Seriously, prosecution is asking for 5 years behind the bars for this (which may or may not be appropriate). But some nutters still want to deport McKinnon to the US. If this guy deserves 5 years (and he's going to get much less, presumably: this is the prosecution request), McKinnon should get a few 10s hrs of community service. Is it really worth an extradition?

Over a quarter of a million zombies and hundreds of thousands of stolen passwords, and he wasn't able to steal much?

Since when is claiming to be an incompetent crook mitigation?

I'm reminded of the old joke about the teenager who murders his parents, and then begs the judge not to send him to jail because he's just a poor orphan.

No, you're not the only one. I seriously want to know how the defense attorney could write and submit that without laughing. Who knows, maybe he was laughing at the time. I cannot for the life of me understand how "didn't steal MUCH money" can possibly be a mitigating factor. Everything he did screams "lock me up for life" to me, especially when he did it from work, employed as a security consultant. I'd love to know the defense's definition of "lasting damage", since the attacks against his victims (from him and those he passed the information onto) will have identity and financial consequences for years to come. Not to mention the immediate cost of cleaning his malware off of the system, a cost most people probably won't be able to afford right now.

And am I the only one who's sick of tired of people trying to blame everyone else for their actions? Substance abuse and sexual abuse do not dictate this sort of behavior. You committed a crime, you fucked up, you got caught. Deal with it. There's a reason we have laws. When we show people that criminals can do pretty much whatever they want and get away with it, we show them that it's acceptable behavior and that the laws are meaningless.

People like this, who knowingly, willingly, and intentionally cause damage to others, especially on a massive scale like this, need to be shown that their behavior is not acceptable. And other people need to be shown that this behavior is not acceptable. "Oh, but he didn't cause much lasting damage". That doesn't matter. He *INTENDED* to, as evidenced by his attitude and his passing of the information to others. We, as a global society, need to show that this behavior will not be tolerated, that it has serious consequences. He should be made to personally apologize to every person affected, and remove his malware from their system (supervised by a competent tech to make sure he does remove it without causing additional damage). He should be made to reimburse every affected person for however much this ultimate costs them, including the cost of lifetime credit monitoring (lifetime, not this meaningless "one year of monitoring" that banks and companies get away with). He should be made to give back a portion of his paycheck to his employer for he spent not doing his job. He should be made to personally apologize to his employer and pay them back for whatever this ultimate costs them (if any), including lost business resulting from this. Finally, he should be made to perform some laborious task (think prison chain gang) uncomfortable enough to discourage him from even thinking about doing this again.

In my view, the 250,000 bot net is really not a big deal, if as he claims it did not cause any harm. I mean I certainly wouldn't start one up, but with these windows holes these days, it's not that hard to get a botnet that size. Also, he' s probably right that the bot did not harm the machines it's on. In addition, although ironic, doing it from work is a work issue more than a legal issue.

HOWEVER, the ID theft is a big deal. So he (through his lawyer) gets real weasely and says he "ultimately did not steal much money". Well, OK, he maybe didn't *steal* much money.. this doesn't say if he made tons of money reselling these illegally obtained account infos or not. This is super-greasy and he should get 5 years for this alone.

"Prison is a boys club. All that talk about abuse there is stupidly ill informed. The worst that will happen is he can't talk to women and go out for a pint with his mates."

This depends on the prison, and on if he behaves respectably or not. I know a few people who were inside.. one was in for 2 days presumably at a rougher prison and had to kick the crap out of someone on day one, they tried to "take it from him". The other was in longer (in a different prison) and said people had no problem as long as they treated each other with respect, the ones who were not respectful had problems. So I'm guessing he'll almost immediately try to defraud his fellow inmates, and then they'll abuse him plenty.

id shit myself if i had to go into one !!!

I dunno if the guy deserves a good buggering in prison, but he deserves to pay for his deeds !!

i agree prison shouldnt be nice e.g. manual labour etc, but when you put them at risk ?? not a good idea

Seriously, there is no way I would consider using someone unless I have at least two independent OKs from sources I trust. Most of my guys have 3, and tend to appreciate why we audit. It's a pain, but we have to: plenty of criminals around - and idiots.

The ONLY barrier between discovering security issues and abuse thereof is an almost overdeveloped sense of ethics. Unless I can sense that being present you won't even go in for the trial period. There is not a single argument for using someone like that in security because he cannot assure the single most critical component for security work: trust.