
US Wants UK Hacker To Pay To Fix Holes He Exposed

kdawson posted more than 5 years ago | from the on-second-thought-make-it-a-kryptonite dept.

The Courts 403

bossanovalithium writes "Gary McKinnon, whose tribulations we have followed for several years now, is the UK hacker trying to escape extradition to the US. It appears he is expected to foot the bill for the US Government patching holes his breaching uncovered — to the tune of $700,000. It's not really the norm for someone to pay for exploits to be patched — damages fixed, yes, but this is a very different thing." The article paraphrases Eugene Spafford as saying that the victim of a cybercrime should not take the blame. "If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door." Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?


If he's a hacker... (5, Interesting)

supersloshy (1273442) | more than 5 years ago | (#29506599)

...couldn't he fix them himself? With supervision, I mean.

Re:If he's a hacker... (3, Funny)

Anonymous Coward | more than 5 years ago | (#29506625)

dd if=/dev/zero of=/dev/hda

Fixed! At least the holes aren't there anymore.

Re:If he's a hacker... (0)

rs79 (71822) | more than 5 years ago | (#29506885)

Spaf's first name is Eugene? Really? I didn't even know he had a first name, I thought he was born "Spaf" like "Cher". Next you're gonna tell me Stef's first name is Einar or sumptin'.

Re:If he's a hacker... (1)

Mister Whirly (964219) | more than 5 years ago | (#29507217)

I don't know Cher's real first name, but her middle name is Ugly.

Re:If he's a hacker... (5, Insightful)

Jurily (900488) | more than 5 years ago | (#29507069)

couldn't he fix them himself? With supervision, I mean.

If I tell everyone that some houses have a big fucking gap where a door should be, am I responsible for not installing one?

Re:If he's a hacker... (4, Insightful)

ObsessiveMathsFreak (773371) | more than 5 years ago | (#29507271)

You are if you made the owner look like a FOOL!! You're gonna fry.

Linux (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29506609)

I don't like Linux.

Re:Linux (1)

Yvan256 (722131) | more than 5 years ago | (#29507063)

That's ok, Linux doesn't like you.

Well, I've learned MY lesson! (5, Insightful)

NoYob (1630681) | more than 5 years ago | (#29506613)

If I find a hole in my Government's IT security, I'll keep my mouth shut and let the government hear about it from the Chinese or the Iranians or the S. Koreans or ...anyone but me because they'll send me to jail and make me pay.

Re:Well, I've learned MY lesson! (0)

Anonymous Coward | more than 5 years ago | (#29506671)

Just scan another country, not yours lol ;)

Re:Well, I've learned MY lesson! (5, Funny)

Dog-Cow (21281) | more than 5 years ago | (#29506817)

Gary did scan another country (other than his own).

Re:Well, I've learned MY lesson! (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29506903)

With the UK being so firmly attached to the anus of the US it's easy to forget sometimes.

China and Iran will tell Washington about it? (3, Informative)

rwade (131726) | more than 5 years ago | (#29506685)

South Korea (the one with Seoul) probably would tell Washington about it, but it's unlikely that China or Iran would. It's more likely that they would exploit the vulnerability in secret.

Re:China and Iran will tell Washington about it? (1, Funny)

sopssa (1498795) | more than 5 years ago | (#29506951)

South Korea (the one with Seoul)

Americans really don't know the difference between North and South Korea without explaining it further?

Re:China and Iran will tell Washington about it? (3, Insightful)

rwade (131726) | more than 5 years ago | (#29506991)

The original poster tossed South Korea (which Washington considers to be one of its strongest military allies) with Iran (which Washington considers part of the so-called "Axis of Evil") and China (which Washington considers one of its strongest rivals), it is unlikely that he knows the difference.

Re:China and Iran will tell Washington about it? (2, Insightful)

eln (21727) | more than 5 years ago | (#29506993)

I think he was just trying to be punny. If someone is dumb enough to not know the difference between North and South Korea, I doubt they'll know where Seoul is, or even that it exists.

Re:China and Iran will tell Washington about it? (0)

Anonymous Coward | more than 5 years ago | (#29507081)

If someone is ignorant enough ... there is a difference between stupidity and ignorance, but as you surely know there is a lot of overlap between the two sets....

Re:China and Iran will tell Washington about it? (1)

Stenchwarrior (1335051) | more than 5 years ago | (#29507131)

I think the joke is that South Korea has SOUL...not really referencing the city.

