The U.S. Crackdown on Hackers Is Our New War on Drugs (wired.com)
204 points by adamnemecek on Jan 23, 2014 | 84 comments



This article makes an important point about the brokenness of CFAA sentencing, but it (or Wired's editors) do the point a disservice by making an absolutely hyperbolic claim.

The "War On Drugs" has imprisoned literally millions of people, and done so in a fashion that is both racist (minorities are far more likely to be imprisoned for a drug offense) and classist (wealthy defendants are unlikely to be imprisoned for casual offenses). Furthermore, persecution of drug users targets actions people take that cause debatable harm to society.

If[f] Keys, who is accused of deliberately enabling Anonymous to vandalize the front page of one of the largest newspapers in the world, is shown to have done the things spelled out in the warrant, then prosecutors will have shown that he:

* knowingly damaged the computer systems of Tribune Corporation

* actually caused 5 figures worth of damage

* did so by abusing a trusted position at Reuters

Keys, who as we can see has exceptional attorneys working on his case, is far more culpable for his actions than a large fraction of drug offenders.

It is indeed a very serious flaw in the CFAA that sentences can "scale with the iterator in your for loop" as your actions cause seemingly spectacular amounts of damage despite no change in your actual criminal intent.

But it's worth pointing out here that that flaw plays a minimal part in Keys' potential sentencing. The base level for CFAA crimes (like most larceny and fraud charges) is 6, which merits a 0-6 month sentence. The damage "accelerator" in Keys' charges adds 4 points to that level, bringing him to level 10, which is a 6-12 month sentence where conditional probation is allowed. The damage accelerators aren't what's ramping up Keys' sentence --- it's the combination of damage (at any level), cost to remediate, and abuse of his position of authority.

Here's Popehat with a fantastic post on how the sentencing guidelines actually work (I don't think they disagree with Keys' lawyer, except that Popehat goes into more detail later in the article on how sentences are reduced in practice) ---

http://www.popehat.com/2013/02/05/crime-whale-sushi-sentence...


The article goes off the rails with this sentence: "As a country and a criminal justice system, we’ve been down this road of excessive punishment before: with drugs."

There's no particularly strong connection between computer crimes and drug crimes. As you point out, the comparison is hyperbole, and ignores the deep racial, cultural, and class conflicts at the heart of the drug war. None of those things are really applicable to computer crimes.

Rather, the time Keys is facing is simply a symptom of the broader malaise of the justice system: felony enhancements are too quick to trigger, sentences are too long and the sentencing guidelines offer false precision while reducing necessary judicial discretion.

The article's comparison to California's vandalism law highlights the issue described above: "Under California law, physical vandalism – like spray painting graffiti on a building — can be punished as either a misdemeanor or a felony..." That part is true of the CFAA as well, which is also a misdemeanor unless committed in furtherance of another crime. And the trigger for felony vandalism in California isn't high--above $400 in property damage makes a felony charge available to the prosecutor, as well as a sentence of up to three years in prison. In other words, I don't think it's fair to say that Keys faces more time for his computer crime than if he had physically vandalized a building to the tune of five figures of damage.

Drug crimes are just in a whole different league. Possession with intent to distribute less than 100 grams of heroin can carry a sentence of up to 20 years, or up to 30 years on a second offense. Meanwhile, prison time for computer crimes is still relatively light, unless they are effectively some sort of fraud or theft: http://en.wikipedia.org/wiki/List_of_computer_criminals. Something like this is much more typical: http://www.washingtonpost.com/local/crime/aspiring-medical-s... (three months prison + 7 months of halfway house out of 10 months sought by the prosecution for hacking into AAMC computers with intent to cheat on the MCAT exam).


I've been idly working on an essay for... I don't know, 5 years now? about how computers and the Internet catalyze harm, by shielding people who cause harm from the impact of their action, and by making harmful actions practically indistinguishable from benign ones --- "click this button and 'like' someone on Facebook, click this other button and help DDoS someone whose politics you disagree with".

