Security

Geek Trivia: Hollywood hack job

On what television show was the notorious cybercriminal Kevin Mitnick cast as a government-employed white-hat hacker, despite the fact that his probation ostensibly required the show's prop department to mock up a dummy computer because Mitnick wasn't allowed near a real one?

If someone asks the average person to compile a list of notorious hackers from history, odds are the first name they'd come up is "that kid from WarGames." When someone explains that WarGames was just a movie, the average Joe would probably do a Google search and come up with an almost as infamous -- and decidedly non-fictional -- individual: Kevin Mitnick.

After all, if one were to factor in all the cybercrimes Mitnick is alleged to have perpetrated, you could make a case that he was the inspiration for the kid from WarGames...and the entire cast of Hackers. Legend holds that Mitnick broke into the NORAD mainframe and gained enough knowledge to use his phreaker (telecom hacking) skills to launch nuclear missiles simply by whistling into a pay phone. That's after he wiretapped the FBI, electronically altered a judge's credit report, and harassed actress Kristy McNichol.

Of course, there's little actual evidence that Mitnick accomplished many of those highly implausible feats -- despite some New York Times reporting and conjecture to the contrary. That's why Mitnick was only convicted of hacking into and stealing source code from DEC, breaching cybersecurity at a half-dozen other major corporations (IBM, NEC, Nokia, Motorola, Sun, and Fujitsu Siemens), and evading FBI arrest for a few years. Serious crimes, but not exactly equal to placing a collect call to atomic Armageddon.

Mitnick spent five years in prison, though all but eight months of that was pre-trial, leading many in the hacker community to conclude that his punishment was disproportionate to his crimes. The contrary argument is that Mitnick managed to avoid prosecution for many of his actual misdeeds, but his flagrant flouting of the law and status as a long-term celebrity fugitive required that the government maximize his punishment.

Part of that punishment included a rather unusual post-parole probationary stipulation that Mitnick have no access to any communications equipment short of a conventional landline telephone. Though that stipulation eventually was reversed on appeal, it ostensibly led to a rather unusual Hollywood moment for Mitnick. You see, in an ironic twist for so "inspirational" a cybercriminal, Mitnick was cast as a government white-hat hacker on a popular television show -- but supposedly had to use a dummy computer for his scenes, because his probation prevented his use of a real one.

ON WHAT TELEVISION SHOW DID KEVIN MITNICK APPEAR AS A GOVERNMENT HACKER?

Get the answer.

About

Jay Garmon has a vast and terrifying knowledge of all things obscure, obtuse, and irrelevant. One day, he hopes to write science fiction, but for now he'll settle for something stranger -- amusing and abusing IT pros. Read his full profile. You can a...

61 comments
Andy M
Andy M

Stating "[s]erious crimes, but not exactly equal to placing a collect call to atomic Armageddon" is not technically correct. Calls must be made to a location (even if, where mobile phones are concerned, location is not a constant). "Atomic Armageddon" is an event, and so is not a valid route for a phone call. OK, so it's trivial. :) And a quibble!

NthDegree
NthDegree

As a former instructor of computer ethics and in my current position of Technical Product Mgr. for security software, in my opinion, hackers, crackers, phreakers etc. (or any other term you wish to use) should be recognized for exactly what they are; Cyber-terrorists. Let's not mince words or bandy about the idea that they are just computer geeks having a little fun. If you are logging onto a system for which you are not authorized, that is a criminal act. I don't care if you do nothing but look. It is still theft of computer services. With our dependence on computers and computer networks any unauthorized entry, malicious or not, is a threat to that infrastructure. A person blowing up a power transmission station on our electrical grid would be considered a terrorist. I see no difference from attacks on our computer/internet infrastructures. Five years was too harsh? I would have given him twenty. As for him not being able to use computers, good, ban him for life. Let the punishment fit the crime. Maybe if we started trying them under terrorist laws and they realized the penalties could be severe, maybe it would make a small dent in the hundreds of millions of dollars spent every year on computer security.

robert
robert

"Mitnick have no access to any communications equipment short of a conventional landline telephone" would usually imply that Mitnick cannot use anything less advanced than a conventional landline. Using "save" or "more advanced than" rather than "short of" would be more clear/correct.

neilb
neilb

I do hope this Brit's extradition is stopped. Not because he shouldn't be punished but just because the US really does come over as a bit barbaric in wanting to slam this guy up for life because of their own insecure systems. Seventy years? Stupid. If he's done what they said he's done, though, he makes Mitnick look like a script kiddy. http://www.itpro.co.uk/news/109415/british-hacker-loses-extradition-appeal.html http://www.itpro.co.uk/news/130556/mckinnon-given-leave-to-appeal-hacking-extradition.html

normhaga
normhaga

But... I think you are clueless. A security manager? Would you have us believe the BS that your product is secure? How about demonstrating it to be secure, but without a hacker around somewhere, how are you going to do this? Computer Ethics instructor? Have you never DL'd an MP3? Cyber terrorist? Ok, Bush.

