Slashdot Mirror

← Back to Stories (view on slashdot.org)

Appropriate Punishment For Crackers?

Posted by Hemos on from the what-are-the-consequences dept.

Cally writes "There's a Kevin Poulson article on SecurityFocus reporting that the US Sentencing Commission is seeking opinions about the appropriate punishment for convicted system crackers and other black-hat types. On one hand, it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti. Then again, perhaps these people are cyber-terrorists who should be illegally imprisoned, indefinitely, without a trial, charges, or legal representation? You choose."

30 of 633 comments (clear)

  1. Depends... by Anonymous Coward · · Score: 5, Funny

    If I'm the accused, I want a nice short probation...if someone cracking my website, then I want 'em hung, drawn and quartered...

    1. Re:Depends... by Cinnibar+CP · · Score: 5, Funny

      They can pack up your AV gear and walk out, but you can't shoot them.

      But you CAN smash them in the kneecap with a crowbar. I find it's an adequate, non-lethal deterrent in my homestead.

      Trust me, they won't be doing much walking afterwards.

    2. Re:Depends... by composer777 · · Score: 5, Insightful

      Actually, we are a Democracy, only in reverse. Take the war on Iraq, for example. In a real Democracy, the people of the US give a mandate to it's government to go to war with Iraq, sign petitions, start grass roots movements, and the politicians listen to the people and go to war with Iraq.

      In the US version of democracy, the US government gives a mandate to the American people that they are going to war with Iraq. Over shouts of protest, the media begins the assault on the public mind to convince people that this is what they want to do and that the country of Iraq is of primary importance in their lives. After informing the American people, as well as Saddam Hussein, that he has weapons of mass destruction, a furious effort is made to find a pretext for invasion. Eventually, after months of campaigning, petitions start to circulate around the internet, so that the people of America can ratify the decision of their betters. So, it's a grass roots campaign, in reverse, of course.

      The government gives it's mandate to the American people, and the American people automatically start discussing this issue. Granted, before the president gave his mandate, nobody was really concerned about Iraq, outside of a few oil companies, but that doesn't matter, and doesn't raise any doubts in our un-biased media about the president's honesty, despite the fact that several of his advisors are ex oil company executives.

      The same thing happened with the War on Drugs that was increased by Bush I in 1989. Before the media campaign, the concern about drugs was only 4% in the gallup polls, and people were more concerned about the economy. Then Bush I gave a mandate to the American people, and immediately the "free" media started pumping out dramas about families being torn apart by drugs, despite the statiscally declining drug use in America. So, in spite of the fact that I nor anyone that I knew was on drugs, it was an important issue in my life because George Bush told me so. Another mandate by the government, and another assault on our freedoms. Yeh Bush!!

  2. graffiti? by Lord+Ender · · Score: 5, Insightful

    Hacking a website is much more than graffiti. If you spraypaint the outside of wal-mart, people can still go in and shop. If you hack walmart.com and replace it with "shout outz" then wal-mart will probably lose hundreds of sales per hour to their competitors. That is very real money to these businesses. Hacking (cracking is breaking copy-protection) a website should not have the same punishment as violent crime, but it is definitely a more severe crime than graffiti, and deserves a much harsher punishment.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:graffiti? by adamofgreyskull · · Score: 5, Insightful

      Of course most kids wouldn't break into the store and graffiti the inside of the doors, which is more to the point if you're going to make that comparison...

    2. Re:graffiti? by sedmonds · · Score: 5, Insightful

      This is the same moronic argument rapists used to use in court. 'She was dressed provacatively.' 'She didn't fight back, she must have wanted it.'

      It didn't wash for them, it shouldn't wash for punks that feel compelled to commit computer crimes.

    3. Re:graffiti? by EvlOvrLrd · · Score: 5, Insightful

      The wall has nothing to do with it. Nor does the graffiti.

      If someone circumvents your wall to get inside to do anything (regardless of the activity) it is breaking and entering. If someone does not have a legal means (hold the keys or expressed permission to 'jump the fence') then they have no right being there. Regardless of 'how high' and 'how wide' the wall may or may not be.

      If you were to erect a wall and someone uses a bulldozer or stick of dynamite to circumvent the structure, then they have in fact damaged your property. No matter how strong (or week)your wall was.

