US Wants UK Hacker To Pay To Fix Holes He Exposed
bossanovalithium writes "Gary McKinnon, whose tribulations we have followed for several years now, is the UK hacker trying to escape extradition to the US. It appears he is expected to foot the bill for the US Government patching holes his breaching uncovered — to the tune of $700,000. It's not really the norm for someone to pay for exploits to be patched — damages fixed, yes, but this is a very different thing." The article paraphrases Eugene Spafford as saying that the victim of a cybercrime should not take the blame. "If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door." Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?
...couldn't he fix them himself? With supervision, I mean.
"Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
If I find a hole in my Government's IT security, I'll keep my mouth shut and let the government hear about it from the Chinese or the Iranians or the S. Koreans or ...anyone but me because they'll send me to jail and make me pay.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
I wouldn't report any kind of crime or safety hazard if this becomes a regular tactic.
This is exactly like charging for a lock that was never there. Another analogy -- it is like forcing the thief to pay for the security system that the store owner now feels that he has to buy to prevent future actions.
If he damaged a system by hacking in, that's one thing. He should pay for that. But it's hardly his fault that the holes were there in the first place and he shouldn't be held responsible for funding the software improvements to prevent such actions in the future.
The holes aren't his "damage". The holes were already there. I don't care if a whole wall was missing, if an individual walks into a building and does damage or steals, the damage or stealing is what they are responsible for. Building the wall or replacing the lock is not their responsibility at all.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
But the hacker did not cause the bugs to be open. He exposed them.
Repaying any damage he would have caused: Expected.
Going to Jail for his actions: Expected.
Paying 700,000 Dollars to fix the hole he DISCOVERED (not created): Unlawful.
This seems like quite the case of people, oblivious of technology, deciding over a technological matter. His crimes might be illegal entering, but he didn't have to break any doors, windows, or locks. They were all wide open. If someone ever breaks into my house and gets caught I should sue 'em and get 'em to pay money to turn my home into an impenetrable doom fortress.
Well, it sort of is like charging him to buy the lock. In this case, the lock was missing, unlocked, or broken; however, you're right in saying that doesn't give him the right to just walk in.
I'm not sure if he should be paying for the patching of the systems, but he should definitely pay for any damages and probably restitution. The analogy here would be "don't charge him to buy a lock, but make him pay for the TV he took and for the crime he committed."
Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?
Rather like the lock company demanding he reimburse them the cost of redesigning their badly designed locks?
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
It's paying for the research, development, and possibly deployment of a new and improved lock.
Analogies should be correct to be effective. Sadly, the most effective ones are often incorrect.
South Korea (the one with Seoul) probably would tell Washington about it, but it's unlikely that China or Iran would. It's more likely that they would exploit the vulnerability in secret.
Sort of. It's more like forcing him to fund research into glass that can't be broken by the brick he threw / a lock that can't be picked by the tools he used.
FTA: "If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door."
Okay, so I can agree with paying for a broken door. Furthermore, I can say that there could be real costs involved in doing security checks to see what damage might have been done - so I'd be okay with that argument. I think they need to draw the line there, between "money spent checking what damage was done" and "money spent making sure someone else can't do the same thing". It's not entirely clear from the article what side this situation falls on, and while 700,000 dollars sounds absurdly high part of that is other more direct "damages" in theory.
But he isn't responsible for the security holes that existed. He might have made them more widely known but he did not create them. He should be punished for the act of illegally hacking federal computer systems, but the flaws are not his responsibility unless he created them himself.
I like the lock analogy, but I think it would be more appropriate to say that they are charging him for discovering that the bolts that hold the locked door shut were missing. He simply pointed it out...
The entire concept of having to lock doors is the concept of paying for security which is only necessary because of the criminals. Locks wouldn't exist without crime. We're not talking about keeping children out of cabinets.
So when a criminal does indeed prove that a lock is required, it makes sense to have those criminals pay for the security required to keep them out.
Hell, it makes a lot more sense for the criminal to pay for the security measures than for me to pay to keep them at bay.
That's like asking him to pay for the grate and security guards to cover up the pipe he crawled through to get into the Pentagon...
Yes, I am obsessed with ellipses.
But the flaws existed before he did anything. The example in the summary isn't exactly fair either, really they are trying to make him pay for a lock after he announced to the world that there isn't one. The thinking behind this logic is obviously "the security hole wasn't a problem until he announced it to the world". If you bought a new car and the doors didn't lock, would you just say to yourself "oh well, as long as no one knows about it"? Of course not, you'd want the locks fixed as soon as possible because eventually someone is going to notice that your locks don't work.
"Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?"
No, it's more like making him pay for new locks because he wrote a lockpicking book. The flaws existed, and he exposed them, but it's not his fault that people might use them to perpetrate crimes. If someone tells me how to crack a safe, I'd generally blame the safe's maker for designing that fault... not the person who realized the problem. Eh?
-----[0_o]-----
We are not amused.
No, it is not simply like charging him to buy the lock that had been missing. If you entered someone's home uninvited and deliberately or accidentally caused substantial cost and damage to the homeowner, you should be liable for your actions.
I know, right?
Like last week, these kids walked uninvited across my lawn, and caused substantial damage to a number of blades of grass! And then to add insult to injury, their damned irresponsible parents just couldn't grasp their liability to pony up for the slab, four walls, roof, and two garage doors to "repair" the space their crotch-fruit just casually trespassed across!
Sure, some scofflaws would point out that I didn't have a whole garage there to start with, so why should they have to pay for the rest? But hey, I had the good solid dirt underneath a future-garage, at least.
vulnerabilities exist. this is true of all systems, no matter who uncovers them
therefore, an intelligent organization: a bank, a military, a government, will have a system where private disclosure of vulnerabilities results in a reward for the discoverer
if you don't have such a policy, a discoverer might turn to finding reward in your vulnerability with your enemies or criminality instead
unfortunately, the discoverer must consider the possibility that if he divulged the discovered vulnerability quietly, the organization he penetrated might find the least costly solution to the problem to be the disappearance of the discoverer
such that the most moral and safest approach for a discoverer is to go public with the vulnerability instead. which of course invites the wrath of the organization penetrated. it's a no-win situation for the moral discoverer of a vulnerability, such that there is constant pressure on white and gray hats to go black
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
These are legal matters we are talking about here.
This issue is a bit more complicated than you think.
This is outrageous. What if these security holes were exploited and used by someone with intention of doing something bad?
The real crime is exposing sensitive data through the internet. If a hacker shows his concern and makes it clear that the government is exposing sensitive data, the criminal is the government, not the hacker.
The funny thing is that the real crimes are often not legally the real crimes. In the Netherlands, it is not a crime to have a system full of sensitive data that is hardly secured. But it IS a crime for anyone to expose this insecurity. The Dutch government has created a special "theft of processor time" law to ensure this.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
"Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?"
More like they want him to pay for a lock that wasn't there because he was the first one to tell them that the lock wasn't there.
Or even more obvious, somebody forgot to put in a front door and now the store wants him to pay for a new door because he was the first one to tell the store that they had no door.
Beer is proof that God loves us and wants us to be happy.
No, not really; I think it's a little more complex than that. As far as I can tell, to use your analogy, McKinnon basically rattled the locks on the door, and found that they were unlocked. He then entered, rifled through the underwear drawers hoping to find something sexy (UFO data), and took some photos of what he found (copied files). He then left again leaving things mostly undisturbed except for a few things out of place. Upon later noticing this, the owner reacted as most victims of burglary do; by going completely over the top on security to prevent similar things happening again. McKinnon isn't just being asked to pay for the missing lock on the door, but also dead bolts on the windows, steel shutters, a motion detection system and burglar alarm.
UNIX? They're not even circumcised! Savages!
He should counter-sue the US gov for putting an insufficiently protected system on the internet in the first place. Normally that wouldn't be sensible as the damage can't be proved, but in this case it can by the government's own reckoning: $700k.
This is where dogmatic views and analogies really contrast with technological reality. Those security holes would have existed whether or not he abused them in some misguided and naive attempt at finding info about UFOs. This is clearly a very intelligent person whose skills are of immense value. He just wasn't mature enough to realize the consequences and he certainly wasn't paranoid enough to keep his mouth shut.
It makes no sense whatsoever to lock him up with dumbasses whose greatest accomplishment in life is learning that beating their girlfriends is a bad thing or that guns and drugs don't mix well. What a sad waste of talent.
No, instead, I say: let him pay that $700000, but let him do it in the form of consulting. And fire the idiots who made those security holes in the first place.
I'm sorry, you must state your question in the form of an Automotive analogy...
It must have been something you assimilated. . . .
Repaying any damage he WOULD have caused: Expected.
So if I walk through an open door with malice in my heart and start rifling through your desk looking for documents about aliens I can be expected to pay for the fact I could have splattered the place with paint, smashed all your plates, peed in your coffee pot etc.?
To answer the question posed in the write-up with a question: aren't the door and the lock one system ? Wouldn't replacing the door usually also mean: replacing the lock ?
Religion is what happens when nature strikes and groupthink goes wrong.
"Great, now everyone knows we have the holes and we actually have to fix them. Everything was fine when people just assumed we had a secure system. Now this guy goes and rains on our parade. Let's try to get him to pay for fixing them."
Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?
Rather like the lock company demanding he reimburse them the cost of redesigning their badly designed locks?
From what I can find of his "hacking" abilities on the black vault:
Somewhat frustrated by the common avenues of UFO research, Gary began some basic computer hacking techniques from his girlfriend's Aunt's house in the mid-late 1990s. Soon he began using a system of scanning for blank administrator passwords on supposedly secure networks ...
Sounds more like the lock company distributed a working lock to many U.S. government entities and they put the locks on their sensitive possessions but some individuals simply forgot to close the clasp and had no policy for walking around double checking locks. If he did do $700k of damage and bring the system to a halt, he should pay for it. If they are charging him $700k for a script that scans for blank passwords on accounts on their systems and drop it in a cron job, I'll gladly fulfill the work order for half that price!
My work here is dung.
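The comment above describes the technique (scanning for accounts with blank passwords) and proposes running such a check from cron. The script below is an added example, not the commenter's script or anything from the case: it audits a shadow-format password database for accounts that can log in with no password at all. The file layout is the standard /etc/shadow one; the sample content, the account names and the hash strings in it are constructed for this example.

```python
"""Audit shadow-format password data for accounts that need no password.

Added example (not code from the thread or from any project discussed in it).
Shadow layout assumed: name:hash:lastchg:min:max:warn:inactive:expire:flag.
An empty second field means any login attempt succeeds with an empty password;
"!" / "*" (and variants) mean password login is locked, which is the safe state.
"""

from typing import Iterator, List, Tuple

# Constructed sample, not taken from any real host. Hash strings are placeholders.
SAMPLE_SHADOW = """\
# constructed sample for the audit example
root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
svc_remote::19000:0:99999:7:::
admin::19000:0:99999:7:::
"""


def parse_shadow(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (user, password_field) pairs, skipping blank and comment lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected at least two colon-separated fields")
        yield fields[0], fields[1]


def classify(pw_field: str) -> str:
    """Classify a shadow password field as passwordless, locked, or hashed."""
    if pw_field == "":
        return "passwordless"
    # Locked markers: "!", "*", "!!", "*LK*", or a hash prefixed with "!" to disable it.
    if pw_field.startswith(("!", "*")):
        return "locked"
    return "hashed"


def find_passwordless(text: str) -> List[str]:
    """Return, sorted, every account whose password field is empty."""
    return sorted(user for user, pw in parse_shadow(text) if classify(pw) == "passwordless")


def audit_report(text: str) -> str:
    """Human-readable summary suitable for mailing from a cron job."""
    hits = find_passwordless(text)
    if not hits:
        return "OK: no passwordless accounts"
    return "ALERT: passwordless accounts: " + ", ".join(hits)


if __name__ == "__main__":
    # Run against the constructed sample; on a real host you would read /etc/shadow
    # as root instead (e.g. open("/etc/shadow").read()).
    print(audit_report(SAMPLE_SHADOW))
```

Run from cron as root, the report line goes to the job's mail; the point of the classification step is that a locked account ("!" or "*") must not be confused with an empty field, since only the latter lets anyone in.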
It should be remembered he is just about the biggest arsehole in the world, who gets in a huff quite a lot when dealing with hackers. Read up on 8lgm.
Now he just need to hack a bank ;)
People should be punished for opening a safe and snooping around classified information, no matter how badly the safe was designed. This could be mitigated by telling them he found a flaw, but as far as I know McKinnon did no such thing.
If anything, they should be thanking the guy for showing them the holes in their security. Then asking him to "plug" the holes. Not pay for them.
Now we all owe millons to Microsoft
I remember years ago debating the value of a login banner. Granted, having a message that says "for authorized use only" won't *deter* anyone, but it does make this sort of legal weaseling more of a moot point. Instead of proving that he was intentionally out to cause damage, or that he wasn't just mindlessly poking around, they just would have had to prove he wasn't an authorized user.
By his lawyers defense, having any open port exposed to the internet on any machine absolves the perp of responsibility.
"Your honor, my client was fully within his rights to use a 0-day exploit to gain access to a machine, ignore the login banner, place trojans on all machines within the subnet, order the backup catalog to long erase all backup tapes, drop all tables on all of the database servers, and change the company webserver to goatse. The ssh server was sitting wide open on an unregistered port! Why, the root account had simply been renamed to "dont-ever-use-me-ever-what-ever-no-never", and access required nothing more than a 4096-bit PSK and the knowledge of a 36 character password!"
Remote access to desktops directly connected to the interweb: probably not a good idea. Browsing said desktops when you're not an authorized user: illegal. Even if the plain text password is 12345.
There are some people that if they don't know, you can't tell 'em.
That's ok, Linux doesn't like you.
Your analogy changes though if it's a greased naked man who squeezed through a skylight on the roof and is looking through your sock drawer at 2 am. Now perhaps it is not the mans fault that you have a skylight, and that other people who are willing can do the same thing he did.. but you can see how you might want him to pay to keep others from doing the same thing.
waiting for ad.doubleclick.net
Firstly, the guy has Asperger's, so he probably wasn't aware that what he was doing was actually wrong until someone told him (afterwards) that it was.
Secondly, these holes shouldn't have been present in such a system up front. The holes weren't patched, the system was incomplete.
If I have a choice, I'm not buying American goods until you grow some balls and admit that you fucked up in this case, and stop harassing someone else for it.
This is crazy. It's like picking a lock without damaging it and then stealing jewelry out of a sock drawer and then being forced by the court to buy the victim a fence, guard dog, improved lock and safe to keep their jewelry in to prevent future crimes.
The one exception to this analogy would be if the hacker published the security holes. In which case you could argue it's like stealing a key and giving away copies--in which case he could reasonably be forced to pay for re-keying the locks he 'broke'.
No, it's not like "entering someone's home." It's nowhere near that. Nothing at all.
I could excuse this reckless stupidity on the Dumbtube (aka TV) but this is Slashdot. A technical website. People know what we're talking about, and those retarded, idiotic comparisons do not explain or enlighten, they just dumb the whole thing down. And in your case, they are completely wrong.
Besides, he didn't cause substantial damage. He didn't break anything. Hey, what if by posting this stupid message of yours you caused the death of someone? Hmm? What if? What if you caused the death of a million people? You'd be a mass murderer, that's what you'd be!
A new garage might be stretching it, but I think they at least owe you a good, high-quality fence.
Because, after all: They knew they shouldn't have walked there. It's only logical that they now be forced to pay to ensure that they won't in the future.
Kid-proof tablet..
Did he steal anything? Did he cause any actual damage, not counting the fake damage that is the cost of securing the whole damn thing in the first place? No and no. Stop with the analogies, if you can't argue without an analogy, that means you're probably wrong.
... but I think I actually agree with the majority of the posters here. Glad I was sitting down!
He should be held liable for his actions, and for the crimes he committed - that includes breaking into government computer systems and accessing classified information. But it does seem silly charging him with the costs incurred by the government when they worked on improving their security post-breach. Really, they should have done those "security checks" long before - and if the system had been competently administered, those tests WOULD have been run early on.
But, to reiterate, the fact that the system was incompetently administered does not excuse Mr. McKinnon from the crimes he did commit.
#DeleteChrome
The fact that the systems are federal might not matter a whole lot, since the perp is British.
You know, not from the U.S.
He should pay to re-train the entire government technical staff.
Nullius in verba
Similarly, Ralph Nader should pay for the research, development, and deployment of a new and improved Chevrolet Corvair?
No, actually, I really can't.
I think it would be more accurately analogous to someone picking a business's front door lock with a paperclip, after which he might or might not have told others how to pick that type of lock with a paperclip. Then, they expect him to replace the front, back, and side door locks because now everyone knows how to break into the business. Pretty absurd inasmuch as the business had a cheap lock to begin with that should have been replaced years ago, not so absurd inasmuch as the risk of those locks getting picked increased dramatically as a result of the person's actions. So I can see both sides of this one. It certainly isn't clear cut. It really depends on whether he can establish reasonable doubt that anyone else knows about the specific flaws as a result of his actions.
Check out my sci-fi/humor trilogy at PatriotsBooks.
I don't think I would claim that installing some security measures for the skylight is the greased man's responsibility. Some punishment for his actions would be in order, which should work as a deterrent, but if I want more physical security, it comes out of my own wallet...
It is what it is.
no, this is like someone entering your house through an open window and then making him pay for a new set of locks and an alarm system.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
To have someone set some damn passwords? (10th Paragraph).
'Speak softly and carry a beagle'
Q: If a burglar climbs through an open window that would cost the homeowner $700,000 to close, does he owe the homeowner $700,000?
A: Of course not.
How much would the US Government have had to spend to discover the security holes Mr. McKinnon exploited? While he shouldn't be paid that money, that theoretical number should count against any "damages" he caused.
It's probable that most of the "damages" being pinned on the guy are inflated government-contractor consulting rates, which (in this taxpayer's opinion) might be worthy of an extortion trial. The jokers probably closed a few firewall ports and went to the Riviera for a few months.
I'm exaggerating a little bit. I envy you, government contractors, in a dirty sort of way.
Your analogy changes though if it's a greased naked man who squeezed through a skylight on the roof and is looking through your sock drawer at 2 am. Now perhaps it is not the mans fault that you have a skylight, and that other people who are willing can do the same thing he did.. but you can see how you might want him to pay to keep others from doing the same thing.
You might want it, but there is nothing anywhere in any code of law that makes *him* responsible for putting bars on your skylight. Yes, you'll do it, and your insurer might even require it if you make a claim for the actual damages he caused (maybe he got grease on a priceless pair of silk stockings that used to belong to Marilyn Monroe?). But there's simply no precedent or code that makes YOUR basic security HIS financial responsibility.
The issue here is that they're charging this guy $700,000 in "damages," and some of those "damages" are the costs of placing intrusion detection and firewall systems that weren't there in the first place and would likely have prevented his hacking. He didn't DISABLE or BREAK them; they just weren't there at all.
Don't you wish your girlfriend was a geek like me?
The one exception to this analogy would be if the hacker published the security holes. In which case you could argue it's like stealing a key and giving away copies--in which case he could reasonably be forced to pay for re-keying the locks he 'broke'.
That doesn't seem to be the issue in this case. TFA quotes an expert witness who was also an insurance adjuster for technology systems, who says that the "damages" include basic IDS and firewall systems that should have been in place to begin with. If he'd hacked *through* such systems, and published the hacks, rendering the systems useless, and then they had to pay to fix the vulnerabilities or replace the systems, you could maybe make the case. That's not the issue here, though.
Linux doesn't really like anybody.
i want to kill the stupid fucks that are this retarded
There's a lot of misinformation in this thread being paraded as fact.
The scope of available restitution is defined by statute. The only limitations on statutory restitution are imposed by state and federal constitutions.
Contrary to some of the nonsense spouted here, in California (in re Jeremiah F.), a burglar may be ordered to pay for the cost of a burglar alarm in a (previously unalarmed) house that he burglarized and the Montana Supreme Court has authorized restitution for enhanced security (State v. Thompson). These two instances are cited to show that the States get a LOT of leeway in establishing how restitution is determined.
Thieves and hackers are the people responsible for this need for enhanced security. I say make them pay for it as much as they possibly can!
In at least North Carolina, a burglary victim is entitled to receive money sufficient for a burglar alarm as restitution.
Gaining entry by breaking down a door is not the same thing so I'd expect the person who did it to pay to have it fixed.
I wouldn't expect them to pay for a new lock however if they unlocked a door using only a Bic pen and showed how unreliable the lock was. :)
This is crazy. It's like picking a lock without damaging it and then stealing jewelry out of a sock drawer and then being forced by the court to buy the victim a fence, guard dog, improved lock and safe to keep their jewelry in to prevent future crimes.
This might be a better punitive action than locking someone up. I fully support this idea.
After all, I am strangely colored.
one of those MIND THE GAP! signs?
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
Disregard the last sentence. It's inadvertent.
> Isn't the McKinnon case more like charging him to buy the
> lock that had been missing when he walked in?
It's more like charging him to replace the window latch that he showed could be easily lifted with a credit card.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Even granting the OP's flawed analogy, I don't care if McKinnon is placed into perpetual servitude to NASA and the U.S. government. The bad act started with him. He knowingly committed the acts for which he is being punished, and I see no need or use for treating him leniently because he was a flake looking for UFO material, or because he didn't trash the system.
When you, of your own volition and under your own power, commit crimes, you own the consequences. Don't want the consequences? Don't commit the crime.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
If you entered someone's home uninvited and deliberately or accidentally caused substantial cost and damage to the homeowner, you should be liable for your actions. This could be reduced to simply holding someone responsible for their actions. People have a choice in what they do and Mr. McKinnon knowingly engaged in his actions.
You are right.
And the computer system he WAS invited into (even though they are denying that fact now) which not only told him he could come in, but was configured that way knowingly by the owners. Like you said, the owners of those systems need to be responsible for their actions.
Sure, charge this one guy $700,000 for a new security system.
Then make that same place turn around, take that $700k, and pay out $700,000 from it to every American who gave up hard earned cash to pay for this system, and who were lied to when told it was a secure computer system, instead of one in reality configured to allow everyone into.
no... absolutely not. It would be my fault for having an open skylight.
Sure, he should be punished, he should pay for any grease damage he caused to my socks but he should not have to pay to remove a perfectly functional sky light and re-roof my house
He hacked into 97 systems... a mere ~$8000 per server... not that much...
It's not only 1 hole...
Cost for patching: 700K
Cost for discovering the hole in the first place: 7M.
Problem solved!
"What do mean there was a hole there? There wouldn't be a hole there if you hadn't found it."
This sounds like some dip shit Admin/Contractor trying to cover their own ass and blame someone else.
Charging a hacker for fixing the holes he discovered is like charging the customer for all the costs of a car recall because that customer happened to be the one who discovered the problem.
Sorry, but charge appropriately and don't get stupid. Assess and prove damages just like every other person would have to in court.
Then again, we are talking about the Government here, so I'll rescind my statement about getting stupid.
If this were true, which it isn't -- most Americans know that North Korea is a very poor totalitarian country and that South Korea is a prosperous democracy that provides many high-technology consumer and industrial exports to the US -- but if this were true, it would be a great tragedy.
There is a tremendous amount of military aid that the United States provides to South Korea and a larger amount of sensitive military equipment that Washington allows South Korea to purchase from US vendors, including variants of the M1 Abrams tank, the F-16, the F-15, the UH-60 Black Hawk, the sea-borne Aegis fire control system. There are also 25,000 US military personnel stationed in Korea.
If Americans did not understand the resources and secrets that their government is sharing with Seoul, it does not bode well for the American democracy...
You're reading it wrong. He mean that damage he would have caused, had he caused any damage. As in, he would have caused the damage, had damage been done. If no damage had been done, he would not have caused it.
Don't take life so seriously. No one makes it out alive.
You'll be hearing from our lawyers soon. The crashes involving our automobiles were entirely due to operator error. There is nothing wrong with our braking system!!
Danny Ubanti
President and CEO
Ubanti Motor Company Inc Ltd
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
The door may have been wide open, but after tracking in all that mud from the outside, there's a lot of cleaning services that need to be paid...
$700,000 is way, way, way more than sufficient to pay someone to block the Remotely Anywhere port on their network firewall, it's over a thousand times the sufficient amount actually.
Yes, all the examples here are so relevant. Walking across the grass, not having a door on your house... This guy did wrong and now all of a sudden he's the victim. Why don't all the skirt wearing pussies in Europe hope he gets compassionate release for an oil deal.
I don't have a car, you insensitive clod...
A better analogy would be for me to have to replace the emperor's wardrobe
For justice, we must go to Don Corleone
From Wikipedia
"The US authorities claim he deleted critical files from operating systems, which shut down the US Army's Military District of Washington network of 2,000 computers for 24 hours, as well as deleting US Navy Weapons logs, rendering a naval base's network of 300 computers inoperable after the September 11th terrorist attacks. They claim the cost of tracking and correcting the problems he caused was $700,000.[15]"
So I don't see where the idea that the $700,000 claim is merely to secure previously unsecured systems originates from.
If you break into a network of military computers, it seems reasonable that the owners of the computers would feel that a complete audit of the network to assess damages would be necessary.
I already covered that under "damage". The holes themselves aren't his damage at all.
So I don't see where the idea that the $700,000 claim is merely to secure previously unsecured systems originates from.
The imagination of slashdotters, who can never escape that techies-vs-the-rest-of-the-world mentality.
Many posters here seem to believe he just 'pointed out security flaws', akin to telling someone their door locks are easily picked, and then suddenly being held responsible for the owner wanting a better lock.
That is clearly not the case here. He found security holes, -and exploited them-, and -damaged systems- as a result.
http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080730/mckinn-1.htm
Even if I leave my door wide open, if someone comes in and trashes my house, I'm going to expect them to pay for the repairs and clean-up. That's going to include me doing a complete inventory to figure out what might now be missing or broken. And that will take a while.
Weak security != permission to exploit
And the $700K amount is vague as to its origin. I also saw nothing that specifically indicated that any of the $700K was specifically for -upgrading- security.
Your point is ...?
McKinnon had used Remotely Anywhere, a software tool generally used in tech support to assist customers.
They did not block the ports it uses, or have anything to stop the installation of the software.
It's not just 1 hole, but fixing any 1 of the holes would have stopped that kind of attack.
Oh well, guess this is a hard lesson for all of us, but this teaches us to *not* report any security holes we find in systems, but rather let them lie there for criminals to exploit in fear of getting fined ridiculous amounts of money.
Shouldn't the people that designed the faulty security in the first place be the ones charged for fixing it? Doesn't a user authentication scheme carry with it an implied warranty that some idiot in another country won't be able to easily exploit it? I assume this isn't the fault of the software, but rather of the configuration set up by the administrators, but still... "We're too stupid to do our job properly, so we think anybody that points out we don't do our job properly should have to pay to bring somebody else in to do our job for us!" Not exactly what I'd want to be claiming to justify my paycheck.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Nice Analogy pla.
The USA is increasingly behaving like an empire at the end of its reign.
Fascist behaviour. A bureaucracy out of touch with common morality/sense.
A debt that is no longer repayable.
The gig is nearly up!
If a script kiddy can get into their system, what do they think the Chinese, Indians, Russians are doing? They should be paying kids who find holes in their system.
Car analogy: Person A buys a car and parks it in a bad neighborhood. "Good thing it has an alarm!" he thinks as he sets the alarm *boo beep* and walks off.
He comes back and finds person B sitting in the car. Person B says "I bet you didn't realize that the alarm could be disabled by crawling under the engine compartment and snipping one wire. I wanted to stay here and let you know that because I'm such a nice guy!"
Person A calls the police. Person B goes to jail. Person A also sues person B in civil court for damages to the car alarm system. Never mind if the wire was clearly visible to anyone sticking their head under the engine compartment, person B will still be found responsible.
One word: extradition.
if you were the one who pointed out to the rebels the location of the vulnerable exhaust shaft that led straight into the reactor core.
Actually, though, this isn't like saying "LOOK! There's no lock on that door!" It's closer to the following scenario: "First, go to the back of the building where there's a hole in the fence. Then climb up onto the roof and enter the ventilation system. Crawl through the vent shaft and take the first left. Drop into that room, but stay close to the wall to avoid the motion sensors. Then, wait for the guards to pass and leave the room. Move quietly down the hallway and the super awesome vault filled with treasure will be the third door on your left."
While, technically you aren't damaging or stealing anything, you're clearly making it a possibility for others to do so. In this scenario, I wouldn't make McKinnon pay to clean up my security, but I'd hold him responsible for breaking and entering, plus any crimes committed based on the information that he gave out.
But then I realized the cable was blue, so I only gave it one star. I hate blue.
The systems he hacked being Federal does make a difference. It means that the people he pissed off have a lot more clout than a private business would. Being a "significant other" as it were to his own government.
Sadly, the modern American brain contains a short circuit that associates any mention of "Korea" with images of "puppet sex"
What you consider to be sad, you say it like it's a bad thing.
I consider to be a hilarious moment in movie history.
Can this guy even afford a pack of smokes today? Who is running this dog and pony show?
He did them a service by uncovering the holes. If he hadn't done it, someone else may have found and used them and it could've ended up worse.
Well, my main point in posting was pointing out the lame kids running on the grass analogy.., and that in my scenario "you could see how someone would want to be compensated"... Here's the deal, I am not a lawyer but I do know that sometimes damages and compensation for victims are added into judgements against someone convicted in a criminal case.. and there is also civil court where victims can also sue.. As Whopner (sp ?) used to say, you can sue anyone for anything.. Truth is, you would probably win against a convicted burglar in civil court and get those bars paid for.. although you might have difficulty collecting as his income has gone to crap..
Your analogy is horrible. Because in this case, Person A is also suing Person B for the installation of a lockable cage around the wire on the alarm and the wages of a chauffeur who will guard the car in future.
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?
If it takes a deadbolt to keep you out and this is demonstrated by you walking through my front door, then, yes, maybe you should have to buy that lock. If it just takes a simple key lock to keep you out and this is demonstrated by you picking the lock in thirty seconds, then I am not so sure. If it takes me shutting the door and putting up a "no trespassing" sign, then I am pretty sure you are not responsible for having walked through that door. Bottom line, the harder and more remote the exploit, the more I might expect the "attacker" to be burdened with security costs. After all, there is a simple way to avoid this problem: stay the fuck away.
"Hmm a person can break into your back yard with the intent of robbing your house or going through your personal files that you leave on your desk, but if said person were to get hurt on your property, they can sue you." Interesting thought there.
Yes, a person could walk through the door so you have to buy a lock. How far do you take this ? Technically he could fire an 88mm anti tank round into your door too. This means you must put a few feet of plutonium shielding behind your door. The guy could also use a flame thrower to burn a hole in your door. This means you must have flame proof doors. Technically you could spend billions on your door defeating bio attacks, all kinds of things. Your argument is flawed.
This statement is not off topic. You might consider it a troll or flamebait (which I, personally, disagree with), but it most certainly is not irrelevant to the subject at hand.
Eggshell skull rule
You're liable for all costs stemming from anything tortious you do even if some of those costs are attributable to a preexisting condition.
This makes sense if you look at this reasoning:
My only political goal is to see to it that no political party achieves its goals.
In other news, the emperor is demanding that the child who pointed out that he lacks clothes be the one to pay for them.
You gentlemen are perhaps overlooking the point here...
The analogy of the lock doesn't quite fit: but it applies anyway.
Either way, the whole point of a lock is not to stop people coming and stealing your stuff: for we all know how quickly locksmiths and criminals can bypass them.
Locks just like computer firewalls and passwords are meant to be dissuasive.
These are meant to make you think twice before doing anything and also to prove that you made an effort to trespass, thereby breaking at least one law that is in the books.
He can't later on claim that he logged on or walked in accidentally. He proved his intent to willfully commit a crime and therefore it can be considered akin to breaking down a door to steal.
Besides, punitive damages are not unheard of in criminal trials.
The same thing goes for people who are caught shoplifting, even though the store recovers their goods immediately, punitive damages are usually levied against them.
Besides, who knows how many people he blabbed about these weaknesses to, or even sold them to?
We can't compare him to a white hat either... He was caught red-handed; and it wasn't because he reported these problems to the US government.
If he wants to practice bug catching, he should play with his own systems
"That doesn't really encourage respect for the law, you know."
You are missing the point. It is not about respect for the law, it is about respect for and fear of authority. The law really has very little to do with it.
-- Terry
"If I didn't lock my doors, I'd be fined." ...
"It's a great idea. Why should I be purchasing the locks? They certainly don't benefit me."
How about "They keep you from being fined"? That's certainly a benefit to you.
-- Terry
This is like you jimmied the lock, and now you're being forced to pay a fee to rip out the insecure door and replace it with a 5 ton security door with a swipe card, retinal scanner, and that you have to pay for a surveillance camera being added too, to deter future break-in attempts.
More like being asked to replace the existing lock with a better one.
I have to agree with you, especially Weak security != permission to exploit
Just because I don't have bars on my windows doesn't mean someone has the right to break into my house. And if they did, I wouldn't expect them to pay for me to install a security system.
Do I feel he should pay for more than what he damaged? Absolutely not. The government has chosen to spend more on security, that's their choice, and he shouldn't have to pay for that. But then it is the USA, where huge corporations can sue a single person for millions of dollars for sharing a few songs.
"Gary McKinnon, whose tribulations we have followed for several years now, is the UK hacker trying to escape extradition to the US. It appears he is expected to foot the bill for the US Government patching holes his breaching uncovered -- to the tune of $700,000. It's not really the norm for someone to pay for exploits to be patched -- damages fixed, yes, but this is a very different thing."
This is BS!!! If anything the government should thank him and give him an award for pointing out how weak security was.
Falcon
Should there be a Law?
What seems fair to me is they pay him for showing them a weakness in their system.
Falcon
Should there be a Law?
The lock was broken, he did them a service by saying so. It's like a neighbor calling you on the phone and telling you that a basement window is open when you are on holidays. It's wrong for them to demand you provide security for them because you called them. Security by obscurity is a fallacy. Has been forever. He should be billing them for aiding them in their security (or insecurity). Sometimes people are stupid this way. You tell them of a problem, and they shout at you for telling about problems. Worse, they expect you to either fix it for them, or foot the bill (even though you don't own the problem). Even worse than that, if someone else breaks in, they point to you as a prime suspect. In short, they should be very very grateful for him telling them about their insecurity. Instead, they want to bill him for repairs. This is stupid. If he sold his knowledge to the Russian Mafia, the mob would have at least paid him a hundred bucks. The mafia would have trashed the place, stolen all of their money, and destroyed their site and anything attached to it. One thing is certain though. After this, anyone probing their site (and it's a marked site now), and finding problems, *WILL* sell to the highest bidder, and their "NEW" security won't be anywhere near enough.
And I get annoyed with anyone who suggests their country is deserving of any manner of special treatment. If they insist on acting like douchebags, (and I live in the US...so that's exactly what "they" do) then I say.... treat them like douchebags.
Does treating them like douche bags apply to the US? Or do you agree the US should not extradite Luis Posada Carriles to Venezuela to stand trial for blowing up Cubana Flight 455? Although he was arrested for illegally entering the US the US will not extradite him.
Falcon
Should there be a Law?
I don't think so, government should fear people not people fear government.
Falcon
Should there be a Law?
Basically the Government did not have a firewall or any security systems in place at all to stop someone from remoting in. That's like leaving your door open, and expecting someone not to enter without permission. Someone walks inside, does that constitute breaking and entering?
Strictly speaking even though nothing is broken it's still breaking and entering when you enter a house you're not invited to enter by the owners or renters. I've had both police officers and lawyers tell me that.
Falcon
Should there be a Law?
Pointing out to someone that his door is broken or non-existent, with him then getting angry and insisting that you buy a new door for him, as no one (especially thieves) would have noticed his door-lessness if you hadn't pointed it out.
Way to go USA, I'm not going to be the nice neighbour.
which was misplaced, it lies with one of the following:
a) Incompetent in-house security/administration
The correct answer is a, incompetent in-house security/administration. See here from the BBC:
"I found out that the US military use Windows," said Mr McKinnon in that BBC interview. "And having realised this, I assumed it would probably be an easy hack if they hadn't secured it properly."
Someone might say Microsoft shares responsibility but the Windows license states they are not responsible, and in some cases I imagine like this the software used has to have a special classification. The software has to be usable for mission critical applications, I don't recall exactly what it said but I seem to recall an MS license specifically stating it is not to be used in a critical system.
Falcon
Should there be a Law?
This, to put it bluntly, is a right load of fuckshit bollocks. Not only are the Yankee Doodle Dandys getting their collective panties in a bunch cus someone with more brain than their collective attempts exposed a fuckup (of their own making), but now they want him to pay to put it right. Well I'm sorry, but "Kiss My White Hairy Arse as like". Pay for your own fuckshit repairs, plonkers !!!
So, when a doctor diagnoses me with cancer, should I sue him/her and insist on him/her paying for treatment?
This kind of "bonus program" should also be implemented in the pentest industry. The security of all systems will increase because there won't be any findings or holes to fix. Great job.
I know for a fact that some of the airports in the US don't do proper security checks and people are still able, at least in some cases if not all, to take items through to the plane which should not be.
Whoops, does this now mean that I need to pay for the new security measures at all of the US airports, as I made this public information?
Nah, I think I would still need to make them look like fools and unfortunately they beat me to it a long time ago and are making a pretty good job at it, as we can see from this article as well.
In the UK we have a thing called the Privy Council. Amusing really, as privy is a slang word for toilet.
Since "Privy" is derived from an old french word for "private", I don't think it is that surprising.
I will buy an allotment. However, whoever steps on my property first will be sued for breaking into my non-existent house and I will demand that the burglar builds the house for me. With proper anti-burglar features like proper doors, cameras, wires, walls, fences, "My Property" signs... :-) Isn't it a paradox? How could you break the security in the case that there was no security? Is it possible to break something that does not exist? Can you be ordered to create something that didn't exist before by reasoning that you did break it before?
Sorry, is it just my bad English that forces my Slavic brain not to get the idea?
Well, I've got to get back to work. When I stop rowing, the slave ship just goes in circles.
They're going to sentence him to something like 700 years in the slammer anyway so he's never going to be in a position to repay any cost of anything they might try and recover from him. He'll die bankrupt in jail.
Damages for patching systems is as corrupt as bankers' bonuses in the USA or the damage to innocent citizens when Enron went bust. This guy just wanted to find out the truth. He should be left alone, and the sooner America understands that it cannot dictate to other countries where it has no jurisdiction, the more the terrorism threat will reduce. War is God's way of teaching Americans geography.
All cows eat grass!
I think you're confusing cause and effect. The fine is further evidence that they don't benefit me. The fine is a way by which the government reduces crime in order to reduce the costs associated with fighting crime.
You see, that's exactly it. That fine by the government is the government not paying to fight crime. They pass some of that cost up the chain because they think it unfair to fight the crimes that were either preventable or easily discouraged.
I'm saying the same thing. . .but between myself and the criminal.
I'm sorry, are you suggesting there's something that does bode well for American democracy these days??
Improved access to healthcare would allow folks to spend less time worrying about how they will fund their poor health and more time as engaged citizens.
Although there are diverging takes on how to do this, it seems like most people realize finally that there is something wrong with leaving 46.3M people without health insurance.
It's clear the prosecution can't tell a hole-in-the-wall from a door. If that's true, how are they going to be able to tell if he fixes the holes or not?
I remember someone in my college days who found their way into the bank details of all the students. It was on a hidden samba share with poor permissions, able to be accessed with a user account's cached credentials from some batch file.
Needless to say, this guy was completely baffled. He hadn't much knowledge in computing, but still managed to gain access to a Cisco router that was in the provider's HQ as well as local admin access and multiple other things. He didn't mess about; young and naive as he was, he saw it as his duty to report it.
So basically about 4-5 threats of expulsion later he decides that ensuring his and his friends' bank details and personal information, as well as staff CVs and other sensitive data, is not worth being expelled from the course. One last time handing in the keys for the safe (which he keeps finding sitting on the floor in front of the reception desk), he decides to call it quits and doesn't speak a word about it again.
Eventually a teacher quits out of disgust after hearing the story of what went on in the educational institute he was employed in, and is immediately hated by everybody who thought he was the nicest person and the best of the lot. From there, the Computing classes slide down the chute and nobody learns anything from underpaid, overworked and non-qualified teachers.
No analogy, this is a true story that highlights just how cruel and misunderstanding people can be even when they understand (or think they understand) what has happened.
In the end, though, Gary DID get into the system in such a way as it was clear that he should not be doing that. I can understand he might have seen it as a challenge, especially considering that a psychiatrist suggested he might be autistic, but that's not an excuse. However, he should not have to pay for companies to patch exploits that are problems with the software itself.
He's being used as a scapegoat by 'The Man' as far as I see, a clear message to all the innocent tinkerers and hackers.
I say a slap on the wrists is what he needs, and maybe a job interview :) if anything he could simply work for them and help them patch the system or at least tell them exactly what he did so they can get others to.
Call it community service.
The eggshell rule fails here. The security cleanup was spurred by his actions, yes, but the mess was no larger than it already was. They simply came to be aware of it as a result of his actions. This is like saying that because he came in a door with no lock, he's now responsible for the fact that there is no lock because it's his fault people have become aware of it. That takes care of the first bullet you have posted. Just because they fixed it after his actions made them aware of it doesn't mean the problem shouldn't have been taken care of without his actions ever having occurred.
The second bullet is always the responsibility of the fixer. Quality control is what any responsible repairman does on any job.
The third bullet is irrelevant, since the amount of fuss is not his fault nor his responsibility.
The fourth bullet is just patently false. In no way were the costs his burden to bear, no matter how much he was responsible for them being aware of a hole in their, not his, system.
The fifth ignores justice entirely, so it fails all on its own.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
If my front door is missing (for whatever reason) and I come home to find an intruder who tells me, "well, you're missing a front door!" I'm still going to be pissed that he's violating my privacy. Regardless of whether or not I should or shouldn't have a front door.
But the whole point is that the British government is merrily extraditing him to the US, where he will face charges and where the fact that they are federal will matter.
"You will be fined if you don't lock your car" (I still think this is ludicrous)
Means that if you don't lock your car, you ARE the criminal.
Yeah, ANOTHER criminal might come along and take advantage of your criminal behaviour to commit further crimes, but really, not only are you a criminal suffering a statutory penalty for your crimes, you're actually an accessory before the fact to any subsequent crime that takes advantage of the crime you committed.
As far as I can tell, the U.S. Government isn't claiming that subsequent to the electronic trespass that someone else took advantage of the disclosed hole to commit additional crimes.
-- Terry
Then that means you can't shoot me!
Once he's in the US, they can add charges. This includes the capital crime of espionage: it's a reason many countries are cautious about extradition to the USA. (This is particularly true of our neighbors in Canada.)
Governmental memory doesn't last long, otherwise Canada wouldn't have allowed the US to subject to rendition the Canadian who the US sent to Syria for interrogation. US officials have even lied to Canadians when asking Canada to extradite someone in Canada to the US.
Remember, they got Al Capone for tax evasion, not for being a murdering crime boss.
Yep, they couldn't get Al Capone on anything else. Not even the Saint Valentine's Day Massacre. Of course he was in Florida then, not Chicago. One of those killed was Frank Gusenberg, who was still alive when the bodies were found, and even said "I'm not gonna talk - nobody shot me" when he was asked who shot him before he died. They killed each other but wouldn't rat on them.
In this case, the US government claims he deleted critical operating system files.
Government claims that but is it true? Even if true why didn't they have backups? It took me all of an hour for me to make a bootable clone of my OS on an external drive a few days ago. It didn't take much longer for me to backup all the user documents by cloning my user partition afterwards, and I have more than 200GB on the partition. As a matter of fact I have 3 external drives I use for backups and I'm working on a system of synchronizing the internal drive in my laptop with each of the external drives. Next I'll upgrade my tower PC and do the same.
If the systems he damaged were so important, then why were they connected to the net?
Quite simply saying this guy created $700,000 worth of damage is asinine.
And if you've never had to clean up after a cracker, let me tell you, many of them do far, far more damage than they admit, even script kiddies.
How much damage they say or know they caused? I bet those are different, those who want to cause damage say they caused more than they did while those who don't want to cause damage underestimate it I bet.
Falcon
Ooh, believe me when I say I know how important backups are. When my desktop, er tower, PC had to be repaired the motherboard had to be replaced. Because I bought a 2 year extended service plan with it and only had it 10 months before the motherboard died, I took it to the store where I bought it for servicing. After the mobo was swapped the OS had to be reinstalled (if they were the same I don't know why), and in case of that I specifically included instructions for them. Because the PC only came with a 40GB HDD I bought a 750GB disk at the same time and paid them to install it so I could use it for the user files. I had more than 500GB of data on the drive, so in the instructions I specifically wrote that I did not want the disk formatted; I even talked to the tech and told him that. While he didn't format the disk himself, he did put the OS install routine on auto-pilot, which did format the disk. So I lost more than 500GB of data.
Well hopefully not lost, I'm going to try to recover the data by cloning the disk then try to unformat the clone.
Falcon
Should there be a Law?