Can anyone remember what exactly was compromised

Wasn't this a case of someone trying to gain entry to US military computer systems, the entry detected and the Pentagon securing up their systems and counting the cost of that securing up as the cost of the intrusion?

I thought he was looking for proof of UFOs, and just used some basic Perl scripts to try and gain entry. Now if the Pentagon wish to say that their sensitive data is kept on the perimeter then that is a failing, but I am sure they are not that daft.

This is a bit of a storm in a teacup really, and posturing by the US on the tough crackdown on cybercrime, but his crime was one of curiosity, a prison term doesn't seem justified, but something else should be done to act as a deterrent.

Community service does appear to have been on the table to begin with, and that is probably appropriate. The admins of these systems do need to take some responsibility in ensuring security, not just rely on the law as the stopper, which is a bit lazy for all of society. Had it been a malicious crack attempt, then it looks like they could have caused some damage.

Makes a change

from the Pentagon vowing to make extradition flights to Europe

Poor Guy

Waiting all this time for the slow court system. I hope he wins his extradition case and this country full of corrupt officials who are embarrassed at how easily he got in don't get their hands on him.

Two issues

First, let me say I don't agree with the pressure the US government is exhibiting in this case compared to other similar cases. It's obvious to me they're just looking to make an example of him. Having said that, I do have two issues:

First, The US has every right to say (paraphrased) "Take our deal or all bets are off". They are under no obligation to offer a plea bargain. They have every right to go after him to the full extent of the law. I have no doubt they used dirty tactics in attempts to get him to plead guilty, but they have every right to say "all bets are off" and seek the maximum penalty, just as the prosecution does in every other case.

Second, these next two sentences are mutually exclusive: "McKinnon has admitted taking advantage of lax security in US systems to install covert software that gave him control of settings and access to files... He has not admitted causing hundreds of thousands of dollars of damage..." If he admitted to installing software, then he admitted to causing damage. What, does he (and his legal team) think the computers magically cleaned themselves of his malware? Depending on the number of systems he infected, it could very well have been hundreds of thousands of dollars to clean up his mess (especially with the pork government contracts get). It takes time to clean a system and verify/validate it is infection-free, and that time costs money.

Lastly, this is nothing he did not already know when he chose to perform these acts. He knew the risks, and he went ahead anyway, probably using the all-too-common thinking of "it won't happen to me". Well, it did. He got caught, and now he has to take responsibility and accept the consequences.

Hopefully...

... this case might see the end of the shameful extradition treaty between the UK and the US where they can say "We want to extradite this person and we don't have to offer you any evidence, but if you want one of our citizens, you'll have to show you have a reason to do so!"

Adam Foxton

So by their logic, things that the US do that may have repercussions in the United Kingdom can be punished under our local laws- such as rendition flights landing on our soil. That made us a more "legitimate" target for terrorists than ever and given that the threat is so grave- or at least that's what the Americans tell us- could be extrapolated to encouraging terrorism in the UK.

its not may it did. So if hired a Hit man to kill princess Diana in the US but he kills her in the UK , you would be content for me to be tried in the US ??

If they trade embargo us over this

... it may just be worth the sacrifice :)

No american shows on UK TV, heaven.

No american films in the cinema bliss.

No MS Windows nirvana.

Oh and no McDees, it just gets better.

No coca-cola back to panda cola for us, more healthy.

I don't really see what we get from the US that is worth anything, why are we always cow towing to them, oh yes Labour.

the real question is

why does UK implement this bilateral agreement before both parties ratified it? This seems highly unusual to say the least.

@Adam Foxton

As a US citizen, I couldn't agree more except possibly about the amount of damage. It's difficult and time-consuming (and thus costly) to verify a system is secure after an infection has been removed. In order to accurately determine a non-infected status, you have to verify and account for every single file (and possibly/probably, on Windows systems, every single registry key). Really, the only safe way to do it is to back up your data files, wipe the system, reload the OS, drivers, and apps, and restore the data files. Of course, that still might be problematic because registry keys would be lost (which is the primary reason I hate the registry and wish we never strayed from .ini files). That'll take some time and cost some money. I don't know how many systems he infected, but it could easily cost $500-1000 per system using standard service rates. Adjust those rates for the government pork factor, and I wouldn't be surprised if it cost $2500-5000 per system.

@AC re: "Can anyone remember what exactly was compromised"

Please read the article before commenting. The article clearly said what he did (cracked into systems and installed software allowing him to change settings and access files) and what he claimed his reason was (looking for evidence of UFOs). As I explained above, cleaning that up will cost quite a bit, especially if it was many systems. Also, please understand that where sensitive data is kept is completely irrelevant. Once a system is compromised, you need to remove the infection and return the system to a secure status. This is true if it's an internal system with sensitive data and if it's a kiosk system in the lobby used to log in visitors. You can't say "Well, this system doesn't have sensitive data on it, so it's OK to leave it compromised". Similarly, the data kept on the system should have no bearing on the punishment. Cracking into a government system should carry the same punishment regardless of its purpose or network address.