      The fact of the matter is that, the digital domain is being viewed upon as property. That is protected by the laws that protect real property.

      Hmmmmm, I wonder if I catch a hacker on my site/server, that I cannot effectively 'kill' him (say by disabling his computer OS from loading again. Even if only for a short while.) just as I could if I caught him in my house, after he climbed through a window in the middle of the night....

      --


      Light travels faster than sound. This is why some people appear to be bright. Until you hear them speak.
    4. Re:graffiti? by GauteL · · Score: 5, Insightful

      This seems like the standard response of people trying to justify cracking.

      The correct smart-ass statement would be:
      "Ah, I get it. So if someone puts up a lock that can be broken by using a simple credit card, I can prosecute the punks for breaking and entering?"

      Of course you can. Just because something is easy to break into does not justify breaking in.

      If you break into a computer system, that system HAS to be taken down. It has to be ritually cleansed so that you are sure there are no backdoors inserted somewhere, and that the data is actually correct, which often involves restoring from backups. It might be the administrators fault that you actually succeeded in breaking in, it is NOT his fault that all this cleanup has to be done on a successful breakin.

      If you break into a bank to take a leak, it is still a crime. The bank has to go over all of their routines, and they have to make sure all you did was take a leak. They surely cannot just take your word for it.

      The bank should have improved their security, but what you did is still a crime.

    5. Re:graffiti? by The+Evil+Couch · · Score: 5, Interesting

      People shouldn't expect strangers not to visit their webservers and try to explore them, especially if strangers are not told what they should and shouldn't have access to!

      Right, so running a brute force/dictionary routine is just an everyday normal part of browsing. I totally forgot that the vast majority of users out there have a "Obtain root/admin functions" button on the top of their Internet Explorer toolbar.

      No, a better analogy for the internet marketplace would be a street full of vendors. You can buy from them, or if you're a sneaky bastard, you can break open their cart and make off with their earnings, or cripple their ability to perform business. Just how much common sense does it take to know that opening their cart (going someplace the html did not direct you to) whether or not it had a padlock on it, is not what they intended to do.

      should hacker and defacers get treated as terrorists? probably not. should they get slapped with criminal charges. of course.

      --
      The World's Worst Webcomic!
  3. Cracking in self defense? by Jeppe+Salvesen · · Score: 5, Insightful

    I wanna know something. If someone (attempts to) breaks into your home (in the USA), you are allowed to shoot that person in self defense. Are you likewise allowed to take out anyone attacking your network?

    --

    Stop the brainwash

  4. OF course by yatest5 · · Score: 5, Interesting
    it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti


    Cyber-crime is no different to ordinary crime. If the 15 year old 'cracker' writes his name all over a site (i.e. graffiti) he should get the same as a 15 year-old who scrawls all over his local shopping mall (i.e. fuck all or a safari or something).


    If however he goes and steals 10000 credit card numbers and uses them to buy every back issue of playboy he should be locked up for a long time. With lubricant.

    --
    • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
    1. Re:OF course by tacocat · · Score: 5, Insightful

      He's old enough to know better.

      He should be held responsible for the real consequences of his actions.

      Anything less simply permits the activities to go further. The amount of work involved in recovering from a Cracker is far more extensive than physical graffiti.

  5. Talk about flame-bait lead-ins by MyNameIsFred · · Score: 5, Insightful
    The article summary is obvious flame-bait. While there is room for legitimate discussion of U.S. actions in Guantánamo, it has ABSOLUTELY nothing to do with appropriate prison sentences for black-hatters.

    How about referencing recent hacker cases, and the sentences that were imposed. How about some information on the ages of the black-hatters. No, that would be relevant to the discussion...

    1. Re:Talk about flame-bait lead-ins by kevin+lyda · · Score: 5, Insightful

      there is no room for legitimate discussion about those cases. they are bad men. the bush administration has identified them as evildoers. questioning their imprisonment is not ony wrong it is unpatriotic and hurts america's national security.

      in fact, i'd like a little more detail about you mynameisfred. just post up your name and where we can contact you.

      (btw, in case anyone was confused the above wasn't sarcasm. it was "your likely future.")

