Slashdot Mirror
Lawyers Say Hackers Are Sentenced Too Harshly
Bendebecker writes "Cnet is reporting: 'The nation's largest group of defense lawyers on Wednesday published a position paper arguing that people convicted of computer-related crimes tend to get stiffer sentences than comparable non-computer-related offenses.' Finally, someone is listening..." The document makes the points that most computer crime cases involve disputes between an employer and employee, and that the seriousness of the offense is generally comparable to white-collar fraud cases.
Quite frankly given the number of laywers who do their best to circumvent the true spirit of the law I don't want them making any public statements on my behalf...
All the best,
--Bob
I think it all depends on the crime committed.... stealing 8 million credit cards is a lot more serious than defacing a website for an hour, don't you think?
On the other hand I AM glad that computer crime is possibly going to be recognized as a white collar crime instead of a terrorist threat.
This one bombed a bus. That one stole a credit card. Kill 'em both!
Always going forward, 'cause we can't find reverse.
defacing a web page != stealing credit cards.
they shouldn't have equal sentences, but that isn't to say one of them isn't deserving of what they get...
There are some odd things afoot now, in the Villa Straylight.
In many cases, the victim would be ignored if s/he didn't over-state the actual damages. I've heard victim after victim (right here on slashdot) state that they've went to the FBI/local officials, and were denied help because the actual damages didn't add up to a certain amount.
No wonder victims are overstating the problem, it's because they don't like being ignored.
--sex
Very popular slashdot journal for adul
There's strength in numbers - and the lawyers finally realized that geeks are the only people as universally unpopular as they are.
Scenario A: man walks into a store with a gun, demands they empty the till, walks out with a hundred bucks.
Net effect: 100 bucks for the store + mental anguish for people in there.
Punishment: Ten years
Scenario B: Man defrauds investors, pension funds etc out of millions or billions
Net Effect: Pension funds slashed, thousands made unemployed
Punishment: 5 years
We all know that white collar crime gets punished a whole lot less, but is that right ? Why shouldn't execs from the likes of Enron, WorldCom et al be looking at life behind bars for the havoc they have reaked ? Well because there really is a different set of laws for the rich. Sure they might even get 15 years in the cases of these massive frauds, but is this enough given the damage they have caused ?
So maybe the problem is that white collar crime is punished too little, rather than hacking is punished too much. Maybe having sentences for theft, fraud etc (of any kind not involving actual violent which already has punishments) should be related to the amount of money stolen.
Maybe 1 year per $1000....
An Eye for an Eye will make the whole world blind - Gandhi
And the white collar fraudsters should be hit harder? I think I'd rather see that myself. Send Skilling, Lay, and their ilk up the river for an age and a day.
Stop by my site where I write about ERP systems & more
Quoth the Rave,,, err, Anonymous Coward:
"Oh, well, in that case, since it's ONLY fraud, might as well let them go free."
You didn't understand the argument, or didn't bother to read it, at least. They're not saying computer criminal should "go free," but that the harshness of their punishments should be similar to the punishments meted out for similar crimes not involving computers. Is that really so difficult to support?
I believe it would be better off to just go and steal stuff old school than to do it via hacking.
Hint Hint Your are more likely to get your Credit Card number stolen by giving your card to the waiter/waitress in a restaurant to have the bill paid than by having it stolen over the net!
That is fraud though. . . . maybe identity theft? A better defining line needs to be made up, not all that happens over a computer is "hacking", intent should be judged as well as actions. If a person goes into a bank pointing a gun it is not automaticaly a bank robbery, it could very well be a hostage situation. Intent, ya know?
Need help treating your acne? Come here!
sipthe seriousness of the offense is generally comparable to white-collar fraud cases.
Read: The fast-growing, little-punished type of crime that destroys the finances of thousands every year.
"Hacking" is no more the refuge of the geek. True criminals have embraced it as a way to siphon off lots of money with little risk.
Let's not charge people looking for CC#'s with terrorism, but let's not label it "annoying" and offer up slaps for people's wrists.
So close and yet so far from the world's perfect ID number
Are hackers sentenced too harshly, or are "comparable" criminals not sentenced harshly enough?
--
Think Green... Burn only 100% recycled dinosaurs in you car.