Re:China and Iran will tell Washington about it? (1, Funny)

scotsghost (1125495) | more than 5 years ago | (#29507125)

Sadly, the modern American brain contains a short circuit that associates any mention of "Korea" with images of "puppet sex" [imdb.com]. Adding "South" to "Korea" doesn't overcome this effect. It's all Kim Jong Il territory to US. Amuhrrikuh, fuck yeah.

Re:Well, I've learned MY lesson! (2, Interesting)

gx5000 (863863) | more than 5 years ago | (#29506731)

It's not my fault! It's yours! No responsibility, no accountability... Whoever designed this should be sued and bring in the hacker as a witness... If I build something and you can get around it, I WILL be paying you to show me how you did it and PLEAD with you to help me out.... Trying to cover my ass for my stupidity, well, that requires an act of ignorance.

Re:Well, I've learned MY lesson! (1)

Hadlock (143607) | more than 5 years ago | (#29507215)

Chinese or the Iranians or the S. Koreans

I was going to say "I hope you don't vote", but then I realized that you probably don't, so democracy is safe once again! (please don't start voting)

Taking responsibility for ones actions. (-1, Flamebait)

BWJones (18351) | more than 5 years ago | (#29506619)

No, it is not simply like charging him to buy the lock that had been missing. If you entered someone's home uninvited and deliberately or accidentally caused substantial cost and damage to the homeowner, you should be liable for your actions. This could be reduced to simply holding someone responsible for their actions. People have a choice in what they do and Mr. McKinnon knowingly engaged in his actions.

Re:Taking responsibility for ones actions. (5, Insightful)

intermodal (534361) | more than 5 years ago | (#29506655)

The holes aren't his "damage". The holes were already there. I don't care if a whole wall was missing, if an individual walks into a building and does damage or steals, the damage or stealing is what they are responsible for. Building the wall or replacing the lock is not their responsibility at all.

logic doesn't enter into it (3, Insightful)

NotQuiteReal (608241) | more than 5 years ago | (#29506779)

These are legal matters we are talking about here.

Re:logic doesn't enter into it (2, Insightful)

geekoid (135745) | more than 5 years ago | (#29506829)

Correct, and if I trespass onto someone's property by walking through a gate with no lock, I will not be forced to buy a new lock. That doesn't mean I shouldn't be fined for trespassing.

Re:Taking responsibility for ones actions. (1)

rwade (131726) | more than 5 years ago | (#29506657)

But the hacker did not cause the bugs to be open. He exposed them.

Re:Taking responsibility for ones actions. (-1, Redundant)

calmofthestorm (1344385) | more than 5 years ago | (#29506693)

No, they were already there.

Re:Taking responsibility for ones actions. (5, Insightful)

Monkeedude1212 (1560403) | more than 5 years ago | (#29506663)

Repaying any damage he would have caused: Expected.

Going to Jail for his actions: Expected.

Paying 700,000 Dollars to fix the hole he DISCOVERED (not created): Unlawful.

Re:Taking responsibility for ones actions. (1)

walkoff (1562019) | more than 5 years ago | (#29506953)

Repaying any damage he WOULD have caused: Expected.

So if I walk through an open door with malice in my heart and start rifling through your desk looking for documents about aliens I can be expected to pay for the fact I could have splattered the place with paint, smashed all your plates, peed in your coffee pot etc.?

Re:Taking responsibility for ones actions. (3, Informative)

cabjf (710106) | more than 5 years ago | (#29506989)

"Great, now everyone knows we have the holes and we actually have to fix them. Everything was fine when people just assumed we had a secure system. Now this guy goes and rains on our parade. Let's try to get him to pay for fixing them."

Re:Taking responsibility for ones actions. (1)

DeadPixels (1391907) | more than 5 years ago | (#29506673)

Well, it sort of is like charging him to buy the lock. In this case, the lock was missing, unlocked, or broken; however, you're right in saying that doesn't give him the right to just walk in.

I'm not sure if he should be paying for the patching of the systems, but he should definitely pay for any damages and probably restitution. The analogy here would be "don't charge him to buy a lock, but make him pay for the TV he took and for the crime he committed."

Re:Taking responsibility for ones actions. (1)

dgatwood (11270) | more than 5 years ago | (#29507165)

I think it would be more accurately analogous to someone picking a business's front door lock with a paperclip, after which he might or might not have told others how to pick that type of lock with a paperclip. Then, they expect him to replace the front, back, and side door locks because now everyone knows how to break into the business. Pretty absurd inasmuch as the business had a cheap lock to begin with that should have been replaced years ago, not so absurd inasmuch as the risk of those locks getting picked increased dramatically as a result of the person's actions. So I can see both sides of this one. It certainly isn't clear cut. It really depends on whether he can establish reasonable doubt that anyone else knows about the specific flaws as a result of his actions.