Neon Samurai
Neon Samurai

Especially as an educator, please, let's not start more "Hackers are terrorist" type BS. The public misconception that all hackers are souless criminals is bad enough. Cyberterrorists? That's just a balatanly ignorant error of understanding and from an educator and security professional? Really? You need to get yourself copies of 2600 for both professional and intelectual growth. A criminal is a criminal regardless. Using a computer for criminal intent is no different from using a crow bar or club; why must we make it something special in the first place. Existing laws even cover such criminal offenses. What we must differentiate is what Hackers and hacking is all about versus those who would breach a system without authority or any other criminal act with or without a computer. I mean I'm 100% with you on this point: "If you are logging onto a system for which you are not authorized, that is a criminal act. I don't care if you do nothing but look. It is still theft of computer services." Absolutely, correct though nothing to do with Hackers. Not remotely what hacking is about in any way. I don't through the magazine title around on a whim nore do I work for or intend to premote it but for you, as a security professional, I gotta say; you really need to hit your local Borders book store and buy a copy of 2600 magazine. This is a quarterly you can comfortably consider a professional journal. Hackers are not the higschool skript kiddies or ill intended criminals that most actaully mean when using the term. Terrorists are criminals. Criminals are criminals. Hackers are not and have a lower opinion of the first two groups then, by the sound of your comments, even you have. http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=255648&messageID=2438407

NthDegree
NthDegree

When the barbarians sacked Rome, did Ceasar invite them? When the barbarians are at the gate do you try to placate them? The US Military did not ask him to hack in. He violated not only US laws but international laws. If he had worked for Russian intelligence, he would have been shot on sight. He potentially saw information that could have compromised our security. In my opinion, he is the barbarian. Wanton destruction for no good purpose is very barbaric. He also caused over $700,000 dollars in damage and expenses. If he had robbed a bank for that much money, how many years would he have gotten? An that is just simple theft. As for his trial and rights, he will be afforded every right that American citizens have even though he isn't one. I also doubt he will get seventy years that's just the maximum. As the old jailhouse saying goes, if you can't do the time, don't do the crime. He knew he was doing somthing wrong and he did it with no moral concience and with deliberate intent. Sound like any barbarians you know about?

ESchlangen
ESchlangen

The security or lack thereof is no excuse. Did he know that the systems that he broke into were not his? If I am working in the fields and leave my door unlocked (common in the rural area where I grew up), does that mean you can come in and take anything you want? Sure those organizations that were hacked should tighten up their security. But that does not relieve him of the responsibility for the actions that he chose to take. Perhaps you would be more concerned if it were the Ministry of Defense that he hacked instead of us "barbaric" Americans.

NthDegree
NthDegree

I have never downloaded an MP3 illegally or anything else for that matter. The product we sell is designed to monitor networks for intrusions and such. And yes it's very secure. I'll pay a years salary to anyone that can unscramble our encrypted executables. I don't need a cracker to test our software. We have extremely intelligent people that can run rings around them. I also don't do cheap insults. Last time I looked, this country still supports freedom of speech.

NthDegree
NthDegree

When that computer criminal (I'll refrain from calling them hackers as it's true it's taken a different meaning in recent years and I was using it in its current connotation. My apologies to true hackers) shuts down an electrical grid, gets into a hospital's system and changes prescriptions around, gains access to national security information or shuts down thousands of web sites all of which could cause hardship and death and you don't call that terrorism? Sorry, I think you're the one that's way off base. The internet and the computer systems of today are undeniably an integral part of our society. Any attack on that infrastructure has to be treated in the same way as an attack on any of our other infrastructures (e.g. gas, water, electrical, bridges). Just because the internet is always depicted as a cloud-like entity, doesn't make it fair game for joy riders. Maybe you should do a little more reading about the billions of dollars computer crimes have cost our economy. How security breaches have affected our national securiy. As being someone who sees first hand everyday, what effects computer criminals have on our society, I stand by my assessment.

boomchuck1
boomchuck1

The problem is that the English language has taken the word Hacker and given it a different meaning than may have been originally intended. This has happened to many words. Can you refer to yourself as being gay without someone thinking you are homosexual? Other words just tend to get their meaning stretched to include more than was originally intended. Is your frig a Frigedaire? Hacker, in the general public, has taken on a meaning that includes the criminal type. Even in the hacker world people find it necessary to indicate that they are White Hat Hackers, apparently to distinguish themselves from the bad guy hackers. You can fight it if you want but the term hacker has evolved to include criminals. The way the English language works you are unlikely to ever get it back.

neilb
neilb

I didn't deny either his guilt or his crime, merely the fact that he would not have received justice [b]in my eyes[/b] because of his inability to work your system of justice and the, [b]to my eyes[/b] barbarity of that system that has 686 people per 100,000 population in the slammer. This compared with our figure of 139 per 100,000 and we are the highest in Europe. If he had robbed a bank over here, he would probably have got six, maybe eight. What would NOT have happened over here is a threat of seventy years to make him cop for a shorter sentence on a guilty plea as we have just seen with the Natwest Three. I might suggest that the $700,000 damages and expenses is due both to his hacking AND the overreaction of the relevant US authorities. HE maintains that he did no damage but that's certainly not true as simply cleaning up after him would have cost real money. However, all of this needs to come out in a trial but so long as this guy is threatened with an increased penalty unless he pleads guilty, the truth will not come out. As for whether he would get 70 years? What on Earth do you have maximum figure like that FOR, then? How does McKinnon know that he "probably won't get that much"? Twenty? Thirty? What?

Neon Samurai
Neon Samurai

There's cause for concern on both sides. The US gov wants to make an example of this Cracker. While he should be punished for breaking and entering, I'd be hard pressed to expect he actually have a fair penalty. They should be putting far more concern into there sad state of information security rather than trying to redirect public attention away from that with this case. (How exactly did he cause hundreds of thousands of dollars in damages? Did he format drives and delete files or just damage some military officer's reputation?) On the other side, the Cracker who knowingly chose to breach systems without owners consent is responsible for his actions. Regardless of what personal research crusade he was on, he lost the title of Hacker the moment he decided to break and enter. I'd like to see him penalized for the criminal offense but that could be done just as easily with a prison sentence in a British facility under a fair ruling of time to be served. What he did is not legally or morally justifiable but what the US wants does seem more political than judicial. (You [cracked] a computer across state lines? Are you stoned or stupid?)

