Gary McKinnon, the British hacker facing extradition over allegations he broke into US Military and NASA sites, has earned the right to take his case to the House of Lords. The law Lords agreed to hear arguments that US authorities acted in an "oppressive" and "arbitrary" manner during plea bargaining negotiations, for example …
Is it really going to help.
Maybe I am in the minority on this one, but here goes. So G. McKinnon has got an appeal. The former sys-admin broke into US military & NASA networks looking for evidence of UFOs and did some damage. What was the guy expecting, a WHSmiths book voucher? Ignorance / downright stupidity is not a defence against any crime. I’m sorry, but on this one that guy should go to jail in the states and for a reasonable stint.
Maybe a prison sentence would stop others (script kiddies included) from doing in equally stupid things. Look at it this way, if a UK citizen broke in an MOD system and did some damage / affected the performance of any defence system however minor there would a jail term involved. So in this case we should let him off with a slap on the hand and send him to stand in the corner. I think not!
Why in the United States?
I agree that McKinnon should be tried for his crime, but what makes you say that this should take place in the United States? This sets a very dangerous precedent. McKinnon committed this offence in the UK:
Consider someone looking at a website that is perfectly legal within the United Kingdom, but hosted within, oh, Saudi Arabia. Would you be calling for this person to be extradited?
It's a long standing principle of law that you break the law in the jurisdiction where you the physical person are located, not where you are operating as a remote agent, whether that's by giving instructions over the phone or on a PC.
We are a sovereign nation, and mr McKinnon is, for all his criminality, a UK citizen who deserves due process under OUR law, not thrown to the wolves in a foreign country. He stands absolutely zero chance of a fair trial in a US kangaroo court.
these extraditions set worrying precedents
These extraditions are very concerning for anyone who does business with the United States whether that be on a formal or informal basis. Leaving McKinnon aside for a minute, you could be extradited on the basis of fairly flimsy evidence to a country where not too long ago a primary school supply teacher was jailed for 40 years essentially because a pc in her classroom got infected with spyware which popped up porn pics. It took a large number of reasonably IT-literate people to campaign on her behalf before her case was considered for review. And we want to send citizens there for trial? What if they suddenly come up with reasons that ordinary business people from the UK have apparently broken their laws in some way - do we just cart them off to Heathrow and stick em on a plane?
Secondly it is deeply insulting that the authorities in the USA do not consider our criminal justice system to be rigorous or meticulous enough to try what they consider to be major crimes across borders. McKinnon committed a crime in Britain, under British law, he should be tried and punished here. That is what it means to be a sovereign state. Until American fighter pilots can be extradited here for killing British troops (even by mistake) there is hardly an argument that we should be extraditing idiot hackers over there.
Gary shouldn't be Tried in the US or UK
A prison sentence won't stop others. As a hacker, information should be free for all; it’s about having the ability that not many people possess to be able to access information that is kept from us, i.e. government, police etc.
Information is Power. With power the ability to control the masses.
I see no problem at all as long as his actions weren’t malicious.
Why do we not have a system in place so that white or grey hat hackers can explore public systems and report flaws without being screwed by the courts every time?
If he was trying to Crash the US military and NASA systems, fair enough send him to the USA. No doubt they will start claim that he crashed loads of computers.
Come on, scanning for blank passwords, Have the US and NASA not got some sort of Password Policy to protect from things like this? It’s pretty low level on a supposedly high level system.
Ok he got into a US military System and NASA; if the information is so important why keep the computers connected to the internet?
Why not have an internal Intranet for the US Government to prevent hack, after hack, after hack etc
The damage costs, is really the time it's going to take to fix an insecure system that was vastly insecure in the first place.
Back to Money and justifying the expenditure!
The US military and NASA have been caught with there “Pants” down.
This is most probably the head of network security for the US military or NASA not doing his or there job properly.
The question I would be asking is how he did this so easily if these systems are meant to be secure.
If he can do it surly this means spy’s, terrorists and Black hats are in the system as we speak.
Remember Gary is one guy in his bedroom doing this, not an organized group.
Free Gary ! And give him a job in the UK !
US kangaroo court
What I am more interest in the fact that the gentlemen in question is guilty. Extradition for minor crimes I disagree with, but this is not a minor case. McKinnon broke into a US DOD computer network and modified it. This is not some fraudster or the head of an online gambling website. This is a person who thought it would be a really clever idea to stir up a hornets nest rather than leaving well alone. He may have been doing something remotely, but at what point does that definition stop. You or I are not directly wired into a PC, we use an interface / level of abstraction. You could be using a thin client to access the web, I don’t know. Would that be classed as remote access? In this case the interface spanned an international boundary.
