Hopefully the government can now find some more important things to spend their time on. Should have told the Yanks to get lost in the first place.
Pentagon hacker Gary McKinnon will not be prosecuted in the UK, the Crown Prosecution Service (CPS) announced in the past hour. The decision comes after his extradition to the US was blocked by Blighty's government. Home Secretary Theresa May withdrew an extradition order against the 46-year-old Brit on medical and human …
From various media reports it seems like he was little more than a script kiddie, using manufacturer default passwords a lot of the time to gain access to various system. His biggest problem was that he made them look like fools and that is more unforgiveable it seems than actually doing some harm.
>But it's also not very difficult to mug a defence-less little old lady, however that doesn't mean one should get away without prosecution for doing it.
My above question was not meant to infer that McKinnon was right, or wrong- it was just a question.
Anyway, I'm tempted to up-vote you, just for comparing the US Department of Defence and a proverbial old lady : D
>> But it's also not very difficult to mug a defence-less little old lady, however that doesn't mean one should get away without prosecution for doing it.
So, when are they going to rename the DoD to DoDLOL (Department of Defence-less Little Old Ladies). Or perhaps they could call it the Defence-less Department of Defence - DDoD
What the US DoD described as the most serious case of computer hacking ever perpetrated comprised of this:
Buying a commercial copy of PCAnywhere (used to remote control PC's) and entering a load of IP addresses allocated to NASA and the US DOD until he found a few boxes running PCAnywhere with no usernames and password's entered.
NASA gate the police the serial number of the copy of PC Anywhere that he used who traced the number of his copy of PC anywhere to his local Dixons/Link shop and then traced it to his Barclay card and arrested him.
Worlds greatest hacker??? They wouldn't have been suspicious if he hadn't left notepad files on the PC's desktop saying stuff like "I've found all them files about aliens you know"
In 2002 it was pretty common to use PCAnywhere for remote support, not putting it behind a firewall or even sticking a basic username and password on should have been a sackable offence really. It would have been laughed out of court - that's why the brits never prosecuted him in the first place.
No, it's not OK.
That said - if you spent however many millions to fix the locks after the event (given the massive damages the US were claiming) - I'd like to know that what you paid for actually works...
...unlike the reality - some 10 years after... http://oig.nasa.gov/audits/reports/FY11/IG-11-017.pdf
"So if I have a shitty lock on my front door it's ok if someone comes in and spray paints on the walls?"
Not quite a valid comparison, unless you're a world super hero/super villain. In the circumstances, our Gazza found that Goldmember had a shitty lock, waltzed in and spray painted the walls.
In some ways it's a pity that he did. If he'd not, then the retards responsible would have left the door unlocked, and somebody with serious intent (like Russia, or Iran) could have waltzed in and done a bit more than spray painting the walls. And the rest of the world could have had an even bigger laugh.
Mind you, I'll wager that Gary's going to be grounded by his mum for a very long time when it comes to going within ten feet of a computer.
It's more like some loon going up to the White House, knocking on the door and asking for a glass of milk and the guy on the door letting him in and directing him to the oval office. The guy sits around waiting for his milk for an hour or so and finally leaves but not before leaving a note on the president's blotter saying how pissed he was.
The guy on the door, in a lame attempt to keep his job, makes out that the idiot looking for the milk he stupidly let in was some kind of rogue navy seal out to kill the president.
You do probably have a shitty lock (as many people with an interest in computer security, I also share an interest in physical locks), and given the stupid comment you just posted, yes, it would also probably be OK if somebody spray painted your walls.
While you're posting idiotic pseudo-analogies, somebody had to endure seven years of uncertainty over his life not because of what he did or the fact that he got caught, but because of political games that should have no place in a civilised society.
"Fail for the DoD, who being the Defense department might be a bit more protective of itself."