It's because lawmakers have no idea what hacking is. All they know is that the news and their handlers and their real constituents (donors) say it's very bad. It's just like way back in the day when people were put in institutions for being depressed. No one knew why they were depressed so they just put them away.
Now, I'm not saying that hacking others' equipment is good. I'm just saying that the punishment should fit the crime, not get 10 years in jail because you made the RIAA website say they love mp3s instead of money.
Note To Self: change plans from hacking to fraud.
-You're wasting your time. Alfador only likes me.
Its the inability to impose proper sentences for violent criminals and drug offenders. I have no sympathy for people invading companies computers for whatever reason and they should be punished harshly. I have better things to do on my weekends then combat those assholes. But there is a need for reform in the way punishment is administered for violent criminals and longer sentences need to be handed out.
Worst. Sig. Ever.
If I break into someone's house, I'll be charged with breaking and entering, and with trespassing.
If I hack into someone's network and don't even do anything but look around, I'm charged with causing losses of millions. I'm charged with stealing any sensitive content I gained access to whether or not I even looked at it. Not to mention they'll slap all the cybercrime and terrorism laws they can find down on me too. It has nothing to do with the severity of the laws, just that you get pinned with so many of them.
I am a viral sig. Please help me spread.
I remember when there weren`t any specific computer crime laws on the books in the U.K. and prosecutors tried to charge the accused with theft of electricity.
I can see that sometimes the claims of damage in online crimes can be ridiculously high. However, if the claims of damage is reasonable, I don't see why the punishment should be any lesser than any other crime.
I think white-collar criminals are already getting far less punishments than they should. How could someone who screws up the millions of dollars from their employees be subjected to punishment comparable to shoplifters or burglars?
geek page at KY speaks
arguing that people convicted of computer-related crimes tend to get stiffer sentences than comparable non-computer-related offenses.
Only in US. Convicted hacker Raphael Gray, who stole 23,000 credit card no. and sent Bill Gates boxes of Viagra, was only sentenced to three years of community rehabilitation. As he told BBC:
"...Kevin Mitnick was stopped from going near computers, even from working a cash register, but they can't do that in this country.
I've had two job offers - one from the guy who tracked me down..."
...are the hackers of today.
"... McOwen was charged under Georgia law with computer trespass. Facing up to 120 years in prison..."
A man installed a program that for all intent and purposes is a screen saver and he could have been forced to serve 120 years in prison had he not plea bargained. Clara Harris killed her husband with her Mercedes, was found guilty of 1st degree murder, and was only sentenced to 20 years (she'll get out in 10).
I think something is wrong with a system that gives you more time for installing a program that doesn't do any damage than it does for murdering a person in cold blood.
...more year in prison than the average raper ?
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
If that logic is pursued, just make every crime, from littering and jaywalking on up, a capital offence. That would deter ALL crime. Sounds idyllic, doesn't it?
The point the lawyers are making is that the penalty should be in relation to the harm caused, not multiplied merely because it somehow involved a computer. Whether you defraud using a fountain pen or a PC, the penalty should be the same.
So if I am distracted while I am driving and I accidently run over someone and they die, I should get the chair because "hey, the crime of killing a person is equal to the crime of killing a person"? Hacking into someone's webserver and adding the line to their webpage that I own their box should equal a punishment but that punnishment should not be the same as hacking into a computer and deleting their harddrive or changing the balance in my bank account. It's like saying that every theif should get ten years in prison regardless of what they stole; it sound nice on paper but do you really think anyone should go to jail for ten years for stealing a candybar?
There's a growing sense that even if The Future comes,
most of us won't be able to afford it.
-- Lemmy
Check this out:
Story (palmbeachpost.com)
An 11 year old snuck into his classroom during lunch and changed some of his grades on his teacher's computer. He was caught and is now facing FELONY computer fraud charges. Tell me that's not a bit ridiculous.
-Dan.
The issue isn't tough sentencing for hackers. The issue is that white collar criminals get off light.
Hacking is not a white collar crime. When I think of white collar crime I see millionaire executives spending stolen money for blow jobs by preteens in foreign countries. When I think of hacker crime I see a trail of empty Mountain Dew bottles and Cheetos bags. Hackers need to become filthy rich before they can play the courts like the big boys do.
