Sophos Cloud Optix
Whenever talk turns to prison time for cybercrime, the fur of public opinion starts to fly.
Back in 2005, for example, a youthful Andrew Harvey and Jordan Bradley of self-styled UK cybercrime gang Thr34t Krew were sentenced for offences related to malware.
They received six months and three months respectively.
We conducted a survey in which 86% of our respondents felt they should have been dealt with more harshly.
On the other side of the Atlantic, in 2006, 21-year old Jeanson James Ancheta was sentenced for running a botnet of 400,000 PCs. He got 57 months (almost five years); 60% of people we surveyed thought he should have got more.
Take the malware out of the loop, though, and opinions on the punishment of cybercrime, and even what constitutes cybercrime, seem to soften.
Infamous UK hacker Gary McKinnon fought tooth and nail for ten years to evade extradition to the US, even after admitting he broke into computers belonging to NASA and the US Department of Defense.
In 2006, only 48% of our respondents thought he should be sent for trial in the US.
By 2009, that ratio dropped had dramatically, with just 29% saying he ought to face the music, even though his guilt was not in doubt.
Celebrity muso Sting went so far as to say that McKinnon’s plight was “a travesty of human rights,” despite McKinnon having admitted the charges on which he faced prosecution.
In the end, McKinnon got the outcome he wanted and was let off scot-free (if you ignore the ten years of fear, uncertainty and legal expense he put himself through to stay clear of the US). He won’t be extradited and he won’t be charged in the UK.
Not all crooks are that fortunate.
We wrote about the hapless Kariem McFarlin last year, a criminal who might have kept further ahead of the law if he had been a bit more cybersavvy.
He’s the chap who lost his job, began to run out of money and decided to start helping himself to other people’s stuff from unoccupied houses around San Francisco.
One burglary job saw him pinching goods from an apparently-empty house belonging to the widow of the late Steve Jobs. This haul famously included a wallet loaded with Jobs’s official annual salary: $1.
McFarlin also made off with the Jobsian iPad (a full-sized model, naturally, not one of those new-fangled minis). Sadly for our crook, call-home tracking software on the device dobbed him in to the cops as soon as he turned it on.
McFarlin pleaded guilty, under an agreement limiting his maximum sentence to about half of the sixteen-year stretch he might theoretically have got if he’d fought the case and lost.
Earlier this week, he found out his tariff, which saw him put away for seven years. Apparently he’ll get out after half of that time if he doesn’t misbehave while he’s inside.
(He didn’t steal just from Laurene Powell Jobs’s house. He was nicked for a series of burglaries across the greater San Francisco area.)
So, to those who say that cybercriminals get hard done by, with “real” crooks often getting lower sentences for “real-world” crimes, McFarlin could be considered an exception that disproves your rule.
What do you think?
Five years for a botnet of 400,000 PCs, used to make money through unauthorised software installs, and by renting it out to other crooks to use as they pleased. Seven years for stealing from numerous houses, including $60,000 of gear from Chez Jobs. (Those goods were returned.)
Are these fair sentences? Should cybercrimes attract the same sort of penalties as physically-present offences?
Have your say in the comments…
Gary McKinnon's case I feel (as 1 of those that said he should not be extradited) is entirely different. That's why he got so much support. He didn't steal anything, he looked. He didn't post anything he found like other hacktivists, he looked. He didn't break into anyone's house, he looked. He didn't damaged anyone's PC (The US charges of damages sound highly trumped up), he looked.
Gary McKinnon to me, and I admit I dislike hackers, malware writers and the likes and much as any one else… but Gary McKinnon came across like this analogy…
Shops have windows, they are at the front and are meant to be looked at.. bit like a public website. Most people look in the front shop window. Gary McKinnon nipped round the back and looked through the letter box at stuff the shop didn't mean for the customer to see. That's my analogy.
If someone nips round the back and has a look at other stuff does that seam fair to be harrassed for 10 years? He didn't steal anything, or have the intention of causing mass computer problems, or sell stolen identities. He looked at thing he perhaps shouldn't have.
It’s probably fairer to say that McKinnon nipped round the back, stuck a coat hanger through the letter box, opened up the door and wandered around the shop, the office inside the shop, riffled through the filing cabinets, fiddled around on the PCs, poked through the stock in the storeroom…and did it not just for one shop but for a whole row of them.
It’s also possible to argue that what happened to him over the past ten years can’t really be considered harrassment as some kind of “innocent abroad”. He’d already admitted to breaking the law; he used those ten years to mount an extensive series of legal appeals to avoid going to prison. (I’m not offering an opinion on whether he ought to have been extradited, or even been sent to prison if he had been. Just saying that there are facts from before his many appeals that are often ignored in any discussion of his case.)
