Slashdot Mirror
No Charges In UK For Gary McKinnon
clickclickdrone sends this news from the BBC:
"Computer hacker Gary McKinnon, who is wanted in the U.S., will not face charges in the U.K., the Crown Prosecution Service has said. Director of Public Prosecutions Keir Starmer QC said the chances of a successful conviction were 'not high.' He announced the decision some three months after Home Secretary Theresa May stopped the extradition. Mr. McKinnon, 46, admits accessing U.S. government computers but says he was looking for evidence of UFOs. The U.S. authorities tried to extradite him to face charges of causing $800,000 (£487,000) to military computer systems and he would have faced up to 60 years in prison if convicted."
The UK CPS declined to prosecute him originally and further decline to do so now.
This trumps all other arguments.
blog.sam.liddicott.com
Could he come & cause $800,000 to my computer system too? I could use the upgrade...
So if he's not getting extradited, and there are no charges in the UK, is McKinnon a free man?
Give me Classic Slashdot or give me death!
Damages they are claiming though come from having to fix the vulnerabilites that let him in in the first place. That and the money spent on the legal bills for embarassing them.
Bullshit numbers.
He may have cost them that much in man-hours to clean up the mess, but he most certainly didn't cause any physical damage.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Money better spent on a crazy British dude than the Chinese hackers who would have found the holes next.
I buy 3000 rolls of toilet paper drive to the middle of a busy interstate and dump them in a huge pile. I didnt cause any physical damage so therefore I am not guilty of anything. Is that your logic here? If someone had a fender bender because of it then I am guilty?
Look here is the facts he broke into someones computer (in this case the US gov). They then had to go thru and re-audit everything (as they are required to by law). Spending huge amounts of time (and money) checking things out that were otherwise fine. And remember contractors are not paid 10 bucks an hour (the people most likely doing it). They are paid 50+ per hour...
They are probably dropping it because the other side doesnt want to bother with it but wanted a way out as they buy the guys story. The US and the UK are BFF's... You are right he did not do much harm but did waste lots of peoples time.
That was an awfully long way to say "yep, I agree."
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Right, so the real people responsible will be charged now? The ones who left seriously insecure military computers connected to the internet?
No. Its the cost of having people scour the systems for any damage he causes, compare the data against backups to chance for changes, deletion and any programs he left behind, for tracking him.
This isn't One computer, it's a lot of computers on a lot of systems, and it costs money to have people do that work.
As well as possible legal bills.
The Kruger Dunning explains most post on
How do you know that? hmm?
The Kruger Dunning explains most post on
He may have cost them that much in man-hours to clean up the mess, but he most certainly didn't cause any physical damage.
Not entirely.
It would have cost them that much to clean up the mess when in the absence of McKinnon an internal audit had shown that all those systems were insecure and potentially hacked by neferaious foreign national spies.
The machines were insecure and needed fixing.
That is the case whether or not the flaw was highlighted by McKinnon.
I'm not claiming he's the good guy in this (though they should thank their lucky stars it was a UFO seeking nutball, not a Chinese government operative in those systems). But to claim he caused the damage is disengenuous.
I repeat: the machines were already damages with or without McKinnon.
SJW n. One who posts facts.
and it costs money
It would have cost the same with or without McKinnon. Unless you think it's reasonable for them to leave unsecured computers connected to the net until such time as they happen to notice an exploit.
SJW n. One who posts facts.
Shouldn't all that work be done anyway? If they had an insecure system, then it might have been hacked by others before and after McKinon. So why should he bare all the blame for it?
If anyone should be punished, it's those incompetents who did not secure the computers in the first place. It's like leaving the door to the office building unlocked and unguarded. There's nothing like a foreign scapegoat to distract the news media.
Surely if you discovered computers important to national security were unprotected, were using default passwords allowing easy access, or hadn't been appropriately patched and maintained, you would have to treat these machines as potentially compromised whether or not you know someone had accessed them.
As a result, all the costs you mention, other than the legal ones, would necessarily have to be incurred anyway.
Wouldn't they have to check the systems anyway after discovering they were vulnerable? A break-in points out vulnerabilities in a system, but it is not the cause of those vulnerabilities and if one person can break in, others can as well.
If someone else had found the same vulnerabilities earlier and alerted them without breaking in, would that person be charged for the costs of reviewing the systems?
You get drunk and hit someone with your car. Are you also responsible for the careful search of all the other roads in your state, since it's possible you've also hit someone else so they might be lying in a ditch somewhere?
He's responsible for what he DID - break into a computer, not really a major crime when you think of it. He's not responsible for the costs of checking if he did anything else. Once it's been revealed that the system had crap security, that check should have been done anyway - how many other hackers might have exploited the same security holes before McKinon?