Re:Taking responsibility for ones actions. (1)

Whorhay (1319089) | more than 5 years ago | (#29506719)

But he isn't responsible for the security holes that existed. He might have made them more widely known but he did not create them. He should be punished for the act of illegally hacking federal computer systems, but the flaws are not his responsibility unless he created them himself.

Re:Taking responsibility for ones actions. (2, Informative)

gnud (934243) | more than 5 years ago | (#29507145)

The fact that the systems are federal might not matter a whole lot, since the perp is British.

You know, not from the U.S.

Re:Taking responsibility for ones actions. (1)

MozeeToby (1163751) | more than 5 years ago | (#29506743)

But the flaws existed before he did anything. The example in the summary isn't exactly fair either, really they are trying to make him pay for a lock after he announced to the world that there isn't one. The thinking behind this logic is obviously "the security hole wasn't a problem until he announced it to the world". If you bought a new car and the doors didn't lock, would you just say to yourself "oh well, as long as no one knows about it"? Of course not, you'd want the locks fixed as soon as possible because eventually someone is going to notice that your locks don't work.

Re:Taking responsibility for ones actions. (4, Insightful)

pla (258480) | more than 5 years ago | (#29506759)

No, it is not simply like charging him to buy the lock that had been missing. If you entered someone's home uninvited and deliberately or accidentally caused substantial cost and damage to the homeowner, you should be liable for your actions.

I know, right?

Like last week, these kids walked uninvited across my lawn, and caused substantial damage to a number of blades of grass! And then to add insult to injury, their damned irresponsible parents just couldn't grasp their liability to pony up for the slab, four walls, roof, and two garage doors to "repair" the space their crotch-fruit just casually trespassed across!

Sure, some scofflaws would point out that I didn't have a whole garage there to start with, so why should they have to pay for the rest? But hey, I had the good solid dirt underneath a future-garage, at least.

Re:Taking responsibility for ones actions. (1, Troll)

dbcad7 (771464) | more than 5 years ago | (#29507071)

Your analogy changes though if it's a greased naked man who squeezed through a skylight on the roof and is looking through your sock drawer at 2 am. Now perhaps it is not the man's fault that you have a skylight, and that other people who are willing can do the same thing he did.. but you can see how you might want him to pay to keep others from doing the same thing.

Re:Taking responsibility for ones actions. (0)

Anonymous Coward | more than 5 years ago | (#29507161)

No, actually, I really can't.

Re:Taking responsibility for ones actions. (1)

oji-sama (1151023) | more than 5 years ago | (#29507175)

I don't think I would claim that installing some security measures for the skylight is the greased man's responsibility. Some punishment for his actions would be in order, which should work as a deterrent, but if I want more physical security, it comes out of my own wallet...

Re:Taking responsibility for ones actions. (1)

Ironica (124657) | more than 5 years ago | (#29507247)

Your analogy changes though if it's a greased naked man who squeezed through a skylight on the roof and is looking through your sock drawer at 2 am. Now perhaps it is not the man's fault that you have a skylight, and that other people who are willing can do the same thing he did.. but you can see how you might want him to pay to keep others from doing the same thing.

You might want it, but there is nothing anywhere in any code of law that makes *him* responsible for putting bars on your skylight. Yes, you'll do it, and your insurer might even require it if you make a claim for the actual damages he caused (maybe he got grease on a priceless pair of silk stockings that used to belong to Marilyn Monroe?). But there's simply no precedent or code that makes YOUR basic security HIS financial responsibility.

The issue here is that they're charging this guy $700,000 in "damages," and some of those "damages" are the costs of placing intrusion detection and firewall systems that weren't there in the first place and would likely have prevented his hacking. He didn't DISABLE or BREAK them; they just weren't there at all.

Re:Taking responsibility for ones actions. (1)

adolf (21054) | more than 5 years ago | (#29507123)

A new garage might be stretching it, but I think they at least owe you a good, high-quality fence.

Because, after all: They knew they shouldn't have walked there. It's only logical that they now be forced to pay to ensure that they won't in the future.

Re:Taking responsibility for ones actions. (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29507087)

Firstly, the guy has Asperger's, so he probably wasn't aware that what he was doing was actually wrong until someone told him (afterwards) that it was.

Secondly, these holes shouldn't have been present in such a system up front. The holes weren't patched, the system was incomplete.