Neon Samurai
Neon Samurai

Regardless of the system configuration he breached, he knew that he had neither ownership or approval from the owner to access the system so there is no defense on his part for that and some form of punishment is warranted. (It's not the good old days when one could leave the Admin an email from there own account telling them how to correct there configuration nor is that what he did.) On the other side, if the system involved was owned by a private company then there security or lacking security would be there own business. The systems being owned by the government makes them property of "we the people" and there is no excuse for a military/espianage/government system to be left that wide open; are these not the peopel tasked with defending the nation from threats both real and politically dreamed up? I see two guilty parties in this but a whole lot more attention being paid to one party for the benefit of avoiding attention by the other.

neilb
neilb

then I'm sorry, but you absolutely fit my definition of the word. Oh, and a $1.75million fine. What I have is a problem with the concept of "plea-bargaining" when a defendant is threatened with a long term of imprisonment - or worse! - but is then permitted to plead guilty to a lesser crime with a lesser punishment whether he actually did it or not. Given that this guy is not a US citizen and has no money, what chance does he have within your legal system? None. Also, I'm pretty annoyed that British citizens should be extradited to the USA when the US government (NOT the UK government) has not signed the extradition treaty between the two countries. McKinnon was originally arrested in March 2002 and the first extradition request came in 2005. What's up? Had to wait until the numbers of "terrorists" slammed up in Gitmo went down before you could get round to THIS "terrorist"? Given that the US authorities admitted that "no classified information had been accessed", 72 years is barbaric.

TheSwabbie
TheSwabbie

Youre right! No matter how you slice it or dice it - Hackers are criminals. They intrude into systems that they are NOT legally authorized to enter. If you google search hackers you will see a sort of "motto" - whats mine is mine, whats yours is mine". Basically the mindset is that ALL information should be open to everyone and if its on the internet its FAIR GAME. Not so. To them its a challenge to intrude on a system, some sort of Ego boost, whatever. The long and short of it is that they are breaking the law and should be arrested, convicted (if guilty) and sent to prison. The home analogy is perfect. Just because someone leaves their door unlocked does NOT give anybody the right to enter the house and snoop around or whatever. Just walking in the door constitutes "Breaking and Entering". There is no love lost with any Network Admin or Network Engineer that has had an intrusion and was left to deal with the reprocussions, loss and possibly damage to data. Unfortunately, there are too many "immature" little boys and girls out there that still believe they should be allowed to do anything they want in other people's systems... Maybe some jail time will help them GROW UP and act responsibly.

Neon Samurai
Neon Samurai

Provided you are not promoting or spamming the discussion with your product, it's would not likely draw the ire of the TR moderators. In this case, it would probably have been rather on topic. In my case, I was honestly interested to read more about it; encase you felt it was an attempt bring out a target to criticize. While in many places one would question a police officer's personal dealings with the law (the bad ones get all the press unfortunately), the mention of ethics does not cause me to question instantly (computer security and ethics was the best course in my time at Uni). My issue was purely with the use of the discussed term as only a pejorative; we've beat that dead horse in this discussion already. Understandably, there is no expectation of further posts here though I do hope you'll join in other discussions.

NthDegree
NthDegree

What amazes me is that because I have taught computer ethics, people immediately begin to question my integrity or assume that surely I have downloaded some copyrighted material. If someone introduced themselves as a police officer, would someone immediately ask them, "Have you ever gotten a speeding ticket or stolen a car?" I have never claimed to be perfect (even math teachers get a problem wrong once in awhile). As for your definition of ethics, it's a little off base, Ethics is not someone deciding what is right or wrong it is society as a whole and an individual's conduct in relation to that society. Computer ethics is quite simple in concept, if it isn't yours, don't touch it. I fail to see why that is such a difficult concept. As for our software, which I will not mention in here as it is a violation of TechRepulic's Terms of Service (there's that damn ethics thing again), suffice it to say that it is being used by nuclear power plants, U.S. military and several federal and state government agencies including law enforcement. In addition, these are my views not my company's, and as such, I will keep them seperate. This is also my final post on this subject.

normhaga
normhaga

While this is a late reply, I will attempt to give accurate answers in an analogous manner that may hit home when viewed from some of the current threads and from history. ATT/Bell Labs New Jersey held the same philosophy that you portray. Does the L.O.D. (Legion of Doom) ring a bell? If they do not, it is the group that penetrated a secure, government funded laboratory and stole the source code to Unix. Look at the the situation involving the secret service operation called Operation Sundevil. Windows Vista DRM lasted three days in the wild. The D.O.D. computers have been penetrated. Bell Labs had 100's of very bright people working there who could run rings around "them." You assert you have never dl'd an MP3 or anything else illegally. Have you ever watched Youtube? Youtube also carries illegal content. Have you ever speeded? Have you ever read a thread on encryption, they often give illegal information that violates copyrights and patents. Ethics are nothing more than someone deciding that something is/not acceptable and really has no real life or meaning of its own. You tout the security of your product. Have you sent examples of your code to the NSA's free cracking service? Most application take less than 5 minutes to crack and the NSA will tell you how they cracked it. My uncle has a Ph.D in mathematics. He spent a year on an encryption program as a hobby and used involved algorithms based on some intense math. Total time by the NSA to crack the encryption - 10 minutes. He sent me the two page NSA report. Ilock was supposed to be unbreakable. It took a concerted effort by the group AIR one week to crack it. They did it by attacking the encrypted executables. If you have a product that is of value to someone cracked, it will get its test. No need to pay someone. If the program lacks value to someone, it will be ignored. I did not intend a cheap insult. If you took it that way, you misunderstood. It was a point made about accepting information on blind faith.

IC-IT
IC-IT

Are you willing to setup a normal server that has no honeypot or tripwire attributes and allow us to legally test the penetration? PS your other post above showed the difference between the normal script-kiddie and a cyber-terrorist i.e. purposely going in to shut down powergrids, rearrange drug scripts, etc

Neon Samurai
Neon Samurai

I just read a great article on Sonicpoint and related appliances. What is the product you produce? Those extremely intelligent engineers of yours are probably Hackers or share the same mindset of life long learning and curiosity beyond what the user manual says a thing is limited too. You may even find that they already have issues of the quarterly that you could borrow to read through. Serious question though; what is the product or branding? If it's a security appliance I've not look at then I'd be irresponsible in my profession to not do so now. (I leave the rest of the comment and post your responding too with it's own defence itself as freedom of speech is the last thing I want to see repressed; I just ask for correct terminology or at least understanding the meaning behind the words even if that was not the intended meaning.)

