"I am practically hung and quartered already" – Gary McKinnon, speaking in London on Wednesday as a UK judge decides he should be extradited to the US to face hacking charges
The unemployed North Londoner's predictions for his fate are morbid but his instincts are sound. If his appeal fails, it is unlikely he will find mercy abroad.
But while McKinnon knows what will happen to him, US authorities show no equivalent insight. Harsh injustice breeds righteous anger, and the world is full of hackers who will be only too eager to protest their disgust in practical and most unwelcome ways. Very few of them will be as easy to find as the hapless and harmless McKinnon, whose good nature amplifies his plight.
A good way to protect your critical national infrastructure is to reduce the number of people wishing to do it harm, not provide them with needless martyrs and motivation. Actions like this are akin to President Bush's "Bring it on!" brag to Iraqi insurgents in 2003, and may have equally infamous consequences.
Such considerations would matter less if the real lesson of McKinnon's activities had been learned: don't leave your system security in a mess.
McKinnon claims that in one system he found the local administrator's password was blank, which he found understandably "frightening". But we have no evidence that the authorities really took his actions seriously: where is the widespread reform, where the sackings and new blood, that would normally follow from a breach of this claimed magnitude?
While McKinnon clearly broke the law and deserves some kind of punishment as a result, the US doesn't have the best track record in handing out retribution proportional to the crime committed.
If extradited and convicted, McKinnon could be sentenced to up to 70 years in jail. That's a scarily long time -- perhaps not long enough for the US to realise that bad justice hurts those who deal it just as surely as those on the receiving end.
Talkback
My statement regarding today's events.
The verdict in the Gary Mckinnon extradition trial was really no shock
to me considering the political climate. Lets face it, this is not about
hacking or security this is about politics and money. Cynical? You bet I
am, having been through an almost identical situation, very similar
computer intrusions and similar motives - the only difference was I was
pre-terrorism mania where everything and everyone is a suspect.
Think about this, almost a decade ago machines belonging to the
military, navy, army etc were broken into and this was the proof
Congress needed to show that cyber terrorism existed. An unknown spy
running rings of computer hackers to steal secrets for foreign
governments. The fact that I was not a spy, and certainly not "possibly
the single biggest threat to world peace since Adolf Hitler" didn't
really make much of a difference to the fear machine that was put in
place selling the idea that cyber terrorism was a real threat.
Millions of dollars in budget increases, that is where the difference
occurred. If you take the threat to be real (which it certainly wasn't
back then and highly unlikely to exist today) then this raises
questions, namely;
1. Where have the mega budgetary increases actually been spent?
Education cannot be one of them, as if machines are left in a state of
'unpatched since install', with unpassworded points of entry - I cannot
see that the money has gone to the improvement of sysadmin skills or
awareness of the problems of being online.
If you compare the awareness by consumers of security threats, people
have seriously woken up to the fact that unprotected they are just
sitting ducks to the onslaught of manual and automated attacks.
Phishing, hacking, spam, bots, virii, worms - the majority of home users
now have firewalls, anti virus software, spyware checkers etc - all of
which have a much lower budget than the military. I suspect that as
governments, unlike corporate entities do not have shareholders to
answer to. They do not have to explain why their machines were offline
and money was lost, that in fact they can just blame budget instead of
actually being proactive and moving with the times.
2. If in this case as in mine, there were clearly many other hackers
with access to the same systems at the same time, why have they not been
prosecuted or even mentioned?
This seems to me to be more proof of my theory that so-called super
hackers are hauled in front of the courts when it is convenient for
their cases to be used for more proof of computer insecurity and the
need for greater budgetary increases..
3. Where are the administrators and their bosses in this case?
In this political climate, one of the dark looming threat from the bad
men all around us (as we are constantly reminded), to not secure
machines properly they have committed federal offences. It is surely not
good practice to have machines, sitting on the Internet, unfirewalled,
unpassworded containing alleged sensitive information - and most likely
a direct violation of their contract and training.