Extreme cases aside, most hacking is like kids stealing cars to take 'em for joy rides. Sure, a few people get hurt by each crime, but it's not like you have a few hundred thousand stock holders who'll have to work 10 extra years before they retire because their portfolios are toast.
"The (majority) of the offenses are generally disgruntled employees getting back at the employer or trying to make money."
And how is this not serious? Destruction and blackmail are extremely serious and should not be tolerated in society.
Prison is not just rehabilitation. It is a deterrent. If there were little or no consequences to, say, wiping out a server just because you are mad you got fired then many many more people would do it. Consequentially companies would crack down hard on everyone and treat all employees like assumed criminals.
Most of the world we live in is based on trust. Most homes and businesses are relatively easy to break into. And if the consequences for such actions were light then more people would be trying it just for fun. And then home owners would have to put bars on their windows and constantly worry about keeping their house secure.
In fact, this is essentially what Slashdotters are recommending people do to their computers. Most people have better things to do with their lives than worrying about locking down their computer from hackers. How about the hackers say on their own boxes and stay the heck away from everyone elses!! If someone breaks into my computer, it is not MY fault the computer was easy to crack. It is the hackers fault for doing something they weren't supposed to do. And the hacker should go to jail for it, just as they would go to jail for breaking into my house and checking out all my stuff. I don't care if they steal anything or not, it is an invasion of my life and privacy!
I am sick of the hypocrisy Slashdot getting all up in arms about the Patriot Act and then worshipping Kevin Mitnick. At least I can vote against the Congressmen who supported the Patriot Act. I can't vote to keep Mitnick wannabes off my computer, except to vote to put them in jail where they belong.
Brian Ellenberger
People have always tended to be hysterical about that which they fear and don't understand. They see this "hacking" (it should be called "cracking" in this context, but that's a lost cause) as a vaguely defined but fearsome threat, regardless of the actual reality of harm, and clamor for the modern equivalent of witch burnings.
A truly excellent pizza parlor is a delight unto the heavens. Treasure the sauce and the toppings!
Kevin Mitnick, in his Slashdot interview, explained this in detail:
Suffice it to say, we need to find a compromise where we can accurately represent the loss of intellectual property without undually exaggerating its (non-material) worth.
Its not like it takes an order from the president with full access codes to launch a strike or anything. Just a dialtone and a modem from the computer that lauches the strikes.
Also he could of obstructed justice by using a walkman or radio because he could of turned it into a hacking device. The fbi needed to take these priveldges away as well so he can stare at the walls and do nothing in his solitary confiment for 7 months while still technically inocent I may add. I mean screw John Gotti. This man is clearly more dangerous to our whole American way of life.
Also look at economic sabatoge and espianage caused by Jon Johnson from reading his own personal dvd's? The RIAA and the BSA claimed they lost over 9 billion a year because of piracy. Its a shame and we all know that these kids and college students can easily afford adobe photoshop, 3dStudioMax and all of Nsync's and britney spears artistic masterpieces of great music which is worth every penny of the price so it must be piracy! We need to stop these so called terrorists before they kill every man woman and child on earth. Hopefully some hardware based solution will be the salvation towards the problem.
Do we want the whole ecomomy to fall apart and lose millions of jobs because of lenient sentancing? Somebody please think about our children.
http://saveie6.com/
Well this is really quite simple.
/usr/bin/perl
Computers are for "smart" people
People feel marginalized when they don't understand even the basic concepts of what has happened
Therefore when a CEO realizes they have been hacked/cracked (you fight that out) they feel even more violated since they don't even understand how someone could get past all the hardware they bought and all those 45-100K+ people they have running around purporting to be computer experts.
Their anguish is then felt by atrtorneys who can't understand the crime, the criminals or why everyone is so upset. The one thing they do know is that THAT FAT GUY WITH THE UNKEMPT BEARD AND THE WIERD SHIRT THAT HAS THE FORMULA FOR HELL ON EARTH:
#!
ON HIS SHIRT IS DEFINITELY GUILTY!
And that's pretty much what happens.
This
Too harshly? Why, in my day, after Prometheus stole fire and gave it to mankind, we chained the guy to a rock and had a giant bird eat out his liver every day. Now that's punishment!
