Schneier on Security
A blog covering security and security technology.
« Random Killing on a Canadian Greyhound Bus |
| Italians Use Soldiers to Prevent Crime »
August 4, 2008
Good perspective on Gary McKinnon's extradition to the United States.
Posted on August 4, 2008 at 12:58 PM
• 37 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
It wasn't really hacking was it? Well, I mean it was in the loose sense of it, but I heard he just ran some perl scripts to brute force passwords through a couple proxies.
Despite this, password rules for an organization (especially one so important and with so many users) must be very tight. He did a great thing to expose the lax password rules, but I don't think hiring him would have done much but teach them "admin/password" and "user1/user1" are not appropriate for NASA logins.
The interview I saw with McKinnon implied that he just hit systems with the default administrator account enabled with a blank password.
It just comes down to the Sorry state of the american justice system- and even more sorry state of the Government infrastructure.
History is doomed to repeat itself.
$700 k to clean up their security? cheap...
"For a start, [in the UK] you would not find yourself in jail for 50 years for stealing $160 worth of videotapes, or for 25 years for smoking marijuana."
Wow... this happens in the US? I mean, I'd certainly believe it, but I'm *really hoping these are extreme cases. WTF?
I know at least this much, smoking marijuana is not illegal in the US, possession is.
Well, good points from the Guardian, as expected. Oh the irony that this man is being extradited from a country that pioneered modern penal concepts such as the concentration camp, and they call America today a less fair justice system.
Could it be that the US might actually working from a dusty old playbook of disastrous "immigrant scare" and "economic bust" policies like those set forth by Prime Minister Ramsay MacDonald?
In such a case, even if far-fetched, I hope we keep our perspective on what it was like for those who lived in a nation known at one time for advocating slavery, forced child labor and burning a 19 yr old Saint at the stake. When they call you unjust...
Also... why the misspelling? 'Garuy'? Am I missing something? Everywhere I've read his name, it's listed as 'Gary McKinnon'...
Lawyers are often compared to zombies, but nevertheless, it's not too often that one comes across such a positively ancient perspective on a country's legal system.
...and the same idiot argument is brought forth again - hackers are really only helping, by exposing bad security.
A couple of weeks ago here in Sweden, a man stole 20,000 SEK (~ $3000) that someone had forgotten in an unlocked room adjacent to the bank's safe deposit box vault. Of course, when caught after having been spotted on a video camera, he claimed to only have wanted to point out the poor security of the bank.
McKinnon claims to only have looked for UFO information, but people, when accused of a crime they are guilty of, tend to lie a lot.
As for the horrible US system of justice - I'd say it works about as well as any system. See http://www.innocent.org.uk/, for innocent convictions in the UK, and I'm sure you can find similar stories for any modern western country.
Absolutely. I was just talking cybersecurity with a criminal justice student the other day and they unloaded a staggering number of case examples of harsh sentencing in America. I was informed that South Dakota has some really good material.
They will treat you as a "Class 5 felon" for the following:
- promoting prostitution
- distributing over an ounce of marijuana
That means forge one check and you can get 5 years in jail and $10K in fines. Apparently a case is about that actual event.
By the way, looks like SD only recently (1976) repealed "sabbath breaking" and "hypnotism" from the criminal code.
I hate to bring this up but "advising" on abortion in SD can find you facing a Class 6 felony. Note, I'm no lawyer and it has some kind of "per the Supreme Court decision on state rights" caveat.
Speaking of which, there's a bill in front of US congress right now arguing against felonies for marijuana.
H.R. 5843: Act to Remove Federal Penalties for the Personal Use of Marijuana by Responsible Adults
OK, cracking on the US "justice system" is deserved; HOWEVER they overlook one huge fact - we got OUR system from THEM (the UK)!
Almost every principle in our system is transferred from British law; common or otherwise. Granted they've diverged since it was instantiated but the kernel was theirs.
@Shane (re Gar*u*y): I would guess that one occurrence was a typo, and the other was a cut-and-paste.
As a historian, I'll take that as a compliment.
I don't know about the 25 years reference, but here's another good case to review:
An American in Utah was given 55 years for selling marijuana to undercover police; more time than child rape, hijacking an airplane or even terrorism with a bomb:
"...even [Bush II appointee] Cassell balked at sentencing nonviolent, first-time-offender Angelos to a virtual life sentence. He polled the jurors, who recommended an average sentence of 18 years. He then compiled a list of federal sentences for serious violent crimes and came up with numbers—like 24 years for an airplane hijacker, 19 years for a bomb-detonating terrorist, and 15 years for a three-time child rapist. Despite all his misgivings, however, last week Cassell bowed to the law and sentenced Weldon Angelos to 55 years and a day."
