US Govt Pursue UK hacker

[Idaho]

US want to extradite hacker

I am ever amazed about how vindictive the US govt is. Tey really want to put this guy in prison for the rest of his life. All for the sake of a few unprotected files.

[Rodion Romanovich]

I liked this part:

"My intention was never to disrupt security. The fact that I logged on with no password showed there was no security to begin with."

No password protection for military files...

Seems like the good old days when a hacker could get hired by CIA instead of put in jail are gone...

[Fragony]

Well it wasn't a very smart thing to do, I would say that hacking in a military network is a pretty big offence, but it doesn't seem like there was any bad intention. Let the UK trial him, that is where he did it after all. Could be worse, there was a dutch drugdealer who sold drugs in Holland to an american, america wanted him flown overseas. Even more crazy, 'we' allowed it.

[Joker85]

US want to extradite hacker

I am ever amazed about how vindictive the US govt is. Tey really want to put this guy in prison for the rest of his life. All for the sake of a few unprotected files.

"It said one attack at the Earle Naval Weapons Station took place soon after September 11, 2001 made it impossible to use critical systems. The US Department of Justice said it took a month to get systems working in the aftermath of this attack."

Poor guy, spent two years F'ing up a place he had no buisness being, but he's the victim.

I think I'll rob a bank tommorow and work my way into the safe. If I get caught I can always say "I was just doing it out of curiosity I didn't take anything!!!"

He openly admits he was trying to find, steal, and release technology that belonged to the government. That is not harmless looking around. He was actively trying to damage the dod.

Noone told him to spend 2 years of his life trying to F the govt and release classified technology.

He'll get 5-10 years and a fine and should consider himself lucky it's not worse. If he gets a slap on the wrist it will encourage every moron with too much time on his hands to try and crack their way into dod/govt systems and steal technology to release/sell.

[Rodion Romanovich]

Actually, if there's no password protecting a computer system, it's generally considered to be free to visit for everyone, and it isn't an offense to do so. With the logic of the persecutors in this case it would be illegal to visit for example the .org if the .org one day suddenly decides it's not open for everyone who wants to visit... Now if you have a bad, easy to break password, that's another thing. But if there's no obvious access denied message like a password requirement, then it's hardly a crime to bypass... ehm ... bypass what? There's no crime in this case, any sentence at all for visiting a not at all password or bio-protected (retina scan/fingerprint reader) or credit card number protected system or service would be outrageous. Just face it - they need to hire a couple of experts at computer security and try to make sure they don't repeat this mistake again. Making an innocent kid a scapegoat for it is just ridiculous.

[Joker85]

Actually, if there's no password protecting a computer system, it's generally considered to be free to visit for everyone, and it isn't an offense to do so. With the logic of the persecutors in this case it would be illegal to visit for example the .org if the .org one day suddenly decides it's not open for everyone who wants to visit... Now if you have a bad, easy to break password, that's another thing. But if there's no obvious access denied message like a password requirement, then it's hardly a crime to bypass... ehm ... bypass what? There's no crime in this case, any sentence at all for visiting a not at all password or bio-protected (retina scan/fingerprint reader) system would be outrageous.

Well without knowing the facts of the case, I think it's safe to assume that simply because there was no password does not mean it was as easy as typing go to www.letmeinyoursystems.com and you have instant access to highly sensetive DoD systems and techs.

While there may have been no password, I'm sure there were other security measures he had to violate to hack his way in.

To use your analogy about the .org a bit further. If the mods had a secret board for other mods only and the only way to have access to view it was to have them change your member status to "super duper cool guy" they might not password protect those forums because they assume the only people with access will be those who get super duper cool guy status. So if someone hacks his way into them, gets caught, and says, "but they wern't password protected!" it wouldn't really matter would it?

[Rodion Romanovich]

To change the member status to "super duper cool guy" you need to type in a password to access the database. Thus, it's password protected.

I think that if you knew more about computers, you'd realize that the "guilt" in this case is completely on the side of the military computer systems. If you're responsible for a nation's military resources then it's your duty to hire a professional at computer security or you're a threat to your nation. In fact those responsible for the lack of computer security should rather be tried in court to see if they took proper measures to hire experts at the subject. This thing is like wanting to punish the little child that goes pass the embassy and happens to see a confidential paper that a diplomat accidentally dropped.

[edyzmedieval]

"super duper cool guy"

Maybe that's the password.

[Joker85]

To change the member status to "super duper cool guy" you need to type in a password to access the database. Thus, it's password protected.

I think that if you knew more about computers, you'd realize that the "guilt" in this case is completely on the side of the military computer systems. If you're responsible for a nation's military resources then it's your duty to hire a professional at computer security or you're a threat to your nation. In fact those responsible for the lack of computer security should rather be tried in court to see if they took proper measures to hire experts at the subject. This thing is like wanting to punish the little child that goes pass the embassy and happens to see a confidential paper that a diplomat accidentally dropped.