If I have a choice, I'm not buying American goods until you grow some balls and admit that you fucked up in this case, and stop harassing someone else for it.

Re:Taking responsibility for ones actions. (1)

im_thatoneguy (819432) | more than 5 years ago | (#29507091)

This is crazy. It's like picking a lock without damaging it and then stealing jewelry out of a sock drawer and then being forced by the court to buy the victim a fence, guard dog, improved lock and safe to keep their jewelry in to prevent future crimes.

The one exception to this analogy would be if the hacker published the security holes. In which case you could argue it's like stealing a key and giving away copies--in which case he could reasonably be forced to pay for re-keying the locks he 'broke'.

Stick those stupid analogies up your ass (1)

Nicolas MONNET (4727) | more than 5 years ago | (#29507099)

No, it's not like "entering someone's home." It's nowhere near that. Nothing at all.
I could excuse this reckless stupidity on the Dumbtube (aka TV) but this is Slashdot. A technical website. People know what we're talking about, and those retarded, idiotic comparisons do not explain or enlighten, they just dumb the whole thing down. And in your case, they are completely wrong.
Besides, he didn't cause substantial damage. He didn't break anything. Hey, what if by posting this stupid message of yours you caused the death of someone? Hmm? What if? What if you caused the death of a million people? You'd be a mass murderer, that's what you'd be!

Re:Stick those stupid analogies up your ass (0)

Anonymous Coward | more than 5 years ago | (#29507269)

Looks like Nick is having a grandpa moment.

Re:Taking responsibility for ones actions. (1)

Altus (1034) | more than 5 years ago | (#29507181)

No, this is like someone entering your house through an open window and then making him pay for a new set of locks and an alarm system.

Potholes (4, Insightful)

Whorhay (1319089) | more than 5 years ago | (#29506637)

I wouldn't report any kind of crime or safety hazard if this becomes a regular tactic.

Re:Potholes (5, Insightful)

kylemonger (686302) | more than 5 years ago | (#29506723)

The good guys will make you pay them for exposing holes.
The bad guys will pay you.
Hmmm, maybe I got the "bad guys" and "good guys" mixed up there.

Re:Potholes (2, Insightful)

DragonWriter (970822) | more than 5 years ago | (#29506887)

I wouldn't report any kind of crime or safety hazard if this becomes a regular tactic.

McKinnon didn't "report any kind of crime or safety hazard", and there is no reason to expect that, even if the approach the government used here to assess damages from a violation of the law were to be accepted in that role, that it would somehow affect people who "report any kind of crime or safety hazard".

I have to agree with kdawson... (5, Insightful)

rwade (131726) | more than 5 years ago | (#29506639)

This is exactly like charging for a lock that was never there. Another analogy -- it is like forcing the thief to pay for the security system that the store owner now feels that he has to buy to prevent future actions.

If he damaged a system by hacking in, that's one thing. He should pay for that. But it's hardly his fault that the holes were there in the first place and he shouldn't be held responsible for funding the software improvements to prevent such actions in the future.

Re:I have to agree with kdawson... (5, Interesting)

sumdumass (711423) | more than 5 years ago | (#29507127)

This is not entirely unheard of.

I had someone repeatedly break into my garage and take my gas cans for the lawnmowers and root through the cars for money. Eventually, they took an expensive looking but stock car radio. The time that happened, my then girlfriend walked into the garage to go to work and startled the intruder. He knocked her down and ran but wasn't afraid to come back.

I eventually placed some hidden cameras in the garage and back yard with a dummy camera on the side of the house in plain sight. It took the guy about 5 days to realize the visible camera was a dummy and I got his picture including him rooting through everything and taking crap. I then placed a piece of a set of antique lamps made of sterling silver in the garage but locked them in a cabinet with a window. Anyways, those lamps were valuable enough to make his repeated breaking in worthy of a felony on the crap I could prove he stole alone.

The prosecutor advocated that the guy pay for the security system and cameras that I had to install because of his actions. The judge agreed and order it as part of his restitution. Of course he couldn't pay while sitting in jail, but as a term of his parole, he had to make payments to an account until the costs were paid off. As I understood it, I could have sued him for the costs but doing it this way made it a condition of his freedom which meant I was more likely to get paid.

Well... (2, Insightful)

ManlySpork (1542827) | more than 5 years ago | (#29506665)

This seems like quite the case of people, oblivious of technology, deciding over a technological matter. His crimes might be illegal entering, but he didn't have to break any doors, windows or locks. They were all wide open. If someone ever breaks into my house and gets caught I should sue em and get em to pay money to turn my home into an impenetrable doom fortress.

