Michigan "Anti-Hacker" Law's First Felony Charges

styles writes: "According to this article, two young men have been accused of gaining unauthorized access to third party computer systems. "The charges are the first under a Michigan law which makes the unauthorized alteration, damage or use of a computer system a felony." I have been a user on m-net (one of the two systems compromised) for a year and some change, and the fact that someone went and took the machine down for at least a month (more? I forget...), and that someone also hacked sshd to steal my password just kills me." And this raises the ever-sticky question of determining who is harmed, how much -- and then the stickier issue of what to do about the first. (Use your judgement in interpreting the source of this news, too.)

[Updated 19:00 GMT by timothy] As several readers have pointed out in comments, and as reader Conan Ford e-mailed, if that funny address sets your nose twitching suspiciously, note that http://www.ag.state.mi.us/AGWebSite/press_release/pr10189.htm does get you to the same place.

Has anyone else ever known a cracker...

...I have unfortunately. I would venture to say that most of them are *not* just the curious garden variety hacker types. In some sense, they are pretty much sociopaths. The ones that I have known (crakers, that is) don't necessarily *want* to destroy information -- its just that it truly doesn't matter to them. They don't see months or years of work, all they see is a way to fulfill their need to break into a system and anything that gets in their way is expendable.

There was a cracker that used to work for my company -- once management found out about him, they let him go. But during lunch, he used to go on and on to me about the new virii he was creating. I kid you not, there was a certain passion to his voice about it. (much like pyros, I'm told). Anyway, you really got the sense talking to him that people simply didn't matter -- all that mattered was cracking as many systems as possible.

I don't know if these kids in MI were just a little too curious or if there's something more to it. But often times, this goes beyond a simple "boys will be boys" explanation.

Re:Don't know much about psychology, do you?

Logically, this should be the case--it's a simple cost-benefit analysis. If the rate of catching the criminals stays the same, you can increase the "cost" by making a harsher penalty. The flaw in this reasoning is that the criminal isn't doing a cost-benefit analysis for something like breaking windows--after all, what's the real benefit? For that matter, people who break windows are generally unable to imagine consequences anyway.

Not true. Malicious vadalism tends not to occur in public view, which proves that the vandals have some understanding of the risk levels involved. While imagining the consequences may be a bit fuzzy, even anti-social types do recognize levels of severity of punishment, and are able to relatively accurately assess risks.

The real benefit is that it's fun, if you're of the right mindset.

Taco's Going to Jail??

Gotta admit, when I first read the headline I thought Taco and CowboyNeal were headed for the slammer.

-Vercingetorix

Yay!

Now I can start prosecuting the fuckers who portscan me! Oooh baby look at me go! Except for the ones located abroad. There's always some wiseass in Brazil or Malaysia or somewhere. For them, I usually E-Mail the offending ISP demanding footage of the caning of the perpetrator (in the case of Malaysia) or the head of the perpetrator in a box (in the case of Brazil.) I offer not to declare war on them in return for this. Thus far I have not had any replies and am now at war with half the countries of the world.

Re:Odd reasoning, that

Breaking and entering is a property crime; the presence or absence of a homeowner is irrelevant. B&E does, however, typically stipulate that damage ("breaking") was done pursuant to trespass ("entering").

Even if no damage was done, breaking into someone else's computer is sure as hell an act of criminal trespass.

Here's how the State of Georgia, for example, defines criminal trespass [ganet.org]:

(b) A person commits the offense of criminal trespass when he or she knowingly and without authority:

(1) Enters upon the land or premises of another person or into any part of any vehicle, railroad car, aircraft, or watercraft of another person for an unlawful purpose;

(2) Enters upon the land or premises of another person or into any part of any vehicle, railroad car, aircraft, or watercraft of another person after receiving, prior to such entry, notice from the owner, rightful occupant, or, upon proper identification, an authorized representative of the owner or rightful occupant that such entry is forbidden; or

(3) Remains upon the land or premises of another person or within the vehicle, railroad car, aircraft, or watercraft of another person after receiving notice from the owner, rightful occupant, or, upon proper identification, an authorized representative of the owner or rightful occupant to depart.

If a computer is an extention of my premeses, this sounds like cracking to me; frankly I'd be much more upset with you if you were going through my computer files than my tool shed.

One important difference, though, between criminal tresspass and whatever tough-on-crime bullshit they've got going on in Michigan, is that criminal tresspass is a misdemeanor, not grounds for a five year prison term.