I have some sympathy for defendants who are blindsided by the impact of simple, trivial-seeming actions; things that just seem like pranks or political statements. But I'm also very familiar with the real damage these actions cause. I see the gap. I don't know how to resolve it. And I think it occurs all over the place, not just in computer intrusions but in things like mass file sharing, online trolling, defamation, revenge porn and sexting.

I don't have the right words yet for it, as you can see; I'll probably still be mulling it 5 years from now.

Anyways: the fix I'd want to see for the CFAA is the one that applies approximately the same consequence to pulling 10 accounts from an AT&T endpoint as it does for 100,000, and so keeps Auernheimer from facing a long custodial sentence for abusing an AT&T web service simply because he ran his script too long. From the way these things are prosecuted, constraining sentences also (a) makes it safer to push back on potentially unjust charges --- since you're most likely looking at probation anyways, and (b) might keep them out of court to begin with.

I don't know what you do about the guy who fed his admin credentials to Anonymous to help them deface a newspaper. That seems overtly criminal no matter what rules we come up with.


"I don't have the right words yet for it, as you can see; I'll probably still be mulling it 5 years from now."

I call it the Turing Chaos; intrinsic to computer science is that a single bit flip can completely and utterly change how a system works... and this is not a trivial observation, it is actually a deep and profound observation about the difference between the "cyber"world and the physical world that has pervasive and radical consequences at every level from the entirely ivory-tower theoretic out to how Grandma uses her computer (as you mention). Usually I've thought of this in the context of programming in general and trying to contain bugs against the overwhelming forces of chaos pressing in on us as we try to build systems of millions, billions, or trillions of bits; as programmers, we are exposed to some fairly raw mathematical chaos, in the "chaos theory" sense of the term, and in particular, the difficulty of fully predicting what a chaotic system will do in response to some stimulus. A great deal of software engineering is a desperate attempt to wall it away from ourselves and confine our intrinsically wild and wooly systems to just the behaviors that fit in our heads... but alas, we fight against a crafty foe that can find even one bit's worth of weakness and bring millions of dollars worth of systems down around our heads.

And that's before we consider human attackers.

One bit flipped can be the difference between an attacker walking off with the entire contents of your billing database, or getting a simple rejected request. One click can start a cascade of trillions of instructions terminating in your amazing computer becoming a spam delivery device that belongs to a guy 15,000 miles away. Every computer program stands balanced precisely on a small, small knife edge, with an n-dimensional abyss waiting on all sides to consume it, and hostile, intelligent forces anxious to give it a small, carefully calculated tip into their bit of it.

That probably doesn't work for the essay you're looking to write; my metaphor comes more from the software engineering side. But I think it's the same thing; the computer world is the math world, and it is a harsh, subtle, uncompromising place compared to the physical world, no matter how complicated the latter can be.


Great comment! I wonder if the younger generation doesn't appreciate this because they have grown up with computers all around? I've been writing software for nearly ~15 years now and computers still amaze me. Like you say how we try to fight against the overwhelming forces of chaos pressing in on us as we try to build systems, I am constantly amazed that the systems we build with increasing complexity work at all.


I don't see that as an internet thing, it's about long distance control, or remote control. It's the same thing when people say it's easy for politicians to send troops to war, or when a soldier controls a drone. They don't directly witness the outcome. The internet is just a more efficient, wider spread, easier to access example of it. Maybe also, it's the same sort of thing as common folk committing minor insurance fraud. They don't see a victim.

Often wondered.... If a website were set up which had just one button on the page, and message saying the following: "After 10 million unique hits, a nuclear missile will be launched at a random capital city" Then lots of genuinely convincing stuff about it being real, such that it was known to be for real. Also probably restrict it to adults, somehow. (No, I don't quite know how, but this is a thought experiment after all.) How long would it take to hit the 10M? Would anyone really click?

Anyway, it's clear to me that the more remote something is, the more people disassociate from it. The internet is just another example.


Web crawlers? People still figuring it's part of some game? Broken browsers? Nukerolling?

