "Waah, it's not fair, look what they did to the poor 15 year old kid." It will take a lot of people to convince me that breaking into a computer and stealing personnel records is somehow less of a crime than different from breaking into a building and stealing the paper equivalents. By the same token, if a kid thinks it's not ok to spray-paint an office building, but it is ok to deface a website, well, then, that's a pretty stupid kid.

Of course, this is not a black and white issue. In the real world, spray painting a building can be done without breaking and entering. In the electronic world, that's usually not the case - the cracker must break into the system to deface the web page. (Unless, of course, the site has some sort of CGI-based web page update feature with no password set, but that's not too common I bet). Maybe we could make them do something useful, like 200 hours of community service. Or maybe we could have them write the following 1000 times: "L33t haxx0rs are actually dateless retards who, despite their bragging, don't actually drink beer or get pussy."

Short of the defacement of a website, everything else is analagous to real life. Whether you smash a window and steal a file cabinet, or use a root exploit and tar up some data, you're doing the same thing. And since you'll get the same punishment, you'll get (hopefully) thrown in jail for 2-3 years for breaking and entering. This means you'll have a big biker dude named Ripper for your roomate, and they find out that you did your "breaking and entering" not by using a baseball bat, but rather by sitting in front of a computer drinking Mountain Dew and eating day-old pizza, what they'll do to you will be much more punishment than what the government could ever do to you.

Interesting choice in misleading links.

[GMontag]

The Amnesty "illegally imprisoned" link reguards a pare-military group as common burgulars, the Rense.com link invents another class. Both have been addressed by the US courts and neither is addressed in Kevin Poulsen's article.

All that aside, hell no a non-violent criminal should not be locked up. Some other punishment is much more appropriate, like restitution of *real* losses (no making the defendant buy a new security team) and community service, etc.

Jail *should* be for the people that are a physical threat to society, not a theoretical or financial one.

Before the thread runs off the topic, see my website for my position on the death penalty before assigning one to me.

Give them a fitting sentence.

[jerrytcow]

I don't have a problem with locking them up, but it seems that non-violent offenders are often getting the same or more jail time than violent offenders.

Here's a story about a man who kidnapped, tortured and abused a girl then tried to kill her by injecting her with bleach. His sentence? 10 years - he'll be out in half that time.

Sure, give crackers jail time but make it appropriate for the crime. Maybe 3 months in jail, or probation. When I see someone like Kevin Mitnick get 7 years, and violent criminals who, in my opinion, should never be allowed out of prison get the same sentences, it pisses me off.

Script Kiddies

[LiquidAsphalt]

Wasn't that kid from vietnam or something that made some malicious code that exploited Outlook? I heard the US busted in there and took him and prosecuted him, I am imagining for a very long time.

The thing is with the widespread of software and the internet and technology in general always brings in a high punishment. I think it comes down to you doing whats right. Now I am guessing if most of you see a car with the keys in the ignition you aren't going to hop in and steal it, but if you saw a website with a big vunrability more of you may be inclined to take advantage of the situation. I think the point that doesn't come home to a lot of people is computers are a part of everyone's lives now, and if we don't respect them, we will be punished.

But in general, technologists have always been risky with the law. If I created a nuclear device for the sake of doing it, even though I have good intentions and no feelings of using it, I would probably be jailed for a LONG time.

Easy...

[YuppieScum]

Hack Microsoft? Rewards and adulation...

Hack me? Nail the fucker to a tree...

NO NEW LAWS

[Lumpy]

If you Break into a website and vandalize it you already have laws to deal with that... if you break into a website and STEAL confidential information we already have theft laws for that.

why we have to treat it any different than in the real world I dont understand...

if a bunch of no-brain-punks smash in the front doors of saxs 5th ave. and spraypainted all over the interior... there are a nice set of laws in place to nail the little idiot bastards.. the same happens when you B&E a website and put your no-skills drivel in place of index.html.. and the same laws need to apply.

the hard part is when the punk is in Guana and the website that was vandalized is in Alaska.. how do you prosecute the little turd without acting like a global government enforcer?

if it happens in your state with a victim and victimizer in the same state... it's easy to prosecute... but 90% of these cases are never that way.

