UK Hacker loses Extradition Case 370
SnakeOil Steve writes to tell us that Gary McKinnon, the alleged hacker who broke into Army, Air Force, Navy, and NASA systems, has just lost his extradition case. From the article: "'My intention was never to disrupt security. The fact that I logged on and there were no passwords means that there was no security,' McKinnon said, outside the hearing at London's Bow Street Magistrates Court. 'I was looking for UFOs.'"
Nice Try (Score:3, Insightful)
You want to guess how well that flies? I agree it is stupid that there were no passwords on the system, but just like a yard without a fence, the fact the fence is there does not imply permission to run around there and dig up the flowers.
And it's the military. You really think you can poke around in the military's systems without them coming after you?
Re:Nice Try (Score:1, Insightful)
"Well, I can call the guy whatever I want and insult his wife and mother cause it's the Intarweb."
"Well, I'm not really stealing when I pirate all these MP3s and movies. Information wants to be free."
"Compromising a military system shouldn't be something I get sent to Gitmo for, cause it was too easy to get in."
Time for intarweb nerds to grow up and realise that there really are consequences for actions.
Ouch (Score:2, Insightful)
I really hope... (Score:4, Insightful)
Re:Nice Try (Score:5, Insightful)
What constitutes "permission" to access unpassworded network services? Do you need written permission? If so I guess everyone who accesses public web servers is guilty of cracking them since they didn't get written permission from the server owners.
It may sound silly, but there really isn't a lot of difference between a public unpassworded service and a private service that's been left unpassworded on a public network. It's certainly impossible to tell if it's legitimately public before connecting to it and there's no guarantee you can tell that it's not supposed to be public once you have connected.
Lets say you connect to a web server - how are you to know if that's a public web site or a private company's intranet site that they didn't bother to password protect?
This is ridiculus! (Score:2, Insightful)
A couple of points (Score:5, Insightful)
Also, I've heard this story from all sorts of sides and opinions ranging from "He's a harmless wannabe cracker who just walked into unsecured
Whatever the outcome I'd like to see the same standards applied to SONY as to this kid. If he goes down then I want to see SONY programmers arrested and deported to the UK to face multiple criminal charges because installing rootkits is an offence under the Computer Misuse Act in this country.
With all these double standards I can't see people retaining any repect for justice or the law. Once governments undermine the law with such blatent corruption of principles it's a one way ticket down to social disintegration.
Field analogy (Score:2, Insightful)
Comment removed (Score:5, Insightful)
Re:Title is not quite true (Score:5, Insightful)
Much as I think McKinnon is an idiot he should be tried and, if found guilty, punished in the UK: he stands some tiny chance of a fair trial here, along with a proportionate sentence. All that crap about causing so much damage to a network that it "took more than a month to repair" (quote taken from the BBC News story) has the strong smell of bullshit. I suspect this is more concerned with the US military being shown, once again, to be incompetent and entirely incapable of securing anything than with the alleged damage this plonker caused.
Shame he didn't want anything from our own MoD: if he'd hung around long enough I'm sure he could have picked-up one of the many laptops they've left lying around over the years.
McKinnon didn't hack anything (Score:5, Insightful)
This has gotten way out of proportion. He didn't even do anything to damage US operations nor was this even his intent, he's not a terrorist and had no malicious intent. I would rather make sure those idiotic sysadmins never worked in IT for the rest of their lives since they left administrator passwords open! Freakin morons.
Re:I really hope... (Score:3, Insightful)
I really hope that's not some kind of excuse for his behavior. Just because he was in the UK and broke a US law doesn't give him the opportunity to walk off into the sunset. He needs to face the music; he willfully violated US law. Reverse the situation -- if he were in the US and broke into a UK computer, you'd think that was ok? If that's the case I don't know why we're looking for Osama Bin Laden. He may have ordered the deaths of thousands of Americans and others, but since he's in a foreign country and just happened to break some of our laws, that's forgiveable, don't you think? And don't think I don't know what you're going to say: apples and oranges. But while he was breaking into our military's computer network, he had ample opportunity to find out all sorts of things, He may not have been performing espionage in the classic sense, but it's espionage nonetheless. He was trying to find out US secrets, albeit secrets that only exist in his deluded mind.
I think the best he can hope for is the Wacky Farm.
Comment removed (Score:5, Insightful)
Re:Nice Try (Score:3, Insightful)
True, but I would assume that any government building with an unlocked doors during 'normal business hours' would be fair game to walk go in to. This was a publicly accessible server out in an area (the Internet) where the assumption is that everything not locked down is accessible.
Re:Nice Try (Score:5, Insightful)
The reason you know that a yard without a fence is still private property is because there is social history - first around property, and more recently around 'suburb property'. So now we have an acceptance of what is private and what is not, even if it's not marked.
But, if you are in the middle of nowhere, and crossed no fence and passed no sign, you could be under the impression that you're still on public property. While you may still be trespassing, no judge is going to find you guilty. The rightful owner can certainly ask you to leave, but charges are never going to stick.
So, by the same token, any computer system that has no password could easily be assumed to be open to the public.