Neon Samurai
Neon Samurai

Did the person break into a system without authority to do so from the owner. Did they accidentily stumble into the companies wifi they disconnect when they realized the error or did they intend to breach security or cause harm. You'd find that most who fall into the Hacker mind set do not approve of breaking into computers without approval from the owners. Like any group, there is a degenerate minority who will use any skill they can pilfer too get something for nothing but the Hacker community does not support or premote such degenerates; hense the very derogatory term "cracker". Security hackers are only one group within the greater community and many focuses of interest for hackers never come closer to conflicting with laws except for voiding warrenties on there own purchased hardware. Too differentiate, I put importance on intent and authorization. It's simple, if you don't have permission to connect too a machine then legally, anything behond a portscan of the most external access point brings legality into question. Well, in Canada thief of service comes into play only after you try to connect and interact in any way beyond the equivalent of seeing the front door from across the street. Intent can then differentiate between accidental harm and intended harm. If someone steps on my foot in the mass of subway travellers then there's no intent to harm and no ill will expected. If someone makes a point of stepping on my foot then I'm going to have to consider why the demonstrated the intent and respond accordingly. If someone breaches my system then there are legal results. If the person happend across my wifi and didn't realize they'd crossed connections (not possible with my setup but for an example) then I'd boot them and go about my day. If they intended to connect and did so repeatedly then we have an issue. If they intended to connect and cause damages to my network then the issue is much bigger. If (and baud forbid) they connected with the intent of using my network as an anonamizer to purpetrate crimes beyond my network then we have a huge issue and I'd be pushing to see very harsh penalties; but, within reason. If a criminal shuts down an electrical grid then you have someone responsible for harming others and legal penalties apply; absolutely. I don't care if they hit the power station with explosives, pulled down power lines with a pickup, whacked a blocks power splitter with a crowbar or happened to cause the same effect by employing information technology. The tool they chose is irrelevant since the result and intent was the same. I'm also not saying that networked information systems are not an integral part of modern society. I'm actually very much supporting that notion. My meaning is that Hackers are not the inherently criminal sociopaths that public media would have us believe. The network started as the project of a few backroom computer hackers with some (direct or indirect) government funding. that humble start has grown far past being even just an American network that other's are allowed to borrow. You must see the irony in posting blanket statements on the internet that condem the very social outcasts who developed the internet though. Any attack in infrastructure absolutely has to be (I repeat myself now a third time I think) responded too with legal reprecussions. The point is still that it is a criminal act and intent and as such should not be made special by labeling it "computer criminal", "cracker" or any other cool sounding buzzword instead of what it is; Criminal. A criminal isn't special because he uses a crow bar or a keyboard any more than a Hacker is, by default, a criminal. Again, why must we differentiate and say "computer crime has hurt our economy" - NO, crime has hurt the economy and some of it was purpetrated using information tools just even if the majority of it On the topic penalties for crimes regardless of the tool used during the crime; we agree fully. My reaction was too the black/white assurtion that all Hackers are terrorists. Not just criminals but terrorists. Too that point I say, hacking has nothing to do with crime or terrorist activity. Believing the media's definition of hackers is like believing the media's demonstration that anyone can just jump in a chopper and fly off or that Jack Bower is a real person saving the free world season by season. As a security professional, I'd highly recommend picking up a compule issues of the quarterly, you may find the creativity and curiousity of some of those you condem with blanket statements rather enlightening and of benefit to your own product and professional development. (I have no busines ties to the quarterly though so it's simply a recommendation in passing and your free to do as you choose) (My spelling sucks but it's just one of those days) Lastly, for this rant, I actually persue the profession of information security because I want to see systems better protected from the intentional or accidental damages you have so much concern over. I have even lost contracts because I've seen networks completely overrun and wide open and couldn't hide my surprise that such companies would allow such conditions.

Neon Samurai
Neon Samurai

I'd direct you too the jargon file unless you can find a published copy of The Hacker Dictionary. http://www.catb.org/~esr/jargon/html/H/hack.html http://www.catb.org/~esr/jargon/html/meaning-of-hack.html A quick and dirty solution "hacked" together as your mention is one meaning though I don't think it's source is building furniture with rough cuting strokes. It is also easy to think of it as hacking one's way through dense jungles of cabling but that's really more specific to security only. If you think back to the MIT model train club, there was both meanings. Hacking together the wiring under the model table and experimenting about just too see what the outcome is. As a source of the word, I've heard old english sited. In equestrian terms a hack is a ride about the fields on horseback with no specific destination or or focus like jumping or racing. This fits the regular use of the term as a computer hack is defined as poking about on your machine or in your source code with no specific goal in mind. (It's a geek word so reaching back to old english isn't very far fetched) In terms of the media; fear sells. It's not in there best interest too use correct terms when there abuse of terms can be used to generate fear and higher sales. I think it's one of those words that one can use if they are in with the group because one understand the subtle meanings. If your not in with the group or at least understanding of it beyond what Hollywood tells you then the meaning is lost and you only understand what you've been brainwashed into believing. "Cracker" also comes from old english as in Shakespear's "What cracker daines to cross my ear" though the derogitory meaning found in the American south emparts the same feeling in it's meaning.

Ed Woychowsky
Ed Woychowsky

Unless I?m mistaken, the term hacker originally referred to a programmer, who coded as if they were making furniture with an axe. The end-result worked, but it wasn?t pretty. Over the years the term has come to mean someone that figuratively used an axe to hack a system. Mostly, this change is due to the inability of the media to distinguish acts of creation and acts of destruction. And, face it, acts of destruction get a lot more attention than acts of creation.