      --
      US Citizen living abroad? Register to vote!
  6. Lets think about this ... by mustangdavis · · Score: 5, Interesting

    Murder ... life in prison or death (by state)

    Grand theft auto ... 10 years

    Assult and battery ... 5 years

    Theft ... 3 years ( -1 year for good behavior)

    Throwing eggs or spray painting a building ... 6 months - 2 years


    Hacking a computer a defacing a web site ... 20 years?????


    Does that make sence????

    I don't want to encourage people to commit cyber crimes, but it seems as though our society's values are a little out of whack ... especially when the damage can easily be undone with last night's tape backup within an hour or two in most cases ....

    Perhaps some of these coorporations that are so worried about this kind of stuff shold place a little more of the blame on themselves ... and take a little more responsibility for their Internet presence .... they spend tons of money on swipe cards, cameras, etc .... why should the think they are going to do less on the Internet???


    BTW: I am pointing at the corps. because it is their lobbiests that are pushing for these rediculous sentences for cyber crimes ... everyone else pretty much says "SHIT! ... then stomps their feet for a few minutes, laughes when they discover how the hacker got in, then rebuilds their system or patches it, and then moves on with life ...


    Just my $0.02 cents ...

    --
    HallmarkOrnaments.Com
  7. Cyber Crime and other crime by salesgeek · · Score: 5, Insightful

    I'm not sure why you need new sentencing guidelines for old crimes (theft, extortion, fraud, embezelment, etc...) committed using new technology. Why is a crime different because a computer is involved?

    $G

    --
    -- $G
  8. Graffiti != Network Intrusion, Here's Why by limekiller4 · · Score: 5, Interesting

    Coming from a person who has both an interest in network security (me) and graffiti (again, me), I have to point out that graffiti and network intrusion don't really overlap and here is why:

    When a person writes on a wall (or a "reach"), the owner of the shop might show up and go, "oh crap" and they might very well pay someone a few bucks to cover it up or perhaps do it themselves. The artists' intention is clear -- to throw up some paint and that's it. The paint isn't going to seep into the wall and ruin everything inside, however. It isn't going to pick up the cash register and run off. It isn't going to take every customer's credit information.

    When someone breaks into a system -- regardless of their motivations -- the breakee does not know what the intruder has in mind. Maybe it is benign, maybe it isn't, but there is no room to "let it slide." It must be treated as a malicious attack and thus computers must be shut down, customers/students lose services, huge costs in time and effort can and will be expended to purge the system of the problem which often involves what might very well be overkill -- like reinstalling a system or a number of systems because you Don't Know and you can't afford to leave loose ends.

    Graffiti and network intrusion would be analagous if and only if graffiti caused the same sort of response. It doesn't.

    And in case you're curious as to why I'd be into graf, check out these sites.

    --
    My .02,
    Limekiller
  9. Why not treat it like real life? by jdreed1024 · · Score: 5, Interesting
    Here's a novel idea - let the punishment be the same as in real life.
    • If you deface a website, you get the same punishment as you would for spray-painting the front of an office building.
    • If racial epithets or offensive slogans are involved, it becomes a hate crime.
    • Delete some data or system files? The same as if you broke into an office and started smashing desks.
    • Steal some data? The same as if you broke into an office and walked out with some file cabinets.

    Having the punishment be the same as in the physical world will eliminate a lot of "Waah, it's not fair, look what they did to the poor 15 year old kid." It will take a lot of people to convince me that breaking into a computer and stealing personnel records is somehow less of a crime than different from breaking into a building and stealing the paper equivalents. By the same token, if a kid thinks it's not ok to spray-paint an office building, but it is ok to deface a website, well, then, that's a pretty stupid kid.

    Of course, this is not a black and white issue. In the real world, spray painting a building can be done without breaking and entering. In the electronic world, that's usually not the case - the cracker must break into the system to deface the web page. (Unless, of course, the site has some sort of CGI-based web page update feature with no password set, but that's not too common I bet). Maybe we could make them do something useful, like 200 hours of community service. Or maybe we could have them write the following 1000 times: "L33t haxx0rs are actually dateless retards who, despite their bragging, don't actually drink beer or get pussy."