Pass the blame

The problem is, it's not his fault. If you take the front door off your house or dont bother to have one in the first place and someone enters your house and places cameras in it, you can't get them to pay for a new front door or to pay to search for cameras. It was the resposability of the US GOV to ensure there was a door in the first place.

Ok, your not buying this, lets put it another way, your in a pub and for no fault of your own, you get into a fight. Do you think you can sue the other person for the cost of now wanting bodyguards to ensure you don't get hurt again?

I agree they can sue for damages but thats not what they are doing, they want to hide their incompatence at the expence of others, the UK & US taxpayers.

Two other things 1) why hasn't anyone in the US been fired and 2) why didn't our govenmeant pass an amendmeant saying this treaty would only come into effect when the US agreeded.

I remember when this was first reported (the agreemeant). Very clear where the ruling class are taking our country.

No problem with the US wanting to procecute.

This guy is bang to rights, he has done what he is being accused of, and cleaning up after him will cost money. Mind you if he's any good perhaps the US should consider a community service punishment and make him work for them for a while.

Where I have problems is that US law always seems to be about vengeance and not justice, so why should we extradite anyone to that kind of barbaric legal system.

Not only that, WTF are we doing honouring a one sided treaty, the law lords should just say come back when you ratify the treaty then you can have him.

Perhaps one thing we should take to the court of human rights is the right of any signatory to extradite to a non-signatory.

@AC to me

Entirely the opposite- by their logic, if you hired a hit man in the US to kill someone in the UK you'd be committing an offence under UK law because it affects us rather than under US law (Where the actual offence was committed).

McKinnon broke the law on UK soil. So he should be tried and if neccessary punished in accordance with UK law. He'd be punishable under US law if he was on US soil (say, an embassy or in the US itself).

Alternatively if the US would care to ratify the no-evidence-required extradition treaty we could get around to extraditing anyone over there who's sold weapons to or trained the Terrorists. Or stirred them up in a way that affects us.

Exactly Nigee

I wrote my MP (Labour) asking why the hell Blair was in such a hurry to pass this bloody treaty when there were (and still aren't) any signs of reciprocity? Regardless of the location of the systems involved, given the draconian prison sentences passed down in the States for minor crimes to help fuel the massive prison industry over there, the man should be tried here in the UK and that treaty ripped up.

The States would NEVER pass such a treaty because it's bloody unconstitutional over there -- why did we?

Bitches....

Welcome to the UK, America's little bitches.

I know he broke the law, but he has my every support. If for nothing more than some arsehole in charge saying a life should be taken for somethnig as simple as their own countries p*poor discipline.

Just think of the UK as Americas pet puppy..

Relatively harmless but finally figuring out that the easiest way to avoid getting a slap on the nose with a rolled up paper is to just do as its master commands.

Sorry to be so .. honest .. but the truth is the UK has long ago lost the will to make its own decisions in its relationship with the US and from all the yanks I have ever met one thing is clear ... they see the UK as their ..<insert derogetory comment here>.. and they would be truely shocked if the UK were ever show some backbone.. After all the UK may as well be the 51st state.

The French have the right attitude

According to Wikipedia, at least, France will under no circumstances extradite a French citizen to any other country.

Another reason why I would happily swap my British passport for a French one, were I to be given the choice.

@Chris C

For your first point you will find that this, if true, is unlawful in the UK and could be cause for refusing extradition. The UK, although agreeing to unilaterally hand over people to the US without prima facie evidence (i.e.. at least some evidence that a crime has been committed and that the person named is a valid suspect) does retain some rights of refusal.

As a particular example the extradition rules forbid any UK citizen being sent to a country where they may or will face the death penalty.

In this case applying undue pressure on a suspect to ease the extradition process is expressly forbidden. Should it be proven (or at least believed) that the US prosecutors tried to apply undue pressure on McKinnon then the Law Lords would b well within their rights to refuse extradition, as well they should.

For your second point, and this is admittedly a little nit-picky the statements are not mutually exclusive. McKinnon does not deny causing damage, he denies causing that much damage.

Remember that the figures quoted by the US authorities suspiciously fall just the high side of an amount where under is a petty crime with only a slap-wrist permissible as punishment whereas above that is a serious crime that can be punished with hundreds of years in prison and millions of dollars of fines.

@jurisdiction issue

Surely, if you are going to try and compare hacking a system in another country with something else. You need to take an example where your action in one country has an effect in another that is illegal by the law of that country.