As for how stiff his penalty might have been if, like McFarlin, he’d faced the music and pleaded guilty…IIRC McKinnon was offered a deal in 2002/2003 under which he’d have served about two years in prison, with roughly 6 months in the US and the rest in the UK. McFarlin, assuming good behaviour, can expect to serve 3.5 years.
Firstly, analogies like this are useless.
Computer-security software vendors love using the 'breaking into your house' analogy, because it instills fear and they want you to buy their product to feel safe.
Ask a group of people (ask yourself) what would be worse, someone breaking into your house or someone looking at the files on your PC ?
Also, McKinnon did 'face the music and plead guilty'. He admitted all the intrusions in full and frank interviews with the police from day one.
As far as the 'deal' he was offered, he accepted it and said 'where do i sign', to which the reply was that there would be no written agreement and no guarantee that the 'deal' would progress as promised.
Who in their right mind would accept a 'deal' like that ?
Coupled with Ed Gibson saying "we want to see him fry", the US disctrict attorney declaring him guilty on TV, and the Crown Prosecution Service saying that the US evidence of damage amounted to 'nothing more than hearsay', anyone who's powers of logic are working reasonably well would probably say he took the right course of action in exercising his right as a UK citizen and going for appeal after appeal.
I think it's handy to have some facts at hand when commenting on these articles.
The article says :
"even though his guilt was not in doubt.", he always denied the damage, for which it turned out there was no evidence.
"despite McKinnon having admitted the charges on which he faced prosecution." he always denied the damage, for which it turned out there was no evidence.
" ten years of fear, uncertainty and legal expense he put himself through" the DoJ and the Home Office put him through this, don't forget, he was only fighting extradition because of the alleged damage, which we now know didn't occur, not because of unauthorised access, which wouldn't have constituted an extraditable offence since it doesn't carry a 1-year prison sentence in both countries.
This is a very shallow and emotive article and doesn't constitute journalism, IMHO.
If someone breaks into my house but takes nothing – I still think there are damages. I now no longer feel safe in my house – I may change all the locks and install a security system to help me feel once again secure.
If Joe hacks a credit card company but just "looks around" – don't they still have repair what let Joe in, replace cards, provide watches for fraud, send out notifications, possibly face damage to their brand, etc? And wouldn't Joe, as the cause of all that, still be responsible for his actions? I believe so, and I believe he should be held accountable for those actions as well.
I'm not saying there were damages beyond the embarassment and the need to CYA. But there may have been a lot of changes to 'fix' the issues and become more secure. Could the damages have been trumped up? Sure… to me, that's just like people asking $$$ for pain and suffering. It's something that doesn't always have a clear cut value to – but there is damage done and there are new costs incurred as a result. Bottom line – he shouldn't have been there and it's the being there without the authorization that's the problem…
…….I think the level of attack he got was more based on NASA and the US Govt worried what they think he saw more than what he 'ACTUALLY' saw. The biggest issue is with virtually a mouse driven dial up modem and Babbge's Difference Engine he managed to get in, for so long, so easily. If I worked for NASA I'd have enployed him for a while to show me where the holes in my security were. Massive embarrassment to huge organisations, lets find a scapegoat and deflect the public's attention… a.ka. operation Gary McKinnon
The others noted. These people set out to make money, cause normal people and big businesses computer issues, have posted ordinary peoples stolen information on websites makimg ID theft a bigger issue and more. If they get sent down for years, harsh to say it, but gooood. There sentences actually seam to find the crime. Gary McKinnon, worse case for him should have been slap on the wrists and told to stop snooping, best case scenario..get him to show where security was slack and go fix it.
Seven years? I've seen people convicted of manslaughter get less time.
The penalty should not be based on whether it was perpetrated in the "real world" or using computers, but in proportion to the amount of damage done.
This whole argument about whether there should be more or less punishment completely misses the mark. Punishment satisfies an emotional need for revenge, but it has little or nothing to do with justice. It might provide a deterrent to…well, those for whom such an example actually does deter them from criminal behavior. But obviously it doesn't deter everyone, as the overflowing prison system clearly demonstrates.
Consider this: In the U.S., over half of the males and nearly half of the females who have been imprisoned end up in prison again. So much for punishment by imprisonment as a deterrent.
First and foremost, actual justice should require those who commit crimes of theft or other tangible property interference to make amends via restitution to their victims. Without that, all talk of "justice" is just noise.
If those who commit such crimes as those mentioned in the article knew that they would be on the hook for making good on the losses they cause if they got nabbed—instead of getting room and board behind bars at taxpayers' expense—the deterrent effect would be far greater.
Undoing the damage (to the extent possible) at the criminal's expense is a much closer approximation to real justice. Arguments over punishment are useless for that purpose.