I'm strongly against computer owners who take no steps to mark the territory as private who then sue and/or lay charges. Anything I can access using a typical browser or ssh/telnet/ftp/whatever client is public property. As soon as it prompts me for a password, or even displays a notification that this is private, then anything beyond that is unauthorised access.
Note that shopping centers are private property, and yet we assume we can enter and move about freely. Sure, they can ask us to leave, but we work under the assumption that since the door is open, we are free to enter.
Once inside, there are often doors that are either locked or marked for no entry, and again, we assume that these areas are off-limits, but the rest of the area is 'public' (of course, not in the legal sense)
So, if from my computer I can access a remote computer belonging to the US Army, am I breaking the law?
Those who immediately say 'yes' forget that the US Army [army.mil] has a very public HTTP server which anyone can access freely.
So now the questions are (much more correctly) how does one tell whether one is on 'private property' out in the wilderness? Because that is what the internet is - a giant otherwise unmarked wilderness. Sure, parts of it look like the burbs with the on-line shopping and home-pages, but there's a whole host of other computers out there performing tasks, responding to credit, time, stocks quote, system update and various other queries. Which of those is public? Which is private? ... in my opinion the onus starts with the computers owner. If you attach a computer to the public network (aka the internet) and you fail to take a minimum of steps to state that this computer is private, than you should have no recourse if someone accesses it without your expressed permission.
It's only by putting up signs and locks that people can know which computers are public and which are not
Re:Nice Try (Score:3, Insightful)
I can do that legally in real life, too.
"Well, I'm not really stealing when I pirate all these MP3s and movies. Information wants to be free."
It isn't stealing, it's copyright infringement. Big difference. I'm not saying it's right, but it isn't stealing. And with current laws, I'd probably be better off if I were caught stealing a CD from a store, than if I were caught sharing MP3s online.
I don't question what he did was wrong... (Score:2, Insightful)
Re:McKinnon didn't hack anything (Score:4, Insightful)
Re:I really hope... (Score:3, Insightful)
Thing is, this guy wasn't hacking a UK server, he was hacking a US server, on US soil.
If he was stealing in the UK, he shouldn't be charged with theft in the US, but as it stands the crime was really committed on US soil.
I'd be more sympathetic to your argument if the server was on non-US soil. Then it'd be arguable that he didn't commit any crimes against the US, and shouldn't be tried in the US.
Re:Nice Try (Score:3, Insightful)
Re:Nice Try (Score:3, Insightful)
He committed a crime against resources not only in another country, but of another country's government. If you mail a bomb to the president of another country, that country will ask for you to be sent over -- even though you began the crime in your country.
Does the US ever ship anyone overseas for trial ?
That's why the UK is extraditing him -- they have a reciprocal extradition treaty. If they refuse to, then the next time they want a cyberhacker from the US to be extradited, the US would refuse.
Re:Nice Try (NOT!) (Score:4, Insightful)
I'm afraid I don't know the specific details of the case - was he accessing web sites? Were they obviously non-public? How could he have found out that they were obviously non-public before accessing them (and thus being branded a cracker)?
if you're finding passwords and deployment details, you can be pretty sure it's not supposed to be public
If you've found passwords and deployment details then you have already accessed the server and thus liable to be prosecuted as a cracker. Please explain how one would find out _before_ potentially breaking the law that they shouldn't proceed any further.
In fact, if he wanted to do the right thing, he should have emailed a security contact for the site and notified him/her about the problem.
Emailing them saying "hey, I just accessed all your confidential data" doesn't seem like a good way of avoiding prosecution does it?
It _could_ also be argued that since these were military secrets, knowing them turns him into a target and so the best way of remaining safe is to keep very quiet and hope noone notices.
Re:Nice Try (Score:1, Insightful)
I tell you I didnt do anything, I was just looking arround. It is not a crime, the door was open, and I did not damage anything. How are you going to feel the next time you go in the fridge to gran some food ? Or go gran a tylenol out of the cabient for your kid with a fever ?
Do you think you would feel okay with that ?
If you can honestly say you would have no problem with that, then you are a better man than I.
Re:Nice Try (Score:3, Insightful)
Re:Nice Try (Score:3, Insightful)
So if you steal a CD from walmart it's not actually stealing? I think there's a flaw in that train of thought.
Don't be a dumbass. Theft of a physical object is stealing. Copying a CD is not.
If you don't own the work in the first place, then it's copyright infringement AND stealing.
Cite please. It's one or the other, but not both.
Re:Nice Try (Score:1, Insightful)
http://www.blah.com/ [blah.com]
is obviously different than
\\ufos.blah.mil\C$
Open door analogy (Score:5, Insightful)
Re:Nice Try (Score:2, Insightful)
Re:Title is not quite true (Score:3, Insightful)
Re:Nice Try (Score:5, Insightful)
What I'd like to know is, with all this talk about "security" and "9/11" and crap, why is it that the military can be -- even arguably -- accidentally cracked? What if the alleged "hacker" wasn't from a friendly country?
