Slashdot Mirror
Lawyers Say Hackers Are Sentenced Too Harshly
Bendebecker writes "Cnet is reporting: 'The nation's largest group of defense lawyers on Wednesday published a position paper arguing that people convicted of computer-related crimes tend to get stiffer sentences than comparable non-computer-related offenses.' Finally, someone is listening..." The document makes the points that most computer crime cases involve disputes between an employer and employee, and that the seriousness of the offense is generally comparable to white-collar fraud cases.
Quite frankly given the number of laywers who do their best to circumvent the true spirit of the law I don't want them making any public statements on my behalf...
All the best,
--Bob
On the other hand I AM glad that computer crime is possibly going to be recognized as a white collar crime instead of a terrorist threat.
This one bombed a bus. That one stole a credit card. Kill 'em both!
Always going forward, 'cause we can't find reverse.
Scenario A: man walks into a store with a gun, demands they empty the till, walks out with a hundred bucks.
Net effect: 100 bucks for the store + mental anguish for people in there.
Punishment: Ten years
Scenario B: Man defrauds investors, pension funds etc out of millions or billions
Net Effect: Pension funds slashed, thousands made unemployed
Punishment: 5 years
We all know that white collar crime gets punished a whole lot less, but is that right ? Why shouldn't execs from the likes of Enron, WorldCom et al be looking at life behind bars for the havoc they have reaked ? Well because there really is a different set of laws for the rich. Sure they might even get 15 years in the cases of these massive frauds, but is this enough given the damage they have caused ?
So maybe the problem is that white collar crime is punished too little, rather than hacking is punished too much. Maybe having sentences for theft, fraud etc (of any kind not involving actual violent which already has punishments) should be related to the amount of money stolen.
Maybe 1 year per $1000....
An Eye for an Eye will make the whole world blind - Gandhi
And the white collar fraudsters should be hit harder? I think I'd rather see that myself. Send Skilling, Lay, and their ilk up the river for an age and a day.
Stop by my site where I write about ERP systems & more
sipthe seriousness of the offense is generally comparable to white-collar fraud cases.
Read: The fast-growing, little-punished type of crime that destroys the finances of thousands every year.
"Hacking" is no more the refuge of the geek. True criminals have embraced it as a way to siphon off lots of money with little risk.
Let's not charge people looking for CC#'s with terrorism, but let's not label it "annoying" and offer up slaps for people's wrists.
So close and yet so far from the world's perfect ID number
Its the inability to impose proper sentences for violent criminals and drug offenders. I have no sympathy for people invading companies computers for whatever reason and they should be punished harshly. I have better things to do on my weekends then combat those assholes. But there is a need for reform in the way punishment is administered for violent criminals and longer sentences need to be handed out.
Worst. Sig. Ever.
If I break into someone's house, I'll be charged with breaking and entering, and with trespassing.
If I hack into someone's network and don't even do anything but look around, I'm charged with causing losses of millions. I'm charged with stealing any sensitive content I gained access to whether or not I even looked at it. Not to mention they'll slap all the cybercrime and terrorism laws they can find down on me too. It has nothing to do with the severity of the laws, just that you get pinned with so many of them.
I am a viral sig. Please help me spread.
If hacking isn't white-collar, then what is?
I can see that sometimes the claims of damage in online crimes can be ridiculously high. However, if the claims of damage is reasonable, I don't see why the punishment should be any lesser than any other crime.
I think white-collar criminals are already getting far less punishments than they should. How could someone who screws up the millions of dollars from their employees be subjected to punishment comparable to shoplifters or burglars?
geek page at KY speaks
Check this out:
Story (palmbeachpost.com)
An 11 year old snuck into his classroom during lunch and changed some of his grades on his teacher's computer. He was caught and is now facing FELONY computer fraud charges. Tell me that's not a bit ridiculous.
-Dan.
The issue isn't tough sentencing for hackers. The issue is that white collar criminals get off light.
Hacking is not a white collar crime. When I think of white collar crime I see millionaire executives spending stolen money for blow jobs by preteens in foreign countries. When I think of hacker crime I see a trail of empty Mountain Dew bottles and Cheetos bags. Hackers need to become filthy rich before they can play the courts like the big boys do.
Extreme cases aside, most hacking is like kids stealing cars to take 'em for joy rides. Sure, a few people get hurt by each crime, but it's not like you have a few hundred thousand stock holders who'll have to work 10 extra years before they retire because their portfolios are toast.
