Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Hacker loses Extradition Case

Posted by ryuzaki0 on from the stylish-orange-jumpsuit dept.

SnakeOil Steve writes to tell us that Gary McKinnon, the alleged hacker who broke into Army, Air Force, Navy, and NASA systems, has just lost his extradition case. From the article: "'My intention was never to disrupt security. The fact that I logged on and there were no passwords means that there was no security,' McKinnon said, outside the hearing at London's Bow Street Magistrates Court. 'I was looking for UFOs.'"

29 of 370 comments (clear)

  1. Nice Try by MBCook · · Score: 3, Insightful
    I was just looking in that guy's house for a nice new TV. It wasn't breaking in because he left the door open.

    You want to guess how well that flies? I agree it is stupid that there were no passwords on the system, but just like a yard without a fence, the fact the fence is there does not imply permission to run around there and dig up the flowers.

    And it's the military. You really think you can poke around in the military's systems without them coming after you?

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    1. Re:Nice Try by FireFury03 · · Score: 5, Insightful

      I agree it is stupid that there were no passwords on the system, but just like a yard without a fence, the fact the fence is there does not imply permission to run around there and dig up the flowers.

      What constitutes "permission" to access unpassworded network services? Do you need written permission? If so I guess everyone who accesses public web servers is guilty of cracking them since they didn't get written permission from the server owners.

      It may sound silly, but there really isn't a lot of difference between a public unpassworded service and a private service that's been left unpassworded on a public network. It's certainly impossible to tell if it's legitimately public before connecting to it and there's no guarantee you can tell that it's not supposed to be public once you have connected.

      Lets say you connect to a web server - how are you to know if that's a public web site or a private company's intranet site that they didn't bother to password protect?

      --
      http://blog.nexusuk.org
    2. Re:Nice Try by Anonymous+Crowhead · · Score: 3, Informative

      I don't think anyone questions that what the guy did was wrong. The question is, should he face extradition to the US and a possible 70 year jail sentance,

      You'll probably get modded for that. Of course how unjust it would be for that 70 year sentence. Oh my god - the US is so evil. 70 YEARS!

      Except it's a max of 5 years. Which I would say is lenient for stealing 950 passwords from military computers. He should get 10 years tacked on for the crime of being a fucking idiot.

    3. Re:Nice Try by finkployd · · Score: 5, Insightful

      was just looking in that guy's house for a nice new TV. It wasn't breaking in because he left the door open.


      What a horrible, totally irrelevant, and not remotely applicable analogy.

      I suppose you obtained permission from every contributor (read: copyright holder) on slashdot.org before you broke into port 80 and pirated all of this text and graphics to your computer, correct?

      I mean, just because there is not a lock on the door, what makes you think you can come in head and read everything......hey wait, did you POST data to this server too? Holy crap! Vandalism! That is just like spray painting on the inside of someone's house that you broke into! You are in for it now.

      Finkployd

    4. Re:Nice Try by dwandy · · Score: 5, Insightful
      I agree it is stupid that there were no passwords on the system, but just like a yard without a fence, the fact the fence is there does not imply permission to run around there and dig up the flowers.
      It's not quite so simple.
      The reason you know that a yard without a fence is still private property is because there is social history - first around property, and more recently around 'suburb property'. So now we have an acceptance of what is private and what is not, even if it's not marked.
      But, if you are in the middle of nowhere, and crossed no fence and passed no sign, you could be under the impression that you're still on public property. While you may still be trespassing, no judge is going to find you guilty. The rightful owner can certainly ask you to leave, but charges are never going to stick.
      So, by the same token, any computer system that has no password could easily be assumed to be open to the public.

      I'm strongly against computer owners who take no steps to mark the territory as private who then sue and/or lay charges. Anything I can access using a typical browser or ssh/telnet/ftp/whatever client is public property. As soon as it prompts me for a password, or even displays a notification that this is private, then anything beyond that is unauthorised access.