Well, there are an awful lot of computers at the DoD, and - difficult as it may be to believe - not all of them have, say, detailed blueprints for a hydrogen bomb, or the parts list for the Stealth Fighter, or the top 10 movies Mahmoud I'madinnerjacket has rented from Netflix. Some of them - most, probably - belong to admin assistants for the guys who maintain the HVAC systems, or whatever. I don't know specifically what machines McKinnon snooped on, but not all of the machines at the DoD necessarily have to have uber-insane security, and lack of same on a given machine doesn't itself imply that all of the computers hosting the US' most deadly and arcade secrets are just sitting around without passwords.
"McKinnon snooped on, but not all of the machines at the DoD necessarily have to have uber-insane security, a"
Let me see.
1)Install a tool that allows remote takeover/monitoring of all screen, mouse and keyboard functions without password protecting those functions.
2) Connect it (and a bunch more) to the internet in a way that allows them to be directly accessible.
That's not "uber-insane security."
I've seen that level of security on a 3 PC office network. A business known to perhaps a few hundred people in a whole country, not one of the world's biggest bureaucracies with access to 100s of $Bn of funds and nuclear weapons which is widely disliked by a lot of quite technically proficient people.
1. Find the IP address of a Windows server (this was the difficult bit)
2. Fire up Remote Desktop. I think it was called something else 10 years ago, like Terminal Services Client
3. In the username box, type "administrator". Leave the password box blank
4. Press "Connect" or "Login" or "OK" or whatever the button said back then
In the case of Robert Tappan Morris who was dealt with for a much greater hack (the Morris Worm) much more leniently and appropriately, he went on to become a computing science professor. In McKinnon's case, not being able to do anything useful for the last 10 years - during what should normally an extremely formative period of life - will have restricted his possible avenues of employment - and ability to contribute his talents to the good of society.
A hundred hours community service served locally to McKinnon's residence when the crime he admitted was commmitted would have been appropriate. Destroying someone's career prospects through his persecution by threatened extradition for a decade is a great loss to all of us.
"If he were American, you would have thought this was banned under the constitution."
Not sure what your country's constitution reads as, but you clearly don't understand that the American constitution was written by the English (we can argue and nit pick, but they were still VERY much English). So you must not be English or American.
In America and England you cannot commit a crime, then get caught for that crime, and just walk away without a consequence of some kind. And yes, in both countries you can be tried endlessly for the rest of your life until the respective government delivers a verdict. In this case, 10 years of litigation seems to have been enough punishment.
P.S. I almost didn't post this ridiculous reply as it just states the obvious, but decided to anyways because apparently for some it isn't obvious at all.
In America and England you cannot commit a crime, then get caught for that crime, and just walk away without a consequence of some kind.
You must not be from this planet. Or you're very naive when it comes to the workings of legal systems.
I'm sure 10 years of wondering whether you're going to end up spending a significant amount of your life imprisoned in a country known for its implicit, and in some cases explicit approval of prison rape, is no punishment at all.
And all for what, showing up a foreign agency as complete and utter fools?
What he did was wrong. This seems to be forgotten and now there is no actual punishment. The protracted period of pain whilst he tried and succeeded in evading extradition/ prison is not in itself punishment.
His illness is not an excuse, he knew what he was doing....not even going to watch the downvotes !
Why the fuck did anyone downvote EDFX, all he did was tell the truth.
If the books were turned round the other way and it was any of your PCs that got hacked, whats the betting you would all be really pissed of. Then just to really piss you off, the police turn up and say sorry we can't do anything the hacker has a difficult to determine syndrome.
I have never been able to believe his bloody story, something feels to damned contrived and fortunate......He was fully aware of what he was doing, how do I know, well he repeated the act on many occasions...That is not just a random chance. The guy loved it or he would never have gone back.......
Whether he was looking for Aliens or not is not the problem. He was hacking, that is a determined act from a determined mind, so what if he was just kiddyscripting, it worked..
If Garry McKininnons suspected Aspergers syndrome is such a problem then why does he have access to a PC and the internet ? What stops him becoming a menace again.
If there is one thing I hate on El Reg it is the bloody PC Brigade.
As Marlon Brando almost once said "The hypocrits......the hypocrits"........
NO, sentences deny you liberty and choice, he's been denied none.