--

Odd reasoning, that

Perhaps despite having worked for lawyers for several years I still don't have an astute legal mind, but Granholm's contention that regardless of damage, hacking should (and will) be considered a felony is a bit odd, considering that she then compares it to vandalism, which definitely does depend on the amount of damage involved.

Yet another case of saying the net is like the real world as a justification for not treating it like the real world, I guess.

Two Sides

If you bought a deadbolt for your front door and it had a defects in it so often you had to buy a new lock every other day to prevent some kid with a stick of gum from getting in your house and steal all your stuff, what would you do?

Buy a different lock.

There are two parts to this. The server maker is responsible for not being as carefull as OpenBSD has proven that you can, the Admin is responsible for not doing his job right, and the script kiddie is responsible for breaking in.

Admins are unsaveable at this point, any fool can install a server and set up shop these days. Companies and kiddies should be punished. If you sold me a shit lock and some kid broken in my house, I would have the kid arrested and you, the lock seller, would be sued for any damage the kid did to my house.

If only our legislators could see that. But, noooo, MS is an 'innovator', Macs are 'toys', and Unix is for 'hobbists'. Great.

Re:Serves them right

First of all, you are not allowed to use deadly force to protect your property.

You don't know that. You may not be, but I am, and Threed may be allowed to as well. As Threed said, in some .us states, you are allowed to use deadly force to protect property. In Texas, chapter 9, subchapter D, section 9.42 [state.tx.us] of the Penal Code defines the conditions in which "[a] person is justified in using deadly force against another to protect land or tangible, movable property".

Blowing things out of proportion

Theft is wrong regardless of the medium used. However, I found Michigan's Attorny General stated matters in the usual exaggerated tone that the government uses to smear technology users:

Granholm said: "Hacking is the dark side of high technology's power and progress. For every person using a computer or the Internet for research, commerce or communication, there may be another person using that technology to commit a crime. '

She probably didn't mean that literally (how stupid would she have to be in order for that to be the case), but using such inflammatory language is wrong. Does she really mean to give the impression that half of the Net users are legitimate, and half are criminals? That would mean hundreds of millions of criminals!

(sarcasm)No wonder law enforcement has to work so hard to make the Net safe for us!(/sarcasm)
________________

Harshness sometimes necessary

I think harsh penalties -- perhaps harsher than any individual crime may call for -- are sometimes necessary to bring under control a problem that's really widespread.

For example, if breaking windows on houses was so widespread to be considered a real problem but so easy to get away with due to the sheer number of houses and the inability of law enforcement to track the criminals to their crimes then maybe a harsh law against window breaking will provide some kind of deterrant effect in the minds of those breaking windows.

The same may be true about cracking -- the odds of getting caught may not be that great, but if the penalty is really severe and people are getting charged and convicted then it might make some people think twice about it.

I also don't have any sympathy for crackers caught in someone else's system who didn't want them there -- you're breaking the law. You might find safecracking a challenge, too, but if its not your safe you're going to jail. A common criminal is a common criminal, and intellectual justification doesn't make it ethical.

New Denial of Service Attack found

In other news today, a new Denial of Service attack, The Slashdot Effect was announced. To activate the DoS, the malicious user sends a story to the popular Slashdot [slashdot.org] web site, who posts this story, containing links to a web site that the story references. Slashdot users try to access the site with such frequency that the load causes general use of the site to be unavailable. This can effectively cripple the site for hours or days on end.

Fixes/Workarounds:
To prevent The Slashdot Effect, avoid doing anything noteworthy to "Nerds" or any technological group. Avoid getting into legal trouble with the Motion Picture Association of America, and most definitely, avoid anything to do with Linux, FreeBSD, X Windows, or Distributed File Sharing. Also, avoid interacting with the following companies professionally:

IBM
Micron
RedHat
Rambus
NEC
Compaq
Amazon
Yahoo
Google
id Software
AMD
Intel

Doing such could be hazardous, and increase the potential of being hit with this crippling DoS attack.

If this were a public warehouse...

If this were a public warehouse that was only giving the appearance of some level of security, but in fact was leaving it's doors open all night with nobody bothering to check for intrusions, over months, they would be heald to some level of culpability themselves (along with the intruders).
EVEN if they had a piece of paper saying that they were not responsible.

Same goes with a mechanic that lets someone else drive off with your car (even if strangers just "borrow" it for a little while and you get it back).

Why does this have to be any different?

Until both the person messing with someone else's public server AND the owner of the server itself are heald accountable for their actions, this activity will not even begin to slow down.