This is a sysadmins first job, to change any default passwords or to set
ones where they are not needed - and certainly ensure that those
machines are sitting behind a firewall. I am not trying to say that Gary
was attempting to test their security, but if this was a corporate
environment the sysadmin would have some major explaining to do.
4. Is the fact that the USA are fighting so hard for extradition a dig
at our legal system?
Gary has admitted his guilt and wants his trial to be in the UK, so why
can't he be tried here? Could this be to do with the fact that most
computer crime here (financial gain notwithstanding) is dealt with by
means of fines. Do the USA see us as a soft touch? This brings the idea
of two scenarios;
- Gary being tried by a jury of his peers. They hear the evidence and
consider the fac
Gary has admitted his guilt and wants his trial to be in the UK, so why
can't he be tried here? Could this be to do with the fact that most
computer crime here (financial gain notwithstanding) is dealt with by
means of fines. Do the USA see us as a soft touch? This brings the idea
of two scenarios;
- Gary being tried by a jury of his peers. They hear the evidence and
consider the fact that the machines were badly administrated and this is
taken into consideration when sentencing.
- Gary being tried in a foreign country by a jury that hears he has
'attacked their country' this is bound to have a bearing on the sentencing.
A possible 70 years in prison, for what exactly? showing that in a
decade the USA military have not learned, or at worst, blatantly ignored
the security threats around them when it is they who tell us every day
that we should be afraid.
In my case I was never debriefed by any of the authorities that I
hacked, never asking how I did what I did - never asking me to comment
on my peers or related community. Gary says he is guilty, why are we
going to punish this man further by sending him to a foreign jail which
is known for brutality against inmates:
[http://www.hrw.org/reports/2001/prison/report.html]
- where is the leniency for admission of guilt? Let this guy talk to
kids about how this trial has affected his life. Let this guy talk to
governments.. Let this guy talk and discuss and explain.. don't send him
to a punishment likely to be worse than he would receive in this country
for murder.
The extradition bill is being tested right in front of your eyes, it is
a blatant decline in our civil liberties and a worrying step forward for
our so-called democratic society.
Mathew 'Kuji' Bevan
www.kujimedia.com
I work for the Mod. In order to claim overtime, I am required to provide a login name and password for two sites. Hardly top secret stuff, but it would seem to be a damn sight more secure than the US military.
Furthermore, locking up Gary would, as the previous commentator stated, wave a red flag to other would-be hackers to have a go. If I was an insurgent in Iraq, I'd put down my gun and crank up my laptop.
Sacrificing a lamb to please the gods of the day is what governments did a few centuries ago. As well as burning to death anyone questioning the believes of the state.
As I understand it, the extradition arrangements with the US are not mutual and US does not have to prove it has a case, only make allegations.
The US should prove it's case in our courts and our courts should pass sentence, in our jails if a jail sentence is appropriate.
We read today that no way will the US close down Guantamo Bay!
Between the EU and the US, our citizens are loosing all the rights that they were used to, despite the EU legislation on Human Rights. We have never lived in a more restrictive age.
Perhaps Gary should appeal to the European Court of Human Rights, which should hold that he be tried and sentenced in his own country.
Gary McKinnon is not guilty of any hacking The internet was designed as an open access system right from the concept it was designed to share information. If the US government choose to connect secret systems to it unprotected by leaving default passwords they are actualy inviting access on an open system. However they also routinely burgle other peoples computers on a continuous 24 hr 7 day a week basis,also they illegaly tap telephone calls via the keyhole sattelite,and have installed an illegal backdoor access to every copy of windows operating system to allow themselves in they are far more guilty than Gary Mckinnon.see the following link
http://www.heise.de/tp/r4/artikel/5/5263/1.html
America should be seriously worried about the vindictive idiots that are about to enslave it.
If you leave your door unlocked its still a crime to trespass in someone house through 70 years seems a little silly