Like saying Jimmy Savill has served his sentence for being a paedo by having to hide it for all those years.
some people have limited vision of "it isnt a crime if it didnt hurt me"
no crime is victimless and no crime is perpetratorless.
only thing in between is the scale of the punishment and severioty of the act.
Gary has Aspergers, so does my son....should i let him off trashing his phone / TV / playstation or smashing up his car because of it?
>some people have limited vision of "it isnt a crime if it didnt hurt me"
Not necessarily pertinent in the McKinnon context but very pertinent to your subsequent presumption:
some people have vision of "it isn't a crime if it didn't hurt anyone"
>no crime is victimless and no crime is perpetratorless.
"If the books were turned round the other way and it was any of your PCs that got hacked, whats the betting you would all be really pissed of. Then just to really piss you off, the police turn up and say sorry we can't do anything the hacker has a difficult to determine syndrome."
You appear to think the British police would investigate such a crime.
OTOH suggest they may have planted some CP on it and watch them tear it out of your hand.
TOTC because that's about the only way you'll get a British PC anywhere near a personal PC.
Just like the Pikey gangs from Dale Farm used kids to shoplift in Bluewater and Lakeside, so when caught they're under the age to be prosecuted, meanwhile the adults live like kings on the proceeds and benefits.
Crime in the UK does pay, more so if you claim your disability made you do it.
Next week, 10 female murderers get let off for being "on their period and stressed" that day
Were this to happen in America, or an American being harrassed over a period of a decade for his crime, their lawyer would have argued this was "Cruel and unusual punishment."
The moral of this story. Don't sign any document with the US unless you a)Read it very carefully b)Don't accept such grossly asymmetric rules of evidence.
"What he did was wrong."
Strictly as there has been no trial what the DoD has claimed he did was wrong and what he has admitted to is wrong.
"The protracted period of pain whilst he tried and succeeded in evading extradition/ prison is not in itself punishment."
That depends. If you have the arousal level of a psychopath probably not. On that scale he's "normal," and most people have a great deal of trouble dealing with long term uncertainty about their future.
You'd have some idea of what that's like if the company you were working for was rumored (not announced, just hinting at) people are for the chop, maybe we will, maybe we won't. Maybe we've already got a list, maybe we're still deciding.
Now picture that going on for 10 years.
Of course you'd probably say to hell with that and leave.
But what if you can't?
A crime was committed on British soil after all. As for getting US witnesses to appear, the CPS seems to have conveniently forgotten for a moment that witnesses can appear remotely, from pretty much anywhere with a fast enough internet connection.
As for a mad one in Vegas to celebrate, how about a mad one anywhere that has a one sided extradition treaty with the US? I suspect a weekend break in Stockholm is out of the question. McKinnon may have escaped extradition to the US but there's no real closure here, and a US prosecutor is still without a pound of flesh......
Did he even commit a crime though?
I assume the reason US witnesses wont appear is because the case is so weak, and the evidence so laughable, that the whole thing would have ended in a caution/suspended sentence/community service.
Meaning the yanks would have been embarrassed three times over, inept security allowing anyone who wanted to get in, to get in. Their failure to extract the man illegally and finally being made to look like a pack of monkeys in the UK courts.
Much better to not hand over the witnesses, then black bag him if he leaves the UK to face Yank "justice"
I don't think there was ever any doubt he committed a crime. He coughed up to that himself a long time ago.
This case was always about extradition, bullying from the US and wildly exaggerated punishments for what was at most a minor offence. I'm glad Theresa May saw sense and managed to put this to bed once and for all.
There's no argument that he logged into systems without permission but was that a crime? I seem to remember in the states you need to cause damage (the Americans covered this by saying they needed to pay to patch their systems if I recall correctly), I can't remember what the computer misuse act said in 2002.
Yes it was
Causing damage makes it a more serious offence
Which makes the difference between a maximum of 2 years in jail and a maximum of 10 years.
Realistically, it is going to be a few months at most, and that would be covered by the time he spent on remand, so he would walk free.