There is only one possible sane answer, and in this hypothetical it is quite pronounced - assume the Internet is full of malicious noise, and fully blame the person who hooked the missile up to a web page. Anything else is an exercise in responsibility laundering.


> assume the Internet is full of malicious noise

Spot on.

The noise doesn't even have to be composed of malicious people to be malicious itself; the potential barrier is very low here. In this case I can easily imagine one drunk /b/tard posting it on 4chan because "hey, it has nukes on it", and then someone else thinking "hey, it's on 4chan so it must be troll, lemme hook it up to my DDoS bot and see what happens".

Boom, gone a city of 30M, vanished in the flash of pure randomness.


> about how computers and the Internet catalyze harm, by shielding people who cause harm from the impact of their action

In general distance from a victim shields people from experiencing the impact of their actions. My late grandfather was an artillerist on the Soviet side in World War 2: he talked about how soldiers would vomit, fall ill, and cry after visibly killing enemy soldiers for the first time with short-range handheld arms (i.e., grenades, rifles, submachine guns, bayonets, or pistols). Yet, himself, when shelling remote positions with full understanding the shells -- in addition to killing much larger groups of enemy soldiers than bullets -- may have also killed civilians (which for most of the war generally meant Soviet or other allied civilians).

This isn't about moral rationalization -- obviously resisting Nazis and winning World War II was a good thing -- but emotional reaction. To get back on topic, what I think happens here isn't someone thinking that somehow committing one crime electronically vs. physically is less severe; it's that one's disgust with what they're doing is less, which makes various rationalizations (whether correct or incorrect) for one's actions easier to accept.

> I don't know what you do about the guy who fed his admin credentials to Anonymous to help them deface a newspaper.

I am trying to draw a comparison here with someone either letting an unauthorized person enter the printing rooms of a newspaper (and as a result something other than a newspaper was printed and delivered). Yet that isn't quite right: someone with physical access to printing room of a newspaper could have done even greater damage.

Another comparison could be with a newspaper boy agreeing to deliver a sarcastic parody of a paper in place of the actual paper. Yet that too isn't quite right, as it's far easier for the newspaper to recover promptly, and the damage is localized.

All of those things are hard to answer.


Just wait until someone tells a robot to go out and gather carbon compounds.



It's not in a human being's best interests to create something capable of undergoing an intelligence explosion. Of course, that won't prevent somebody from doing it.

It's better to control the technology you're using. Most robots will be either remotely controlled or designed to handle a specific domain. To create a potential competitor with an ever-evolving ability to compete is very dangerous.

But even drones will be very dangerous even when tightly controlled by someone malicious.

I'd say we have some interesting challenges ahead of us.


Yes, that also sounds scary.


Would this truly fit "real damage" in your opinion? Based on the outcome I'd project it doesn't - but the real question is do you feel the potential punishment is representative of the crime?

I'm guessing the actual monetary value assessed was some consultative analysis paid out to investigate the "breach", beyond that I find it hard to believe the actual cost to fix was more than three figures.


Of course it does. And if they paid forensic analysts to track down the breach, they got the deal of a lifetime; we don't do that kind of work, but of course work with other firms that do, and $15k is below table stakes for that kind of work. A high-profile forensics investigation can clear 50k easy.

And again, while cost accelerators on sentences are disquieting and a serious problem, they're not the fulcrum for Keys' outcome; it's the combination of cost, overtly damaging acts, and abuse of authority that combine to put Keys in Zone C. Put differently: had Keys not been a Reuters employee, he'd be eligible for probation. (He could still be, depending on what the prosecution does and doesn't manage to prove. Unlike drug defendants, Keys has excellent representation.)


Sideways-related question.

What if Tribune had a sister company in some other country (Australia) that did something completely unrelated. Sell children's toys or something.

An admin for the sister company gives up his credentials in order for Anonymous to deface the children's site. They instead use it to deface the Chicago Tribune.

The admin has no earthly clue that the systems are inter-related. In fact, they've been told that the systems are independent by design; anonymous found a very clever flaw.