      Note that shopping centers are private property, and yet we assume we can enter and move about freely. Sure, they can ask us to leave, but we work under the assumption that since the door is open, we are free to enter.
      Once inside, there are often doors that are either locked or marked for no entry, and again, we assume that these areas are off-limits, but the rest of the area is 'public' (of course, not in the legal sense)
      So, if from my computer I can access a remote computer belonging to the US Army, am I breaking the law?
      Those who immediately say 'yes' forget that the US Army has a very public HTTP server which anyone can access freely.

      So now the questions are (much more correctly) how does one tell whether one is on 'private property' out in the wilderness? Because that is what the internet is - a giant otherwise unmarked wilderness. Sure, parts of it look like the burbs with the on-line shopping and home-pages, but there's a whole host of other computers out there performing tasks, responding to credit, time, stocks quote, system update and various other queries. Which of those is public? Which is private?
      It's only by putting up signs and locks that people can know which computers are public and which are not ... in my opinion the onus starts with the computers owner. If you attach a computer to the public network (aka the internet) and you fail to take a minimum of steps to state that this computer is private, than you should have no recourse if someone accesses it without your expressed permission.

      --
      If you think imaginary property and real property are the same, when does your house become public domain?
    5. Re:Nice Try by BoredWolf · · Score: 3, Insightful

      Actually, there is no presumption of privacy without protecting yourself. Lets say that you don't have a fence around your yard; whatever happens to persons in that yard is therefore your responsibility, because there is no restriction to trespassing. If the person destroys your property, they are liable. Conversely, if they slip on your front doorstep and break their neck, you are liable because they are technically not trespassing. No harm, no foul on either party. Why should computer systems be any different? If you make the mistake or choice not to protect your system from user-level access and harm, then you are responsible for any breach of security provided that the user does not destroy any of the information stored. However, the real issue is revealing national secrets (supposedly). Because the federal government has been caught with their pants down, they have to make a good show to cover-up their incompetence. He would be prosecuted similarly in the UK, and it is simply a show of good-faith toward the US to let him be prosecuted there.

      --
      "Bad times have a scientific value. These are occasions a good learner would not miss." ~ Ralph Waldo Emerson
    6. Re:Nice Try by ergo98 · · Score: 3, Insightful

      It's still not very clear why he ought to be extradited though.

      He committed a crime against resources not only in another country, but of another country's government. If you mail a bomb to the president of another country, that country will ask for you to be sent over -- even though you began the crime in your country.

      Does the US ever ship anyone overseas for trial ?

      That's why the UK is extraditing him -- they have a reciprocal extradition treaty. If they refuse to, then the next time they want a cyberhacker from the US to be extradited, the US would refuse.

    7. Re:Nice Try by Ironsides · · Score: 3, Informative

      Does the US ever ship anyone overseas for trial ?

      Yes. http://seoul.usembassy.gov/december_24_2002.html

      --
      Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
    8. Re:Nice Try by plague3106 · · Score: 3, Insightful

      Why not ship him off to Russia to face their computer laws? Its not pick and choose... he broke into a US military computer, he needs to face US law. It was not the UK that was harmed by his actions, it was the US.

    9. Re:Nice Try by Schraegstrichpunkt · · Score: 4, Insightful
      Replace "home" with "store" or other place of business. Homes are treated specially under the law (at least in some jurisdictions) precisely because they are special. Computers providing services on a public network are hardly akin to private dwellings.

      What I'd like to know is, with all this talk about "security" and "9/11" and crap, why is it that the military can be -- even arguably -- accidentally cracked? What if the alleged "hacker" wasn't from a friendly country?

      I don't care how good this "hacker" guy was. Yes, perhaps he should be punished, but if he was able to get at systems that are critical to national security at all, regardless of the means he used, then clearly someone in the military isn't doing his job. I think the people in charge in the military, who have a duty (unlike this UK civilian) to safeguard the American public, should be punished more severely.

      --
      http://outcampaign.org/
    10. Re:Nice Try by rwven · · Score: 4, Insightful

      Per answers.com dictionary:

      Stealing: The act of taking feloniously the personal property of another without his consent and knowledge; theft; larceny.
      http://www.answers.com/stealing

      Steal: To take (the property of another) without right or permission.
      http://www.answers.com/steal

      I'm sorry but I see nothing about deprivation. You're welcome to look at the other definitions at those links and you'll see the same.