I think you should re-read his quote.

"The fact that I logged on with no password showed there was no security to begin with."

First considering that he is not exactly unbiased in this, it goes back to my point that he had to get into the system in the first place to be able to logon and try to steal technology. It would be interesting to learn the security measures taken to prevent that.

Or, are you simply taking his word at 100% and because he said it was "your fault for making it easy" believing that.

Going back to my question about breaking in. If you forget to lock your door and someone breaks in and steals your stuff, is the "guilt completely on the side" of you? Of course not.

You do not have the right to exploit someone else's slip or percieved slip in security and steal their properity. If you believe a person does, then we find ourselves at a disagreement that will never be resolved.

He was a place he did not belong, trying to steal something that was not his. He has admitted both things. His only defense is "well they try hard enough to stop me". If you try to use that argument about any victim in any court of law in the western world you will be laughed out of it. Unless your victim is the government I guess. Then it's ok to steal as you please and blame them for not doing more to make sure you couldn't.

[Joker85]

Also, let me add, it's not about making him a scapegoat. If all he did was read around for a while for the "coolness" of being in a secret place I would understand. But he spent two years trying to find, steal, and release classified US technology. That takes it much further. He was actively attempting to damage the dod and research that in all probability cost millions. His attacks also crippled systems after 9/11 that were needed in the response.

He has caused a great deal of damage and is not some innocent scapegoat who got caught looking around. His actions and intentions were not "free of malice" as he claims. No more so then me deciding I can break into someone's house and steal their property because "well they left their door unlocked".

[Rodion Romanovich]

Well, if you make research for millions and don't password protect it you've committed a serious crime. Accessing a page that wasn't password protected is not. The stuff about crippling 9/11 response is just a fake excuse, just say 9/11 bla bla and it sounds like it's serious. No, it's fully the responsibility of the chiefs of computer security within these military networks.

In computers it's not the same as doing burglary because the door was left unlocked, because you can end up accessing networks you didn't intend to depending on how you get the reference to them. For instance you might google and find a subpage within a site. On the front page it says "access denied", but on the subpage it doesn't say so. Have you committed a crime then? No. Similarly you might bookmark and often visit that subpage, without ever finding out the main page said "access denied". For purposes of legal security the principle is that anything you can access without being asked for a password is free to visit.

[Xiahou]

Actually, if there's no password protecting a computer system, it's generally considered to be free to visit for everyone, and it isn't an offense to do so.

Yeah right. Just like if you forget to lock your door when you go away your house is free for everyone to come inside, snoop around your personal records and release anything interesting they find to the public. Get real.

I dismissed your burglary argument because computers work entirely different. It's not immediately clear what is allowed and what isn't, sometimes you even need to "hack" around some bug which doesn't enable you to immediately show what you wanted to show.

He knew full well he wasnt supposed to be there- he's admitted to it. The analogy applies. Had he just wandered in, realized where he was and then quickly logged out- your argument might hold some water. But 2 yrs? I think not.

Interesting, I don't think we have anything even similar to that in the US. If a woman is wearing provacative clothing and is raped, we don't say "well you shouldn't have dressed like a slut" or "well you shouldn't have been walking down a dark alley drunk at 3 in the morning".

Beat me to that one too.

I hope they throw the book at this guy- he destructively hacked into DoD computers with the intent to steal national security secrets. Yes, it's shameful that the DoD had such lax security- but it doesnt excuse his crimes.

[Rodion Romanovich]

Yeah right. Just like if you forget to lock your door when you go away your house is free for everyone to come inside, snoop around your personal records and release anything interesting they find to the public. Get real.

He knew full well he wasnt supposed to be there- he's admitted to it. The analogy applies. Had he just wandered in, realized where he was and then quickly logged out- your argument might hold some water. But 2 yrs? I think not.

Beat me to that one too.

I hope they throw the book at this guy- he destructively hacked into DoD computers with the intent to steal national security secrets. Yes, it's shameful that the DoD had such lax security- but it doesnt excuse his crimes.

Because you aren't clever enough to read the responses I already made when Joker85 made those comments, I think it might be appropriate to point out that below the post of mine that you quoted, you can find my responses to those comments, so I don't have to post them again.