Illegal or Unconstitutional

[milktoastman]

Illegal imprisonment? Nay, for they did pass laws allowing indefinite detainment. It is merely unconstitutional

Depends on the state

[anthony_dipierro]

Several states, including Texas, Oklahoma and Louisiana, have controversial laws that allow persons to use deadly force to protect property against unwanted intruders (whether or not the property owner is confronted with deadly force). These are also known informally as "make my day" laws.

http://www.courttv.com/choices/curriculum/homicide /lesson4.html

Why do we need special laws for "cyber crime?"

[Ivan+Raikov]

I still don't understand why we need some kind of special legislation for the so called "cyber crime." Don't the states already have laws punishing crimes of trespassing and/or fraud?

Web Changes Nothing: Follow Existing Standards

[reallocate]

A crime is a crime is a crime. Aren't there plenty of existing standards to base this on? Tie it to the harm done. Some will be misdemeanors, some will be felonies. If some 'graffiitti' splattered over a commercial site causes a relatively small financial loss, call it a misdemeanor and sentence accordingly. If the financial loss is large enough, call it a felony and give an appropriate sentence. E.g., defacing the brochure page of your local shoe store might cause them little or no measurable loss of revenue and be repairable within a single work day. Doing the same thing to Amazon or Yahoo is a different matter and calls for a much stronger sentence.

The important thing is to prevent and punish people who act criminally, and to counter the popular impression that many "geeks" don't take the issue seriously.

Re:the prejudice ain't the same...

[Blkdeath]

Hey, cleaning up a mall is expensive, cleaning up a web site should not take more than the time to restore a daily backup...

An international corporate website with a secure ordering component is slightly more complicated than "Insert tape, click Restore". There are distributed database servers that need to be examined, several web servers with load balancers in multiple geographically diverse locations, they need to investigate all involved servers and networking components to determine the possibility of a back door; and on top of all this, they have to leave the 'crime scene' untarnished so that security experts can determine a) how they got in, and b) how to prevent them from doing it again.

We're not just talking about somebody editing index.html here. Restoring from tape/CD-R may work for your home vanity domain website, but it falls slightly short in the real world.

I'd also like to echo the sentiments made by other posters;

• A corporate website does garner sales, which equates to revenue. When someone is wholly responsible for removing public access to this medium, revenue is lost, the company's reputation sullied. This is more than 'grafitti' - so much more, that the term should cease to be used. It is not valid in this context.
• The notion of blaming the store for not implementing air-tight security is patently ridiculous. Let's not forget that breaknig and entering is still a crime even if they only 'break' through a $5 door-handle lock. They're the criminals, they're in the wrong.

As usual, the vast majority of analogies posted are flagrantly off-key, so I'll pose one; Breaking into a web server and defacing the content is like breaking into a webserver and defacing the content. Come on, people, we're a technical group and should be able to talk about these incidents without resorting to brick wall, spray paint, bomb-threats, or other wild analogies.

These crimes should be treated in context, and the lawmakers should be told, repeatedly, that the Internet is not a direct analogy to real life. Servers are not brick and mortar establishments. Components of a website do not have to physically reside in the same country, letalone the same building.

When a person violates a website, they shuold be charged as such. The more intricate and harmful their intrusion, the more harsh the punishment. They should be given rehabilitative sentences including community service if they're young, or prison time if they're age of majority.

More than just graffiti

[analog_line]

On one hand, it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti

More like breaking into your office to erase every whiteboard in the place and replace them with poorly spelled tags, changing the locks, or jus took the door off it's hinges, smashing the alarm system, and taking/destroying the gods know what else in the process.

Hacking a website doesn't just mean that the site was changed. Anyone with a lick of sense after an intrusion needs to take a hell of a lot of time and take stock of what they still have, what they might have copied or deleted, and if they left any backdoors so they could get back in and have their little fun. Calling is "just graffiti" shows a complete lack of understanding of information security. There is real damage done when someone "just" defaces a website. It can't just be painted over.

Re:Please, think better analogies

[dillon_rinker]

Banks have safes and armored cars for pragmatic reasons, not legal ones. It is just as illegal to take $100,000 from a shopping cart as it is from an armored car. On a practical level, it is obviously safer in the armored car.

The responsibility you indicate mention is real, but it is the responsibility to the shareholders. If a bank transports money in a shopping cart and it's stolen, the thieves will go to jail. The directors who authorized the insecure transport will probably be fired, and might be sued by shareholders.

Crackers should go to jail. Incompetent admins should be fired. These are two separate problems.

Digital != Different

[Quixadhal]

Why do all the lawyers insist on creating new versions of every law and crime just because they happen to occur in the "digital" realm?