All irrelevant to McKinnon's case, but just to remind you before you choke on your own froth:
Ramsay MacDonald - Died 73 years ago
Boer War internment camps over 100 years ago
Child Labour - Abolished in the over 100 years ago
Slavery - Abolished in the UK over 200 years ago
Saint Burning - (assuming you mean Joan of Arc) Almost 600 years ago.
Bush administration's terror scares and rhetoric - Current, 70 years after MacDonald
Interning US citizens of Japanese ancestry in WW2 - 40 years after the end of the Boer War
Child Labour statutes - Don't know, assume approximately concurrent with UK legislation
Slavery - Abolished over 100 years after the UK abolition; allowed legal racial segregation by the state until less than fifty years ago
Salem Witch trials - About 300 years after Joan of Arc
What shocking here is the fact that the UK extradites its own citizens, or rather, subjects, to a foreign country. This is f'ed up. As I mentioned in other threads about this, not only is it completely illegal in my country just across the channel, but people would go in the streets to protest that. Even with Sarkozy in a contest to out-Bush Brown.
When will the US ratify the treaty under which McKinnon is to be extradited?
A more ethical government would not rely on an agreement that they had not yet signed.
I don't know the full details of what this guy did, but it sounds like it would be best handled by computer crime laws of one sort or another.
This marks another step in the continuing redefinition of the word "terrorism" towards "anything the people in charge don't like."
If he did something wrong, sure, prosecute the guy, but not everything bad falls under the label of terrorism.
Note to site admin: the "Garuy" typo got fixed, but "exradition" is still misspelled. Needs a "t" between "ex" and "rad".
Yes, my point exactly.
Thanks for your support.
"...the world's most dangerous hacker...".
Yeah, right. THIS week. *eyeroll*
Well, now that Harald is doing my work for me on historical facts, I thought I'd post some the details documented in the appeal:
Page two has the UK courts' opinion:
"As the Divisional Court itself pointed out (at para 34), the gravity of the offences alleged against the appellant should not be understated: the equivalent domestic offences include an offence under section 12 of the Aviation and Maritime Security Act 1990 for which the maximum sentence is life imprisonment."
I suppose they are referring to the fact that he interfered with military systems:
"Having gained access to these computers the appellant deleted data from them including critical operating system files from nine computers, the deletion of which shut down the entire US Army’s Military District of Washington network of over 2000 computers for 24 hours, significantly disrupting Governmental functions; 2,455 user accounts on a US Army computer that controlled access to an Army computer network, causing these computers to reboot and become inoperable; and logs from computers at US Naval Weapons Station Earle, one of which was used for monitoring the identity, location, physical condition, staffing and battle readiness of Navy ships, deletion of these files rendering the Base’s entire network of over 300 computers inoperable at a critical time immediately following 11 September 2001 and thereafter leaving the network vulnerable to other intruders."
Understated? What about the risk they are being overstated? Seriously. I have seen numerous global companies go inoperable for 24 hours due to a fat-finger internal error and watched execs just shrug it off as the cost of doing business. Try to sell a redundancy or security solution and some would say they'd rather pay for downtime.
The range of US estimates for damages appear to have been all over the place. Someplace between hundreds of thousands of dollars and millions was the cost to restore Windows to less than 100 systems? Or is the Pentagon saying that a corrupt windows system with no redundancy/backup and connected to the Internet is to be considered mission critical. Seems like it should be one way or the other, no? Were these systems so critical that they had proper redundancy, or were they so irrelevant that they could be replaced for a nominal fee. If there is something else going on, is that really the fault of an attacker or is there negligence also at work?
I guess my point is that the cost estimate reminds me of a $640 DoD toilet-seat story. And then there was the $1 trillion missing story in 2005
Would you really trust those guys with a damage/cost estimate, especially when they are embarrassed publicly?
The actual cost of re-installing a Windows OS and restoring a backup might be something in the order of a few hundred dollars per system, but it probably required endless paperwork and bureaucracy...plus it happened around the time of 9/11 and clearly ticked off the Army and Navy. And I doubt it helped that he supposedly left behind one taunting text message.
Anyway, the appeal text says the accused scanned over 73,000 systems but damaged or accessed just 97 of them. If we take a $700K estimate of repair in paragraph 15 that comes out to a repair cost per system of $7216.50. Given a hard figure, I wonder how that stands up to disaster recovery program estimates and the cost of downtime.
In other words the "damages" very well may have been trumped up in an overly rigid system to the point where prosecutors hope the Angelos case above is what McKinnon is going to face if/when he arrives in court in America.
Angelos, like McKinnon, backed away from a plea bargain arrangement with angry officials, then got the book thrown at him, and ended up with a life sentence for selling marijuana.
The Slate article discussed how the judge said "his hands were tied" when he handed out the sentence. Bad sign for America's justice system, no? I think that's what should have been addressed in the appeals document, instead of a comparison of bargaining rights, but I'm not a lawyer.