Caviat: there is no telling if anybody accused even did anything in this story because the FBI is involved and they seem to skip over or invent "facts" as it suits them, ref. Kevin Mitnick damage assessment.

Visit DC2600 [dc2600.com]

can never think of anything to go here

Well my first thought was A MONTH???.

If I were to let any of my clients sites go down for more than a day, I'd be dead, I already suffer from telephone phobia from times when servers have crashed/email has gone weird. These days there is no excuse for not having backups and at least some idea of an alternative if you do lose a machine (he sez hypocritically).

Having said that this was a public access system run by volunteers, and given it's nature pretty hard to recover.

And as for the people who hacked it (and kuro5hin) they really have to rank in the intelligence stakes with people who would put their own balls in a vice and slowly turn the wheel until the plates met. You don't attack people who are helping the net remain open, and a community, many of whome may previously have had some sympathy for (h|cr)ackers, or at least draw from the same knowledge base.

Also stupid acts like this are just making it so much easier for various governments to sneak in with legislation that is inthe end just going to make it harder for everyone, and turn the internet into little more than a commercial, monitored service (anyone ever used aol?).

What is unauthorized use?

My question is simple: what is unauthorized use? Does authorized mean "written permission"? Or is it implied?

I ask because of a simple case of sendmail: if it is running, is that an implicit authorization to send email to the owner via that port? I saw an article over at rootprompt [rootprompt.org] where a sysadmin tried to contact the owner of a box by sending him email via the sendmail port of the box (the box was apparently on a DSL line). The owner got all pissed because he didn't "authorize" the sysadmin to use that machine. The sysadmin argued that sendmail was PRECISELY for doing exactly what he did--sending email.

This may seem stupid to most of you, but remember that many people do not understand the technology they use, let alone legislate about. Could this law be used for suing people who connect to your machine? If you have sendmail up, and someone connects to it, is it their fault or yours? What about FTP and HTTP? If you do a base install of RedHat, you get FTP, HTTPd, Sendmail and a bunch of others. If someone connects to your web page or your FTP server, is that unauthorized?

There are obviously two sides to this issue. I personally get all paranoid when people connect to my box--it is a firewall with nothing running but ssh and ident. If someone tries to connect to my RPC port (i.e. NFS), I am a bit suspicious of their intentions. So this is unauthorized? But what about someone who gets hacked and my machine's address is used as a decoy (or in the case of ADSL with PPPoE, I'm now at the address that was used to attack them, but I'm a different person) and they run a port scan in an attempt to figure out if I am hostile. Does a port scan count as "unauthorized"?

The issue is pretty simple: the techniques used by crackers are legitmate techniques used by security concscious sysadmins every day. Will clueless legislation start to put honest, hardworking sysadmins at risk?

My feeling is "yes". And that bothers me. Sigh.

Reactionary Politics?

What's the real story here? Beats me. Felonys are things like Grand Larceny, and Killing Grandma. Serious repercussions and lots of damages are required for something to be a Felony, right?

Or it may be that any crime which is so unknown that its damages may not be easily talliable becomes a felony as a deterrent. It may be that making laws banning data theft and hacking become 'cutting edge politics', and all the street savvy politicians want their name on that bill.

Probably, the severity of the law is caused by the blinding fear the average luser has about his machine being hacked, or all the dirty emails he sends his mistress being looked at by someone.

Theft is theft -- and if its information, how that information is used should determine the crime, or how much the (unrecoverably) destroyed data is worth.

Consider this: If someone broke into your house, while you were watching TV, romped through the kitchen naked, and left out the back door, but didn't take anything, would the courts care? No -- the police officer who showed up would say that since nothing was stolen, and no one was hurt, it's probably not worth the hassle to take it to court. But if someone were to enter your computer system it's a felony?

Case of sexy politics here, methinks. I could be wrong, but everyone runs that risk. Bugs me, though that while I can't get a guy who threatens to kill me sent to jail when I provide the officers with his name and address, as well as a witness to the event, laws exists that state unauthorized access to a system is a felony.

I don't dispute that charges should be brought -- it's the severity that gets me down.

A note from m-net's sysop:

M-Net isn't an ISP, we're a conferencing system. M-Net is the first public-access unix machine, or so some people claim. We give out free firewalled shell accounts with our primary focus being on our YAPP bbs conferencing system. If newuser was up, which it's not, due to some password locking issues with FreeBSD's pw command, you could create an account and be dropped into a shell. I'd encourage you all to drop by once we have it back up, and if you want to support a public access unix machine, use paypal to give us money at treasure@arbornet.org. Also, you can send us a check here:

• Arbornet Accounting Department P. O. Box 7938 Ann Arbor, MI 48107-7938

Uh oh. Is my TiVo a 'third party' system?