It's obvious that you have no idea of how computer networks work. It's about the principle you're using to judge, and it can't be compared to any non-computer related situation. If you sentence this guy you've said yes to principles which mean any normal day surfer could be a criminal and sentenced at random. Computer networking consists of making request and getting responses. If you're not authorized you get a "access denied" response, or no response at all. That response doesn't necessarily mean you're never allowed to go there, it means that the last request posted isn't to be considered allowed to give the wanted response. Also, most applications do these requests for the user, so you don't really know exactly what requests they make. There's a chance, small but still existing, of network traffic accidentally being corrupted in the control data part, so you receive or packages that aren't yours, or send requests you didn't intend to. Sending any request message must be allowed, given that: 1. programs generate the request messages, 2. there's no built-in functions in the protocols that tell whether a negative response means access denied forever, server having temporary problems, or access denied at this specific time. 3. without asking explicitly for it, many requests are made via other servers. Normal policy is that any request message is allowed, and all responses you receive are allowed to receive, but that you aren't allowed to hack past a password. Now if there's no password then it's really easy to get inside the systems by accident. If your principles of "guilt" apply then anyone can be accused of being hacking illegally and sentenced, because if there's no password it's very easy to accidentally end up inside the systems even for a regular user. It's the duty of the host to provide a password or challenge response system both to protect himself, and to protect someone else from accidentally committing a crime they didn't want to commit. And if the host fails to fulfill his part of the agreement, then it's really hypocritical to try and call the user a breaker of the agreement and a criminal. The guy is innocent, and any sentence at all for that guy would be a shame. I think we both agree that there should be some kind of legal protection against this hacking, but the principal requests he made over the Internet can hardly be differentiated from normal computer communication at all, so unless there are explicit access denied signals like asking for password it's really impossible to see the difference between the two types of communication. That's why it's necessary for anyone to have a password prompt before he can speak of anyone being guilty for entering the system, because it's possible, and easy, to do it by mistake. You might say that "he did it for so long time", but what is long time? Is there any formal legal limit on for how long you're allowed to do it before it's a crime? You can't draw lines with "long time", "quite big", "pretty long", "I thought it looked cruel" etc., that's not a serious way of approaching the subject of law. It's not comparable to burglary, because you can't commit burglary by accident. It's not comparable to any non-computer related situation. If people who know nothing about computer security and networking in general make statements about computer related laws it's pretty ridiculous AND dangerous as they seem to quite often end up making the definitions in a way such that normal usage becomes possible to interpret as criminal, which is a threat to the security of citizens.

[Don Corleone]

So the guy basically found a DoD website that posted national secrets for anybody that cared to look, Legio? I find that hard to believe. Wouldn't that be the real shock of this story, not that the DoD was actually going after him? What's more, if that's the case, why do they refer to him as a 'hacker'? Just accessing a network PoP makes you a user. 'Hacking' implies that you have taken some step to defeat privacy/security protocols, no?

He himself admits that he was looking to steal secrets and that he thwarted security measures to do so. The fact that he claims he wasn't motivated by profit has no bearing. He caused some very real damage and who knows what his actual intentions were. For all we know, he's an agent of the PRC and he was indeed highly motivated by profit.

[Xiahou]

It's obvious that you have no idea of how computer networks work.

Really? Here I thought I worked in the IT industry, had a Bachelor's degree in Data Communications, a MCSE and a CCNA.... but it turns out I know nothing at all about networks.

I'm really not at all sure what your argument is... but it smells like a red herring. Of course its possible to 'accidently' connect to a system that you're not authorized to be on. But this clearly is not the case. He knew he was in areas that were confidential, he crashed systems and otherwise caused damage while nosing around with the specific intent to find classified information. Your argument that "He didnt know" is ludicrous. He knew what he was doing- that's not even in question.

Then, you're left with your absurd claim that if a computer is not adequately secure then there's nothing wrong with breaking in with intent to steal information. That idea is just laughable on the face of it and is very similar to the burglary and rape analogies others have made.

Just to be clear, you would see nothing wrong if he connected to a WAP setup by your average Joe who neglected to secure it and then proceeded to sift through his financial records, finding Joe's checking account information and posted it on the Internet for everyone to see before seeding Joe's system with viruses- because it wasnt secured? Because that's what you're saying.

[Louis VI the Fat]

Mr McKinnon will obviously face a sentence in the US that the general UK public would find disproportionate. Therefore I would trial him before a UK court.

The UK is an independent country and well up to the task of arresting and prosecuting her own citizens, under her own laws.

[English assassin]

But, if Biff Chunks III hacked into Scotland Yard's computers from his home in Gatorville, Florida, it would be a UK computer he compromised so I'd want him dealt with over here. And lucky Biff because he's get about six months in jail featuring decent telly and no anal rape. Well, the telly's not that good anymore. And there might be a little bit of anal rape. But it would still be a cakewalk compared to the US.

So I have to let the US have the same priviledge when its the other way about.

[Redleg]

But, if Biff Chunks III hacked into Scotland Yard's computers from his home in Gatorville, Florida, it would be a UK computer he compromised so I'd want him dealt with over here. And lucky Biff because he's get about six months in jail featuring decent telly and no anal rape. Well, the telly's not that good anymore. And there might be a little bit of anal rape. But it would still be a cakewalk compared to the US.

So I have to let the US have the same priviledge when its the other way about.

Agreed

The United States is following the process that both countries use when dealing with criminal activies.

The arguement about unprotected systems because of a lack of password protection doesn't seem to hold much water in the English judicial system.

So either the judge didn't buy his story, or found major fault with his reasoning.