      If you get your car worked on and then drive off without paying...that's stealing. You didn't actually take a physical object from that person though.

  2. Title is not quite true by mustafap · · Score: 3, Informative


    The judgement opens up the option for his extradition.

    The decision is now with our Home Secretary.

    --
    Open Source Drum Kit, LPLC deve board - mjhdesigns.com
    1. Re:Title is not quite true by purple_cobra · · Score: 5, Insightful

      Sadly, Reid will happily extradite him. Bush will *tell* Blair, and Reid would never think of opposing The Anointed One.
      Much as I think McKinnon is an idiot he should be tried and, if found guilty, punished in the UK: he stands some tiny chance of a fair trial here, along with a proportionate sentence. All that crap about causing so much damage to a network that it "took more than a month to repair" (quote taken from the BBC News story) has the strong smell of bullshit. I suspect this is more concerned with the US military being shown, once again, to be incompetent and entirely incapable of securing anything than with the alleged damage this plonker caused.
      Shame he didn't want anything from our own MoD: if he'd hung around long enough I'm sure he could have picked-up one of the many laptops they've left lying around over the years.

    2. Re:Title is not quite true by mpcooke3 · · Score: 3, Funny

      "took more than a month to repair" (quote taken from the BBC News story) has the strong smell of bullshit

      They probably included the time it took to set up that security system called "passwords". so as to make sure no other leet hackers could break in.

  3. I really hope... by joe+155 · · Score: 4, Insightful

    that the Home Secretary does not let this one go forward... as someone mentioned previously in a discussion a few days ago; we all break laws in countries which we're not in, that's ok, we shouldn't be able to be prosectued for it (I know he also broke UK law - but he should only be prosecuted under that). How would Bush feel if someone tried to prosectue an American for saying that Iran's leadership was being foolish and that they are wrong - that's illegal in Iran - where's the extradition to Iran - you can't have it both ways

    --
    *''I can't believe it's not a hyperlink.''
    1. Re:I really hope... by Mike+Buddha · · Score: 5, Informative

      How would Bush feel if someone tried to prosectue an American for saying that Iran's leadership was being foolish and that they are wrong - that's illegal in Iran - where's the extradition to Iran - you can't have it both ways

      Your understanding of International Law is woefully inadequate/misinformed. The US has extradition treaties with countries they determine are lawful, like the UK. The US does not consider Iran a country that would respect American Law, and therefore have not agreed to an extradition treaty with them. Yes, in fact you can have it both ways.

      If you'd checked, you'd know that in fact Iran has in the past issued warrants calling for the arrest of foreign citizens. Those warrants carry no weight outside of Iran and the countries (if any) that have extradition treaties with it.

      --
      by Mike Buddha -- Someday the mountain might get him, but the law never will.
    2. Re:I really hope... by pla · · Score: 4, Informative

      Your understanding of International Law is woefully inadequate/misinformed.

      And yours appears woefully naive. International law means "The US gets what it wants, everyone else can go pound sand".

      Not saying I consider it right, just callin' it as I see it.



      The US has extradition treaties with countries they determine are lawful, like the UK.

      Or, say, Italy? Oh, but we just can't let them have 22 CIA operatives charged with kidnapping and torture on Italian soil.

      Or Venezuela, seeking the extradition of a KNOWN terrorist the US has decided to harbor, because he only terrorized Cuba? How well would that fly if the UK responded to the US request "Oh, well, we'd love to, and normally we disapprove of cracking military computers, but well, he only attacked the US, not anyone that matters"?

      Or Spain, currently seeking the extradition of three US soldiers for the murder of a Spanish reporter?

      Or India, who currently wants Warren Andersen (former CEO of Union Carbide) for that little Bhopal mess?

      I could go on.


      So... Yeah. International law... Whatever helps you sleep.