As an example, if I was in America and fired a gun, and that bullet went over the boarder and killed someone in Canada, in which country did I commit murder? If you can answer that, then you surely have the same answer as for hacking.

Of course this could get very confusing, as in theory you could broadcast a programme in Belgium that would be considered an offence to show in France, and if your signal is receivable in France are you a criminal?

Extradition

Here in the U.S. we don't/very rarely extradite our citizens. I think you should talk to your government and see why they are so willing to fly you off to another country for punishment. That a pretty weak government and a pretty weak people that let that happen to them. Too bad.

Sorry but he hasn't "done what he was accused of"

Presumably the USA's legal system still operates under the archaic principle of innocent until proven guilty? Let me say that I unequivocally reject the sham treaty under which this extradition attempt is being pursued. It makes a hollow mockery of our democratic traditions.

Please can someone specifically state the nature of the damage he is alleged to have caused? Of course, in McKinnon's case, I suspect that the US authorities may have exaggerated the "damage" in order to justify his extradition.

There are interviews with McKinnon in which he claims to have viewed hi-res satellite pix of large, copper-coloured, cigar-shaped craft. I think he found what he was looking for. That could be the reason the damages have been inflated.

An interview with Gary McKinnon is available here http://www.projectcamelot.org/gary_mckinnon.html

@richard - did he find any alien evidence or what?

An account I read described his download of a low-res movie of a spaceship, and what looked like a hand moving it away (hardly evidence of aliens). More than anything else it seemed to me that he had stumbled into a honeypot designed to catch UFO afficionados. He happened to be rather more adept than they expected, which must have been a bit embarrassing.

Something like this happened to me in 1985...

...I found an open dial-in modem attached to a Unisys mainframe operated by a large British utility company. I spent a couple of weeks playing around looking at interesting stuff, didn't damage anything, got bored and didn't dial in again for about a month.

The Police kicked in my parents front door at 3 am one Wednesday morning and took me away for questioning. I was accused of working for the KGB because 'no 15 year old kid could have broken into a secure computer like that without specialist training'. I spent 3 days being interrogated by unnamed men in dark suits until the QC my parents hired finally got in to see me. He convinced the guys questioning me that it would be a very bad thing if the British public were to discover that one of their most trusted nationalised industries could be so easily compromised by a schoolkid!

In the end, I was given a conditional discharge in a closed court, the condition being that I went to work for the company involved to help them secure their systems. I've been working in the IT security industry ever since, working on keeping the bad guys out of important bits of our critical national infrastructure. The funny thing is; I didn't know anything about the subject at the time I got caught - the modem number was 2 digits away from the main switchboard number and had no password!

If I'd have been convicted and punished as the authorities originally wanted, I wonder what kind of contribution to society I'd be making now?

Hackers are vandels

I can't stand this posturing that hackers are doing us a favour by showing how lax security is. It's like some coming round to my house, breaking a back door window, reaching in, opening the door, rumaging around my possessions and saying "Look mate, I'm doing you a favour by showing you how lax your securiry was and I was just looking around to see if you had any evidence on UFOs. It's lucky for you that I'm not a crook".

They cause milliions of pounds of damage. Well Mr. McKinnon I hope you are locked away for a few years. You are no worse than a petty vandel who breaks into a shop and trashes it.

As for being extradited.... well you knew the risks.

@Chris C

Please remember that these machines should have been secure in the first place!

Damage done was necessitated by the fact that the configuration of these machines were incompetent and the acts the US have taken is more in the order of vindictive spite for showing this incompetence than any real damage.

Most of the work undertaken after the fact is work that should have been done. If it had been done and they had to do it again, then *maybe* they could argue for the cost. The cost is made up so that they can show it criminal in extent which allows them to demand without proof the guilty party. Pure sophistry.

Typical

He knew very well if he was to get caught, he would have to face the music.

The next time you feel like defending a hacker. Think how easily one can get into your system, hide a folder on your hard drive, fill it with pictures of child pornography, send out some mail containing a few pictures. Then to be really nasty, he makes a few phone calls to the authorities and gives them a tip that you collect, distribute, and solicit child porn.

Apparently it is your own fault that you allowed this, so you should be prosecuted.

Quit making this about one country vs. another (only impotent morons use this to compensate for their own short comings). If the situation was reversed, you would want him to hang from the ferris wheel next to the Thames.

Fact is, he broke the law and caused damage. The damage was in the US, therefore it falls in its jurisdiction. He has nobody to blame but himself.

We need a Stevie Wonder avatar; because even he could see this guy is a twit.