Is he as guilty as your hypothetical Tribune admin who gave up his password to deface the Tribune?


As I understand it, he's guilty, but potentially not as guilty.

He's an accomplice if he understood the goals of Anonymous, gave them credentials to further their acts, but didn't map out with them exactly what they were going to do --- accomplice liability is for all intents and purposes liability.

On the other hand, if he casually gave them credentials because what the fuck who cares, and had no understanding that Anonymous might deface a website, he'd have lesser liability, or might not be liable for the defacement of the website while remaining liable for a reduced or lesser number of CFAA charges.


Got it. So it's sort of like the difference between "willingly and knowingly" giving away the credentials and "willingly" giving away the credentials.

The intent matters.


You're certainly right about the hyperbole of the title, but I think that the point of the article is to identify these kinds of oppressive judicial and law enforcement patterns while they are in their germination stages, before they begin affecting millions of people and severely threatening civil liberties.

In that sense, it seems like a good idea to be on the lookout for the next incarnation of the war on drugs/war on terror/red scare/etc. so we can do something about it before it gains momentum. Hyperbole may not be the best tactic to accomplish this, but I suppose it beats being ignored by everyone when you have an important point to make.


Yeah I would say once the "War on Hackers" begins to ruin people's lives on the order of 100,000s of people, now we're actually getting CLOSER to being similar to the War on Drugs.

But suggesting otherwise is analogous to stepping on an ant colony and calling that genocide.


Well, the point of the article is that prosecutors who prosecute 'hackers' are 'learning' from the drug war prosecutors and a culture of overpunishment is spreading. In that sense it is a 'new' war on drugs, but I wouldn't call it "the" new war on drugs; the only real problem with the article is the title.


The article does not make a good case for overpunishment for Keys.


point taken.


Unless they figure out how to use hackers to justify frisking random minorities for the crime of walking on the sidewalk, then this is not really the new War on Drugs.

The War on Drugs is a "solution" to a "problem" that white suburbia America, and their police departments, perceived. At the federal level it was driven by people attempting to protect their political interests by criminalizing the behavior they associated with groups that they felt threatened by.

Hacker Panic is working at a different level. I think that it would be more accurate to say that it is our new War on Terror.


The original claim is outlandish and devoid of any perspective, but comparing this to the "War on Terror" is just mind boggling. You do realize that there's a world outside the US where the "War on Terror" has had some pretty devastating effects.

Or was that a joke?


Oh fucking christ, I am not having the conversation in two places at once: https://news.ycombinator.com/item?id=7110399

My comparison between Hacker Panic to the War on Terror is not meant to imply that a few teenagers getting sent to prison for decades is equivalent in any respect to raining missiles down on wedding parties.

It is a statement about the motivation of the people driving it. It isn't motivated by fear of civil rights movements, or a desire to continue segregation under the radar. Rather it is about using irrational fear to facilitate power grabs and justify pointless expenditures (In the case of hackers: any government program that has the word "Cyber" in it. In the case of terrorists: damn near everything else).


Which teenagers in prison for decades were you referring to?


I did not have any specific case in mind, and undoubtedly you are now going to nitpick at me and tell me that there are no cases like that.

I meant it as a throw-away example of harm that could conceivably be caused by Hacker Panic to emphasize the absurd difference between the severity of Hacker Panic and the severity of the War on Terror.

Just to make you happy though, here, I'll fix it:

> "My comparison between Hacker Panic to the War on Terror is not meant to imply that a few teenagers being scolded by cops is equivalent in any respect to raining missiles down on wedding parties."


You said:

"My comparison between Hacker Panic to the War on Terror is not meant to imply that a few teenagers getting sent to prison for decades is equivalent in any respect to raining missiles down on wedding parties."

The observation that there may not be any teenagers that have spent a decade in custody, let alone several, is not a nitpick on that claim.

By way of comparison, Kevin Mitnick, a high-profile serial-offending adult about whom multiple books were written, spent 5 years in prison.