There is a huge grey area in this case which hopefully the house of lord will navigate and define a precedent for future cases. I don’t want the UK to continue slipping down the slope towards becoming the USA’s loyal terrier. Neither do I want people thinking that they can get off scott free!
Fascist rule ?
"The former sys-admin broke into US military & NASA networks looking for evidence of UFOs and did some damage. What was the guy expecting,.."
He told you what he was expecting and what damage did he do, other than only to alert DoD sys-admin to gaping holes in their programs and have them look like the amateurs which they surely must have been in the cyber security field.
And if it cost $700, 000 to fix it then they got a bargain/or were ripped off because obviously Gary could have told them exactly what was at fault.
Just admit it, the security was not up to standard and now you wanna punish Intelligence for showing it to you. Stroll on, buster. In CyberSpace, you have no jurisdiction over Intelligence, although that is what this is all about isn't it...... trying to set a precedent to intimate Inquiry for free Reign.
It aint gonna happen, so long as pussy is a cat, as we all like to know what is going on whenever we are all paying for everything which is going on. And you can be sure that as Intelligence grows, and it is growing exponentially in some quarters, to hide something will be indicative of something more than just unpleasant hiding for it probably has always meant that it has also been designed to be capable of evil.
I would agree with your first comment though ..."Maybe I am in the minority on this one,..."
The crime was commited in the United States, even if the hacker was sitting in Britain. Long term principles can be changed to suit current conditions. If we don't think we can trust US justice then we should cancel our extradition treaty - personally I don't think that's appropriate but I'm happy to have that discussion.
The analogy to Saudi Arabian websites is spurious - in that case the Saudi authorities could, would and should prosecute the web site host, not foreigners who visit the site.
Are we serious about fighting IT crime? Or are we more concerned that the criminals are treated gently?
Location, Location, Location
It's a long standing principle of law that you break the law in the jurisdiction where you the physical person are located....
I think that would also exonerate the Natwest Three.
Still, at least it saves the US doing some extraordingary rendition!....
as a citizen of a sovereign nation, he should absolutely stay right where he is, in the UK. if he accessed a server in Saudi Arabia by using a default password that someone didn't bother to change, would it be reasonable to extradite him to SA, considering their human rights record?
speaking of human rights, US practices haven't exactly been warm and fuzzy lately. they're not as bad as SA, but they're not good, either (Gitmo and secret prisons abroad, anyone?).
as for the crime itself, it can be argued that:
 if the server has a default password, that server is not secured. it is open to the public, especially if it is accessible through the firewall, because there is no circumvention or hacking required to access it. this puts the responsibility on the server admin, where it belongs, and doesn't turn some poor curious schmuck (yes, Gary, i'm looking at you) into a criminal.
 US organizations, and especially the government, have a habit of wildly exaggerating the damage caused by hacking, so as to pressure someone into a plea bargain. this saves the trouble and risk of going to court, where a judge or jury may decide that the plaintiff is making absurd, unsubstantiated claims, and dismiss the case.
access does not usually constitute damage, unless the accessed information was confidential and the organization was materially harmed by the dissemination of this information. if Gary altered things while he was in those systems, he may be out of luck on this defense; however, $700K of damage is a substantial number, and they should provide some proof to support that figure.
if incompetent US government employees or contractors are trying to cover their backsides with Gary's conviction, i think the names of these persons or companies should be given wide publicity, to discourage future stupidity.
default passwords went out of fashion in the early 90's. a default password on a US government server (and especially military servers) is like a man wearing bell bottoms and a daishiki at a black-tie event. the admins responsible should be held accountable for this breach. throwing the book at a script kiddie (Gary is one by his own admission) will accomplish nothing.
so if i hire some in the UK by phone to kill some in the UK I should be tried in what ever country I made that phone call in right?? Or would you Brits be pissed off that I was not being tried in the UK.
Who, what and where
From what I hear he just used scripts to get into the systems, not really a cracker at all.
In fact I think the exploits where as simple as the unicode directory transversal on IIS.
That’s just embarrassing.
Therefore the damage in costs the DoD are stating were only the cost of securing the systems, which they should have done in the first place. This means the actual damage done was as near to nothing as makes no difference for an organisation like DoD. I would even think they even added costs of securing systems he didn't even touch.
When securing a system it’s no different from cleaning up after an intrusion, you have to audit your systems when securing them anyway to make sure you haven't already been compromised with backdoors etc.
So, while I agree that he should face some sort of trial, having that trail in the US where he is just going to get bounce straight into a jail for a long time for the crime of embarrassing the DoD, is just not right.