Let's see... hax0r kid defaces web-site.

1. Trespassing.
2. Breaking-and-Entering.
3. (possible) malicious destruction of private property.

If someone logs into your (wide-open, no password root shell) server without your permission, that's trespass.

If someone hacks your server to get in, that's trespass and breaking-and-entering.

If someone changes your web-site, etc., while they're there... that's destruction of property.

There are already well-established laws to deal with these crimes, and those laws have ranges of punishments appropriate for the severity of the offense. Why should special "digital" versions be created when existing laws already work?

This country needs fewer laws, and better enforcement of the ones it already has. More laws simply make more money for lawyers, and more loopholes for the rich and powerful.

Crackers?

[sielwolf]

Well I think white folks should get the same sentences as minorities commiting the same crime. What makes you think that honkeys have the-

Wait... what are we talking about again?

Cracker spectrum

[imadork]

The way I see it, there should be a cracking "spectrum", from "curious" to "Malicious":

The mildest is the person who breaks into a system, just because he can. He (or she, after all) breaks in, looks around, and leaves before doing any damage, changing anything, or "taking" anything. It doesn't impact any services that the target is providing. True, after any break-in that is discovered, the admins of the site will spend time cleaning it up and making it more secure. And I wouldn't like it if someone broke into my house just to look around. But I don't think that the punishment should be too harsh in this case, perhaps on the same scale as graffiti, maybe a little harsher because of the more expensive "cleanup".

The worst case is the cracker who breaks into a system to destroy or deface it. He changes the way external sites look and destroys information that is vital to those systems and may not be able to be rebuilt. Even a DoS could fall into this category if it leaves the site offline long enough, and is clearly deliberate. These guys should get harsher sentences, both for the public nature of their crime and the potential for data to be lost without hope of recovery.

The middle case is the cracker who breaks into a site and doesn't change anything, but just copies information from the site. In this case, the nature of the information itself and the mindset of the cracker must be taken into account. If the information was something that the cracker would have no way of using, and doesn't pass it on, then that would fall under the "curiosity" end of the spectrum. If the information was something that the hacker could directly use or sell, like credit card numbers or confidential documents sold to competitors, that would fall under the "malicious" end of the spectrum and be punished more harshly. I don't think the cracker should have to actually use the data to qualify for harsher punishment, as long as he had plans to use it. Notice that in this case, it is not necessarily the object that is copied that dictates the severity, it is the cracker's intentions.

The main problem with the way computer crime is punished right now is that whenever an item is copied/stolen, there is the tendency to assign the highest possible value to that item, without taking what the cracker plans on doing with it into account. After all, a confidential document could be worth lots of money to the company it is taken from. But nobody takes the capabilities and intent of the cracker into question; if he doesn't know how to capitalize on the value of the document, how could he be liable for "stealing" that much value?

Yes, I know that someone who steals jewelery in real life and then hocks it for a tenth of its value still stole the jewelery, not 1/10th of it. But when physical objects are stolen, the victim doesn't possess it anymore. When documents are "stolen" but not deleted, the victim still has access to it. Therefore, I think it is proper to assign the "value" of the theft to be how much the value of the document is reduced, not the value of the document itself. And if the cracker doesn't know how to use the document or who to sell it to, how can its value be reduced?

Punishment according to damage.

[Maul]

The punishment should be in accordance to the damage they caused, and if they stole or hurt anyone.

I believe that the penalties for merely defacing a website, or cracking into a machine and not actually doing much damage or "stealing" anything should be light. Sure, it is annoying, but it isn't that major.

If someone cracks into a database server and steals credit card information, that is another thing altogether. They should be charged with theft of credit cards (or whatever the actual crime is).

If someone (hypothetically) manages to crack into a computer that controls air traffic radar, and planes end up crashing because of it, they should be locked away for mass murder.

Some of the proposed punishments for computer crimes are quite harsh, treating the perpetrator like a terrorist or violent criminal.
However, someone who simply defaces a web site and writes "I 0wn j00!" on it doesn't deserve to be given more time than a rapist.

What a stupid post!

[nlinecomputers]

Sorry if I am trolling a bit here.

In society we all have an expectation of privacy. That right is supported in common law.

For example if your neighbor puts up 15 ft solid brick fence and then sunbathes nude behind it and you put up a tower with a camera on it you can be arrested/sued for being a "peeping tom". A local TV station had an employee get busted for using the "skycam" weather camera to do just that. The courts held that the woman had a reasonable expectation of privacy and that it was violated by the man using the TV towers camera.