Faulty locks (5, Insightful)

Adrian Lopez (2615) | more than 5 years ago | (#29506677)

Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?

Rather like the lock company demanding he reimburse them the cost of redesigning their badly designed locks?

Re:Faulty locks (3, Insightful)

sonnejw0 (1114901) | more than 5 years ago | (#29506775)

This is security through obscurity, and it's frightening that a government entity relies upon it enough to fine someone for publicly declaring a security flaw. Should Microsoft, Apple, or the Linux Foundation pay a fine every time they patch a security bug, thereby describing how to utilize that bug in all unpatched systems?

I think not, I think that's ridiculous. But that quickly brings us to the argument that all software that we rely on should be open source so that we can modify it to fix it ourselves ... or the corollary, that all software we rely on should be closed source so it's difficult to find bugs (which is kind of an untrue assumption. I'd rather be in control of how I keep private what I'm trying to keep private. If I don't have control over the means of privacy, I have no privacy at all ... I guess I should go delete my FB account).

Faulty Lock Users (3, Insightful)

eldavojohn (898314) | more than 5 years ago | (#29506997)

Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?

Rather like the lock company demanding he reimburse them the cost of redesigning their badly designed locks?

From what I can find of his "hacking" abilities on the black vault [theblackvault.com]:

Somewhat frustrated by the common avenues of UFO research, Gary began some basic computer hacking techniques from his girlfriend's Aunt's house in the mid-late 1990s. Soon he began using a system of scanning for blank administrator passwords on supposedly secure networks ...

Sounds more like the lock company distributed a working lock to many U.S. government entities and they put the locks on their sensitive possessions but some individuals simply forgot to close the clasp and had no policy for walking around double checking locks. If he did do $700k of damage and bring the system to a halt, he should pay for it. If they are charging him $700k for a script that scans for blank passwords on accounts on their systems and drop it in a cron job, I'll gladly fulfill the work order for half that price!

It's not paying for the lock... (5, Insightful)

spydabyte (1032538) | more than 5 years ago | (#29506681)

It's paying for the research, development, and possibly deployment of a new and improved lock.

Analogies should be correct to be effective. Sadly, the most effective ones are often incorrect.

Re:It's not paying for the lock... (1, Insightful)

Anonymous Coward | more than 5 years ago | (#29506931)

"Analogies should be correct to be effective."... "the most effective ones are often incorrect."

Your post is oddly self-contradictory...

Re:It's not paying for the lock... (1)

spydabyte (1032538) | more than 5 years ago | (#29506987)

You've discovered irony. What would you like to research next?

Re:It's not paying for the lock... (0)

Anonymous Coward | more than 5 years ago | (#29507045)

Actually, I think I've discovered the difference between how analogies actually work and how you would like them to work.

Oh, wait, that's kind of ironic...

Re:It's not paying for the lock... (1)

ivonic (972040) | more than 5 years ago | (#29507265)

Ooo.... I'll have a vowel please Carol.

Re:It's not paying for the lock... (1)

FrostedWheat (172733) | more than 5 years ago | (#29506965)

Doesn't matter how good the lock is if they don't use it properly. You might have the best keypad entry system in the world, but if the entry code is 12345 then whose fault is it when someone gets in?

Re:It's not paying for the lock... (0)

Anonymous Coward | more than 5 years ago | (#29506973)

What's sadder is the categorical destruction of a perfectly good analogy.

Re:It's not paying for the lock... (-1, Offtopic)

Try Catch (1642433) | more than 5 years ago | (#29507031)

The Internet is a series of tubes...

Re:It's not paying for the lock... (1)

TheNinjaroach (878876) | more than 5 years ago | (#29507129)

If I pick or break a lock I should be responsible not only for replacing the lock but also for all of the research and development that goes into a newer, less breakable lock?

Car analogy... (3, Insightful)

mangu (126918) | more than 5 years ago | (#29507151)

It's paying for the research, development, and possibly deployment of a new and improved lock.

Similarly, Ralph Nader [wikipedia.org] should pay for the research, development, and deployment of a new and improved Chevrolet Corvair?

Re:It's not paying for the lock... (1)

Evildonald (983517) | more than 5 years ago | (#29507221)

The security holes are a series of tubes....

Re:It's not paying for the lock... (1)

ivonic (972040) | more than 5 years ago | (#29507223)

It's paying for the research, development, and possibly deployment of a new and improved lock.