McKinnon is accused of deleting a load of "critical system files" from a number of key military computers (shutting down various networks), along with over 2,000 user accounts from Army's Washington DC(?) network. They wouldn't have had to fix all of that without his interference.
As for the computers being unsecured, afaik there is no way to completely secure any network connected to the Internet, although I don't know how much work he had to do to break in.
he also admitted his "hacking" was almost entirely limited to guessing default or super weak (12345) passwords- this is actually farcical. they have to paint him as some Asperger super hacker to stop themselves looking like idiots
It's possible deleting a load of critical system files (shutting down various military networks) and removing over 2,000 user accounts may have caused some of the damage (both long-term costs of replacing, and call-out fees for technicians during the short-term panic of working out what was going). If you want more details of what he is accused of, read the first few paragraphs of this judgment.
Oh man....wait....it's almost like they *FIXED* this.
but yeah yeah collateral damages, etc etc. keep up the imagination there.
Actually it was 97 computers (possibly 96). From which he was* able to access a further 73,000 networked, US Government computers. He shut down "the entire US Army's Military District of Washington network of over 2000 computers for 24 hours", and rendered some 300 computers at US Naval Weapons Station Earle inoperable for a while, including one "used for monitoring the identity, location, physical condition, staffing and battle readiness of Navy ships." Oh, and he installed a "suite of hacking tools" on the computers he did access to make it easier for him (and anyone else) to gain access to them in the future.
But yes, that's just like breaking into a single computer...
*Please insert the word "allegedly" as appropriate throughout. As this will never go to trial, we will probably never know what actually happened.
It can. Not directly by damaging files, but indirectly by requiring a verification on all those files because they COULD have been tampered with. Now all it takes is a LOT of data with originals stowed in some hard to reach place and you're getting there.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
They wouldn't have had to fix all of that without his interference.
Please NEVER EVER get a job in security.
Ever
Ever
Ever.
Once such important systems had even been found potentially compromised, they become entirely untrustworthy and cannot be used.
They noticed McKinnon by sheer blind luck.
If it had been a competent agent of Mossad or something they would never have noticed. Or by someone as competent as the guys that made Flame.
But the fact that they were wildly insecure meant that they would have had to shut down the entire system basically instantly and repair it.
They were bloody lucky it was McKinnon and not someone else.
SJW n. One who posts facts.
No, he has Asperger's syndrome, which, from what I can gather, is way for IT guys like us to behave like absolutely fucking pricks, and we just have to hold up the card "Asperger's" and everyone is supposed to accept our miserable attitude. Apserger also apparently extends to hacking into systems we have no business being in. Apparently, providing we have this wonderful social ineptitude disease, we don't face the consequences of any of our online actions.
I don't know about the rest of you, but I think I'm going to go out at lunch and kick some little old lady in the ass. "Asperger's!"
Did you really just have an uncalled for, violent, frothing rage at people with "social ineptitude disease"? You know, it pays to look both ways before crossing Irony Street.
They would have had to shut down the computers/networks, but (and at this point I should declare that I'm not a computer security expert) presumably had they simply discovered the flaw, they could have taken them down in a controlled, scheduled way, and then combed through the stuff to check for problems at will. This way it seems the networks were crashed by McKinnon, which strikes me as being likely to cause much greater short-term problems and thus costs.
And no, I have no intention of getting a job in security; and I'm not saying this system was good, or that the US were not at all to blame - but that doesn't really matter in criminal prosecutions. The guy (allegedly) broke both UK and US laws by intentionally breaking in to some high-profile military computer networks and trashed them. That sounds fairly serious to me.
...his name is Gary McKinnon and not say, Babar Ahmad...
No, he's laughing at the people who think assburgers is a defense for committing crimes.
Yes they would IF they were doing their jobs. As soon as it was found that someone from the outside could (even in theory) gain access to those machines, they were untrustworthy and needed to be wiped completely and re-installed. For all we know, actual enemies had been playing in those systems for quite a while and would still be there if not for McKinnon bumbling in and making noise.
All (minus legal bills) of which any IT group of a handful of people tops could do in a month. And guess what, you'd be able to hack off a zero from the end of their "damages" price tag.
You and I both know it, the vast majority of the sentence time and fine are the "making the US military look stupid again" tax. The annoying part is that it's so goddamn easy to do that, you have to be careful you don't do it accidentally.
Or maybe it was just that the military's lawyers cost $720,000, which given the utter insanity that is the US legal system, is entirely possible.
Hack into a foreign government's computer system and cause $800k worth of damage, violating international laws in the process? Extradition is blocked.
But if you're Richard O'Dwyer and do something completely legal in the UK and causing no direct monetary damage? Theresa May goes out of her way to bend over and let Uncle Sam do his dirty work.