Here, I'll fix it:

> "My comparison between Hacker Panic to the War on Terror is not meant to imply that a few teenagers being scolded by cops is equivalent in any respect to raining missiles down on wedding parties."

This is entirely non-material to the point I am making. Frankly, if anything, it strengthens it. You are nitpicking.


The problem with the U.S. "War on Terror" is not that it is an irrational program that was trumped up to facilitate corruption.

The problem is that it is a program that was created rationally in response to a truly horrible set of terrorist attacks.

That is a problem because most U.S. citizens don't want to be corrupt. What they want is to serve a good cause, and be effective in doing so. The "War on Terror" gives them both. And that's a problem because it makes it much, much harder for people waging that "war" to perceive the tradeoffs they create, and the lines they cross.


The War on Terror is an irrational response. The attacks presented an existential threat to the country only so far as we overreacted to the threats. Even if we assume that invasions of countries were a justified and rational response, we still invaded the wrong countries. The fear of terrorism was itself irrational, 4k people is a rounding error in the grand scheme of things, but humans are awful at evaluating risk.


To see the War on Terror as chiefly about domestic power grabs and pointless expenditures is the prerogative of US tax payers and US citizens, but it's also a pretty narrow point of view.

If you're going to make coarse, meaningless comparisons and only after that narrowing it down with qualifications, I guess the original article was right. Hacker Panic is the new War on Drugs. Except for all the ways it is not, of course.


It's not just about domestic power, and even if it was, it would not affect the veracity of the comparison.

The War on Terror uses racism as a tool. The War on Drugs is waged because of racism. Racism was not simply a tool used by the War on Drugs, it was the reason for it in the first place.

Is the Hacker Panic created and driven by fear of hackers, or is fear of hackers merely a tool being used to achieve another goal? I am arguing it is the latter.

> "I guess the original article was right. Hacker Panic is the new War on Drugs. Except for all the ways it is not, of course."

I am saying that the War on Terror is a more apt and useful comparison if we want to answer any "why" questions. The comparison to the War on Drugs does not give us any useful insight.


May I ask you what exactly the War on Terror is "chiefly" about then? For example, perhaps you could tell us exactly what drove the war in Iraq, aside from corporate economic interests. And perhaps you could explain the explosive growth of our government's surveillance powers in terms that don't include "domestic power grab"?

Eagerly awaiting your thoughtful analysis.


The comparison is fairly skin deep:

* mandatory minimum sentences

* lopsided plea bargains (you can go to jail for anywhere between 18 months to 30 years, depending on whether you take the bargain)

* prosecutors pushing for convictions as a means of adding to their professional scorecard

* rampant fear and paranoia (marijuana is a gateway drug! command line interfaces are scary!)

* using that fear and paranoia to pass draconian (and oftentimes ineffective) legislation via door-in-the-face argument -- propose something obviously ridiculous, and when it's rejected then you propose something that's still overreaching but not enough to cause outrage

* using the above-said legislation to funnel public funds to our congress-critters' friends

Beyond that, the two are essentially incomparable.


Actually, the CFAA carries no mandatory minimum. The judge could, though it's unlikely, choose to completely ignore the sentencing guidelines (which are advisory) when sentencing for a CFAA offense. In contrast, many federal drug crimes have specific mandatory minimums which actually do tie the judge's hands when sentencing.[1]

And all the other attributes are true of practically every federal crime, not just drug crimes. The premise of this article is pretty terrible.

[1] List of federal crimes with mandatory minimums: http://famm.org/wp-content/uploads/2013/08/Chart-All-Fed-MMs...


Which of those attributes doesn't apply to pretty much every other federal crime?


Yeah, you're right. It's a bit of a shitty news article, but it's good at grabbing your attention.


so, you mean the comparison is apt in all the points of contact where it's an issue of law. There are fewer hackers than there are drug users, so the impact of the trend is going to be limited; but the point is that the drug war culture is fueling an expansion of legal abuse by prosecutors in other domains. I think this is an important point; and the only problem with the article, is the title.