Well it's paying for the scoping, designing, building, testing, deployment and testing of the shop's security system, which would include a better lock, alarm and bars on the windows. And lots of coffee for the builders.

Sort of (0)

Anonymous Coward | more than 5 years ago | (#29506703)

Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?

Sort of. It's more like forcing him to fund research into glass that can't be broken by the brick he threw / a lock that can't be picked by the tools he used.

Hmm... (1)

SOdhner (1619761) | more than 5 years ago | (#29506711)

FTA: "If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door."

Okay, so I can agree with paying for a broken door. Furthermore, I can say that there could be real costs involved in doing security checks to see what damage might have been done - so I'd be okay with that argument. I think they need to draw the line there, between "money spent checking what damage was done" and "money spent making sure someone else can't do the same thing". It's not entirely clear from the article what side this situation falls on, and while 700,000 dollars sounds absurdly high part of that is other more direct "damages" in theory.

Re:Hmm... (1)

jonbryce (703250) | more than 5 years ago | (#29506785)

If he's the one I think he is, he was looking around for evidence of aliens, discovered that the administrator account had no password, went in, had a look round, found no aliens and left a note telling them they needed to set a password on their computer.

Re:Hmm... (1)

DragonWriter (970822) | more than 5 years ago | (#29506963)

Okay, so I can agree with paying for a broken door. Furthermore, I can say that there could be real costs involved in doing security checks to see what damage might have been done - so I'd be okay with that argument. I think they need to draw the line there, between "money spent checking what damage was done" and "money spent making sure someone else can't do the same thing".

Insofar as how he did it would be revealed at least in part by the public record of the legal case against McKinnon, and insofar as he may have communicated details of the exploits that are not in the public record to others, the fact that he did breach the system makes it more likely that others would do so, increasing the risk:cost profile associated with securing the system against that type of breach, and making it more necessary to protect the systems than it would otherwise have been. So there is at least an argument that protecting at least the particular systems breached against the same type of breach that McKinnon conducted is an expense that is at least in part necessary because of his actions.

Analogy, sans car (3, Insightful)

Bobfrankly1 (1043848) | more than 5 years ago | (#29506729)

I like the lock analogy, but I think it would be more appropriate to say that they are charging him for discovering that the bolts that hold the locked door shut were missing. He simply pointed it out...

There is some logic to it (0)

holophrastic (221104) | more than 5 years ago | (#29506735)

The entire concept of having to lock doors is the concept of paying for security which is only necessary because of the criminals. Locks wouldn't exist without crime. We're not talking about keeping children out of cabinets.

So when a criminal does indeed prove that a lock is required, it makes sense to have those criminals pay for the security required to keep them out.

Hell, it makes a lot more sense for the criminal to pay for the security measures than for me to pay to keep them at bay.

Re:There is some logic to it (0)

santax (1541065) | more than 5 years ago | (#29506815)

No problemo mate, here at LocksRus my cousin and me we offer free locks as long as people let us inside to place the trap, eh lock.

Re:There is some logic to it (2, Insightful)

Donovon (1245428) | more than 5 years ago | (#29506845)

However what is at issue here is what if you walk up to your neighbor and say "Hey don't you think maybe you should have a door on that house? Someone could get in you know..." He then sends you the bill for the door, lock, security bars, and exterior gate.

D.

Re:There is some logic to it (1, Interesting)

holophrastic (221104) | more than 5 years ago | (#29507059)

Such laws always come with boundaries. If you walk through his front door, and "trespass", to tell him that, then yes you get the bill. If you manage to tell him without "trespassing", then you don't get the bill.

If you ping a server, it returns a version number that you know is insecure, you don't get the bill. If you login with the default password, you do get the bill. Because logging in is trespassing if you're not authorized to login.

The benefit, of course, to going with "trespassing" is that you get the benefits of existing laws. Someone can accidentally trespass, and appeal to a judge, who can easily say "the private property sign was not properly displayed".

It's not the pointing out an insecurity that's at issue. It's the proving it.

Re:There is some logic to it (1)

Whorhay (1319089) | more than 5 years ago | (#29506883)

I can't remember the quote but it basically says that locks are for keeping honest people honest, locks don't prevent criminals from getting through in most cases.

I'm tempted to install bolt locks on the doors at my house but there are too many large windows and a huge patio door that a thief could easily break. Adding bolt locks wouldn't actually add to security.

Re:There is some logic to it (0)

holophrastic (221104) | more than 5 years ago | (#29507089)

Here, we have glass-break sensors, cameras at the doors, and bolt-locks on the doors, and wired alarms with a wireless back-up. And we don't need any of them.