Spineless UK Government

He committed the offence in the UK, and we have rules against extraditing people to countries where they may face torture or death --- both possibilities in the good old USA. The problem is that new labour have signed away UK rights one by one until between the USA and Brussels they may as well just shut down the UK courts.

He should have been tried here under our anti hacking laws long ago; it was the dumb Americans who blew it all out of proportion and made him a media figure.

Please don't paint all Americans with the same brush

I would hope our friends (and yes, a vast majority Americans consider the United Kingdom our friends and feel we owe the UK a great debt as you had a lot to do with the shaping of this country) in the UK and elsewhere in the world understand that, like their own countries, the government of the USA doesn't always represent the feelings of all Americans or even a majority of Americans. Quite a few Americans are less that proud of our governments actions over the past few years but push us and we have no choice but to circle the wagons. The USA has it share of idiots and dolts, like all countries, and sometimes they get the most attention because they yell the loudest, but that doesn't mean the represent the majority of Americans. Also keep in mind that we, the USA, are going through a rough patch at the present, as all countries do from time to time, but I do hope and believe that things will return to a more respectable path soon, maybe January 20th, 2009. At the same time we will protect ourselves if we feel threatened, just like any country has the right to, regardless of what other countries think, also like any other country.

As the the story in question, in particular, I would certainly hope that this man doesn't get extradited as he sounds more in need of counseling than prison. In general, I do not think any country should ever allow one of it's citizens to be extradited, to the USA or anywhere. One country should be allowed file briefs in court about a crime that occurred in it's territory and maybe have other parts to play in a trial. Diplomatic resources can always be brought to bear if one country thinks another country is not dealing with a citizen that committed a crime in the first countries territory.

@AC "so what did he really do and admit to? "

No trespass laws in Scotland. So if you were up there and just wandered into someone's home that wasn't locked that's not an offence.

@Aodhhan

The problem is that he wasn't committing the crime in that country. If he was in the US, hacked in there and then flew back to the UK it'd be pretty much open-and-shut.

He'd still not be extradited as your politicians have said they'd see him burn so it would break the "no extraditing to a likely death penalty" rules. But at least it'd get rid of a lot of the controversy surrounding the case.

However, he didn't. He was in the UK and hacked the US machine. By "hacked" I mean he found an unguarded entrance and wandered in for a look around. He didn't even have to guess at a password- there wasn't even an "admin / password" combination to attempt.

So he should be tried under UK law as the law was broken from the UK. As someone above has said, if I broadcast a TV signal from the UK that's illegal in France I can't be punished under French law.

And this guy just sent a signal from the UK to the US- but because it was sent from the UK it's UK problem. The US just want (rather disproportionate) vengence and to save face rather than to stop him re-offending or make him a useful member of society again (as is the aim of any rational punishment).

Just thinking- wouldn't the lack of passwords suggest an implied consent to access the computer? Otherwise going to Google- unless you've written approval from them- means you're breaking the law.

The other question is who the hell removed the security passwords on the computers at the Pentagon?! And how many tens of thousands of volts (or years of "community service" in Guantanamo) are they going to get?

user name admin password admin

Correct me if I'm wrong here but we are talking about a guy who used scripts to test equipment and services for default password settings in the networks of major US three letter agencies?

The "damage" costs amount to the cost of forcing their own admins to go around removing the defaults in the "compromised" systems.

If I were the <insert agency here> I would be looking at taking my own admins to trial and employing McKinnon full time to ensure newly installed equipment and services had at least been secured at least at the level of having password protection.

Surely this is about covering up the embarassment of a host of multi billion dollar agencies rather than prosecuting a "malicious terrorist"

Extradition

First of all...

the death penalty can only be handed out for 2 things. 1st Degree Murder and High Treason.

Hacking into a computer system doesn't qualify for either.

Second...

He didn't access any classified information. The department of defense does not have their classified network accessible from the public internet. He only gained access to what is known as NIPRNet. This is an unclassfied DoD network which has connections to the Internet; obviously necessary for communications for non-DoD interests.

Third... There are many crimes you can do where you are in one jurisdiction, yet harm is done in another. When this is the case, the court where HARM WAS DONE (ie the US) has jurisdiction.

There are way too many things about this story which seem a bit outlandish, don't you think? If it doesn't pass the laugh test, then it probably isn't true. Don't believe everything you hear, especially if you hold a prejudice. Use your brain, be critical, and think. Those who don't are more idiotic and irresponsible than anyone they accuse.

@AC 17th June 2008 15:36 GMT

Why are you an apologist for a criminal, corrupt, and above all else, downright evil US administration?

It is mindless sheeple such as yourself who invents problems, in order to justify ludicrous knee jerk publicity stunts.

Thanks for the concern, but I really don't need someone to save me from all these non-existent 'cybur-terrurists'.