Hacker crackdown been going on since the late 80s http://en.m.wikipedia.org/wiki/The_Hacker_Crackdown

I remember when I came home from school to find cops going through my room demanding to know where I kept my copy of the cellular hackers bible because I had told somebody on fidonet I had it and it was deemed forbidden knowledge


That's the first ebook I ever read. It's free online! http://www.mit.edu/hacker/hacker.html


Note that a lot of the work we do every day, in development or devops or normal administration, can probably be presented to a layperson as "hacking". Especially as we promote services which reduce the average person to a bunch of database records and take away their middle-class job and parade about in our buses and whatnot, we do not engender much love from the common person.

This is a great way of the .gov getting the tech sector back under control, and reminding it of its place. Be careful folks. :(


Written by one of weev’s lawyers. Weev, the absolute cyber-douche who threatened Kathy Sierra’s family and precipitated her years-long avoidance of Internet and speaking appearances. Who absolutely deserves punishment.

If the “crackdown on hackers” were remotely like the “war on drugs”, then should we suppose weev to be analogous to a mere user of crack cocaine who was racially targeted and unfairly handed an outsized jail sentence? No. weev is no victim.


Could someone please help me understand how can changing a headline on some websites cause five-figures damages?

Honest question, really. Every time I see articles about computer vandalism or hacking I see these big numbers and don't understand how they are calculated.


Straightforward.

* Employees of the company spend X number of days responding to the incident, and you take their fully loaded cost and divide it out by the number of days they spent having to deal with the incident, and that's a big number. Plus:

* If the site is disabled or degraded, you can often easily calculate outage costs based on the average volume of revenue the site generates during the outage period. Plus:

* In a high-profile incident, outside professionals will often need to come in, first because insurance and contracts require a full investigation, and second because once a site is compromised you have to assume there are backdoors that will restore access for the attackers in the future. The cost of an external forensics investigation can hit mid-5-figures by itself very easily. Plus:

* A high-profile incident is inevitably going to involve legal fees for the victim.

That's before you get into things like reputation damage, loss of clients/customers/advertisers, &c.

Like I said upthread, $10k-$20k damages for the defacement of one of the largest newspaper websites in the world sounds like a very low figure to me. I don't mean that in a normative sense. I mean, in the positive, descriptive sense, that sounds like less than what these incidents usually actually cost to their victims.


That makes some sense, but is a little out of keeping with what people expect in part because losses in many "physical" kinds of crimes aren't usually reported in an all-inclusive manner, but just report the direct damage. For example, if someone vandalizes (or steals) $20k of goods in a Wal-Mart warehouse, both Wal-Mart and the media will typically report that as $20k damage (or theft), rather than adding to the $20k the cost of the security response, lost business or increased overtime caused by supply-chain disruption, etc. Theft statutes that include thresholds for different classes of theft also usually refer only to the value of the stolen goods, not other losses caused by their theft (such as loss of business, cost of security response, or supply-chain disruption). You could justify including them, but it doesn't seem to be that common.


We might be talking about two different issues. If you steal $20k worth of PS4s from Best Buy and totally fuck up their January promo event, the $20k theft amount might be all that factors into your criminal sentence, but Best Buy can probably come after you civilly for the rest of it.


> "Employees of the company spend X number of days responding to the incident, and you take their fully loaded cost and divide it out by the number of days they spent having to deal with the incident, and that's a big number."

That should be discounted by the amount of time they spent getting their site up to basic good practices, if any. Otherwise it makes hacking the incompetent a greater crime than cracking in to a high-value hard target.


Damages are damages. If I throw a bowling ball into your garage late at night, is it "fair" that I have to pay more because you own a new Ferrari while the damages would be much less if you owned a 15 year old Honda?

Once you commit a tort, it's generally all on you.


Because fixing the problem isn't just a matter of changing the headline back to what it was supposed to read.