The saying here is that the cameras don't stop the criminals -- who just wear a mask. The cameras prove to insurance companies that we were actually robbed.

And in the end, we still don't need them, it's a very safe city of more than 7.5 million people.

Stupid analogy is stupid (1)

Nicolas MONNET (4727) | more than 5 years ago | (#29507133)

Did he steal anything? Did he cause any actual damage, not counting the fake damage that is the cost of securing the whole damn thing in the first place? No and no. Stop with the analogies, if you can't argue without an analogy, that means you're probably wrong.

A series of tubes (1)

dragonjujotu (1395759) | more than 5 years ago | (#29506741)

That's like asking him to pay for the grate and security guards to cover up the pipe he crawled through to get into the Pentagon...

Isn't it... (1, Interesting)

Anonamused Cow-herd (614126) | more than 5 years ago | (#29506751)

"Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?"

No, it's more like making him pay for new locks because he wrote a lockpicking book. The flaws existed, and he exposed them, but it's not his fault that people might use them to perpetrate crimes. If someone tells me how to crack a safe, I'd generally blame the safe's maker for designing that fault... not the person who realized the problem. Eh?

reward him (2, Interesting)

circletimessquare (444983) | more than 5 years ago | (#29506769)

vulnerabilities exist. this is true of all systems, no matter who uncovers them

therefore, an intelligent organization: a bank, a military, a government, will have a system where private disclosure of vulnerabilities results in a reward for the discoverer

if you don't have such a policy, a discoverer might turn to finding reward in your vulnerability with your enemies or criminality instead

unfortunately, the discoverer must consider the possibility that if he divulged the discovered vulnerability quietly, the organization he penetrated might find the least costly solution to the problem to be the disappearance of the discoverer

such that the most moral and safest approach for a discoverer is to go public with the vulnerability instead. which of course invites the wrath of the organization penetrated. it's a no-win situation for the moral discoverer of a vulnerability, such that there is constant pressure on white and gray hats to go black

Ridiculous (0)

Anonymous Coward | more than 5 years ago | (#29506787)

This is outrageous. What if these security holes were exploited and used by someone with intention of doing something bad?

The REAL crime is exposure. (2, Insightful)

Errol backfiring (1280012) | more than 5 years ago | (#29506799)

The real crime is exposing sensitive data through the internet. If a hacker shows his concern and makes it clear that the government is exposing sensitive data, the criminal is the government, not the hacker.

The funny thing is that the real crimes are often not legally the real crimes. In the Netherlands, it is not a crime to have a system full of sensitive data that is hardly secured. But it IS a crime for anyone to expose this insecurity. The Dutch government has created a special "theft of processor time" law to ensure this.

Me thinks (2, Insightful)

arizwebfoot (1228544) | more than 5 years ago | (#29506821)

"Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?"

More like they want him to pay for a lock that wasn't there because he was the first one to tell them that the lock wasn't there.

Or even more obvious, somebody forgot to put in a front door and now the store wants him to pay for a new door because he was the first one to tell the store that they had no door.

Fitting the lock (1)

Zocalo (252965) | more than 5 years ago | (#29506873)

Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?

No, not really; I think it's a little more complex than that. As far as I can tell, to use your analogy, McKinnon basically rattled the locks on the door, and found that they were unlocked. He then entered, rifled through the underwear drawers hoping to find something sexy (UFO data), and took some photos of what he found (copied files). He then left again leaving things mostly undisturbed except for a few things out of place. Upon later noticing this, the owner reacted as most victims of burglary do; by going completely over the top on security to prevent similar things happening again. McKinnon isn't just being asked to pay for the missing lock on the door, but also dead bolts on the windows, steel shutters, a motion detection system and burglar alarm.

He should sue the US gov (1)

JustNiz (692889) | more than 5 years ago | (#29506889)

He should counter-sue the US gov for putting an insufficiently protected system on the internet in the first place. Normally that wouldn't be sensible as the damage can't be proved, but in this case it can by the government's own reckoning: $700k.

No, that's just plain silly. (2, Interesting)

moz25 (262020) | more than 5 years ago | (#29506939)

This is where dogmatic views and analogies really contrast with technological reality. Those security holes would have existed whether or not he abused them in some misguided and naive attempt at finding info about UFOs. This is clearly a very intelligent person whose skills are of immense value. He just wasn't mature enough to realize the consequences and he certainly wasn't paranoid enough to keep his mouth shut.