Have the trail over here; let the DoD witnesses come over here to prove what they say and then we can decide who is guilty and of what crimes.
Pots and kettles
The criterion I would apply is to consider the reverse situation. Would the US allow the UK to extradite one of their citizens on a similar charge? I rest my case...
"I'm a bumbler"?
So he says he's a "bumbler" and not a real criminal. So I say I didn't really know how to handle a gun and it "just went off" and killed someone.
If you walked up to a house, tried the door knob and the door was unlocked, would it be legal for you to go inside and rummage around?
Would the US extradite to the UK? Well, they have.
As far as making extraordinary demands, consider what the French did before extraditing a convicted murderer back to the US. Ira Einhorn. I knew his victim and dated her sister, Meg.
He deserves a medal
Do some research. It appears many of his alleged crimes did not even require a password. Hewas simply presented with a warning screen about authorsed access - a bit like those footnotes on emails really p who wouldn't read them?
Let's face it, the guy did them a real favour by highlighting their Mickey-Mouse to non-existent security. I bet they can't be hacked into now - thanks largely to Garry McKinnon.
What a lot of people are forgetting is ...
It is customary to offer evidence to support an extradition, and that is the case with other countries. Here we have a situation where the US says "we'd like this person" and the UK authorities simply offer them up with no questions asked. Any other country would have to offer evidence (as in admissible in court evidence, not some vague "we think" anecdotal evidence), but for our 'special friends' we are expected to trust them when they go no further than "we have evidence but we aren't going to tell you what it is" ! The ONLY reason we think it is a major crime that's been committed is because the US tells us so - they have not actually put forward any evidence (and I doubt if they ever would).
And since the US won't consider any request for extradition of their citizens (with or without evidence), I think we should tell them where to go !
Lotfi Raissi, anyone?
Remember him? The alleged terrorist that the US tried to extradite - and failed?
The US simply lied, made stories about the poor git. Now, his life's destroyed and so's his family's. Only thanks to Justice Timothy Workman, this guy is not in Guatamano.
Who can trust that lying scum in the "free world". 9/11 was a miss. Better luck next time.
<< If we don't think we can trust US justice then we should cancel our extradition treaty >>
Don't think the US have ratified it. However, the US's puppy (UK) signed it in a New York Minute.
View from a US citizen
McKinnon should be tried in the UK, and, if found guilty, should serve his sentence in the UK.
For at least the past seven years, the US has a human rights record somewehre between that of Communist China and Darfur. I don't trust my own Government to follow the law when US citizens are involved - why would anyone trust them when a non-citizen is accused?
Besides, if McKinnon goes to jail, someone's tax money will be supporting his jail term. Economically, it makes no sense for the US to throw more money down the rathole.
@Free Gary Cheerleaders
McKinnon, bumbling tosser though he may be, lame skript kiddie that he most certainly is, may not have had to go to a great deal of effort to penetrate DoD systems.
But he *did* do it, and has admitted it.
Get that ? He committed a crime, and admits doing so.
Commit crime + caught/fess up = Jail time.
So for gods sake, put down that copy of the Gospel of St Levy, switch off that 'Hackers' DVD and start to interface with the real world a bit. Information does *NOT* want to be free, It never did, never will. Curiosity might not be a crime, but unauthorised entry into a computer system is a breach of (at least) Section 1 of the Computer Misuse Act. End of story.
I've said it endlessley to 'hackers' of my acquaintance, but it bears repeating. If you can't do the time, don't do the crime.
McKinnon pretty much deserves what ever he gets, quite seperate to any issues of the UK, once again, spinelessly bending over and taking it up the Gary Glitter from Uncle Sam.
I mean, seriously, WTF did he think was going to hapen ?
Lots to be said here about McKinnon's guilt and the appropriate punishment. However, what's not said - much - is the unfortunate fact that he's a citizen of a country that has an appalling record on treaties. Specifically, the UK-US Extradition treaty signed by David Blunkett and Tom Ashcroft.
That treaty removes requirements for the US to provide prima facie evidence of a crime when requesting extradition to the US but maintains the requirement on the UK to provide probable cause evidence when requesting extradition from the US.
In other words, if the US wants someone who's currently in Britain, all it need do is provide "a statement of facts of the offence". Put another way - allegations. The UK, on the other hand, has to stick to the old requirement of providing evidence to the standard of a 'reasonable' demonstration of guilt.
If you have to throw stones at anyone for this, start with your own - apparently - spineless politicians, not the country that won the better deal.