Indeed, so in the UK he'd probably have got off with a 6 month sentence or more likely a fine or suspended sentence. As he didn't argue the case from the start. It's not very likely they'd have made the greater charges stick in court, they'd probably have just gone with a summary conviction. Well, if the Americans hadn't been involved and waving their flaccid penis about anyway.
OK. So Wikipedia isn't exactly a gospel. And I am most certainly not a lawyer. And I don't even suggest that _had_the_case_gone_to_trial_ Mr M wouldn't at that point have been _found_ guilty. But:
"The Convention for the Protection of Human Rights and Fundamental Freedoms of the Council of Europe says (art. 6.2): "Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law".... this assertion is iterated verbatim in Article 48 of the Charter of Fundamental Rights of the European Union."
Was Mr M ever declared by a jury of his peers, after proper trial and process of law, to have been guilty? Was Mr M ever declared, by a Magistrate or Judge after proper trial and process of law, to have been guilty?
If not - it would appear his innocence must be presumed. Even if he was willing to present a guilty verdict, he was never given (to the best of my knowledge) that opportunity while under charge in a UK court.
Of course, the legislation might be such that it is outside the need for trial, and the offence one of absolute nature. As I said. I'm not a lawyer, so all I can claim is opinion - and I won't :-).
I don't know if a crime was committed - on Brisitsh soil or otherwise.
I may, of course, have opinions. But I was under the (perhaps mistaken) impression that assessing such matters, and the issuance of an authoritative opinion (for which I recognise mine most definitely does not qualify) as to whether a crime was in fact committed, and that persons X, Y or Z did or did not commit said crime was the jurisdiction (pun intended) of things called 'the Court Process' and 'Judges' - or sometimes 'Juries'.
Since no such 'Court Process' has as yet (to my knowledge) been carried out in the UK, though both the public and press have triedd really, really hard, and no such authoritative view issued (though I may be wrong), I'll return to my initial statements.
I don't know if a crime was committed. Though I may, of course, have opinions.
Sad to say that I commit a large number of crimes every time I visit the UK. (I challenge anyone to drive around the M25 completely legally - and safely).
Should the UK authorities mount a campaign to have me found, extradited and tried for my crimes? So far they have had more important things to do.
It's worse than that. According to US law, they have absolutely no problem with snatching him off the street in London, bundling him onto a plane and flying him out to the US without even telling the British authorities or government what they're doing.
Upon arrival, they can (of course) prosecute him for whatever they want, up to and including "entering the US illegally".
See http://catherinem.wordpress.com/2007/12/31/right-of-extradition-of-british-nationals-to-usa/ for more details.
This guy should have got community service and a stern telling off 10 years ago after attending a U.K. courthouse.
And the admins of those systems he compromised with bloody default passwords should be tried for putting national security at risk and allowing this pathetic charade to happen in the first place. If I did that at pretty much any private company, I would rightly be sacked, but these guys, in charge of sensitive defence systems, get no comeback for blatent disregard of security protocols.
I wonder how many years Russian and Chinese hackers had been strolling around those systems before mckinnon blundered through them like an Elephant at an exhibition of fine vases?
He did wrong and the CPS should have prosecuted him sensibly 10 years ago under the Computer Misuse Act. Instead someone decided to hand him over to the draconian over-the-top US Justice system, leading to the 10-year long farce that has finally ended.
Next time, can the UK Justice system please have the balls to take responsibility and prosecute a crime committed by a Briton on British soil in a British court?
...for McKinnon that his criminal offences are being ignored simply due to his 'condition'. How are his crimes less serious than for anyone else? Hey Gary, why not go celebrate by mugging someone - if anyone has the temerity to call plod just wave your 'Get Out Of Jail Free Aspergers' card.
Good to know that if you drag things out long enough and hold your breath and threaten to hurt yourself that you can avoid taking responsibility for your actions.
Extradition is for people that committed crimes in other jurisdictions which is what this guy did. Funny how when it is someone in the UK doing the crime how sympathetic everyone is but when someone in another country does something in or to the UK how outraged everyone is especially if they evade extradition.