I don't care how good this "hacker" guy was. Yes, perhaps he should be punished, but if he was able to get at systems that are critical to national security at all, regardless of the means he used, then clearly someone in the military isn't doing his job. I think the people in charge in the military, who have a duty (unlike this UK civilian) to safeguard the American public, should be punished more severely.
Re:I really hope... (Score:5, Insightful)
Also, extradition generally has to be approved by the country doing the booting, so it's hardly a level of bullying beyone the normal bullying associated with any form of politics. There are doubtless times when countries denied the US the right to prosecute their citizens: in this case, they didn't, because they agree that the man is a criminal and know that nothing worse would happen to him under U.S. law than under their own law.
Re:Onion (Score:3, Insightful)
You really aren't that stupid, are you? (Score:3, Insightful)
Give me a break. This guy spent at least a year (2/01 to 3/02) hacking into U.S. Government computer systems, he's 40 years old, and he's more than competent with computers. He knew exactly what he's doing, and he knows what he's doing when he obfuscates the issue by saying that he logged into systems that didn't have a password. It's ridiculous to assume from his flippant answer that all of the thousands of systems he hacked into had no passwords. Keep in mind by his own admission he was scouring file systems for evidence of UFOs. How many file systems do you know don't require any authentication whatsoever?
before you broke into port 80 and pirated all of this text and graphics to your computer
Talk about horrible, totally irrelevant, and not remotely applicable analogies. Anyone with half a brain and even moderate computer skills knows that using a web browser to access unprotected content is one thing. Telnetting into a machine, password or no, is a completely different matter.
Finally, I have no idea why it's popular to defend people with no life that are amused by causing damage to systems they don't own and know they shouldn't be accessing.
Re:Nice Try (Score:3, Insightful)
When you go into Walmart and pick up a CD without the intent to hand Walmart the required compensation, you deprive Walmart of the ability to sell that CD to someone. When you download music, most likely even not from the manufacturer but someone else who, in turn, also does not necessarily have the required rights to offer you this item, how do you take away the manufacturer's ability to sell that music?
Re:Disclaimer (Score:2, Insightful)
If they didn't take the time to password protect the server, I don't think it's safe to assume they did anything else at all to indicate that authorization was needed to access the machine.
A country that extradites its own citizens ... (Score:4, Insightful)
Re:You really aren't that stupid, are you? (Score:2, Insightful)
Assuming you're one of those with one half of a brain, can you explain to me how those two actions are a completely different matter in the court of law?
Re:Nice Try (Score:3, Insightful)
Good metaphor (Score:2, Insightful)
People have used a house with its door unlocked--not really.
A mall with an unlocked door marked "No admittance"--not quite.
A better analogy would be a hall (in a mall), with an unlocked, unmarked door.
Now, there are public places on the sites he "hacked", I'm sure. This would be equivalent to the store-containing areas of the mall. There are also places that require passwords. Now, the private places are equivalent to a hall full of locked, unmarked doors. Now say one of the doors is unlocked. Gary has been going down this hall, trying all the doors (he knows the mall is hiding all the "good stuff"--interpret at will), and finds one unlocked. He goes in, of course.
Now, the question is, when did this become illegal? In my opinion, when he went through the door. It was unmarked, so it could be assumed that it was public. But he had tried nearby identical doors, and found them locked. This adds to the assumption that he knew he was trespassing.
DISCLAIMER: I am not a lawyer.
Re:Nice Try (Score:5, Insightful)
Stealing: The act of taking feloniously the personal property of another without his consent and knowledge; theft; larceny.
http://www.answers.com/stealing [answers.com]
Steal: To take (the property of another) without right or permission.
http://www.answers.com/steal [answers.com]
I'm sorry but I see nothing about deprivation. You're welcome to look at the other definitions at those links and you'll see the same.
If you get your car worked on and then drive off without paying...that's stealing. You didn't actually take a physical object from that person though.
Re:I really hope... (Score:3, Insightful)
Come again? Whose fault is it then?
I know the one-way extradition treaty you have with Norway is bugging the hell out of us, BUT IF WE GO AGAINST YOUR BLOODY ADMINISTRATION IN ***ANYTHING*** WE'LL LOOSE ***ALL*** SUPPORT FROM YOU RIGHT AWAY SO WE'RE PRETTY MUCH STUCK WITH WHATEVER YOU WANT. (Apologies for caps)
You see, Norway is pretty dependant on the US on three things, trade, military protection/co-operation (we've got a lot of oil-platforms, and you've got one hell of a navy) and most importantly diplomatic support in the on-going trade-war against Russia over oil-supplies in the barentsea. (Russia doesn't recogognize the evenly split naval-terrority border; and have been busily stealing our fish for some time, and are looking hungrily at our oilsupplies there). It's easy for you to say 'grow a backbone', but actions that are completly inconsequental for the US can potentially totally fuck over us. We have backbones enough, they're just crushed way to easily :/
At the moment, if Saudi-Arabia, Venezuela, Russia ++ decided to oil-embargo the US, and Norway had a vote to decide if we wanted to join, I would actually vote *FOR IT*. The more I learn about politics and recent norwegian relations with the US the sicker I get of it.
Comment removed (Score:4, Insightful)