**1] if the server has a default password, that server is not secured. it is open to the public, especially if it is accessible through the firewall, because there is no circumvention or hacking required to access it. this puts the responsibility on the server admin, where it belongs, and doesn't turn some poor curious schmuck (yes, Gary, i'm looking at you) into a criminal**
So if you forget to lock the front door, I can walk in and look around?
A short time ago, I finished reading "the cookoo's egg" (for the umpteenth time), & as I was going through the comments a thought struck me. The hackers breaking into the milnet where tried in Germany, surely this sets a precident?
(I'll refrain from saying that the lessons of the cookoo's egg appear not to have been learnt by some sysadmins! :) )
re: Fascist rule ?
Hackers should be allowed to rummage around government systems as they please just because they want to? Even if you could convince me of this line of bullshit - how can you consider the military networks of a foreign government public domain?
The reason we have laws in place to stop dicks from sticking their noses in where they're not wanted is because more often than not the information stored on these systems is the personal information, often financial in nature, of everyday people. Veterans don't want spoilt brat dickheads leafing through their personal information.
Child support victims and beneficiaries don't want spoilt brat dickheads leafing through their personal and private information. Patients don't want it, nor to people with spent convictions or people claiming benefits or any of other of the huge number of ordinary citizens that have their private information stored on government networks.
The bullshit that you want to do it as some sort of public service is just that - bullshit. It's not yours to invade - if the system admins wanted security researchers in to find vulnerabilities they'd invite them.
As for whether this guy should be extradited - there was evidence, he made a full confession. His excuse is just that, an excuse - it may be relevant at sentencing as a mitigating factor, but that's all.
I don't care if he goes to jail, pays a fine or does community service. I do care that the US expects too much in return for too little, and I would find it pleasing if the UK shoved this back in their faces. It won't happen though. We'll continue to take it up the arse until we elect some politicians with a backbone.
So yes I have sympathy for his situation - but I don't have sympathy for the apparent legion of pricks that think it's okay to break into private networks just because they want to.
You mean like all those IRA terrorists hired by Irish Americans to murder Brits? Oh I understand now, IRA terrorists GOOD, nosey sys-admin EVIL.
Nobody seems to be suggesting the McKinnon had any intention to cause damage.
HOWEVER, had this been a serious attack from an unfriendly nation, the US would have no authority over the attacker, and would have to bow to the authority of the foreign legal process.
It seems to me that McKinnon is an easy target, and despite thet fact the he had no malicious intent, the opportunity for US.MIL to finally catch SOMEBODY and try them in a US court is too much to resist. Even though he isn't a terrorist, treaties supposedly intended to fight terrorists are being used to extradite him.
Next time a government tells you that their new anti terrorism legislation is there to protect you, and that it will never be abused, you'll know what to expect.
Remind me again what the benefits of this "special relationship" are?
US wants what it has not got
1) $700,000 = standard prosecutorial procedure
Because, in the US, the nature of the "punishment" is tied to the "costs" involved with the crime, either for repairing damage or lost as a result of the crime, American prosecutors ALWAYS inflate the monetary amount. As such, $700k reflects 35 sysadmins spending one week (40 hours) changing all the passwords (that they know about) and cleaning out rootkits at the going Federal sysadmin salary of US$500 per hour. Of course, those same sysadmins only see somewhere around US$80 per hour in their paychecks, but that doesn't matter ... the gov't believes that they SHOULD be making $500/hour, they just don't have it in the budget.
2) Extradition request is bullshit
McKinnon sits IN THE UK, and commits a crime by accessing computers in the US. Ergo, he is committing a crime IN THE UK. Can anybody actually believe that he committed the crime in the United States? The United States doesn't think so.
Let's take as an example another high-visibility computer-related crime: Online gambling. If a person sits IN THE USA and "illegally" "accesses" an online gambling site whose server is located in the Maldives, he is committing the crime IN THE USA. Otherwise, the offshore court systems (Togo, Maylasia, the Maldives, etc.) would be overwhelmed with processing all of our "criminals". What if the individual sat IN THE MALDIVES and accessed those same sites? Not illegal, no crime.
Just because the UK and the US have similar anti-hacking statutes in place does not mean that the crime was committed in the US, nor that the US has anything other than a civil action against McKinnon. They can feel free to sue him for the $700k, but it's up to the UK to criminally prosecute him, if in fact the UK believes that a crime has been committed (which I guess it does).
Any way you slice it, this is an example of the US occupying the bully pulpit at the expense of common sense.
Location of a server is irrelevant
Online gambling in the US is currently illegal, however you can host a server in the US and gamble in the UK on that server with no legal issue.