When someone puts up website they have a reasonable expectation that the back office parts of the site are to be private. Just because you CAN peer into the site (on into the backyard) doesn't mean you are allowed too!

The amount of effort required to circumvent them is irrelevant. The expectations still exist and are legally protected.

I don't consider break-ins, especially to insecure machines or business computers (but maybe I just value individuals more than businesses?), to be a very high crime.

That was the most stupid of your statements. Well I don't consider your dead-bolted door to be adequate security for your home. So by that logic I am free to break in and clean out the house. By God, you should have had a steel vaulted door.

Depends on the attitude of the cracker

[pclminion]

Is the cracker an adult? Full force of law should be brought to bear.

If he/she is a minor, however, I think state of mind should have some sway over the consequences. You'd be surprised just how effective a simple visit by law enforcement personnel can be in "adjusting" the cracker's attitude.

In 1997 I was caught dorking around in school district systems. In my adolescent mind I thought it was all fun and games. Until I was hauled into a room by several very serious looking detectives and interrogated. Bad-cop-good-cop games, the whole works. This was quite possibly the fastest attitude readjustment I've ever experienced.

The detectives, I think, had some sympathy for my plight. His boss wanted to bust me hard and basically ruin my life. I was hauled before the head honcho (don't know exactly who he was or what his title was) and was given a stern lecture. I was asked if I'd ever used drugs or done anything violent. In the end, I was let go with 40 hours of community service to the school district and a warning to not get caught "so much as pinging" the district machines.

When my computer was returned to me from evidence, an entire year later, I found that the detective had upgraded the CPU and put 16 megs of RAM into it. I guess I made an impact on him, as well.

Now, on the other hand, if you've got a script kiddie, and he's whining and bitching and making life hard for investigators, and basically has a "fuck you copper" attitude, then I say... Bust him, throw him in the lockup, and let him think about how much of an asshole he is for a few months. Let him out, and if he does it again, hit him with the full force of adult penalties. Breaking-and-entering, defacement of property, theft of property, the whole works. Fuck up his life and let him figure out why it happened.

I was given a wonderful second chance, and I haven't wasted it. I was just being a stupid kid. People who scoff at the opportunities that law enforcement is trying to give them deserve prison.

Ah, honesty... versus federal sentencing

[MacAndrew]

Your sentiment is pleasantly honest and common to most people, though maybe not consciously or quite as extreme (for example, to be drawn and quartered after hanging is unnecessary :).

"The punishment should fit the crime." Equally important, someone neutral (not indifferent) should pick the punishment.

*

However, few are aware that the federal judge actually has extremely little discretion in sentencing. In a nonviolent crime against strangers such as destructive hacking, setting aside criminal history, the amount of the losses essentially determines the sentence. Said damages are notoriously difficult to estimate and easy to inflate, as in the cases of Kevin Mitnick or Robert Morris, who were clearly culpable, but for what? State courts remain more flexible, but with the growth of federal law and the wire fraud aspect of computer crime, more cases are swept into federal court where the sentences are typically heavier.

Current federal sentencing guidelines, dating from Reagan era reforms designed to crack down on crime by constraining "soft" judges, and created by the Sentencing Commission, are purposefully wooden and mathematical in their determination of sentences. You literally add and subtract points based on different factors, then consult a chart to find the mandatory sentencing range. (In some cases, I think a minority, defendants do benefit from protection from excessively harsh sentences.) In certain drug cases, mere grams of a substance such as crack can add years to your sentence

At sentencing, the judge is given a presentencing report recommending a sentence plus or minus, say, 5% of a given fine or imprisonment or probation, a range from which it is very difficult to depart without breaking the law. What effectively happens -- and I hope this was foreseen -- is that sentencing authority is passed to prosecutor, whose decisions as to which offenses to charge or to drop, and amenability to plea agreements, set the outcome. If you believe the sentence unfair, it is the prosecutor or Congress, author of the ill-conceived guidelines, that needs influencing. The Guidelines long ago survived constitutional challenege.

I can tell you firsthand that many federal judges don't like the Guidelines, but if they depart from the prescribed sentences they are reversed on appeal.

Forget Graffiti

[commodoresloat]

Haven't you guys heard? Graffiti is dead. You're going to have to do your hacking with a keyboard from here on out.