Toolkit

Story: McKinnon should be scared; so should America

• 
• 

My statement regarding today's events.

The verdict in the Gary Mckinnon extradition trial was really no shock
to me considering the political climate. Lets face it, this is not about
hacking or security this is about politics and money. Cynical? You bet I
am, having been through an almost identical situation, very similar
computer intrusions and similar motives - the only difference was I was
pre-terrorism mania where everything and everyone is a suspect.

Think about this, almost a decade ago machines belonging to the
military, navy, army etc were broken into and this was the proof
Congress needed to show that cyber terrorism existed. An unknown spy
running rings of computer hackers to steal secrets for foreign
governments. The fact that I was not a spy, and certainly not "possibly
the single biggest threat to world peace since Adolf Hitler" didn't
really make much of a difference to the fear machine that was put in
place selling the idea that cyber terrorism was a real threat.

Millions of dollars in budget increases, that is where the difference
occurred. If you take the threat to be real (which it certainly wasn't
back then and highly unlikely to exist today) then this raises
questions, namely;

1. Where have the mega budgetary increases actually been spent?

Education cannot be one of them, as if machines are left in a state of
'unpatched since install', with unpassworded points of entry - I cannot
see that the money has gone to the improvement of sysadmin skills or
awareness of the problems of being online.

If you compare the awareness by consumers of security threats, people
have seriously woken up to the fact that unprotected they are just
sitting ducks to the onslaught of manual and automated attacks.
Phishing, hacking, spam, bots, virii, worms - the majority of home users
now have firewalls, anti virus software, spyware checkers etc - all of
which have a much lower budget than the military. I suspect that as
governments, unlike corporate entities do not have shareholders to
answer to. They do not have to explain why their machines were offline
and money was lost, that in fact they can just blame budget instead of
actually being proactive and moving with the times.

2. If in this case as in mine, there were clearly many other hackers
with access to the same systems at the same time, why have they not been
prosecuted or even mentioned?

This seems to me to be more proof of my theory that so-called super
hackers are hauled in front of the courts when it is convenient for
their cases to be used for more proof of computer insecurity and the
need for greater budgetary increases..

3. Where are the administrators and their bosses in this case?

In this political climate, one of the dark looming threat from the bad
men all around us (as we are constantly reminded), to not secure
machines properly they have committed federal offences. It is surely not
good practice to have machines, sitting on the Internet, unfirewalled,
unpassworded containing alleged sensitive information - and most likely
a direct violation of their contract and training.
This is a sysadmins first job, to change any default passwords or to set
ones where they are not needed - and certainly ensure that those
machines are sitting behind a firewall. I am not trying to say that Gary
was attempting to test their security, but if this was a corporate
environment the sysadmin would have some major explaining to do.

4. Is the fact that the USA are fighting so hard for extradition a dig
at our legal system?

Gary has admitted his guilt and wants his trial to be in the UK, so why
can't he be tried here? Could this be to do with the fact that most
computer crime here (financial gain notwithstanding) is dealt with by
means of fines. Do the USA see us as a soft touch? This brings the idea
of two scenarios;

- Gary being tried by a jury of his peers. They hear the evidence and
consider the fac

• 
• 

• 
• 
• 

Full Talkback thread