Neon Samurai
Neon Samurai

The post at the start of this thread blatantly says that Hackers are terrorists; period. No discussion, no room for anything beyond hacker = terrorist. (which alone is about as valid as bringing up various german references to support ones claims) For an off the street person who's only learned computer history through TV that's still extreme but I understand where the mistaken idea that hacker = criminal comes from. This opinion is from a security professional however. One would think that information security being your profession would lead to you knowing something about computer security history and those driven by there curiosity to learn a thing down to it's lowest levels. The reason that the Hacker community continues to through out ways to differentiate is directly in reaction to constantly being cast by the media and general public misconception as inherently criminal. Cracker arose as a term for degenerates to differentiate ethical Hackers (a redundant term) from crackers. Hat colour again is an attempt to give the media a way to differentiate between criminal behavior and Hackers. It's just not as cool sounding as "Hacker" so the term continues to be abused to mean the modern day boogieman. I personally don't like the BS "I'm a white hat" "I'm a grey hat" "I'm a black hat" terms but fair enough, the serve a purpose. Bah.. I just had a look to see if the 2008 issue 2 of 2600 magazine had the editors opening article posted; no luck. It's a little long for me to transcribe and privid a link too and definately too long to include here. If you can find a copy of 2008 Summer (v24n2) it's about the best currently analysis of the general Hacker community. In all the letters I've read that got published in the magazine asking for "can some hacker group help me hurt X for doing Y too me", I have never seen a response that supported, premoted or helped to carry out the request. In v22n1 (again, if you can find it or choose to order the backissue) the resopnse to one letter goes like this: "Hackers are curious and inquisitive by nature and will spend an awfully long time trying to find results. That holds true of people writing computer programs, scanning for interesting phone numbers, decrypting algorithms, defeating security systems, and any number of other activities. They are all bound together by a quest for knowledge and aren't inclusive or exclusive of any particular age groupk, sex, race, nationality, etc. Technology isn't even a requirement for the development of a hacker mindset. But people who have no interest in the actual learning process and ar focused instead on stealing, intimidating, bragging, privacy invasion, and other such ends really aren't hackers in our opinion. The mass media may disagree since they consider anyone who touches a computer and then does something bad to be a hacker" "Of course, it's also possible for someone to have a hacker mindset and then use that ability for evil purposes. But when they make the transition, they pretty clearly leave the hacker world behind." - 2600 magazine, volume 22, number 1 (2600 folk, if you happen across this please know I transcribed it with the best of intentions and not in full as the magazine is your bread and butter) This is not the daily inquirer or some supermarket rag; this is about as close to a quarterly scientific journal that the community has. I think that response to the letter (I didn't want to duplicate all the text as they give most of there media outside of the magazine away at no cost; freedom downtime is no professional work but it's historically accurate regarding Mitnick). And the points they made? - hacking is a mindset not an action or activity. It is constantly questioning and seeking to understand (that constantly questioning scares the hell out of authority figures) - hacking often involves exploring technology but does not depend on technology being involved - hackers are not an elitist exclusionary group but very much the opposit; come one, come all who have a love of learning beyond what button to push to download pron. - criminal actions are *not* hacking or part of the hacker mentality This is representative of the greater communities opinion in everything I've read and seen outside of the BS media sensationalism. (boogiemen get eyeballs and sell issues after all and that's what mass media is all about; whatever sells the ragg or 60 minute time slot) Last, was gay (meaning happy) originally used to describe a subset of the greater population? Yes, words change meaning within language as it evolves but words have specific meanings and if we do not make a point of using the correct meaning then they loose all meaning. Apathy is not the answer. Labeling a large population of the online world criminal by association is not the answer and make no mistake, Hackerdom's natural element is the online world; who do you think built it after all. Don't be a mass media fed blind sheep. Ask questions and seek knowledge (within legal limit). If you see something, say something. Above all, don't laydown and die just because someone told you it was in your best interest or because "that's just what the word means now". Hacker does not inherently equal criminal; Criminal inherently equals criminal. Let's not make crime special because it involves a computer and let's not destroying the meaning of a word because it's abuse sells more movie tickets.

Neon Samurai
Neon Samurai

The people who would blast you and advocate tolerance of crime regardless of tool used are not the people that most should take seriously in the first place. I agree, like martial arts, such skills need to be used with positive motivation. The majority of people who use Hacker discovered tricks are those who barely have the skill to run a script that replicates the exploit; Hackers they are not. Still smart "kiddies" mind you and surely smart enough to find a positive outlet. This may also be the result of mass media paranoia and the ostracizing of those who show higher intelligence or above average curiosity of what most consider a mundane by the average person. Being from a small town of sports jocks, I know I sure wasn?t the cool kid for knowing about computer beyond how to turn them on.

neilb
neilb

then the charge would be different and therefore the maximum sentence would be different. No-one did die. Although, according to one US prosecutor he has committed "the biggest military computer hack of all time" and that McKinnon's hacking was "intentional and calculated to influence and affect the US government by intimidation and coercion". Whatever. We will find out what happens as my craven government will not try and sentence McKinnon here as should be done and seems quite content to hand over the man for your government to use as a scapegoat and example.