This guy is an admitted criminal who agreed to plead guilty but played on the gullibility of the English populace and press but no surprise considering how easy it is for criminals here to play the system.
"Funny how when it is someone in the UK doing the crime how sympathetic everyone is but when someone in another country does something in or to the UK how outraged everyone is especially if they evade extradition."
You might like to look at the standards of proof the UK require Vs what the US requires before they will hand someone over.
The US request has to be basically "He's a wrong'un" The US requires actual evidence.
There seems to be a general misconception of what extradition is and what a trial is. With extradition the purpose is to show sufficient cause that someone has committed a crime in their jurisdiction and that they would like that person sent there for trial. The trial is where the proof is presented and contested.
What most people seem to be saying here is that wait you can't extradite me until you show me all the evidence and show that I am guilty based on the laws of my country of residence and that is simply not how it works.
In this case the US stated that they had a case and it was accepted by the UK based on the terms of the extradition treaty between the two countries (the fact that the treaty may be one sided is an entirely separate issue) but the defendant then proceed to use every trick and manoeuvre in the book to avoid his extradition. The majority of this being using the public to make it politically unacceptable for him to be extradited regardless of his guilt or innocence which is really just a mockery of the laws.
Personally, I think the case against McKinnon was likely to be provable but that the punishment was likely to be excessive. But that is neither here nor there in regards to how the process should work and in this case he has escaped responsibility for his actions not because of legal reasons but simply because he got enough people to feel sorry for him.
Well as long as he doesn't leave the UK he should be fine.
Despite the UFO agenda here, I'd say that Pentagon should have paid (secretly) people like McKinnon for they did, when the damage is only publicity.. Not His and similar hacks just manifests a huge problem of incompetence that seem to reign there and everywhere. (Don't run Windows, use strong passwords!!! see below)
This in a way, is also pertinent to private Manning's ordeal. In the latter case we also had a systematic malpractice, at times criminal, added up to the incompetence.
Here's some points Gary had suggested to follow to not fall a victim to a similar prank:
2. Do not have blank or default passwords for local administrator privileges.
3. If you set up a password on a PC for a local administrator, make sure each PC has a different password for that administrator.
4. Do not put unprotected files on the network that describe what each machine on the network does.
5. Do not use Netbios over TCP/IP.
6. Do not run Windows.
Oh, court, trial and getting to the truth are very low priorities for your average US prosecutor. Making life as awkward as possible for the accused (for example, "You might face court a year down the line. In the meantime you're stuck in the US at your own expense and oh, we're going for the 50 years.") while dangling a tempting plea bargain to force a guilty plee from the accused are very much the order of the day. It very rarely gets to a trial, let alone a fair one.
The USA had grounds to have him tried in the USA.
The UK had grounds to have him tried in the UK.
The man walked.
Father Time had to play big brother to both countries to get the job done. I would say he was crafty and got away with it, but 10 years of just stress seems enough. But only when you consider the actual crime he committed, and how awful it must of been in dealing with those 2 countries in regards to his crime.
It is possible the USA might have him tried if he enters the USA, but I'm not sure they would bother otherwise. It was just luck that he was the token of gesture for the UK in changing their extradition policy.
Not if he didn't have to actually crack anything. As I understand it, there wasn't any circumvention required.
Put another way, if someone busts your door down and goes into your house, it's breaking and entering. First you break; then you enter.
If, on the other hand, you leave the door open, you can't be breaking and entering, since you didn't break anything. You're just entering. That's called trespassing.
Unless I've misunderstood... the Home Secretary withdrew the extradition order on human rights grounds because he *might* commit suicide rather than be extradited. Given that there's always a possibility that someone *might* commit suicide, wouldn't it logically follow that the UK will henceforth refuse to extradite anyone?
That might *logically* follow, but the same Home Secretary has been trying to get someone extradited to Jordan for the past year or two and blows a fuse every time the courts say no on the grounds that he might come to some harm when he gets there.
So I don't think we should expect any kind of consistency. Indeed, the fact that these two cases have been playing out over the same period of time is (I guess) just God's little joke.
Biting the hand that feeds IT © 1998–2019