Fix the problems, not blame and leave problems in place.
Pure negligence with IT handling. A lot like Iraq civil war fallout.
USA should have the culture of, hack all you want, we are secure.
USA culture is the problem as well. Lies, and stealing within and putting small idiots on the cross, to distract from the real bad stuff going on.
This happen with congress during the Iraq war as well.
USA leaders are damaging international relations with these witch hunts and crusades.
Think people...your leaders have failed USA and world, badly.
Reponsibilty and meaning.
> Interning US citizens of Japanese
> ancestry in WW2 - 40 years after the > end of the Boer War
And don't forget the current Guantanamo Bay internment camp. What right does the US have to keep these people?
In a war situation POWs are kept in custody until the war is over. However here there is no declaration of war and how can a "war on terror" ever end?. Are they to be kept imprisoned indefinitely in terrible conditions and without proper legal representation?
For most, the only crime they committed was to fight back when US soldiers invaded their country.
This is an absolute disgrace.
"I know at least this much, smoking marijuana is not illegal in the US, possession is."
How do you smoke marijuana without possessing it?
I seriously doubt the US would extradite any of its own citizens to any other country on similar charges.
As I see it, the alleged crime hasn't even taken place in the US, but in the UK, and as such, he should be tried (if at all), in a UK court, under UK law.
I think it's time the rest of the world grows some backbone. You want a person extradited? Show me some evidence of the crime first, and an extradition treaty with both our signatures on it. You can't? Tough luck.
It's absolutely crazy that a person that may have never set foot in the US has to fear the US judicial system, without have any recourse or options to change it.
I believe an extradition should be based on evidence, admissible to and decided by a court in the country of origin.
Observer2: have somebody else hold it while you smoke?
it is not about law but about de l'esprit des lois. one does not need to go far into history to learn difference between constitution and its practice. stalin constitution on paper and its interpretation (gulags) should warn anyone about where paranoia can led us.
But unless you're being forced to smoke it (e.g. in Guantanamo as a form of torture, sorry I mean enhanced interrogation) surely you take possession of some of it by taking a puff?
Putting aside the specifics of this case my main problem is with the idiots who put a treaty in place that doesn't require _mutual_ ratification to become valid. This way it just becomes a game of legal chicken and there is no pressure on the US to ratify their side of the agreement. Odd that, perhaps it is working as designed ?
@Davi Ottenheimer: No, its an appropriate sentence; we have to do everything possible to stop undercover police from buying drugs all the time.
I'm glad we all agree that it's okay for foriegners to hack our military computers. If they ask, we should just box up all our computers and ship them to whoever wants them. And then we should all kill ourselves for being so mean and dumb.
And what about Dmitry Sklyarov?
He did something which is legal in Russia (where he lived an worked), but was arrested for doing it when he visited the US for a conference.
Is that any better?
"If they ask, we should just box up all our computers and ship them to whoever wants them"
you've already done that. this guy has apparently been polite enough to leave a note warning you about that.
Google "Marc Emery" and "BC3". Three well known Canadians are facing extradition to the U.S. for selling Marijuana seeds. Oh no! Billions of dollars of taxpayer's money are spent enforcing a war on cannabis and now people who were selling SEEDS may be sent to America and jailed. Marc has said himself that he's never been to the U.S., where's the justice?
"Land of the free" is a lie. Honestly, I think Gary McKinnon was onto something, I believe there are UFOs, and they HATE MARIJUANA!
Some of these comments demonstrate what happens when you become so open-minded that you won't take your own side in a fight.
I'm a US citizen, and we don't need to fry this guy, but he most definitely needs an attitude adjustment. All you need to regain some perspective on this is to translate it to physical access. If you leave a note on my front door saying "Your door's unlocked" because you can see that it's open, I'd thank you. If it's not visibly open, I'd ask what the hell you're doing rattling my doorknob in the first place. If you walk into my house, rifle through my belongings, and leave a note on my bed saying "Boy, your security sucks", I sincerely hope you get around a year in prison just for general stupidity.
As far as his protestations that he was only doing us some big favor: if you've demonstrated no respect for the property of others, you're a liar until proven otherwise.
USA leaders are becoming a group of NUNs who can't get through a revolving door because they got spears in their heads.
Seriously, the USA pathetic rule by fear and making examples of people is really bad. We need to start handling our problems and culture.
The current administration used these policies and overleveraged bad ruling.
Ignore this guy, and spend the money/time/blame on ourselves to solve our culture and systems.
Like many, I only oppose the extradition. We've got perfectly good computer crime laws in the UK he could be prosecuted under (and note that he was in the UK when he committed the offences); why does he *have* to go to the USA to face trial? Why can't he be prosecuted and punished at home?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.