It makes no sense whatsoever to lock him up with dumbasses whose greatest accomplishment in life is learning that beating their girlfriends is a bad thing or that guns and drugs don't mix well. What a sad waste of talent.

No, instead, I say: let him pay that $700000, but let him do it in the form of consulting. And fire the idiots who made those security holes in the first place.

I'll take car analogies for $200 Alex. (2, Funny)

fahrbot-bot (874524) | more than 5 years ago | (#29506943)

Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?

I'm sorry, you must state your question in the form of an Automotive analogy...

Bad question, probably (1)

bytesex (112972) | more than 5 years ago | (#29506955)

To answer the question posed in the write-up with a question: aren't the door and the lock one system? Wouldn't replacing the door usually also mean: replacing the lock?

when reading quotes of Gene Spafford (0)

Anonymous Coward | more than 5 years ago | (#29507021)

It should be remembered he is just about the biggest arsehole in the world, who gets in a huff quite a lot when dealing with hackers. Read up on 8lgm.

Easy... (0)

Anonymous Coward | more than 5 years ago | (#29507023)

Now he just needs to hack a bank ;)

On the other hand (1)

Vahokif (1292866) | more than 5 years ago | (#29507029)

People should be punished for opening a safe and snooping around classified information, no matter how badly the safe was designed. This could be mitigated by telling them he found a flaw, but as far as I know McKinnon did no such thing.

LOL (0)

Anonymous Coward | more than 5 years ago | (#29507039)

If anything, they should be thanking the guy for showing them the holes in their security. Then asking him to "plug" the holes. Not pay for them.

Setting a precedent (0, Offtopic)

gmuslera (3436) | more than 5 years ago | (#29507043)

Now we all owe millions to Microsoft

Somebody drain this weasel. (1)

Darth_brooks (180756) | more than 5 years ago | (#29507055)

I remember years ago debating the value of a login banner. Granted, having a message that says "for authorized use only" won't *deter* anyone, it does make this sort of legal weaseling more of a moot point. Instead of proving that he was intentionally out to cause damage, or that he wasn't just mindlessly poking around, they just would have had to prove he wasn't an authorized user.

By his lawyer's defense, having any open port exposed to the internet on any machine absolves the perp of responsibility.

"Your honor, my client was fully within his rights to use a 0-day exploit to gain access to a machine, ignore the login banner, place trojans on all machines within the subnet, order the backup catalog to long erase all backup tapes, drop all tables on all of the database servers, and change the company webserver to goatse. The ssh server was sitting wide open on an unregistered port! Why, the root account had simply been renamed to "dont-ever-use-me-ever-what-ever-no-never", and access required nothing more than a 4096-bit PSK and the knowledge of a 36 character password!"

Remote access to desktops directly connected to the interweb: probably not a good idea. Browsing said desktops when you're not an authorized user: illegal. Even if the plain text password is 12345.

I'm surprised... (1)

93 Escort Wagon (326346) | more than 5 years ago | (#29507135)

... but I think I actually agree with the majority of the posters here. Glad I was sitting down!

He should be held liable for his actions, and for the crimes he committed - that includes breaking into government computer systems and accessing classified information. But it does seem silly charging him with the costs incurred by the government when they worked on improving their security post-breach. Really, they should have done those "security checks" long before - and if the system had been competently administered, those tests WOULD have been run early on.

But, to reiterate, the fact that the system was incompetently administered does not excuse Mr. McKinnon from the crimes he did commit.

the punishment is not heavy enough (2, Funny)

bugs2squash (1132591) | more than 5 years ago | (#29507147)

He should pay to re-train the entire government technical staff.

Is it really that expensive? (2, Informative)

FreudianNightmare (1106709) | more than 5 years ago | (#29507197)

To have someone set some damn passwords? [guardian.co.uk] (10th Paragraph).

Contractors' rates != damages (1)

neiras (723124) | more than 5 years ago | (#29507225)

Q: If a burglar climbs through an open window that would cost the homeowner $700,000 to close, does he owe the homeowner $700,000?

A: Of course not.

How much would the US Government have had to spend to discover the security holes Mr. McKinnon exploited? While he shouldn't be paid that money, that theoretical number should count against any "damages" he caused.

It's probable that most of the "damages" being pinned on the guy are inflated government-contractor consulting rates, which (in this taxpayer's opinion) might be worthy of an extortion trial. The jokers probably closed a few firewall ports and went to the Riviera for a few months.

I'm exaggerating a little bit. I envy you, government contractors, in a dirty sort of way.