Someone entering your system, which is supposed to be secure, and changing the headline on your front page means that you'll (if you're sensible) then go and contract an external firm to perform a security audit and find out how the intruders got into your system, what needs to be done to fix it, and why your system had that particular vulnerability to begin with. All of which costs money.

Alternatively, you'll use your own staff to do the same - which isn't free either, since they're now not doing their normal jobs for the duration. If I'm paying you $120,000 to be my sysadmin and then need to pull you off your normal duties to investigate someone entering my systems for a month then that investigation has cost me $10,000. That I was going to be paying you that money anyway isn't really relevant - that was the cost of your time that was used on that investigation.


You probably can't simply use your own staff to do it; your contractual and insurance obligations will probably mandate that a reputable third party conduct the audit. That's not always the case, but in big cases it usually is.


Oh, absolutely. In my arena, finance, there's no way you'd use your own staff - it would go straight to external auditors who'd conduct the investigation or contract specialist firms to investigate. Of course, not always going to be the case for smaller companies and more minimal impact cases.


I can't comment for the specific headline case but quite frequently these are just made up numbers. Prosecutors make up whatever they can get away with...

Public companies are required to report damages over X but when you find their quarterlies after a hacking incident it lists damages < X.

See Sun & Kevin Mitnick. Either these companies are lying to the court, or they are lying to the SEC.


I don't know but I suspect it's probably in the clean up.

For example I've cleaned up websites with malware infections that ultimately failed to operate (they had errors in their implementation).

The infections thus caused zero direct damage. There was nothing on the front end that changed and no hidden phishing pages were operated, etc. However the infections nonetheless had to be cleaned up, the source of the infections found, modifications to the sites made (where possible) including increased protections and reporting mechanisms.

It's like losing your keys - locks might need changing, those locks might have multiple keys, etc., the locks might be secure facilities that need to be checked for incursions (e.g. inventories made) and such ...


If you read Underground by Julian Assange and Dreyfus you'll see a lot of these numbers are just pulled out of their asses. I remember one case went from 6-digit damages to 4-digit when the defendant stood up against it.


When we start locking up tens of thousands of people because someone Trojaned their computer and used it to run a LOIC node, maybe this could resonate. What makes the War on Drugs unique is that so many people are and have been locked up on felony charges for buying/possessing some type of substance that they willingly want to put in their own bodies.


> It’s time for the government to learn from its failed 20th century experiment over-punishing drugs and start making sensible decisions about high-tech punishment in the 21st century.

I'm not gonna hold my breath.


War on Privacy is the new War on Drugs.


> The U.S. Crackdown on Hackers Is Our New War on Drugs

No it's not.

Drug use is a personal choice where all actors are voluntary. (The 'war' bit then causes the damage we currently see to everyone)

Hacking has victims that don't want to be involved.

It might be a heavy handed approach currently but relating it to the war on drugs is insulting, millions die and are incarcerated because of that war.


This guy's an attorney and he compares a local/county crime (vandalism) to a federal crime (CFAA) and expects the sentencing to be the same? I'm speechless.

I'm not a hacker, but even I know pretty much anything having to do with any unauthorized access to someone's computer is a FEDERAL offense. Regardless of whether you were the person breaking into that computer or not. Even Keys should have known what he was doing was a crime.

It's the same defense people use when they're with someone in the commission of a crime. "I was only there, I didn't kill the guy, Jim did." which is not a viable defense. You're at the least an accessory to the crime, and at worst, helped in the commission of a crime like driving the getaway car, hiding evidence, etc.

The whole premise of the article is completely flawed.


Do you not think this sort of thing may be ultimately caused by the prison industry? They need more patrons!


And just like the War on Drugs, laws have been (CFAA) and will continue to be passed out of panic or cluelessness that will affect people for decades to come, unless we try to stop them today.


If this "War on Hackers" truly becomes an issue this could potentially be the most damaging war in the American economy.

Hackers are nothing like drug dealers. The same people that vandalize a few websites when they're teenagers and part of Anonymous could later become the founders of the next great company like Google.