The difference? One guy was looking for UFOs, the other had a website that had links to pirated content. Logic, right?
My feelings could be summed quite well by a lovable Tim Minchin
Only until he pops up on Seal Team 6's list.
Look, clearly you're new to this whole thing, because the whole "it was unlocked" crap has been trotted around here since 1998 or so. 1)Trespass is still a crime. Further, breaking and entering requires only pushing open a closed door - it doesn't have to be locked. They're still separate crimes. If someone's front door is open but you don't belong in their house, you're still "entering" and committing trespass, which is illegal, and has been since common law times. 2)He didn't just enter the systems, he modified them, destroyed both data and functionality, and installed spying software.
Please help metamoderate.
I buy 3000 rolls of toilet paper drive to the middle of a busy interstate and dump them in a huge pile.
Please take photos!
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
If it had been a competent agent of Mossad or something they would never have noticed. Or by someone as competent as the guys that made Flame.
They were bloody lucky it was McKinnon and not someone else.
You assume that it WAS only McKinnon. Skilled attackers could have been waltzing in and out of that gaping security hole for years before McKinnon spoiled it for them by drawing attention to it. Who knows how many government secrets have found their way into unfriendly hands because of this?
More like breaking in (maybe through a weak door),...
The quote contains the root of the problem.
If these compromised networks had adequate security to start with, Gary M. wold not have gotten in.
As long as the mindset of 'convenience/budget overrules security' this stuff will keep happening frequently. /. all the time, and have for years....thousands of comments by IT folks on /. complaining that their pointy haired bosses begrudge the cost of network security, yet that network is so vital to the organization.
There is a good reason banks spend the money to install those expensive, elaborate bank vaults for the money to be kept in.
We see that here on
I propose that when these security breaches occur, that those responsible for security policy decisions share the guilt with the 'hacker' equally.
Only then will this issue be improved.
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
Now for the obligatory /. car analogy:
I leave my laptop on the front seat, get out of the car, lock all the doors, and walk away. Some passerby looks in and sees the 'OH, Shiny!' sitting there and then reaches in the open window and takes it.
I cry foul!
Where the major difference between the analogy and the network breaching comes into play:
Most everyone will agree the theft was wrong, they still consider me an idiot for not rolling up the windows, but the network lack of adequate security seems not to cause that same 'You're an idiot' response. WTF?
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
However, it's debatable whether his actions were illegal in the UK. US laws don't have jurisdiction over UK citizens unless they are in the US despite what the US government might want. The issue is which laws did he break?
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
But that isn't how (most) crimes work. It is (in many places) a criminal offence maliciously to gain unauthorised access to computer systems, and thus those who do so should get punished. Arguments of proportionality of sentences, precise wordings of the offence and the purpose/merits of a criminal justice system aside, whether other people are also doing shouldn't really be an issue.
Whether or not other people are to blame (the operators of the system, other people breaking the law) is a separate issue, and is between them and the authorities. Should the system techs and operators be held criminally responsible? Probably not. However, should they be liable for their own negligence and/or breach of contract, definitely. And their supervisors. And anyone else who is liable (civilly).
He had to fire up Terminal Services Client (now known as Remote Desktop Client), and log on as administrator, leaving the password field blank.
Iran called. You're guilty of unislamic behavior in the US/UK/anywhere. Please report to Teheran's Torture and Corrections department tomorrow... They too have extraterritorial laws, we should respect that, right? Hahaha.
Internal audit? What internal audit?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Yep - most likely. I think he's already served the 6 months maximum prison term and he's probably lost more than the £5000 maximum fine.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
Good thing you pointed that out.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I heard they tried to muzzle him, but he had them over a barrel. There's obviously mortar this story [enough - Ed]
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
You say "if you discovered". That's the point. It wasn't a problem before, because they didn't know about it. And you'd be amazed how many people would say that without a hint of irony.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
No, he's laughing at the people who think assburgers is a defense for committing crimes.
It could be a defence if it is relevant to the matter of intent. Person A might buy a bomb to commit a violent crime. Person B might buy a bomb to see how they work - maintaining strict safety precautions for working with explosives at all times. Person B could well have Asperger's (there was such a case - including both Asperger's and all the safety precautions) - and the Asperger's diagnosis could be directly relevant to showing that there was no harmful intent or even negligence - just an unusual, rather than violent, hobby.
"Unusual hobbies" is part of the Asperger diagnostic crieria (unusual or intense interests). And people with Asperger's do not always have the same intent (motivation) that other people do. And they might be very meticulous in things like taking correct precautions because of their attention to details and tendency towards routine.
Psychiatric conditions might also be relevant during sentencing...
I am anarch of all I survey.