    3. Re:I really hope... by Jim_Callahan · · Score: 4, Insightful

      As someone else in the thread has noted, a lot of the US extradition treaties are one-way (i.e. extradition in the other guy-> US direction was traded for something other than the reciprocal right). This means that the US can demand extradition of a lot of foreign citizens while those people's countries can't do the same to us. This isn't our fault necessarily, it's what both parties agreed to whenever the treaty was signed.

      Also, extradition generally has to be approved by the country doing the booting, so it's hardly a level of bullying beyone the normal bullying associated with any form of politics. There are doubtless times when countries denied the US the right to prosecute their citizens: in this case, they didn't, because they agree that the man is a criminal and know that nothing worse would happen to him under U.S. law than under their own law.

      --
      ...it's really a sad day for America when we require a goddamn ACT OF CONGRESS to make our DVD players work properly. ~
  4. Spock: Insufficient facts always invite danger by digitaldc · · Score: 3, Funny

    "I was looking for UFOs."

    Judging by the look on his facecould he be one of them?
    Of course he lost the Extradition case, we can't even transport to Mars let alone Alpha Centauri.
    This whole mess could have been avoided if he had only tuned in regularly to the History Channel.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  5. A couple of points by Anonymous Coward · · Score: 5, Insightful

    Given the US track record on treatment of detainees, torture, imprisonment without trial and so on I am very suprised and disappointed that any government would willingly allow their citizens to be taken into custody in the US. Here in the UK we have an issue with "illegal imigrants" who remain in this country because on arrival they plead persecution and their lawyers find it easy to block their deportation back to a repressive regime. By the same standards the USA is clearly a repressive regime.

    Also, I've heard this story from all sorts of sides and opinions ranging from "He's a harmless wannabe cracker who just walked into unsecured .mil sites looking for UFO information and is now being persecuted by overzealous 'security' gimps keen to make an example of someone (presumably because they never catch any real intruders who are far too smart)" all the way to "He's a publicity seeking prick who set this whole thing up to get busted as some kind of bid for fame"
    Whatever the outcome I'd like to see the same standards applied to SONY as to this kid. If he goes down then I want to see SONY programmers arrested and deported to the UK to face multiple criminal charges because installing rootkits is an offence under the Computer Misuse Act in this country.

    With all these double standards I can't see people retaining any repect for justice or the law. Once governments undermine the law with such blatent corruption of principles it's a one way ticket down to social disintegration.

  6. Well, ok maybe by finkployd · · Score: 5, Insightful

    Despite being batshit insane, he might have a point with this:

    "The fact that I logged on and there were no passwords means that there was no security"

    There needs to probably be some middle ground legally regarding what is and is not secure. It makes no sense that, say, accessing a windows share drive (or AFS cell if you like real network filesystems) out there on the internet with no passwords, no encryption, no attempt at all at security should be legally considered breaking and entering or whatever non-applicable metaphor the courts have wedged into computer case law. Nor should accessing an unprotected wireless connection be considered this, since many OSes will do that without asking.

    One the flip side, we cannot go so far as to say that just because someone can break security, it was not really there... "You honor, if he didn't want me using his wireless connection, he shouldn't have only used WEP and MAC restrictions. I mean seriously, it was trivial to get his WEP key and change my MAC address to one of the allowed ones".

    As much as I hate to say this, there needs to be SOME standard of security to apply to something before breaking it can be considered a crime. We run into this with the DMCA where ROT13 is a perfectly legit encryption algorithm in the eyes of the law. Maybe NIST approved cyphers or something like that should be the standard. It is just silly to leave something wide open then act all surprised and litigious when someone checks it out.

    And before anyone makes a brain dead "leaving my house open does not give you the right to come in and snoop around" analogy, let's be clear that by virtue of having something published on the internet, you are inviting people to take a look. There is no accurate and meaningful real world analogy for computer network security so keep your unlocked cars, unattended briefcases, and snail mail stories to yourself. There are many services you can log into without a password (think anon FTP, demo systems, or even some telnet/ssh BBSes), so if you don't want people thinking they can log in and look around, try setting a password. Sheesh

    Finkployd

  7. McKinnon didn't hack anything by t35t0r · · Score: 4, Insightful

    I've said this on digg and i'll say it here again, he didn't hack anything. In his interviews it was said that the systems were already compromised and were being used by people from eastern european countries. I commend him for seeking the truth but not for going about it idiotically. In any case he doesn't deserve anything more than a few months in jail (if that even, better in a halfway house if there are such things in the UK), probation, and community service.