By giving hackers overly harsh punishments the US government is hurting their potential to do good by unnecessarily exposing them to a world (prisons) where the likelihood of them doing more black-hat hacking is higher.


If the US government were the world's leading producer of drugs for sale everywhere the analogy would be more fitting.



There's a big difference between putting a substance into your own body and breaking into someone else's computer and taking their data. Personally I think the punishments for "hacking", the way the term is used in this article, are too light.


The prime failure of the criminalisation of drugs is that it defines someone who is smoking a joint as a criminal.

This scenario is closer to what happened to Robert Morris. Apparently the worm wasn't intended to be malicious, unlike the actions of Matthew Keys.


War on IP/copyright is the new war on drugs. Attacking hackers is merely a byproduct.


This doesn't go into the statistics but I'm sure light has yet to be shed on the ridiculousness of countless settled cases and state statute/pc violations based on the CFAA (502c in CA and others).


For early history of this watch Freedom Downtime http://www.freedomdowntime.com/


"Hackers" as a term is beginning to become too overridden to be useful.


It's not a new war on drugs, it's the same old war on critical thinking.


Not even nearly close from a fiscal standpoint.


The government gives harsher sentences to hackers than many rapists. This is because it is actually afraid of hackers. Hackers hold power that petty criminals do not. The sentences for hackers are completely ridiculous because they are created by fear.


The case you're thinking of where a hacker got a harsher sentence than a rapist is... what? Did one of those cases perhaps involve juveniles, and the other adults? The base offense level for rape in the federal sentencing guidelines is far higher than that for computer fraud.


> The government gives harsher sentences to hackers than many rapists. This is because it is actually afraid of hackers.

There's a simpler explanation for this. Hackers are getting harsher sentences because the crime is a more recent concept. The law prides itself on its trial-and-error approach to life.


Examples?


This guy got 5yrs for 2 rapes http://www.rawstory.com/rs/2013/11/21/ex-marine-serving-rape...

Gary McKinnon was looking at 70yrs. The guy who made credit card fraud sites and was busted in the carder.su op got 7yrs after pleading but was looking at life. Rape and hacking are impossible to compare though, because usually a rape happens once, whereas charges are stacked a mile high for computer fraud because nobody steals one login or card; they steal a db full of them, which means multiple charges. So technically rape on the federal books is a larger sentence compared to 1 charge of fraud or trespassing.


Gary McKinnon was not "looking at 70 years". If you are charged with 7 counts of the same offense, each carrying a possible 10 year sentence on the outside, you are absent other circumstances "looking at" 10 years. Like offenses often "group" under sentencing guidelines.† Under grouping rules, the damages for each charge might be summed to produce a single sentence.

But the 10 year claim is also suspect. These are federal CFAA charges. They have a base level for first-time offenders of 6 (0-6 months). The damage claims for each charge in the indictment were "more than $5,000", the lowest damage accelerator, which adds 2 points. (If all the charges were grouped for sentencing and the damages summed, they'd instead add 6 points) The fact that his targets were military adds another two; he's now somewhere between 10-14.

For a first-time offender, that's a possible probation-eligible sentence of 6-12 months, and no longer than 15-21 months, if his lawyers were able to do nothing else to secure leniency.

70 years is horseshit.

Here's a slide deck on the grouping guidelines: http://www.ussc.gov/Education_and_Training/Annual_National_T...


What does what they were "looking at" matter one bit? I don't understand why the 70 years he was "looking at" matters at all, if he wasn't sentenced to 70 years.


Because nobody goes to trial for computer fraud, not if the prosecutor is seeking 70 years, so you are forced to bargain for 12-20yrs, and yes, there is a real possibility you will get all that time if you don't plead.


Since there has never been a trial in US history where a prosecutor sought anything like 70 years for computer fraud, nor has there (I believe) been a CFAA case that plead out to 20 years, I don't think these are real possibilities.

Google: Popehat Whale Sushi.


I don't know why anyone here is even discussing it. They'll make the laws they want and they'll enforce the punishments they want. People's front pages are too economically viable to let reason into the courtroom.