-kgj
That a lot of the problem here is due to double standards and lack of accountability.
Joe Schmoe embezzles from his S&L firm for ten years, gets caught, and it is realized that he made off with 500K. He is slapped on the wrist, fired, made to "pay it back" on time deferred payments, or maybe stuck in a white collar prison/country club for a few years.
Mike, the l337 hacker from down the street, defaces Stuff-Marts web page, pointing out that Stuff-Mart buys 80% of its stuff from china, where it is made in forced child labor camps at gunpoint, and it is repaired in an hour.
Now.. Stuff Mart's lawyers tell the jury that they *potentially* lost MILLIONS due to the damage, (when in fact, they did not "lose" anything.. and there is no way to prove how many people would have bought during that time anyway). The SM lawyers also point out that it cost "an estimated 100K dollars to repair the damage!".. which means they just budgeted in A) the new server and colocation company to handle the site, B) the three person team who maintains and handles the site already, and C) all of their IT staff who received an Email about the "hack" and therefore were "working" on it.
Its all about what the jury wants to hear, and all about language.. "potential" is used ahead of "we could have potentially lost BILLIONS in sales!" but the judge/jury does not hear the "potential". Nor do they realize that 99% of that IT staff was already working there, doing their routine jobs, and had nothing to do with the repair anyway.
(Same reason a procedure at the hospital that took all of 15 minutes costs your insurance company as much as your house did.. funky accounting and everyone wanting to be "in" on the action.)
I think a lot of "hacking" is a no harm no foul problem anyway.
Maeryk
Feminine Protection? What is that? A chartreuse flame thrower?
From http://www.savage.net/public_html/net/phrack.html:
This guy was accused of stealing 80 grand when in reality it was worth 13 dollars!!!Also see Kevin mitnick answers if you missed it.
the solution would be a requirement of PROVING damages. an invoice from "overpriced security fixer-uppers" for $21,985.31 to install W2K sp3 to fix that hole that script-kiddie4 used to get in are proveable damages... the "we lost $295,997,667,342.87 because he MAY HAVE copied a file" needs to be called bullcrap by everyone involved.
if you cannot produce an invoice or legitimate quote for repair/losses then you are told to shut up would fix every bit of this.
Do not look at laser with remaining good eye.
If they suffered a loss, let them document it and then charge the "hacker" with criminal damage, fraud, or whatever. Why should "hacking a corporate network" be such a heinous crime in itself?
My (ex-)girlfriend works at a bank. Her bank branch has never been robbed before, but take the following into account:
a) Most Bank robbers wouldn't know what bait/dyepacks would look like if it was sitting in front of their face
b) If the tellers just grab their bait, the robber's getting away with ~$83 per teller
c) Some Bank Tellers have their own 'valuts' (Bank tellers buy and sell money from the bank vaults to their cash drawers. Some banks differ in how much money they're permitted to have in their drawer, or don't permit their tellers to have locked valuts.
Let's say I'm Jon-BankRobber. I walk in with my gun, flash it around, walk out with ~$300 bucks (~$80 x 4 bank tellers), caused some bank tellers to quit their jobs/go into therapy/become really depressed. I go to Court, visit the Judge, who gives me ten years.
Now, let's look at Joe-31337h4x0rd00d. I break into my bank's tellering system, create an account, and either blatently (to the fact that it comes up on the next day's report) or sneakily (penny-slicing) steal money. I can get away with much much more, but for the sake of keeping things same, I only take $300.
When Joe-Hacker goes to the judge, he's going to get a max of 6 months. Non Violent Crime, Under $500 (no felony), no gun. (this is assuming that they don't get him with electronic tresspass)
If they're looking to give hackers/crackers a free ride, it won't happen. If they're trying to equal things...just make the same crime punishable by the same punishment. Rob a bank or Crack a bank, go to jail for up to ten years.
I know some of you will poke holes in this, but the average white-collar-criminal just doesn't go to prison, unless you've pissed someone really off, or really f*cked up.
Replies will be answered.
ONUCSGeek
I disable sigs...do you?
figuring for both files lost, cleaning it from systems, and a prorated amount
for the effort/energy/and money poured into the creation of patches/antivirus software.. can we apply the death penalty to the virus author?