After all, I only 'license' the software, I don't own it. Since I hacked my TiVo by cracking the sealed case, added a 75GB second drive, and modified the boot files, am I going to have to stay out of Michigan? Man, there goes my vacation!

Dangerous Laws

These laws can be as dangerous as they are helpful, however. I'm in the network security business, and I've been running boxes on the net for 4 years now, and in this time I've seen a lot of complaints which go something like:

Dear root, I received the following ping packet at 13:13:13 on Jan 30. Per USC blah blah, unauthorized access to a computer system is a felony....

And it goes like that. In the past, these ignorant people would cite the US law which applies to unauthorized access to government systems. It didn't apply either way, but the point of the stupid email is this: "unauthorized use" and "unauthorized access" do not take into account the implicit permission for connections when you hook a box to the net. Knowing people in ISP/NSP abuse departments, I've seen way too many complaints along the lines of: "Someone connected to my webserver and this isn't a public server!" Could you call it unauthorized? Technically, yes. But shouldn't connecting a machine to the net be implicit authorization if you don't take steps with a tcpd, ipfilter, ipchains, firewall, etc? Absolutely. Or a password on your web pages. The same goes for pings -- people will get a single ping packet, and complain that they are "being hacked".

This brings me to an even stickier anecdote: someone has a box on the net running an irc server. Someone hacks a box at a government agency, connects to their irc server. The irc server, as many do, autoconnects to the client box on port 1080, maybe port 23, looking for (1) Wingate and (2) stupidity. Not much later, someone (maybe Nasa, maybe the SS) manages to unlink and postmortem the box, seeing the auto connects logged, and goes after THAT person. Thankfully, they were never dragged into court or anything, but the government actually believed that the person had a hand in the hacking of the box, and that even if not the mere autoconnects were a violation of the law.

That said, I think the "uproar" over hacking is causing laws that also may be too harsh. Removing the $1000 cap on the michigan law is irrelevent -- any hacked system can easily generate a $10k tab, just by citing expert recovery time for dozens of hours at >$100/hr. The simplest 1-machine hacks of companies have generated 6+ figure "damages" in the past.

Even as a security professional, and agreeing that cracking a system when not invited should be a crime, cracking should be a reparation case. If someone spends $5k in time and loses $10k in business because of your crack, you should pay that back, do a few hundred hours community service. It's rough, but it is a crime. It should remain a misdemeanor, unless things are done to multiple systems, with malicious intent to cause harm to the system(s), etc. I'm sure there's a lot of room for discussion, but felonizing script kiddies is not, in my opinion, what we need to do. At least the original bill seems to allow for _10 year_ sentences for "damages" of >20k. Sending some 18 yr old to jail for 10 years over a hacked box is absolutely insane. As a network security professional, I'm also fully cognizant about how easily most of these boxes ARE compromised, and replacing security precautions on shared machines with draconian laws with absurd sentences is absolutely unacceptable.

Don't know much about psychology, do you?

"...maybe a harsh law against window breaking will provide some kind of deterrant effect in the minds of those breaking windows."

Logically, this should be the case--it's a simple cost-benefit analysis. If the rate of catching the criminals stays the same, you can increase the "cost" by making a harsher penalty. The flaw in this reasoning is that the criminal isn't doing a cost-benefit analysis for something like breaking windows--after all, what's the real benefit? For that matter, people who break windows are generally unable to imagine consequences anyway.

Making a stiffer penalty will not lower the crime rate--the few people put off by the increased danger will be more than offset by the people turned on by the increased danger.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/

It's a felony to press our panic button!

These are two very different cases that should have two very different treatments.

First I would like to point out Jennifer's poor sense of perspective:

For every person using a computer or the Internet for research, commerce or communication, there may be another person using that technology to commit a crime.

The suggestion that there "may be" one "criminal user" out there for every legitimate user is nothing less than retarded. If there were 10 million+ hackers out there it seems unlikely that Jennifer's toaster would remain unhacked after a display of such blatant prejudice.

But reactionary posturing aside, the ugly part of this mess is that these two people can be mentioned on the same page.

Salcedo is likely a criminal under non-computer law. And additionally, he's an idiot. If he's responsible for intentionally, irrecoverably (to the novice of course) crashing a business system, there is no need for computer-oriented law to prosecute him.

Salens on the other hand is just a punk kid to did a little digital graffiti. It's ironic that Jennifer can make the connection to real world graffiti, but then go on to push for the digital version (which is cheaper and easier to clean up) to be a felony.