    This has gotten way out of proportion. He didn't even do anything to damage US operations nor was this even his intent, he's not a terrorist and had no malicious intent. I would rather make sure those idiotic sysadmins never worked in IT for the rest of their lives since they left administrator passwords open! Freakin morons.

    1. Re:McKinnon didn't hack anything by Tx · · Score: 3, Insightful

      Yeah. What's the betting the guy gets extradited and eventually sentenced to several years in jail, and Ken Lay gets off scott free? American justice, eh?

      --
      Oh no... it's the future.
  8. Re:Ouch by AuMatar · · Score: 5, Informative

    The system was comprimised. You don't just reboot them- you need to reimage the system to make sure nothing was left behind by the intruder. For a military system, they probably did a forensic search to see what he had access to and what information may have been comprimised. That takes time.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  9. Re:Nice Try (NOT!) by FireFury03 · · Score: 3, Insightful

    Anybody who thinks that it's OK to go poking around obviously non-public military sites

    I'm afraid I don't know the specific details of the case - was he accessing web sites? Were they obviously non-public? How could he have found out that they were obviously non-public before accessing them (and thus being branded a cracker)?

    if you're finding passwords and deployment details, you can be pretty sure it's not supposed to be public

    If you've found passwords and deployment details then you have already accessed the server and thus liable to be prosecuted as a cracker. Please explain how one would find out _before_ potentially breaking the law that they shouldn't proceed any further.

    In fact, if he wanted to do the right thing, he should have emailed a security contact for the site and notified him/her about the problem.

    Emailing them saying "hey, I just accessed all your confidential data" doesn't seem like a good way of avoiding prosecution does it?

    It _could_ also be argued that since these were military secrets, knowing them turns him into a target and so the best way of remaining safe is to keep very quiet and hope noone notices.

    --
    http://blog.nexusuk.org
  10. Open door analogy by chihowa · · Score: 4, Insightful

    As you've said, the open door analogy isn't the best here, but it can be improved a little bit. A publicly accessible computer system on the internet is similar to a unlocked door in a business district. If it doesn't say 'Employees Only' or isn't locked (compare to requiring a password or announcing that permission to access is restricted), then you won't be charged with tresspassing for opening the door and checking out what's inside. Of course you can't take (or break) anything, but you can't do that in any 'open to the public' place either.

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  11. Bull by weierstrass · · Score: 5, Informative
    >That's why the UK is extraditing him -- they have a reciprocal extradition treaty.

    No, they have an almost unprecedented asymmetric extradition treaty.
    The Extradition Act 2003 is an Act of Parliament of the United Kingdom. Among its provisions, it removes the requirement on the US to provide prima facie evidence when requesting the extradition of people from the UK, but maintains the requirement on the UK to provide such evidence to the US in the reverse situation.
    (Wikipedia)

    This is the reason for the opposition to Gary's extradition, and that of the NatWest Three, and so on. The UK basically handed a huge chunk of sovereignty right over to the Americans, basically saying "If you want a British citizen, you can have him bound hand and foot."
    --
    my password really is 'stinkypants'
  12. A country that extradites its own citizens ... by Ihlosi · · Score: 3, Insightful

    ... should consider itself a vassal.

    1. Re:A country that extradites its own citizens ... by houghi · · Score: 3, Insightful

      So all I have to do is commit a crime in a neigbouring country and get back before I get cought?

      In Brussels not so long ago a young man was killed. The (aledged) killer went back to Poland where he is from to hide. So you say that the Belgians should just sit and do nothing?

      A country that does not extradites its own citizens is guilty of obstruction of the law, at least.

      --
      Don't fight for your country, if your country does not fight for you.