Spammer Pleads Guilty 421
Rick Zeman writes: "A spammer faces up to seven years in jail after pleading guilty to 'computer hijacking.'" He apparently hijacked a mail server and used it to send millions of forged emails, made to look as if they came from IBM domains. He's pleaded guilty to forgery and I hope he gets all 7 years. But then again, I also wish someone would get 7 years every time they mail me a credit card offer, or call me and ask me to change my long distance service.
Re:Does Spam Really Bug Everyone That Much? (Score:5)
Because it's theft. I don't like being stolen from.
But not just because it's theft. The real fight is how we preserve email as a useful communications medium.
> Add to that the fact that I can block senders,[ ... ]
And how much of your time do you spend doing this, when you could be doing other things? You say you've never had more than 10 a week. Before I started reading headers, I was up to 10 a day. And I'm on the light side. Others I know were in the hundreds per day.
Consider this - if we give Jay Garon net.access in prison, and only 1% of legitimate small businesses (ignoring the MMFools and pr0n-hawkers and snake-oil "pharmacists") in the US spam Jay Garon once a year, Jay will have to "just hit delete" 240,000 times a year. That's 657 a day.
As punishment, I think Jay Garon should have to reply to an email from the warden, three times a day, to get his meals served. Failure to answer the mail within an hour results in no meal service.
Now how long do you think it would be before Jay starved to death, "just hitting delete"?
> Now I just delete and forget.
I used to delete spam. Now I delete spammers.
Speaking of whom... hey Garon, seen any sexy babes [deja.com] lately? How's Premier Financial?
The wheels of justice grind slowly - Garon's spamhaus dates back to early 1999 - but they grind extremely fine. I'm gonna eat an 8-oz filet mignon tonight. I'm sure Jay will be eating meat soon too, but of a different sort.
Buh-bye, Jay. You might as well let the door hit you in the ass on the way out. A little tenderizing might make it easier on ya when Bubba comes a knockin'.
man, your priorities are f*cked... (Score:2)
- He's pleaded guilty to forgery and I hope he gets all 7 years. But then again, I
also wish someone would get 7 years every time they mail me a credit card offer, or call me
and ask me to change my long distance service.
you gotta be joking... you think SEVEN years of real prison time is adequate for faking emails?!?! sure the guy has to pay a big monetary fine, but this isn't in the league of assault, burglary, rape or kidnapping
spamming is not a violent crime.
Low Down Dirty Horse Thieves (Score:2)
Imagine trying to implement a reliable security scheme to protect horses from theft.
Horses are easy to steal/hard to secure. They provide their own get away vehicle, and even identification/proof of ownership can be unreliable. (Branding is write once, read many)
The result was that punishment for horse theft was DEATH or worse.
The punishment isn't only based on the value of the thing stolen, but also on the consequences to society if the type of behavior continues...
It is because Spamming is so easy to do and easy to get away with/hard to prosecute that the punishment should be harsher than other crimes.
7 Years is Too Much (Score:2)
---
Ben Garvey
Comment removed (Score:3)
Re:Does Spam Really Bug Everyone That Much? (Score:2)
I can't post to USENET with an e-mail address that I actually use (I did once, and I'm paying for it now).
I can't read much of USENET with the S/N ratio being as low as it is.
Those are my two main gripes.
--
Re:Lousy admins don't help: (Score:2)
Or if they must run third party relays (e.g. to cope with crippled software.) They make sure that their machine adds IP address, reverse DNS, identd to the headers and has an accurate clock.
Anyway with just about any modern piece of software you explicitly need to set it up to act as a relay in the first place.
What would be worse... (Score:5)
That would be a deterrent.
Re:Does Spam Really Bug Everyone That Much? (Score:2)
Seven years? (Score:2)
Heh. After 7 years in the slammer... (Score:2)
That fuckhead spammer is going to look like the ``starring attraction'' at goatse.cx. I think millions of mail system administrators and mail users everywhere have just been avenged...
Note that this is supposed to be an in-joke for those that have already inadvertently been to goatse.cx, I don't advocate going for those of you whose eyes are untarnished. You Have Been Warned.
--
You can curtail snail spam (Score:2)
As for credit card offers; just call the three credit reporting bureaus and ask to be taken off of *their* lists.
His guilty plea... (Score:5)
Please e-mail this plea to 5 people in the courtroom, who will then in turn e-mail it to 5 more people...
Failure to do so will result in the death of your immediate family, increase of Oracle pricing for your employer, and the installation of RedHat 7 on your C++ development machine.
Thank you.
Injustice (Score:2)
While I'm happy there are laws against this sort of obnoxious behaviour, I'm sickened that someone will go to prison for this and that so many of you (CmdrTaco included) would take that punishment so lightly. Fines, probation, community service, etc. are all acceptable for this sort of offense. Prison should be reserved for truly dangerous criminals.
Wil
--
Re:You can curtail snail spam (Score:2)
One minor, but important, nit to pick:
You don't ask to be taken off their phone list - you ask to be put on their do-not-call list.
It's a subtle distinction between the letter of the law (they have to maintain a do-not-call list and not-call the numbers on it) and the spirit of the law (which you describe).
Phone spammers are almost as scummy as email spammers. Unless your request ("Place this number on your do-not-call list") conforms with the letter of the law, they can (and most likely will) ignore it.
Re:Stopping spam (Score:2)
--
+5, Insightful (Score:2)
--
Stopping spam (Score:2)
Only allow one message to be sent per second, per client, by each mail server.
To individual users, this is no hardship. (My mailer takes longer than that just to do its housekeeping.) Mailing lists will, of course, need special treatment, but they should be on special mail servers anyway.
But this would be the kiss of death to spammers. Now they can only send 60 messages per minute, 3600 per hour! Now it'll take them just under two weeks of continuous connect time to send a million messages. It's now not worth the effort to do it.
The changes to the mail servers should be pretty simple, too. There'd be a bit of extra overhead, but not much. You'd have to keep track of who connected in the last second to prevent people connecting, sending one message, disconnecting, reconnecting, sending another message, etc.
Any ideas if there's anyone I could suggest this to to find out if it's actually workable? (Other than here?)
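The per-client throttle proposed in the comment above, as an added sketch (not part of the original thread and not any mail server's own code). State is keyed by client address and kept across connections, so disconnecting and reconnecting does not reset the one-second interval; the class and function names and the sample addresses are assumptions.

```python
import time
from collections import OrderedDict


class PerClientThrottle:
    """Accept at most one message per `interval` seconds from each client.

    The table is keyed by client address, not by connection, so a client
    that sends one message, disconnects and reconnects is still throttled.
    """

    def __init__(self, interval=1.0, clock=time.monotonic):
        self.interval = interval
        self.clock = clock                  # injectable so the logic can be tested
        self._last_accept = OrderedDict()   # client -> time of last accepted message

    def _evict_stale(self, now):
        # Entries are ordered oldest first. Anything at least one interval
        # old can no longer block a message, so it is dropped; the table
        # only ever holds clients seen within the last interval.
        while self._last_accept:
            _, seen = next(iter(self._last_accept.items()))
            if now - seen < self.interval:
                break
            self._last_accept.popitem(last=False)

    def allow(self, client_ip):
        """Return True if the message may be accepted now."""
        now = self.clock()
        self._evict_stale(now)
        last = self._last_accept.get(client_ip)
        if last is not None and now - last < self.interval:
            return False    # a server would answer with a temporary failure
        self._last_accept[client_ip] = now
        self._last_accept.move_to_end(client_ip)
        return True


def replay(events, interval=1.0):
    """Run (timestamp, client_ip) events through a throttle with a fake clock."""
    current = [0.0]
    throttle = PerClientThrottle(interval, clock=lambda: current[0])
    decisions = []
    for ts, ip in events:
        current[0] = ts
        decisions.append((ts, ip, throttle.allow(ip)))
    return decisions


def days_to_send(messages, interval=1.0):
    """Minimum continuous connect time, in days, for one client to send `messages`."""
    return messages * interval / 86400


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10"),    # first message from this client
    (0.2, "192.0.2.10"),    # reconnects and tries again at once
    (0.5, "198.51.100.7"),  # a different client
    (1.0, "192.0.2.10"),    # a full second after its last accepted message
    (1.4, "198.51.100.7"),  # only 0.9 s after its last accepted message
    (1.5, "198.51.100.7"),  # a full second after
]

if __name__ == "__main__":
    for ts, ip, ok in replay(SAMPLE_EVENTS):
        print(f"{ts:4.1f}s {ip:<14} {'accept' if ok else 'defer'}")
    print(f"1,000,000 messages need {days_to_send(1_000_000):.1f} days")
```
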
Re:7 YEARS??? (Score:2)
Does this meaning fit today's computer hackers and "crackers"? Scary, ain't it?
Re:What would be worse... (Score:2)
7 years? Too much (Score:2)
Hey if he will write 1000 "I'm sorries" a day, that will mean 7 years... Oh damn...
Spamming .... and creatin' a nuisance (Score:2)
7 years in prison does seem a bit harsh. On the other hand
"I had to pay $50 and pick up the garbage."
sounds a bit light.
Re:Does Spam Really Bug Everyone That Much? (Score:2)
>databases
Yeah. Damaging their databases unknowingly. Go to their site, manually edit the cookies. Let them retrieve them and corrupt their databases by their own hands.
If there's software that does this for you, I'll pay for it.
Now is there any?
Re:You can curtail snail spam (Score:2)
Please add this number to your do-not-call list and never call this number again, thank you.
Politeness helps -- I almost always get a polite "OK, sir" reply from them, I'm off the phone in ten seconds, and I really don't hear from them again. My phone spam has dropped dramatically, to maybe two or three calls a week from a high of about three calls per night.
John
Re:But an open relay is the right thing to do (Score:2)
5-6 years ago, it was. That's why so many servers are still open - they're run by lazy admins, or come configured with relay turned on by default (Sendmail 8.6 on SUN, anyone?)
Today, it's not. The 'net changes. Deal.
> Locks should be to prevent kids from playing with blasting caps, not to keep thieves out.
Today, an open relay is an "attractive nuisance" - that is, it's analogous to leaving your garage, full of blasting caps, wide open, and hanging a sign on the door saying "Hey kids, don't come in here and play with the blasting caps!"
I think you're actually trolling, but I'll take you seriously for one more moment.
> An open mail server is likewise a nice thing to provide for those people who have unreliable internet connections.
If you're operating such a relay as a favor to a friend in such a situation, it's your responsibility to make sure it's not abused.
By way of constructive suggestions, you can require that users of your relay authenticate before using it, or you can restrict use of that relay to a specific IP address.
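The two restrictions suggested in the comment above (authenticate relay users, or limit relaying to specific IP addresses), as an added sketch that is not from the thread or from any MTA's code. The domain and network values are constructed, and refusing `%`, `!` and source-routed recipients is an added assumption about what a closed relay should also reject.

```python
import ipaddress

# Constructed configuration for the example.
LOCAL_DOMAINS = {"example.org"}                           # domains we deliver for
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/28")]   # clients allowed to relay


def split_recipient(rcpt):
    """Return (local_part, domain), or None for malformed or routed addresses.

    Checking only the final domain is not enough: an address such as
    user%other.example@example.org ends in a local domain but asks the
    server to forward the message elsewhere (assumption: the MTA would
    honour that routing if it were let through).
    """
    rcpt = rcpt.strip().strip("<>")
    if rcpt.startswith("@"):                  # source route: @relay:user@host
        return None
    local, sep, domain = rcpt.rpartition("@")
    if not sep or not local or not domain:
        return None
    if any(ch in local for ch in "%!@"):      # percent hack, bang path, nested @
        return None
    return local, domain.lower().rstrip(".")


def relay_decision(client_ip, authenticated, rcpt):
    """Decide what to do with one RCPT TO from one client."""
    parsed = split_recipient(rcpt)
    if parsed is None:
        return "reject: malformed or routed recipient"
    _, domain = parsed
    if domain in LOCAL_DOMAINS:
        return "accept: local delivery"       # anyone may send mail to our users
    if authenticated:
        return "accept: relay for authenticated user"
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in RELAY_NETWORKS):
        return "accept: relay for trusted address"
    return "reject: relaying denied"          # an open relay would accept here


# Constructed cases: (client address, authenticated?, recipient).
SAMPLE_CASES = [
    ("203.0.113.9", False, "<user@example.org>"),
    ("203.0.113.9", False, "<someone@elsewhere.example>"),
    ("192.0.2.5", False, "<friend@elsewhere.example>"),
    ("203.0.113.9", True, "<friend@elsewhere.example>"),
    ("203.0.113.9", False, "<someone%elsewhere.example@example.org>"),
    ("203.0.113.9", False, "<@example.org:someone@elsewhere.example>"),
]


def evaluate_samples():
    return [relay_decision(ip, auth, rcpt) for ip, auth, rcpt in SAMPLE_CASES]


if __name__ == "__main__":
    for case, verdict in zip(SAMPLE_CASES, evaluate_samples()):
        print(case, "->", verdict)
```
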
Re:Lousy admins don't help: (Score:2)
Let's see. You advocate the use of ORBS, yet ORBS launches a 15+ test attack on a target machine WITHOUT the permission of the sysadmin of the machine who's accused anonymously of having an open relay.
If it is asinine to use another's system without permission, then why advocate ORBS, who do exactly that....launch a 15+ probe attack VS a host without that sysadmin's permission, all based on submissions which proof can not be provided for?
Re:While we're at it... (Score:2)
The subject of "harm" is perhaps one place to look. In the case of check fraud, the money or property probably won't be recovered, or only partially recovered, and either the bank or account holder will take a loss. In the case of spam, a whole lot of users press delete, maybe an ISP bears some bandwidth or mail server load (low incremental cost), and maybe a couple stupid suckers fall for whatever scam the message is hawking, and take a minor loss, but from their own action (and they probably learn something from it).
Now this guy crashed someone's server by sending too much stuff so quickly, so there is some real harm, but 7 years in jail? I'd personally like to see him do at least a little time, perhaps only to strike some fear into all the other spammers out there, but 7 years sounds pretty damn harsh.
Re: (Score:2)
Re:While we're at it... (Score:2)
Maybe the ISP's staff spends dozens or hundreds of hours fielding the responses from people who were spammed demanding that the ISP do something about the spammer.
Maybe the ISP finds itself blocked by hundreds or thousands of mail admins around the world, and its subscribers decamp en masse because they can no longer get mail through. The ISP then goes belly-up.
Unless the spammer is willing to bear ALL of those costs (and has an agreement with the ISP holding the ISP harmless, sufficient credit to pay the costs, etc. etc.), s/he should go to jail as the thief and vandal s/he is.
Spam is theft of service. Spammers have no business existing. Anyone who spams should have to pay back the trebled costs of their damages (including people's time to download, recognize and delete the spam) preferably from wages earned from a work-release program shoveling muck out of sewer pipes (one of the few poetically just outcomes). Or they could just die painfully.
"
/ \ ASCII ribbon against e-mail
\ / in HTML and M$ proprietary formats.
X
/ \
7 years? That is too much (Score:2)
I see that the Legislature and "Justice" departments are at it again, they are trying to set punishments so the first people to be punished are examples for those to come.
I detest this bombastic view that has been done in many computer crimes, and when compared to other crimes, the amount of prison time, and monetary punishments just don't jive with other crimes.
It seems that computer crimes are becoming the drug crimes of their time. This is just another example of a misunderstood boogie monster crime that must be exaggerated in media coverage and criminal punishments. All this does in the end is fill our prisons with over punished people. This costs us too much money and causes us to have more criminals in the end.
I think 1-12 months in a county jail would do the trick, don't you? If not, subsequent violations could result in a few years of prison, but really, I'd rather delete a few extra e-mails a day than pay more in taxes for prisons, and cause the creation of more criminals.
-My $0.02
Hormel should get involved. (Score:2)
Re:Relaying (Score:4)
> open mailboxes outside every post office is a
> security problem
Yes, they are. You can no longer post packages
via public mailbox because of security reasons.
Remember the IMF protests in Washington back in
April? I work half a dozen blocks from the IMF;
I remember when the security guys came and removed
all our street mailboxes to prepare for the
protests. They did put 'em back afterwards, but
still, it was a pain.
Chris Mattern
His plea (Score:2)
Please e-mail this plea to 5 people in the courtroom, who will then in turn e-mail it to 5 more people...
Failure to do so will result in the death of your immediate family, increase of Oracle pricing for your employer, and the installation of RedHat 7 on your C++ development machine.
Thank you.
Usenet and spam (Score:2)
I figure that if other people aren't using free e-mail accounts to filter out their spam, and then complain about it, they rank on the same level as sys admins who don't apply the latest security patches and whine when a skript kiddie roots their box. I appreciate your "once-bitten twice-shy" scenario, though. I had one of those too.
Re:7 years for spamming? (Score:2)
Cut off his hands?
Re:While we're at it... (Score:2)
An open port is an open door. (H|Cr)acking a firewall is B&E.
While we're at it... (Score:3)
Re:While we're at it... (Score:2)
I agree, but I think you are simply arguing about a libertarian system vs. our current legal system.
Crime for every email sent (Score:3)
Re:Proportional Response? (Score:2)
I'd argue that a closer analogy would be taking a delivery truck for a spin in the middle of the day, while it's full of merchandise that needs to be delivered. Furthermore, that analogy doesn't cover the resulting backlash of spam complaints back to the source. It'd be as if a number of the thousands (millions?) of people that he cut off in traffic all called your business to complain about your reckless driver.
Re:But an open relay is the right thing to do (Score:2)
Well you could have a neat system which works the following way... When you want to send mail you check with something (e.g. DNS) where to send it. Getting back a list of possibilities (which can be spread all over the world). All nicely documented in RFC 974...
Now why exactly do we still need third party relays?
Re:Uh, doubtful (Score:2)
Lousy admins don't help: (Score:3)
If I had a dollar for every open relay on the Internet, I'd be a very rich person. This kind of crap -- "hijacking", they call it -- wouldn't be possible if sysadmins would LEARN how to SECURE their mailservers!!! Here's a hint: turn off relaying! It's absolutely asinine to allow the entire Internet to send mail through your machines; hopefully $18,000 in losses has taught this person that.
- A.P.
--
* CmdrTaco is an idiot.
Community Service... (Score:2)
I'm all for not coddling people, but seven years for SPAM (yes I hate it too) isn't realistic....
Re:You can curtail snail spam (Score:2)
Re:While we're at it... (Score:2)
Well, that's just what I'm pondering. I would believe that I'd be within my rights to make use of a public resource (such as a mailbox) even if it does not belong to me. It is completely acceptable for me to deposit my outgoing mail into an unlocked mailbox (provided that said letters are not in themselves illegal). However, it is not permissible for me to remove things from the mailbox which do not belong to me or to place things into the mailbox which do not belong there.
It is my belief that open ports on computer systems are an invitation to make use (note: I am not saying abuse) of those resources. If you don't want those resources used by the general public then you need to close those ports or protect them in some other way.
_____________
Re:While we're at it... (Score:3)
Well how about I find a bank whose checks are extremely easy to forge because of something that they could easily fix (of course the truth is that any checks are easy to forge...since a forgery doesn't even have to be good enough to fool a bank in most cases)
So I forge a check for $0.01 (or $0 if possible...or some token amount) and immediately have the money deposited back into the account that I forged it to be from.
The point of "ethical" hacking is exploiting the system, not for personal gain, but to expose the problem and get it fixed. Check out the story in the jargon dictionary "The Meaning of Hack" and read the last story.
It was about some Motorola engineers in the 70s who found a severe security bug in their OS, they couldn't get the vendor to fix the problem, so they used it to gain access to the vendor's system and placed an "example" of the problem there.
Now....I'll admit the example was one where the people went quite overboard and did do some damage (making a card stacker shuffle people's punch cards is just plain mean!)
Of course...I guess the thing is... when it comes to actually hacking in the "break in" sense, for it to really be a hack it has to be novel, it has to be original, it has to have style.
Pounding a system thousands of times over to send out mails, and not a single one of them being to postmaster telling them that their system is open? That's not original, it's not novel, and it completely lacks style.
It's more than an offense of stolen resources, it's an offense against good taste.
-Steve
Re:You can curtail snail spam (Score:2)
Re:While we're at it... (Score:3)
There's a little bit of a difference when you place a service on the internet. By leaving the port for some service open to the public you have in effect issued an invitation. Placing a public resource in a public place and being surprised when it is used by the public is stupid. If I open port 80 on my machine I should not be surprised when people connect to it and attempt to use the http resources on my machine. Why would I expect it to be any different if I leave port 25 open on my machine?
I think that an apt analogy is if I were to put a drinking fountain on my front lawn adjacent to the sidewalk. If you happened to feel thirsty as you walked past my home you could reasonably expect that I had extended an invitation to you to drink from the fountain since it was placed in a public place. If you were to connect a hose to it and use it to fill your swimming pool that might well be a different legal and ethical question.
One should be able to make a resource available to the world and expect that it not be abused. The internet and human nature being what they are, though, that just might not be the wisest decision. Something to think about anyway...
_____________
You pay for your email box? (Score:2)
I agree with you that spam is a Bad Thing(tm), but there are a couple of simple steps you can take to minimize its effect on your life.
Re: (Score:2)
Re:Poor analogy. (Score:2)
Re:While we're at it... (Score:2)
I've found that a pretty good way of not going to jail is not to commit crimes like theft or forgery. Works for me.
A better way is to require restitution to the victim, in the form of a lump-sum payoff, or garnishing of wages. This is the libertarian way of doing things. If the person cannot or will not work to pay off their debt to the victim, then they would go to jail.
Jail simply turns people into criminals, and should be a last resort, not a first. IMHO.
-thomas
Disgusting proportion (Score:2)
Listen, he's NOT going to get 7 years (Score:2)
In fact, the sympathetic response by many of those on Slashdot suggests to me that maybe punishments need to be made stronger in order to firmly establish that breaking into someone's computer is NO DIFFERENT from breaking into someone's house. If you want to take a look at someone's house, and slip a note in their mailbox if you notice they've left a window open, well that's one thing. If you crawl through the window and take a look around, even if you don't do any damage, that's a problem.
Re:While we're at it... (Score:2)
security hole in someone's system, and immediately
notifying the sysadmins so they can close
it.
Hijacking an email server, and committing
thousands of cases of fraud is another.
Email is worthless if we cannot trust that the
apparent author is the true one.
Doug
It's fraud. (Score:2)
Congress is about to pass a change to the tax code that would place a 50% tax (a sin tax, in the spirit of tobacco) on beanie baby sales. As a professional beanie collector who makes his living selling them on ebay, this would put quite a crimp in my business. Although nobody has sympathy for beanie baby collectors, I figure that senior citizens have a lot of clout. (they do) So, I write up a letter on faked AARP letterhead that tells them that the new tax bill will place a 50% tax on Social Security, take it down to Kinko's and make 100,000 copies when nobody is looking, mail them off with a rubber stamp I "borrowed" from behind the counter when the grunt took a bathroom break, and then sneak out before he comes back, without paying. I have them all addressed to a bunch of addresses I found in a dumpster somewhere that may or may not be senior citizens, and figure that at least some will hit their mark and benefit my cause. Most will be ignored because they're mistargetted, but it doesn't matter to me because it didn't cost me anything. It cost Kinko's to make and mail the copies, and it gives the AARP a headache when people start calling complaining about this junk mail that's a lie.
Now, the fact that I lied in the message (common in spam) probably constitutes fraud on its own, but that's harder to prosecute than the much more obvious theft from Kinko's and impersonation of the AARP. That's what's going on in this case, and whether you think the guy has a right to spam or not, he certainly does not have a right to steal someone else's resources or impersonate another party.
Laws? (Score:2)
>neotope
More spam problems (Score:2)
-Chris
...More Powerful than Otto Preminger...
Actually, spam IS a crime (Score:2)
Re:You can curtail snail spam (Score:2)
I don't think the credit card people care about that. Years ago, Sears gave a $5 discount on any sale if you filled a credit card request form. I filled one of those every time I bought at Sears, as long as the promotion lasted. For every $100 I got in discounts, Mr. John Weissmuller, #2225 Poinsettia Ave. Huntington Beach CA, Social Security #618-32-8263, California driver license A8342885, got 20 Sears credit cards.
Spam Removal 101 (Score:2)
Just keep sending back your junk mail AND get yourself off the direct marketing mailing list.
Go here [talboa.com] to be able to create forms with the address already on it. I am not sure how other countries can do it, but I used this site and I get only a few pieces of junk a week now. Also, Junk Busters [junkbusters.com] is good, but the other site is easier to use.
=-=-=-=-=
"Do you hear the Slashdotters sing,
Re:But an open relay is the right thing to do (Score:2)
s/car/gun/g
s/ran someone over/drove away with the child I was babysitting but left in the back seat when I went to the store/g
People have been charged for precisely those kinds of irresponsibility.
(I'm not advocating criminal charges against admins of open relays - just pointing out that there's plenty of legal precedent for the moral tenet that one should take responsibility to see that one's property is not abused to the detriment of third parties.)
Instead of Jail... (Score:2)
Re:While we're at it... (Score:2)
The fact that an open port is a completely unguarded entry point into a computer system makes it analagous(sp?) to an open door to me.
Re: (Score:2)
Re:Prison?? (Score:2)
How many % of (let's say) US citizens are criminals?
(From now on, I'm assuming the answer to the above question is less than a few percent)
If this % is small, how economic is building jails, hiring police, putting people on trial, etc. to just correct this minority?
Does the correction of this 2-5% of the whole population actually make a significant difference to the sanity of the society?
On the other hand, the system as a prevention tool makes economical sense, because it purports to keep the rest (i.e. 90% or more) of the population from committing crimes.
A thought experiment: imagine that, you see the news on your local TV channel that "for the next 3 days our local police department is going on a strike. There'll be no street patrol..."
Will you get nervous about the news? Then, think about *why* you think you'll get nervous. It likely will point to the crime prevention function of the system.
>Reduce the incentive for murder. Why are people
>murdered? There are many social ills that drive
>people to kill. Try to correct these things, and
>you've prevented more murders than sending
>someone to jail--where they get angry, lift
>weights, and prepare for their next crime spree
Yes. Sound in theory. Extremely difficult in practice. Murderers kill people for various reasons, some of which are totally out of any stretch of our imagination.
It is not possible to make everyone happy at the same time over a series of many government decisions. Some must be upset, for individual reasons. If we cannot take care of each of them, there're bound to be criminals.
e.g. free food for everybody would definitely make a lot of people happy, and prevents helluva lot of crimes. However, it may create a riot among shareholders of big food companies.
Re:Uh, doubtful (Score:2)
---------------------------
Re:Low Down Dirty Horse Thieves (Score:2)
The result of what? The penalty for horse theft was probably so high because a horse was *so* valuable in the old West. Imagine having your only source of transportation taken when the nearest source of food or water might just be unreachable by foot. The impact of bringing down a mail server is not quite the same.
I know a couple of people who were sentenced to 5 years in prison for attempted murder. Again - not quite the same class of crime. I am no lover of spam, but 7 years???
Re:Uh, doubtful (Score:2)
http://www.2600.org/law/bernie.html
Read it all.
Re:Heh. After 7 years in the slammer... (Score:2)
*sigh*... You and other system administrators wouldn't have to worry about getting vengeance on spammers in the first place if you use an MTA like PostFix [goatse.cx] or qmail [qmail.org]. They're a lot easier to configure to filter out all the crap. They're pretty secure, too.
Re:Lousy admins don't help: (Score:2)
Got any suggestions on just how to do that?
I have a teensy little Celeron box (running FreeBSD 4.0) I've been planning on putting live on my SDSL connection for months. The idea was to get my own domain, with local Web and email service under my own control, and then shop my connectivity.
To date, I haven't put the machine on the air. The reason I haven't done it is because, frankly, I don't know how to properly secure it. Sure, I could turn it on and hope for the best, but I don't want to be put in the class of "idiot sysadmins" because I'm not an idiot. In fact, it's because I'm not an idiot that I haven't put the box on the air yet. I want to do the work properly so I don't ruin someone else's day.
Taking solely the issue of securing a mailserver, I have a copy of the whacking great O'Reilly book on 'sendmail', which I have read almost cover to cover. I sort of grok the sendmail.cf syntax, but even with the 'm4' macros to generate the stuff for you, 'sendmail' is still a bitch to configure properly. And besides the relaying issues, there's also the cutesy 'sendmail' features, such as command piping, remotely directing mail to particular files, etc. Do I knock those out as well? What are the tradeoffs?
And then once I get 'sendmail' configured, then I get to worry about not fscking up the Apache config and opening myself up to who-knows-what vulnerabilities.
I'd also like to remotely administer the thing, which means setting up, learning, and understanding 'ssh'. Oh, yeah, the box may also need to function as a firewall; how do I set that without killing my ability to play Quake/Half-Life/Unreal Tournament/Diablo-II? Do I use simple filters? IPChains? Something else? What are the tradeoffs?
I'm not a dunce; I can understand this stuff. What I lack is the time to go hunting down the discrete resources, and the knowledge of how they all interrelate. And there doesn't appear to be a central resource (at least, not that I've found).
I'm trying to be a good netizen. But saying, "SECURE YOUR FSCKING MAILSERVER," suggests that being a good netizen is much easier than it really is, which can be misleading to the people wishing to wade out into our pond.
Schwab
You Dream of a Utopia (Score:2)
We will never get rid of spammers. We will never get rid of telemarketers. We will never get rid of Jehovah's Witnesses. We will never get rid of television commercials.
I'm afraid that you may just have to swallow the fact that this isn't a perfect world and we must do what we can to protect ourselves. I could be a bastard here and extend your line of thought to home security (why should I have to buy a door lock?), but I won't. Oops. Sorry.
But an open relay is the right thing to do (Score:5)
There is a big difference between what is right and what we do. When I left my house this morning I locked the door behind me. The right thing to do however would be to leave the door unlocked so that if my neighbor ran out of sugar in her baking she could walk in and get it. I know she will return the favor next time I'm short an egg for my morning omelet.
An open mail server is likewise a nice thing to provide for those people who have unreliable internet connections. I temporarily store mail on your server until my buddy gets online, and then you send it while my server is offline.
Trust for your fellow man should be the normal way of dealing with things. Locks should be to prevent kids from playing with blasting caps, not to keep thieves out. Fraud and abuse should be completely unknown.
No I agree admins should lock down their mail servers. However everyone should feel very bad about having to do it. Locking down a mail server says bad things about society.
Re:While we're at it... (Score:3)
Crap, that's an excellent point. Moderators? Mod this guy up!
I'd have to look at the forgery statute to see if forging a HELO really oughtabe "forgery" in the criminal sense.
It's certainly a false representation, and it's certainly intended to deceive people as to the message's origins in order to perpetrate fraud.
But I think I may be mixing up my (meager) understanding of law with respect to forgery and fraud. (That is, it's OK to send a funny email on April Fool's Day as alan_greenspan@really.really.big.bank.gov, since it's clear to a reasonable person that you're not Greenspan. Doing the same thing, but sending economic statistics portending the interest rate bias for the upcoming fed meeting, to a bunch of Wall Street analysts, wouldn't be.)
The interesting thing if I take that "reasonable person" standard - is HELO ibm.net - believable to a reasonable person?
When I see Received: from ibm.net (luser.dialup.uu.net [63.whatever]), whether as a relay rape or direct-to-MX, I know it's a forgery. I wouldn't reasonably believe it came from IBM. I would believe that the spammer is trying to fool others less knowledgeable into thinking that it was.
I think it's more fraud than forgery, but the distinction's probably too subtle to really be captured in the law as it's currently written.
Like I said - a damn good point you made.
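The header check described in the comment above, written out as an added example (not part of the original thread): it parses sendmail-style `Received:` lines and flags hops where the HELO name and the reverse-DNS name recorded by the receiving server disagree. The function names, the sample message and the documentation-range IP addresses are constructed for illustration, and comparing only the last two labels of each hostname is a simplifying assumption.

```python
import re
from email import message_from_string

# Sendmail-style trace: "from <HELO name> (<reverse-DNS name> [<peer IP>])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
)

# Constructed sample; hostnames echo the comment, IPs are documentation ranges.
SAMPLE = """\
Received: from ibm.net (luser.dialup.uu.net [192.0.2.10])
\tby relay.example.org with SMTP; Mon, 1 Jan 2001 00:00:00 -0000
Received: from mail.example.com (mail.example.com [198.51.100.7])
\tby mx.example.net with ESMTP; Mon, 1 Jan 2001 00:00:01 -0000
Received: from ibm.net (unknown [203.0.113.5])
\tby mx.example.net with SMTP; Mon, 1 Jan 2001 00:00:02 -0000
From: someone@ibm.net
Subject: constructed sample

body
"""

def base_domain(host):
    """Naive registered domain: last two labels (assumption, no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_received(raw_message):
    """Return one finding per Received header, in the order they appear."""
    findings = []
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            findings.append({"verdict": "unparsed", "raw": value})
            continue
        helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
        if rdns is None or rdns.lower() == "unknown":
            verdict = "no-rdns"        # receiver could not resolve the peer
        elif base_domain(helo) == base_domain(rdns):
            verdict = "consistent"     # claimed name agrees with what DNS says
        else:
            verdict = "helo-mismatch"  # claims ibm.net, connected from elsewhere
        findings.append({"helo": helo, "rdns": rdns, "ip": ip, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in check_received(SAMPLE):
        print(finding)
```

Only the `Received:` lines written by servers you control can be relied on; anything below them in the message was supplied by the sender and can itself be forged.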
Re:Antisocial? (Score:3)
No -- this is wonderful news! (Score:2)
The government should be congratulating him, not imprisoning him!
Proportional Response? (Score:5)
I think computer security law should reflect physical security law, and provide for different kinds of crime. As far as I know, neither "trespassing" nor "breaking and entering" land you seven years in the slammer.
Now, using a mail server to send unauthorized resource wasting mail is probably a crime. Taking someone's car for a spin w/o permission or pirating airwaves on a spectrum allocated to someone else are probably comparable law breaking actions (if you disagree, find something closer). Is 7 years in jail a crime fitting punishment?
There's different grades of trespassing and use of others' property. Computer law should reflect this as well.
What about the admin??!!?? (Score:2)
It's not like this guy cracked a root shell and used /usr/lib/sendmail to send the mail. He connected remotely to port 25 on this system and did this. The admin is partly at fault! The admin said "Sure take my gun and start shooting people."
Also I agree with other people that 7 years is an awful lot too. It's not like he was killing people. Murderers and rapists don't get that much time usually anyway....
And no I'm not defending him. I think he should do SOME time. But he should get 7 years when rapists get life. And the admin should at LEAST get fired.
--
Garett
Re:Relaying (Score:2)
Even if someone was connected by UUCP you probably couldn't tell from the mail address.
On a UUCP setup you can't assume that connections will be made in real time; also, there is no equivalent of DNS. Instead UUCP "maps" were propagated as news postings.
Relaying (Score:5)
I think the sympathies here on
7 *YEARS* ? (Score:2)
You wanna stop being spammed? Use Spamido techniques:
http://www.yelm.freeserve.co.uk/spamido/
what next... (Score:2)
Newsflash - YOU pay for them to sit in jail (Score:2)
I agree. People who get carried away with lines like "lock them up and throw away the key" often forget one important question - which is, who pays for it?
It costs over $50,000 a year to keep someone in prison, which is something like twice the average income. Now, why should I pay for someone to sit in a square box and rot away, possibly be abused and develop mental problems of a sexual nature, and then be released into society with no skills? Just because revenge feels good?
Countries that have get-tough-on-crime policies have worse crime rates and a fucked up society. The US has the largest prison population in the developed world, larger than some European nations put together.
I've lived in other countries with different approaches to crime. The ones that focus on lighter sentences + rehabilitation have lower crime rates and less expensive prison systems. Of course, they also don't have electorates that fall for catchy soundbites like 3 strikes and you're out.
Ah, the analogy game! (Score:2)
One of the features of HouseKeeper is to be able to fetch various items from the household for a person requesting it.
As a default, HouseKeeper is configured to fetch anything for anyone. At page 384 in the manual there are (slightly outdated) instructions on how to restrict access to that functionality, for example set it to refuse to fetch the gun for anybody but you, but happily lend a neighbour a cup of sugar.
Now due to either a bug in HouseKeeper, a faulty manual or negligence, the owner failed to restrict anonymous access to the fetch(gun) command. This, luckily, did not result in a killing spree, but "only" in some late night target practice, which caused considerable irritation for a lot of people and a lot of work patching bullet holes the following day.
Antisocial? (Score:2)
However, is the guy who gets 20 years for pot possession also a danger to society?
The justice system is set up to punish the lower classes and minorities more, regardless of the circumstances of the crime.
Aren't the guys who run S&L scams and threaten the whole economy doing a lot more damage than those who steal cars or just happen to be carrying enough drugs to get counted as a dealer?
Re:While we're at it... (Score:3)
>
> The chattel part.
Chattel: Lawyerspeak for "stuff".
From mycounsel.com [mycounsel.com]
So - if I dump three million spams through your mail server without your authorization, and during the course of that, I saturate your outbound link and/or fill up /var/spool/mail with bounces, you've (a) been harmed by having your bandwidth eaten by me, and (b) been harmed by having real mail dropped on the floor from the full mail spool. To say nothing of (c) the time it takes to clean up the mess.
It's an open-and-shut case, and if your relay has been compromised in this manner, regardless of your moral responsibility to secure the relay in the first place, you can sue the spammer for the damages.
You Has Mail! (Score:2)
To: LtBurrito@slashdot.org
Re: Take Time Off From The Daily Grind! Learn How!
Don't delete this email until after you've read it And then you won't at all. Guarranteed system means you will never have to work another day! You'll be going places in no time! You will be waited upon by servants, have people bending over to please you, live in an enormous house wear jewelry and be chauffered everywhere you go!
Call 1-800-555-1212 and ask for information!
To jail, to court, to jail, to prison...
Specifically, civil servants, i.e. prison guards
Or visa-versa
Also known as the Big House
Bracelets anyway
By a guard named Elmo
--
more than one kind of right (Score:2)
When the original poster referred to "the right thing to do", he meant the thing that would be right in an ideal situation. And he was right about this. If I could trust the world with it, I'd much rather give everyone open access to any part of my computer that wasn't specifically private (personal email, etc.) or reserved for something else (say, 2G of disk space that look free, but that I need for the BeOS installation I'm planning). In the absence of misuse (like spamming), an internet of open systems could be used far more efficiently than an internet of closed systems.
On the other hand, you're talking about what's right given the conditions of the real world. This is also a useful thing to consider--indeed, as the original poster seemed to acknowledge (remember, he does lock his house each morning), this is what should guide how we actually behave. When people act as though they're living in an ideal situation, they usually end up hurting themselves and others.
The reason that it's still useful to think about an ideal situation--always remembering that we live in the real world--is that it gives us an absolute standard for how good things could get. If we aren't reaching that standard, we can keep looking for ways to improve the situation.
Just to make things (a tiny bit) more concrete, consider the example of the Prisoner's Dilemma. Ideally, the best strategy should be 'trust always'--if everyone can be trusted to follow this strategy, the total score in the game will be as high as it possibly can[1]. In a random population of different strategies, though, 'trust always' fails miserably. 'Tit for tat' does quite well--probably better than any other general strategy--but still doesn't quite live up to the ideal. The reason to keep the ideal in mind is that it reminds us to keep trying to refine the 'tit for tat' strategy, even though it does better than everything else around, until it can do as well as the ideal of 'universal trust everyone'.[2]
[1] Assuming I'm remembering the scoring correctly. If one player cooperates and the other defects, the sum of their scores is less than it would be if they both cooperated, right?
[2] Such improvements are possible--just not through a change in general strategy. One solution would be to ensure that 'tit for tat' is as widespread in the population as possible. Another would be to change your strategy based on the previous performance of your opponent.
P.S. I've just been reading Dawkins's The Selfish Gene, and I think it's colored how I talk about the Prisoner's Dilemma--anyway, I don't think this talk of 'populations' is natural to game theory. But I hope my point is clear enough, anyway.
--Moss
Re:Relaying and Postal Terrorism (Score:2)
More precisely, you can only mailbox packages up to 16 ounces, or 454 grams for you non-Yankees; if you've got a heavier package than that, you have to either go to a US Postal Service window or use a competing package carrier like Fedex or DHL.
Re:Crime for every email sent (Score:2)
Poor analogy. (Score:2)
More accurate would be, I left my gun in my house. You then went into my unlocked house grabbed my gun, and went and shot someone.
I am guilty of negligence ONLY if you *should* have had access to my house.
However, you clearly weren't meant to be in my house, I never gave you permission to be in my house, I simply forgot to lock the door.
THAT is how the law works, no matter how unfair you may think that is.
Prison?? (Score:3)
Maybe I am offtopic but...
No one likes spammers, and truly I think if convicted they should really lose their internet privileges, but PRISON?
This is evidence of a judicial system that is more about revenge than correction.
PRISON is for keeping violent people from hurting the rest of society. PRISON is for people who must be physically restrained. In the US, we send more non-violent offenders to prison than most other countries. Should you go to jail if you are caught speeding on the highway? How about jay-walking? Why do we send SOME non-violent criminals to prison and not others?
Re:While we're at it... (Score:5)
I see, fundamentally, no difference between forging a check to steal money from a person's account, and what spammers do.
They connect to another host, and exploit a configuration flaw to send mail through it. They masquerade as a legitimate user (just as a check forger masquerades as a legitimate check writer for an account) to achieve their end.
Now hacking is another story. I see no problem with "hacking". Exploiting holes to gain elevated privilege for the sake of doing it...and then closing those holes and helping those who run the system to fix the problem...that's another story.
There is quite a difference between breaking in as an example, the so called "ethical hacking", like what happened to slashdot a few weeks/months back, and exploiting a hole for personal gain.... over and over again.
Spammers are the most unethical creatures! They join online services with full intention of violating the Terms of Service. They search for "weak" hosts and then use them to launch their spam.
They remove all of the grief onto others. They cause the admins of the systems (who are not totally without blame usually) to get floods of abuse reports and cause them lots of grief. They then just open another account and do it all over again - closing their account doesn't even slow them down! As an added bonus, their mail floods slow down the hosts that they are using - causing mail delays and resource issues for legitimate users of the machines.
It is simple theft of resources, and they do it over and over again. Reaping the rewards at essentially zero cost to themselves. They can send out thousands upon thousands of messages for mere pennies.
If they set up their own domains, with their own legitimate mail servers, and used those to spam from - then I wouldn't have a problem with them. Of course, every mail server and ISP in existence would have them blocked at the border router within a week, and they know it - so they act like parasites, feeding off weak systems - and transferring all of their costs to others.
They change their usernames and things often (want to see my spam message folder? It's interesting to see the tiny changes they make to things - one has to imagine specifically to get around blocking filters)
Make an example of the bastards I say. They are parasites.
-Steve
Re:But an open relay is the right thing to do (Score:5)
The right thing to do however would be to leave the door unlocked so that if my neighbor ran out of sugar in her baking she could walk in and get it.
Nope. The right thing to do would be to give your neighbor, and anyone else you trust, a key to your house. It has been mathematically proven that "trust always" and "never trust" are not optimal solutions to a wide variety of Real Life cases, at least where they can be reduced to math (for instance, Prisoner's Dilemma). "Trust but verify" isn't just a catchy name for an algorithm in some abstract case; it works quite well in the real world. Assuming the common assumption that what works best in the long term is morally correct (that being how history tends to be written), why should anyone feel bad about doing what works?
7 years for spamming? (Score:4)
For spamming it'd be more appropriate to give them a large fine and temporarily ban them from any computer career (a la Mitnick).
Re:While we're at it... (Score:5)
What part of "denial of service attack" do you not understand? (Ever seen an open relay try to process 500,000 bounces?)
What part of "theft by trespass to chattel" do you not understand?
What part of "unauthorized access to a computer system" do you not understand?
But honestly, I'm glad they got him on the forgery charge instead of all of the above charges (i.e. forging a bogus return address) - because it's a very real attack (via 50,000 flames!) on a victim whose systems were completely unrelated to the damn open relay in the first place.
And it's a hell of a lot easier to say to the owner of a forged domain "consider suing the spammer for trademark infringement for forging your domain name into the spam" (civil suit launched at the victim's expense) than "Please contact the district attorney in (spammer's dialup's general area) and ask him to place criminal fraud charges upon the spammer" (a criminal suit).
> but JAIL???
I've found that a pretty good way of not going to jail is not to commit crimes like theft or forgery. Works for me.
Re:Proportional Response? (Score:4)
This is an excellent point. I used to argue that the difference between murder and attempted murder should merely be considered to be good luck on the part of the victim and not a difference in sentencing. Then I read this book [best.com]. David Friedman makes good arguments for different punishments for different crimes.
The major problem with making the penalties too severe is that it encourages additional crimes in an attempt to destroy the evidence or evade capture. To use this particular case as an example, if the penalty of grossly misusing someone's server is roughly the same as the penalty for completely destroying all of the data on it, it gives the criminal an incentive to wipe the system when he's done with it to be sure that no footprints are left behind.
Re:7 YEARS??? (Score:3)
I agree that it's sad that people are punished less for rape than for fraud. However, I will not agree that this is too harsh of a punishment for fraud.
> How would you like it if a hacker got 7 years
> for breaking into a computer system?
It's not about breaking in. It's about exploiting a flaw for personal gain. It's about breaking in thousands upon thousands of times over and over and using it to promote your own financial gain.
A person who "hijacks" a system once to demonstrate that it CAN be done, and makes a point to not hurt anyone in doing it - has done little wrong in my book. Simple trespass maybe, perhaps foolish, but nothing truly and fundamentally evil.
A person who "hijacks" a system directly for the purpose of furthering their own personal goals and to assign the blame away from himself? A person who "hijacks" a system specifically for the purpose of committing FRAUD. This is much worse than the simple act of "trespass".
I am sorry but... if it's new and original, or if it's done to demonstrate the possibility or just to learn about the system and to teach oneself what can be done...that is hacking. Just taking a well known problem and pounding it to death because you can or using it for personal gain, that is not hacking, it's exploitation.
-Steve
Re:7 years for spamming? (Score:3)
7 yrs is too harsh. make the punishment fit the crime. give this turkey an appreciation of why it's bad to spam.
how about this: force him to have to read all of slashdot, every day, browsing at -1 to 1.
--