Obviously to people with so little sense of the spirit of the law, anything their afraid of should be a felony.

When they are killing children for stealing lollipops, and the children start shooting back, the authoritarians will wonder, "What kind of monster would kill for a lollipop?" The bell tolls for thee.

here comes the drug war

now being applied to the internet. Wonderful. "Hacking" crimes should charged based on the actual damage done. Creating a law that states any "hacking" is automatically a felony is not a good implementation. Sounds a lot like the drug laws where you can be put away for a good long time just for possestion.

It probably won't be too many years now before some "hacking" task force has a budget along the lines on the drug war. I've seen more than a few "between the lines" suggestions by politicians that this is exactly what we need. With a mostly ignoranat public, the politicians will probably get what they want.

I wonder how much it will take to piss off the public though. Seeing a 13 year old skinny white kid from the suburbs being hauled off to jail for "hacking" might have a different effect on the public than some poor hippie or black pot smoker being thrown into jail on drug charges.

Re:Odd reasoning, that

Perhaps despite having worked for lawyers for several years I still don't have an astute legal mind, but Granholm's contention that regardless of damage, hacking should (and will) be considered a felony is a bit odd, considering that she then compares it to vandalism, which definitely does depend on the amount of damage involved.

I think vandalism is a really poor comparison. It may be good for when a hacker actually defaces a website, but the actualy hack itself is much more akin to breaking and entering. B&E is (I think) a felony, no matter what you are breaking into. Anything else you do while you are there is a seperate crime, with it's own charges. I think this is the same approach that should be taken to hacking. Hacking into a system is a crime. Anything you do while you are there may be another. If you just look around, all you get is hacking. If you deface a website, you might get the electronic equivalent of vandalism. If you destroy files, that's another charge. But the hacking into a system is a crime unto itself. Unlawful entry is unlawful entry, no matter if it's a house, business, or a computer system.

NEW EQUIPMENT!

" The M-Net system remained down into July and became available only after M-Net replaced the
system's equipment. "

What in the hell did they do to make it require NEW EQUIPMENT to recover from a crack? I understand lost data, etc. I know it used to be possible to spin a HD until it blew up or set a monitor resolution that burned it out, but I haven't heard anything of the sort in a long, long time. What's up with this? Is the AG wrong? Did M-Net not know how to reinstall a system? Or is this kid really lucky or some kind of jedi master and made all the chips explode in a fiery blaze destorying the MBs?

I agree that unathorized cracking is wrong; there are also ample ways to set up practice if you really want. Cracking free sites is not only wrong and illegal, it's evil and stupid.

I was going to moderate this dicussion, but no one brought up my first point, and I'm really curious.

Re:Odd reasoning, that

Granholm's contention that regardless of damage, hacking should (and will) be considered a felony is a bit odd, considering that she then compares it to vandalism, which definitely does depend on the amount of damage involved.

That really stuck out to me too. To quote:

Granholm added: "In the future, any hacking, regardless of the amount of financial damage it causes, will be a felony. A vandal is a vandal whether you are a virtual vandal putting graffiti on a web site or a real world vandal putting graffiti on a wall. Both are illegal. And using a computer to break into a company from the comfort of your living room is just as illegal as using a hammer to break down that company's front door. Because the Internet makes the crime easier doesn't mean that it makes it right. These are the first hacking charges in this state; you can bet that they won't be the last."

So then the question becomes - when does vandalism constitute a felony (and I expect there IS a point that it does)? If vanalism in the physical world does not constitute an immediate felony charge, why should it in digital form? Once again, we have existing laws that can easily apply without writing up a new mess of digital laws.

Granted, that doesn't allow for the political "get tough" and Internet buzzphrase newsbites.

only to protect companies?

Granholm said: "Hacking is the dark side of high technology's power and progress. For every person using a computer or the Internet for research, commerce or communication, there may be another person using that technology to commit a crime. The Internet, unfortunately, has become one more tool to pick the locks of companies
across the country."

And long license agreements full of mumbo-jumbo legalese has become one more tool to pick the locks of the average computer user across the country.

If I install a program, say a graphics program, would this law cover behavior that sereptiously sends valuable personal information to the company that wrote the program? We know the info is valuable (the company plans to sell it), but they haven't paid me for it and I haven't given it to them. Isn't this crime analogous to workplace theft? ie, I gave you permission to work here, but I didn't give you permission to take what you wanted home with you.

How can digital graffiti be a felony, but digital theft is winked at?