    Short of the defacement of a website, everything else is analagous to real life. Whether you smash a window and steal a file cabinet, or use a root exploit and tar up some data, you're doing the same thing. And since you'll get the same punishment, you'll get (hopefully) thrown in jail for 2-3 years for breaking and entering. This means you'll have a big biker dude named Ripper for your roomate, and they find out that you did your "breaking and entering" not by using a baseball bat, but rather by sitting in front of a computer drinking Mountain Dew and eating day-old pizza, what they'll do to you will be much more punishment than what the government could ever do to you.

    --
    There is no sig, there is only Zuul.
  10. Interesting choice in misleading links. by GMontag · · Score: 5, Insightful

    The Amnesty "illegally imprisoned" link reguards a pare-military group as common burgulars, the Rense.com link invents another class. Both have been addressed by the US courts and neither is addressed in Kevin Poulsen's article.

    All that aside, hell no a non-violent criminal should not be locked up. Some other punishment is much more appropriate, like restitution of *real* losses (no making the defendant buy a new security team) and community service, etc.

    Jail *should* be for the people that are a physical threat to society, not a theoretical or financial one.

    Before the thread runs off the topic, see my website for my position on the death penalty before assigning one to me.

    --
    Eve Fairbanks says I drive a hybrid!LOL
  11. Give them a fitting sentence. by jerrytcow · · Score: 5, Insightful
    I don't have a problem with locking them up, but it seems that non-violent offenders are often getting the same or more jail time than violent offenders.

    Here's a story about a man who kidnapped, tortured and abused a girl then tried to kill her by injecting her with bleach. His sentence? 10 years - he'll be out in half that time.

    Sure, give crackers jail time but make it appropriate for the crime. Maybe 3 months in jail, or probation. When I see someone like Kevin Mitnick get 7 years, and violent criminals who, in my opinion, should never be allowed out of prison get the same sentences, it pisses me off.

  12. Easy... by YuppieScum · · Score: 5, Funny

    Hack Microsoft? Rewards and adulation...

    Hack me? Nail the fucker to a tree...

    --
    This sig left unintentionally blank.
  13. NO NEW LAWS by Lumpy · · Score: 5, Informative

    If you Break into a website and vandalize it you already have laws to deal with that... if you break into a website and STEAL confidential information we already have theft laws for that.

    why we have to treat it any different than in the real world I dont understand...

    if a bunch of no-brain-punks smash in the front doors of saxs 5th ave. and spraypainted all over the interior... there are a nice set of laws in place to nail the little idiot bastards.. the same happens when you B&E a website and put your no-skills drivel in place of index.html.. and the same laws need to apply.

    the hard part is when the punk is in Guana and the website that was vandalized is in Alaska.. how do you prosecute the little turd without acting like a global government enforcer?

    if it happens in your state with a victim and victimizer in the same state... it's easy to prosecute... but 90% of these cases are never that way.

    --
    Do not look at laser with remaining good eye.
  14. Why do we need special laws for "cyber crime?" by Ivan+Raikov · · Score: 5, Insightful

    I still don't understand why we need some kind of special legislation for the so called "cyber crime." Don't the states already have laws punishing crimes of trespassing and/or fraud?

    --
    Bush Lies Watch
  15. Web Changes Nothing: Follow Existing Standards by reallocate · · Score: 5, Insightful

    A crime is a crime is a crime. Aren't there plenty of existing standards to base this on? Tie it to the harm done. Some will be misdemeanors, some will be felonies. If some 'graffiitti' splattered over a commercial site causes a relatively small financial loss, call it a misdemeanor and sentence accordingly. If the financial loss is large enough, call it a felony and give an appropriate sentence. E.g., defacing the brochure page of your local shoe store might cause them little or no measurable loss of revenue and be repairable within a single work day. Doing the same thing to Amazon or Yahoo is a different matter and calls for a much stronger sentence.

    The important thing is to prevent and punish people who act criminally, and to counter the popular impression that many "geeks" don't take the issue seriously.

    --
    -- Slashdot: When Public Access TV Says "No"
  16. More than just graffiti by analog_line · · Score: 5, Insightful

    On one hand, it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti

    More like breaking into your office to erase every whiteboard in the place and replace them with poorly spelled tags, changing the locks, or jus took the door off it's hinges, smashing the alarm system, and taking/destroying the gods know what else in the process.