Major oil corporations have their Servers located all over the world, if you broke into these would you be tried in the country the server is located in ?
Some servers like Akamai for example have multiple servers clustered across the world for redundancy, would it be a lucky dip which one you get ?
Even Google.... how would you know where the server is geographically located ?
OH NOES .. I hit Iraq ... Hanging for me then :((
I believe they would have to follow due process through the courts in that country where the offense was committed from.
Just like this guy:
Has McKinnon committed a crime? Yes, even by his own admission. So I would have thought it reasonable to expect for him to be punished - whether this is in the UK or US is not important to me.
What is important is that there seems to be a collection of criminals that are getting off scot-free - namely the admins of the systems that he script-kiddied into. I'm a sysadmin myself and if I left a publically reachable system as open as these ones seem to have been then I'd expect to be disciplined/fired and probably prosecuted for professional negligence.
So here's a compromise: McKinnon stands trial in either UK or US, but does his time in a UK jail. The US could even "empower" the UK courts to deal with him (Special Relationship etc) - and that saves $$$'s for the US taxpayer - win/win!
Meanwhile, the DoD/DoJ identifies the sysadmins of the systems hacked. Experts are then brought in to assess whether reasonable precautions were taken, and any sysadmins at fault (remember some of them were demonstrably negligent!) can then be prosecuted under US law and do time in a US jail.
This way everyone at fault is dealt with, and the vision of the (US-based?) sysadmin breaking rocks in Levenworth would act as a good deterrent for DoD IT staff/contractors to do their damned jobs right in future!
Since we seem to be on a "open door" analogy - if I leave my front door open and get burgled, then I assume (correctly) that my insurance company will regard me as not having taken "reasonable care" (according to my insurance policy details) and laugh at any claim for monies that I lodge. That said, the burglar is still guilty!
"McKinnon sits IN THE UK, and commits a crime by accessing computers in the US. Ergo, he is committing a crime IN THE UK"
Section 4 of the Computer Misuse Act, says that the English courts have jurisdiction in any hacking ("unauthorised entry" - regardless of intent) cases where "at least one significant link with domestic jurisdiction must exist in the circumstances of the case for the offence to be committed."
In other words, had McKinnon sat in the US (or Maldives or anywhere else on or off the planet) and hacked a UK system, the English courts would be able to prosecute him - regardless of whether the country he was in considered his actions a crime.
OK so getting him here would pose different problems, but if we are happy to declare things committed in other countries to be crimes, we have to accept some reciprocity.
No such thing as tresspass
Actually, in the UK, if you try a door handle and it opens you're welcome to go in and have a wonder around until somebody asks you to leave, so long as you don't break or steal anything. There is no law against trespassing, so you can't be prosecuted for it, as many farmers' signs used to threaten. (In some US states, however, you risk being shot on sight).
The analogy with hacking breaks down a bit though, as its hard to say at what point you move from pushing on an unlocked door, to smashing a window and climbing through. And it is hardly a fundamental right to go and rummage through a stranger's underwear draw.
If hackers want freedom of information, their energies might be better spent campaigning for it on a statutary basis. But then writing letters to the information commissioner is not as exciting as looking for UFOs at the Pentagon.
"so if i hire some in the UK by phone to kill some in the UK I should be tried in what ever country I made that phone call in right?"
That's right:- the killer in the UK would be tried for murder by a UK court, and you would be tried in a US court (in theory) for conspiracy to commit murder and/or soliciting an act of violence. Experience shows however, that if you claimed a political motivation, you'd never be tried.
Bliar's poodle act to His Master's voice has done as much harm to freedom & democracy for UK citizens as Dubya's done to US citizens
Vis a vis, the NatWest three should NEVER have been sent to the US, as the US will not extradite its citizens for "Non-violent financial crimes". I think that description could also very justifiably be applied to Gary's offence, in the absence of any evidence or even suspicion of deliberate espionage or sabotage.
The treaty MUST be put on hold ntil the US ratifies the treaty, and it applies EQUALLY to US citizens who have offended against the UK, and we are GUARANTEED their extradition in the same way as the US expects from us.
I'll clear the pigs for take-off....
"What I am more interest in the fact that the gentlemen in question is guilty"
Is he now? Thats that sorted then! Confession/admission might not be the whole story!
"If you walked up to a house, tried the door knob and the door was unlocked, would it be legal for you to go inside and rummage around?"
Actually its a bit of a grey area, in as much as this is trespassing, locked doors mean breaking and entering. Different charges and sentences! Insurance companies won't pay out on theft claims if there was no breaking, just entering!