NthDegree
NthDegree

Consider if the information he obtained resulted in the deaths of four or five uncover operatives or allowed terrorists to obtain information that allowed them to blow up an ammo depot and it killed dozens, would that warrant seventy years? That's what the max is FOR. Although personally, and I will get blasted for it, I have little tolerance for computer crimes. These are not stupid people, doing stupid things. They are, for the most part, extremely intelligent even geniuses. You would think they could find a better outlet for their talents.

neilb
neilb

Unfortunately, there does appear to be some (misguided from my perspective) desire on the part of the UK government to co-operate with the US authorities by electing NOT to try McKinnon in Britain. He should have been tried here, convicted (as he surely would have been) and locked away as an example within the UK Justice System. What I think is happening is that someone within the UK government is hoping that when McKinnon gets 20 years and a million Dollar fine in the US it will act as a much bigger deterrent to UK-based crackers. THAT is wrong. Neil :)

boomchuck1
boomchuck1

Before you bring a case to trial you have to make sure that you have sufficient evidence etc. to make sure you can convict. It is not unusual for a person to be indicted and then have the case not go before a judge for a considerable amount of time.

neilb
neilb

Two issues: firstly, I believe that the UK government is complicit in a demonstration to UK hackers in particular and to hackers world-wide that attacking US installations will be punished severely. I have no problems with a punishment that fits the crime but it just isn't fair to use this guy and wreck his life to prove a point and for the UK not have the balls to do it ourselves. Secondly, the concept of plea-bargaining where a threat of extreme punishment is made - HAS been made in this case - with an implicit or explicit indication that a guilty plea would be accepted to a lesser charge, doesn't fit with my definition of justice. In this case, McKinnon has been threatened with a greater level of punishment just for opposing extradition although the US justice Department denies that. I'd like to see THAT resolved! Lastly, why did it take the US so f'cking long to get this sorted? This, again, tends to lend credence to a bit of conspitracy.

schmidtd
schmidtd

There are way to many systems today that are weakly secured but remember the same it true of most houses. Odds are you have a lock on your own front door that can easily be bump keyed and accessed in less than a few seconds. The U.S. government should better secure it's networks, but that has nothing to do with this guy's crime. It is completely fair for this guy to serve some jail time. That said, the one thing I don't like about computer tresspassing laws is there never seems to be an honest attempt to really look at how serious the damage to the system really was. There is a difference between simple tresspass and looking around (real world, tresspassing), stealing data (real world, theft) and trashing the systems (real world, destruction of property). Just because it happened on a computer doesn't mean you give someone a punishment way out of line with equivilent real world crimes.

ESchlangen
ESchlangen

Actually, we do not agree. And as for your contention that you were responding to Conexxions, you should take a look at the post. The one that refers to me, by name and refers to me as "boneheaded" and ignorant. I would say that qualifies as responding to me, not Conexxions. A house is not a computer. But that does not mean that the concepts do not apply equally. If we have to re-develop all of our legal concepts everytime we refer to a different physical (or even virtual) object, our legal systems are in a lot of trouble.

Neon Samurai
Neon Samurai

You have no argument from me that cracking into a military network is going result in more severe response than cracking into a civilian network. I can't remember if it was just NASA systems he broke into though I could see why he'd make a run at the area 51 testing facility if he did that also. When doing contract work on local military bases, I was well aware that something like printing "haha" out of a network printer on teh other side of the country was going to bring the military police to my office door in under ten minutes. I'm surely not going to say that a cracker does not deserve penalties for breaking into a system. The moment he knowingly breached a system he had no authority to access, it became a criminal offense not some guy looking for evidence of aliens or anything related to Hackers. But the question remains; what did the military network security professionals have for lunch that day? There where obviously out too it. If some shmuck can cross country borders, cross state borders, cross onto military base network and access then some CISSP and his incompetent security underlings have a huge part in this too. Ok, so it was a military rather than business network; Gov versus civilian. So give him 20 instead of 10 years. 75 instead of 10 though? (I'm guessing, I don't know what sentancing has been like in the past for burglury) He wasn't in there pulling secret weapons specs to sell on the market. His life has already become a true living hell since the initial breach and he will likely see time served. Ramming him up for 75 years or sending him for vacation in gitmo still seems rather extreme. Punish him with fair sentancing (which still could be carried out in UK) but don't turn a blind eye to the incompetents tasked with your national security.

jdclyde
jdclyde

is and should be Espionage. That right there elevates what could/should be done, and how it should be handled. It is VERY different than to hack into the corporate pc's. No, they won't give the guy the death penalty, but it should be a military trial, not a civil trial.

nighthawk808
nighthawk808

Simply trace the line back up and you'll see that I was replying to Conexxions, not to you. He is the one who said your house analogy was perfect. But, since you're here: a house is not a computer. A computer is not a house. An apple is not a zebra. A zebra is not an apple. If you'll look at my post, you'll see that we do agree: I specifically said that Alice is culpable too, but that Bob is the one who let it happen. Where did your nutty idea that my post came from some sort of anger with my management come from? If I didn't like my job, I wouldn't have been at it for so long. While I don't agree with every decision my higher-ups make, that is because there is no one on the planet who gets everything right every time, not because I'm somehow angry at them. The management I have right now is head and shoulders above any other place I've ever worked. Far from being angry with them; if they weren't as good as they are, I would have left this job years ago. And I don't think any of them ever visit TechRepublic, so I'm not just saying that because they might be lurking.

neilb
neilb

Well, yes, and I think it is deliberately so to put the frighteners on anyone else who gets into inadequately secured systems. I do want McKinnon to get what he deserves and that does include some jail-time but the key word is "deserves". It's taken three years for the US authorities to request extradition so McKinnon is screwed on any question concerning dates and times. We are hearing damage and costs numbers as high as $1m bandied about but this is mainly because that incompetent admins for the systems in question shut down for a week because they has no idea what was happening. Are they going to get their arses reamed? This guy was a muppet. He shouldn't have been able to get in where he did. The thing that I was really annoyed about was the suggestion from the US that if McKinnon opposed extradition, he'd be treated more harshly. That is just not acceptable. I will state my main point again: Punishment should fit the crime and the criminal. Neil :) There is little doubt that the US authorities will eventually get their hand on McKinnon and we will then see what happens. Only a ruling by the House of Lords (top of our judicial tree) can prevent him from being extradited.

neilb
neilb

Yes, but we don't ship illegal immigrants back to countries that have too harsh a level of punishment so why are we shipping a UK citizen to the US, a country that practises comparatively very severe punishment, is legally and politically unaccountable and does not recognise any international courts? When your government and authorities finally get the post-911 emotions under control and start acting a little more rationally on the "War on Terror" (Close Gitmo!), then you can have McKinnon.