63 years, times 365 days, times 24 hours, means 551,880 hours
every day http://en.wikipedia.org/wiki/Special:Random
>> The guy who hacked me should face at a minimum the legal penalty for breaking into my house and rifling through my file cabinet.
I agree he should be punished, but it isnt the same as breaking ito your house and rifling through your file cabinet. Break and enter is generally treated by cops and DA's as a violent crime - because burglars very often have every intent on harming someone who may be at home at the time.
A better analogy would be the clerk at the gas station who lifts your Visa number, or the guy who looks over your shoulder at a payphone or ATM to get your calling card/pin numbers. But hackers also have an element of trespassing and harassment. So maybe mix in a little of the guy who makes obscene phone calls in the middle of the night, or dumps his garbage on your lawn. Or maybe a postman who reads your mail (thats a big federal no-no as well)
In any case, saying the sentences are 'too harsh' or 'too light' is wrong IMO. This is what judges are for, to decide what punishment is appropriate on a case by case basis. Thats their job.
I don't need no instructions to know how to rock!!!!
100 years ago before the automobile became dominant, society & the economy depended quite a bit on horses. As such, you would be hung for stealing a horse, not because it's such a horrible offense, but because if the punishment wasn't really stiff excess horse theivery would probably have actually undermined the stability of society. Who would want that!
The same forces are probably in effect here.
Keep passing the open windows...
The real question is whether justice is state-surrogate revenge or to keep the public order.
The entire legal system is grappling with this new world. Too many lawyers are luddites who can barely program their phones, much less comprehend what "hacking" (sic) is all about. And, worse, so are the judges who oversee their trials. And the juries that weigh the evidence. And the media that covers the trials.
I dunno, it's a little disheartening to be an aspiring lawyer when I've heard of a firm that prides itself on defending those accused of computer crimes has a password policy that mandates a particular format for your network passwords, and that your password always be provided to your assistant.
I'd look at it this way; you broke into the house to steal a TV, but on your way out you slipped into the china cupboard and accidently broke a Han Dynasty era vace worth 1.2 million.
I suggest you actually READ the PDF. Your $1.2 million vase is NOT broken. The entire point of the article is that computer related law is broken.
If some kid sneaks in, watches some TV and leaves. he does NOT berak your vase. The crime is a misdemeanor. The economic damage is zero. This is sentenced as a "Base Offense Level" 6 misdemeanor. Perfectly reasonable.
Now lets look at what computer law does:
The kid didn't touch your cupboard or vase, but you decided you needed a cupboard with a lock for $5000. This counts against the kid and he gets +2 on the base offense level for $5000 in "damages". It now becomes a FELONY.
Then there is a +2 on the offence level for using a "special skill".
Then there is a +2 on the offence level for using "sophisticated means".
The kid did he not intend to cause any harm. The kid in fact did not cause any harm. So now a harmless prank that is supposed to be a level 6 misdemeanor is actually treated as a level 12 felony. THAT is the point they are making.
They also want to make sure this harmless prank doesn't get sentenced as TERRORISM. They don't go deeply into this topic, but they are also opposing certain "computer-terrorism" laws and proposed laws. They essentially make it terrorism for a kid to throw a snowball across state lines at a supermarket. The DOJ claims this is acceptable because they promise it will only be used in "appropriate cases". Pardon me, but I don't think a misdemeanor harmless prank should EVER be within the scope of a terrorism law.
Another problem they mention is one that came up in the Mitnick case. The kid takes a photo of your vase. The kid never shows the photo to anyone. Here's how computer law meaures this "vase theft": You paid $1000 for the vase, but you bought it on a $50,000 vacation. You later realize the vase is worthless and give it to the salvation army for free. According to computer-law taking the photo caused $51,000 in economic damages.
In the Mitnick case he copied software. If they had to spend money repairing damage Mitnick had done then there would be economic damage. If Mitnick had sold or given the software away then there would be economic damage from last sales. Yes, Mitnick broke the law, but the fact that he was charged and punnished based on tens or hundreds of millions in economic damages when the actual figure was zero damage was absurd.
And yes, one of the companies did in fact decide to give the software away for free (and it had nothing to do with Mitnick). Care to explain how he caused millions of dollars of damage by making a single copy of $0 software?
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.