Kevin Mitnick, in his Slashdot interview, explained this in detail:
Suffice it to say, we need to find a compromise where we can accurately represent the loss of intellectual property without undually exaggerating its (non-material) worth.
Well this is really quite simple.
/usr/bin/perl
Computers are for "smart" people
People feel marginalized when they don't understand even the basic concepts of what has happened
Therefore when a CEO realizes they have been hacked/cracked (you fight that out) they feel even more violated since they don't even understand how someone could get past all the hardware they bought and all those 45-100K+ people they have running around purporting to be computer experts.
Their anguish is then felt by atrtorneys who can't understand the crime, the criminals or why everyone is so upset. The one thing they do know is that THAT FAT GUY WITH THE UNKEMPT BEARD AND THE WIERD SHIRT THAT HAS THE FORMULA FOR HELL ON EARTH:
#!
ON HIS SHIRT IS DEFINITELY GUILTY!
And that's pretty much what happens.
This
That a lot of the problem here is due to double standards and lack of accountability.
Joe Schmoe embezzles from his S&L firm for ten years, gets caught, and it is realized that he made off with 500K. He is slapped on the wrist, fired, made to "pay it back" on time deferred payments, or maybe stuck in a white collar prison/country club for a few years.
Mike, the l337 hacker from down the street, defaces Stuff-Marts web page, pointing out that Stuff-Mart buys 80% of its stuff from china, where it is made in forced child labor camps at gunpoint, and it is repaired in an hour.
Now.. Stuff Mart's lawyers tell the jury that they *potentially* lost MILLIONS due to the damage, (when in fact, they did not "lose" anything.. and there is no way to prove how many people would have bought during that time anyway). The SM lawyers also point out that it cost "an estimated 100K dollars to repair the damage!".. which means they just budgeted in A) the new server and colocation company to handle the site, B) the three person team who maintains and handles the site already, and C) all of their IT staff who received an Email about the "hack" and therefore were "working" on it.
Its all about what the jury wants to hear, and all about language.. "potential" is used ahead of "we could have potentially lost BILLIONS in sales!" but the judge/jury does not hear the "potential". Nor do they realize that 99% of that IT staff was already working there, doing their routine jobs, and had nothing to do with the repair anyway.
(Same reason a procedure at the hospital that took all of 15 minutes costs your insurance company as much as your house did.. funky accounting and everyone wanting to be "in" on the action.)
I think a lot of "hacking" is a no harm no foul problem anyway.
Maeryk
Feminine Protection? What is that? A chartreuse flame thrower?
...are the terrorists of tomorrow.
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
people get off far to lightly for white-collar fraud crimes.
1: Open a Swiss bank account.
2: put money from xyz white-collar fraud into account, get a few mill
3: goto jail (not for that long)
4: take money out account.
5: Enough profit to retire.
or
1: Open a Swiss bank account.
2: Rob a bank for a few thousand
3: goto jail (for a long time)
4: take money out account.
5: umm... well you've got a bit of cash, but was it worth the time?
thank God the internet isn't a human right.
From http://www.savage.net/public_html/net/phrack.html:
This guy was accused of stealing 80 grand when in reality it was worth 13 dollars!!!Also see Kevin mitnick answers if you missed it.
the solution would be a requirement of PROVING damages. an invoice from "overpriced security fixer-uppers" for $21,985.31 to install W2K sp3 to fix that hole that script-kiddie4 used to get in are proveable damages... the "we lost $295,997,667,342.87 because he MAY HAVE copied a file" needs to be called bullcrap by everyone involved.
if you cannot produce an invoice or legitimate quote for repair/losses then you are told to shut up would fix every bit of this.
Do not look at laser with remaining good eye.
That's true! In fact, most societies would forgive you if you shot and killed someone who was busy carving up their friend with a knife. Do you know of any that would do the same for someone who shot a hacker? So why is it that hackers can be held for five years without being charged as KM was?
Punishment should fit crime, and ordinary rules of presumed innocence need to be applied in cases of suspected computer crime. As things are, any with-it employer could be frighfully abusive if they wanted.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Yeah. No harm no foul. I was harmed, and I was fouled.
Yes.. but you have demonstrated he caused harm, therefore there *is* a foul. I wasnt saying that Cracking is always harmless.. but in some cases (defacing a web page) the cost of repair is as simple as bringing up the cached copy, re-installing it, and fixing the exploit (if known.)
There is no way that cost a million dollars.