ESchlangen
ESchlangen

I never said that those in charge of the security on these systems was blameless. That was not my point. My point is that the gentleman from the UK seemed to think that the person THAT COMMITTED THE CRIME was, if not blameless, being unfairly treated, at least). A crime is a crime and the house analogy is right on the money. If you break into someone else's system, you are committing a crime. Period. End of story. It does not matter how you broke into the house/computer, it IS a crime. That is all that I was saying. I do not know whether the individual in question received appropriate punishment. That's not what I'm taking issue with. I'm taking issue with persons that apparently think "Oh, it's just a computer crime, it's not a REAL crime." The issue of the security personnel doing their jobs is completely separate from my point. I think that you will see this, if you re-read my post when you aren't angry at your management.

Neon Samurai
Neon Samurai

This thread is bad enough with the usual "Hackers are obviously and only criminals" but wait till you read the "Hackers are terrorists" crap below if you haven't already. From memory, the article I'm thinking of in the title/subject line asks why, is it always and only "those damn hackers" that are responsible when there is a loss of data by a major business or organization. An employee leaves a notebook on the subway; hackers must have stolen it. A hard drive get's sold off through eBay without being sanitized; damn hackers fault again. Bob marketing guy walks out the door with thousands of customer records and looses the database; hackers obviously. The first response is always "well, it was hackers! They stole the data! It sure wasn't my incompetence and lack if will to consider security when transporting highly sensative data; no sir." No one questions why an employee had umpteen thousand client records on there notebook unecrypted and unattended or forgotten in a public place. It's more important to place blame outside the company even if it's on a completely unrelated scape goat. I gotta admit, when I see someone actually refer to criminal intentions as the actions of a Cracker or a news article that properly places blame on criminals rather than the latest buzzword; I celebrate a little too. What can I say, long time OS/Security hacker, recent 2600 regular reader. Getting the monthly issue off friend's coffee tables just isn't enough. I'd commiserate and say I can't wait for the next quarterly but I'm also reading back issues :) so that keeps me between seasons (2001 is going to be an interesting four issues when I finally read back that far). Anyhow, good to know I'm not completely off the deep end with this one. I do try to keep my Hacker rant to myself but every few months or so the pile of BS get's too much too sit beside and not smell. It's also good to bump into another reader from the tribe.

nighthawk808
nighthawk808

However, even better than 2600 for getting a feel for what it truly means to be a hacker is Emmanuel Goldstein's show Off the Hook, on which Mitnick himself has made more appearances than I can count. Every episode since its beginning almost 20 years ago is available for free at http://www.2600.com/oth One paragraph from the most recent issue of 2600 is a nice summary of your point: "But something else which hasn't changed over the years is the malignment of hackers and what we stand for. The irony is that most people understand perfectly well what we're all about when presented with the facts. The mainstream media, however, never has and probably never will. It's simply not in their interests to portray us as anything but the kind of threat that will help them sell newspapers and get high ratings. Fear sells - that is the unfortunate truth. And fear of the unknown sells even better because so little evidence is needed to start the ball rolling." On the show, Emmanuel et al. have made the distinction between "criminal" and "hacker" at least a hundred times, yet sadly it is still cause for celebration when a news story says something like "criminals stole a million credit card numbers" rather than "hackers stole a million credit card numbers".

nighthawk808
nighthawk808

It's not even close. It never has been, and ESchlangen is far from the first person to come up with the boneheaded idea that a house is the same thing as a computer system. He certainly won't be the last, either, as ignorance is the only thing more pervasive and harder to kill than cockroaches. Let's play with your building analogy. Let's say that you have data on me (my bank, my credit card companies, etc.) or have data that I paid for as a taxpayer. Now let's say that you keep this in an unlocked file cabinet in a building with the front door unlocked. Now let's say that some passerby (we'll call her Alice) jiggles the door handle and finds out it's unlocked. When Alice walks through that door and takes my file out of the cabinet, I'm going to be pretty mad at her, but it's Bob--the moron who left the door open--whose head I'm going to go after. Alice wouldn't be charging up my credit cards if Bob had a clue. Yet in your world, Bob is somehow the victim. I'm not defending Alice, but Bob has committed contributory negligence here. "There is no love lost with any Network Admin or Network Engineer that has had an intrusion and was left to deal with the reprocussions, loss and possibly damage to data." Waahhh! I didn't do the job I AM PAID TO DO and now my laziness and/or incompetence has turned out to have real world consequences. Why can't I just sit here with my finger up my nose and draw a paycheck every week? This security stuff is hard. Waahhh. That's why security experts and competent admins are *professionals*, not chair-filling wastes of a perfectly good FTE. As a manager, you of all people should demand that the people in your department be doing their job. Their performance is a reflection upon you. But in your case, I suppose that only applies when they do well, right? When they screw the pooch, that's their own problem and naturally nothing you had anything to do with. Or, according to your line of thinking, it's not even their fault; it's the fault of someone who came along and showed them why network administration isn't something you can just do in one day and then take the rest of your career off. Unfortunately, there are too many "immature" little boys and girls out there that still believe they should be allowed to collect a paycheck without having to do their job... Maybe some reality checks will help them GROW UP and act responsibly.

boomchuck1
boomchuck1

The issue as to how justice is handed out is where the crime was committed. He may have been in the UK but the systems he broke into were in the US. At that point he is under the jurisdiction of the US courts. Doesn't really matter what he might have got in the UK. Kinda like getting caught with hashish in Turkey.