    Hacking a website doesn't just mean that the site was changed. Anyone with a lick of sense after an intrusion needs to take a hell of a lot of time and take stock of what they still have, what they might have copied or deleted, and if they left any backdoors so they could get back in and have their little fun. Calling is "just graffiti" shows a complete lack of understanding of information security. There is real damage done when someone "just" defaces a website. It can't just be painted over.

  17. Re:Please, think better analogies by dillon_rinker · · Score: 5, Insightful

    Banks have safes and armored cars for pragmatic reasons, not legal ones. It is just as illegal to take $100,000 from a shopping cart as it is from an armored car. On a practical level, it is obviously safer in the armored car.

    The responsibility you indicate mention is real, but it is the responsibility to the shareholders. If a bank transports money in a shopping cart and it's stolen, the thieves will go to jail. The directors who authorized the insecure transport will probably be fired, and might be sued by shareholders.

    Crackers should go to jail. Incompetent admins should be fired. These are two separate problems.

  18. Digital != Different by Quixadhal · · Score: 5, Insightful

    Why do all the lawyers insist on creating new versions of every law and crime just because they happen to occur in the "digital" realm?

    Let's see... hax0r kid defaces web-site.

    1. Trespassing.
    2. Breaking-and-Entering.
    3. (possible) malicious destruction of private property.

    If someone logs into your (wide-open, no password root shell) server without your permission, that's trespass.

    If someone hacks your server to get in, that's trespass and breaking-and-entering.

    If someone changes your web-site, etc., while they're there... that's destruction of property.

    There are already well-established laws to deal with these crimes, and those laws have ranges of punishments appropriate for the severity of the offense. Why should special "digital" versions be created when existing laws already work?

    This country needs fewer laws, and better enforcement of the ones it already has. More laws simply make more money for lawyers, and more loopholes for the rich and powerful.

  19. Crackers? by sielwolf · · Score: 5, Funny

    Well I think white folks should get the same sentences as minorities commiting the same crime. What makes you think that honkeys have the-

    Wait... what are we talking about again?

    --
    What is music when you despise all sound?
  20. Ah, honesty... versus federal sentencing by MacAndrew · · Score: 5, Interesting

    Your sentiment is pleasantly honest and common to most people, though maybe not consciously or quite as extreme (for example, to be drawn and quartered after hanging is unnecessary :).

    "The punishment should fit the crime." Equally important, someone neutral (not indifferent) should pick the punishment.

    *

    However, few are aware that the federal judge actually has extremely little discretion in sentencing. In a nonviolent crime against strangers such as destructive hacking, setting aside criminal history, the amount of the losses essentially determines the sentence. Said damages are notoriously difficult to estimate and easy to inflate, as in the cases of Kevin Mitnick or Robert Morris, who were clearly culpable, but for what? State courts remain more flexible, but with the growth of federal law and the wire fraud aspect of computer crime, more cases are swept into federal court where the sentences are typically heavier.

    Current federal sentencing guidelines, dating from Reagan era reforms designed to crack down on crime by constraining "soft" judges, and created by the Sentencing Commission, are purposefully wooden and mathematical in their determination of sentences. You literally add and subtract points based on different factors, then consult a chart to find the mandatory sentencing range. (In some cases, I think a minority, defendants do benefit from protection from excessively harsh sentences.) In certain drug cases, mere grams of a substance such as crack can add years to your sentence

    At sentencing, the judge is given a presentencing report recommending a sentence plus or minus, say, 5% of a given fine or imprisonment or probation, a range from which it is very difficult to depart without breaking the law. What effectively happens -- and I hope this was foreseen -- is that sentencing authority is passed to prosecutor, whose decisions as to which offenses to charge or to drop, and amenability to plea agreements, set the outcome. If you believe the sentence unfair, it is the prosecutor or Congress, author of the ill-conceived guidelines, that needs influencing. The Guidelines long ago survived constitutional challenege.

    I can tell you firsthand that many federal judges don't like the Guidelines, but if they depart from the prescribed sentences they are reversed on appeal.

  21. Forget Graffiti by commodoresloat · · Score: 5, Funny

    Haven't you guys heard? Graffiti is dead. You're going to have to do your hacking with a keyboard from here on out.