Cracking is tresspass at the least and theft at the most. It deserves jail time. The issue is how much jail time. The guy who hacked me should face at a minimum the legal penalty for breaking into my house and rifling through my file cabinet
No argument. Define trespass though. SOmeone walks across my yard, its "trespassing". Refusing to leave when I ask them too, is "Defiant trespass". Coming into my house after I tell them to leave is anything from Breaking and Entering to Forced Entry (depending on whether I am trying to stop them or not, I think) and theft is another layer on top of that. (Hence the laundry list of charges usually piled on a burglar).
Breaking into your house and rifling your file cabinet would probably NOT net me jail time for a first time offense. Especially if nothing was taken, and none of the information gained was used against you. Its more likely a fine, time served, probation kind of thing.
Maeryk
Feminine Protection? What is that? A chartreuse flame thrower?
I've had the unfortunate opportunity to learn a little about how federal penalties work. It's all based on a point system. A certain number points for the crime, points if you have a prior record of anything in the past 10 years (state or federal), subtracted points for taking a plea, etc. Then they add them all up and use a chart to determine the range of sentences they can give you.
And for copyright cases, they automatically tack on 4 points if a computer was involved.
Depending on exactly what the hacker does, we're talking about vandalism, or thief, or trepassing using a new technique. When bank robbers moved from horses to cars was it important that lawmakers have a detailed understanding of cars before writing applicable laws? When copyright laws moved from covering just books to motion pictures, did lawmakers require a detailed understanding of how motion pictures are created? Does it really matter the exact technical approach used to commit the crime? I don't think so. Vandalism is vandalism. It doesn't matter whether I use can of spraypaint or I hack into the web server. It costs the company money to fix. The dollar value of the damage should drive the punishment.
I'm going up in front of a judicial review board for a small prank I pulled. After the whole Fake CNN news generator, our school set out a public e-mail to everyone saying that the Olson Twins were not going to come to my college. Me and my roomates thought it would be funny if "they" sent out an e-mail saying that it wasn't a fake. So I went thought the trouble of photoshopping the Olson twins on campus. Then I made up a short reply, "We're sorry about our previous e-mail. We're proud to say that the Olson twins are going to be joining us for the class of 2007." I found the MAC address of an institute computer (Only .institute. computers cand send out mass e-mails to all students) and used a fake e-mail program to send it from the same person that sent us the first e-mail.
Well it didn't go through. (COMPRESS YOUR JPG's) and I got called in for it, right now I'm pending the review board decision.
At the same time in an unrelated matter my roomates and I went and talked to the head of housing about a guy that wanted to move into our suite that liked to drink. Directly from the head of housing: "Oh, we don't care if you have alcohol in the building, as long as we don't see it." First off only probably 10 people in my dorm are over 21, Second this school advertises themselves as a DRY campus to high schoolers.
I pulled a prank that hurt no one and didn't actually get pulled and I'm up to get kicked out of school. But if you're drunk and underage on campus who cares?
Moral of the story: we need to get everyone to crack/hack. If it's the majority of the public then it'll start getting over looked, you can't put everyone away for 100 years can you? If we can get more websites hacked than people murdered then the punishment will go down.
So many people posting here appear to be jumping to take sides one way or another about whether or not hacking is good or not good. The point isn't about hacking, it's about the punishment directed against people convicted of computer crimes as compared to other crimes - and that the punishment is disproportional. I agree with that. I have little sympathy for people that are actually guilty of any of the crimes - computer or otherwise - but feel that punishment should be consistent (and here I'm also not arguing on the effectiveness of punishment as a deterrant - different discussion). There is a knee-jerk reaction to the word 'computer' appearing in any judgement that appears to result in a much harsher sentence than when that word is replaced with 'gun', even. The sentence for any crime should be reasonable and consistent for the damages of that crime; "piling on" because that crime is today's buzzword is not appropriate.
"The bigger the lie, the more they believe." - Det. Bunk
One thing that just jumped out at me as being a prime source of inflated punishments for these case seemed to be in the estimation of damages. Perhaps a requirement that the complaintant be required to file his losses in his SEC filing (for publicly traded companies) and in any apropriate IRS paperwork. This would criminalise the over-inflating of damages and provide the stock market with much-needed insight into the security abilities and practices of publicly traded companies.
The entire legal system is grappling with this new world. Too many lawyers are luddites who can barely program their phones, much less comprehend what "hacking" (sic) is all about. And, worse, so are the judges who oversee their trials. And the juries that weigh the evidence. And the media that covers the trials.
I dunno, it's a little disheartening to be an aspiring lawyer when I've heard of a firm that prides itself on defending those accused of computer crimes has a password policy that mandates a particular format for your network passwords, and that your password always be provided to your assistant.