SoftwareMaven
SoftwareMaven

The eighth amendment prohibits cruel and unusual punishment. Without knowing what systems were hacked and the potential issues that provoked, I can't say whether 72 years is reasonable or not. However, I can say "creating an example" should fall into the "cruel and unusual" category.

Neon Samurai
Neon Samurai

There is a difference between a long and applicable jail sentance and a multiple life sentance (reserved for murder and three time loosers). What they want for this guy is on the level of stuffing him in one of those jails that don't exist indefinately. If the goal is excesively harsh punishment too disuade other criminals from doing the same then why not just bring on the chair? Would the punishment be 70 or more years in prison if it had been private companies breached or a breach that didn't emberass some higher ranking military officers? "Because it is there" is not a valid defense but neither is "but he was the bad guy, our poor security practices are not relevant".

Neon Samurai
Neon Samurai

Warning: this is a rant but not meant to be hostile though having reread your post, I realize you have no clue yet every convicion that your lack of understandnig is richeous. "Hacker", contrary too what the mass media tells you, does not mean criminal. A Hacker is simply a person how is curious about a thing beyond that of the normal person. The average user wants to check email, download "artistic" images and video, talk to Aunt Ethel or whatever basic "it just works" type task they do without caring for how that task is accomplished beyond what buttons to push. (most people are in this group and that's fine for them) The Geek is the step above who takes some interest in what parts they build a rig from and such but we're not quite there yet. The Hacker is the person who must *understand* how the computer does what it does. When I press the mouse buttons, what happens out of sight within the OS? How does that pulse flow around the BUS through the CPU and back out as a response? Knowing this lower level of the technology, how can it be extended to accomplish what it was not originally intended to do? Please do not insult a very large group within the online community including those who figured out this whole "Internet" thing in the first place by blindly calling the community criminals. Hackers hate criminals who would choose to harm others through technology more than even the media mislead, paranoid public does. Think of "to Hack" meaning "to understand" at a very low level of any process. There are Security Hackers (what most people project criminal intentions on too). Hardware Hackers are more interested in modifying there purchased and owned hardware to better understand the hardware side. Kernel Hackers are the groups of developers who enjoy understanding and extending Linux, BSD or other OS kernels. I've even met Brain Hackers who take more interest in psychology and social engineering yet still not for ill intent. Car hackers mod there cars (prius is a favorite for modders). Case Modders are a subset of Hardware Hackers. Darwin could be described as a biology Hacker for his rejection of ?do as your told? in favor of researching the details under the hood of this whole evolution thing (Hacking is a state of mind not a specific action). In the case of security Hackers in specific; these are the people who will take the time to evaluate and understand security processes (physical and digital) in detail rather than blindly accept what they are told. When a security weakness is found, it is brought to the attention of the applicable authority so that the system can be improved. I read a great article by one fellow who had an hour to kill so he (being a security professional) "audited" the airport: - airport security staff where clueless and uninterested. - airport security hardware was prominent but not aimed properly at the areas it was meant to cover. - doors to secure areas where left unlocked and unmonitored. - dividers between secure waiting area and the "outside" area could be easily bypassed on the second floor by melting the weak rubber seal that held glass plating in place. - (my favorite) on the second floor there was also a bank branch closed for the weekend with front doors wide open and computer terminals left turned on (monitors facing the open doors). - he walked around the place "casing the joint" and talking to airport security while wearing a black t-shirt with big white block letters; "I am a security professional". Never questions, never stopped, never observed or noticed. He didn't enter the bank branch (yet it's expected by the media brainwashed that any and all Hackers would have hit that cash dump without thinking or morality). He did not pass through unlocked doors from unsecured to secure areas. He did not remove the weak link of a glass panel between unsecured and secure areas. He did not push old ladies, steel candy from babies, cause anarchist chaos. All he did was prove, yet again, that airport security has nothing to do with security and everything to do with traveler confidence and terrorist paranoia theater. He tried to point out the flaws in hopes that they could be addressed and corrected; obviously he must be stopped being a Hacker who's such a threat to civilization as we know it. Criminals simply use the same tricks that where long ago discovered by Hackerdom but that does not mean one is equal or synonymous of the other. This British guy has nothing to do with Hackers or Hacking regardless of what the media tells you. He happened to use a computer and the same techniques but that's the end of it. Consider the actual definitions of the terms: From the Jargon File http://catb.org/jargon/html/go01.html (The Hacker Dictionary maintained with correct definitions since the MIT model train club days) Hacker http://catb.org/jargon/html/H/hacker.html 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. RFC1392, the Internet Users' Glossary, usefully amplifies this as: A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. Cracker (criminal class of subhuman life) http://catb.org/jargon/html/C/cracker.html Samurai http://catb.org/jargon/html/S/samurai.html That last one is my personal leaning hence my life long interest in computer security and future career path as a security auditing and penetration tester. If you really want to understand what Hackers are about, check out the quarterly 2600 magazine in your local Chapters/Borders. I've never seen a response to a letter asking for criminal intent that aided the asking party. Ok, that's my rant for this month, I'll try to keep it too myself for a while again now.

neilb
neilb

No-one has any right to "make an example" of someone in an attempt to set a level of deterrence. The punishment MUST fit the crime and the person who committed it. That's what I think, anyway... To so orchestrate things so that McKinnon gets convicted and punished in the US FAR, FAR more than he would be by any UK judge is just not justice for anyone. Neil :) Shouldn't really be discussing this here as it's Jays Trivia thread. I may start another thread tomorrow but for now I'm off for a curry and a BEER!

jdclyde
jdclyde

should a punishment be fair, or should it be harsh, to make sure no one would ever want to do the crime? Which would have more of an impact, fair or harsh? Make an example and let others learn from it.

neilb
neilb

Seventy two years...

Editor's Picks