Feds seek public input on hacker sentencing
Kevin Poulsen, SecurityFocus 2003-01-13

Sick and tired of a revolving door justice system that lets hackers skate with just a few measly years in prison? Or do you think that the courts are already too hard on online miscreants who sometimes go up the creek for longer than many killers?

Feds seek public input on hacker sentencing 2003-01-13
jsingh (at) datasec (dot) us [email concealed] (1 replies)
fedz " VS " psychology 2003-01-13
Anonymous (3 replies)
fedz " VS " psychology 2003-01-13
Anonymous
fedz " VS " psychology 2003-01-14
Anonymous (1 replies)
fedz " VS " psychology 2003-01-16
Anonymous
fedz " VS " psychology 2003-01-17
Anonymous
Feds seek input? 2003-01-13
Internal user (1 replies)
Feds seek input? 2003-01-17
Anonymous
Feds seek public input on hacker sentencing 2003-01-13
Mr. Smith (3 replies)
Mr. Smith 2003-01-14
Anonymous (1 replies)
Mr. Smith 2003-01-17
Anonymous
How about this for an idea... 2003-01-15
JConner (1 replies)
WTF?!? 2003-01-13
Anonymous (2 replies)
WTF?!? 2003-01-13
Anonymous (6 replies)
WTF?!? 2003-01-13
Anonymous (2 replies)
WTF?!? 2003-01-14
jcomeau (at) risp (dot) org [email concealed] (1 replies)
WTF?!? 2003-01-14
Anonymous (1 replies)
WTF?!? -- analysis 2003-01-15
JConner
WTF?!? 2003-01-14
KW
WTF?!? 2003-01-13
Anonymous
WTF?!? 2003-01-14
Kristi (2 replies)
WTF?!? 2003-01-14
Anonymous (1 replies)
WTF?!? 2003-01-15
Anonymous
WTF?!? 2003-01-14
Anonymous (1 replies)
WTF?!? 2003-01-15
Anonymous
Here are some points to consider, also a response to the dimwitted "troll" insult which told someone to shut up. 2003-01-14
Someone who has worked both sides. (1 replies)
You call them a troll for stating the truth? The cluephone is ringing for you my friend, please answer it this time.

Also, for anyone reading, I could have s/hack/crack/ig throughout this whole article, but cracker is one letter longer than hacker, so I am using the words interchangeably.

As far as "hackers" who "kill" over the Internet, I'd like to see one instance of this happening. As well, I'd like to see proof which shows that the "hacker" is solely responsible for one or more deaths.

Now for something ELSE to consider. What defines hacking? If I am port-scanning a permitted IP and accidentally mistype one of the octets, am I going to get put away for 5 years for an attempted intrusion into a 5 giga-mil-dollar system which logged the port scan which I sent to the wrong address? What if I ping someone else on the Internet, like Altavista. They didn't say I could ping, but for 7 years I've pinged altavista.com to test "outside" connectivity. I ping because their site answers.

Hacking needs a definition before any sentencing should be considered. Also, hackers are *NOT* terrorists. The world needs to:

1) Wake up. There is no difference between a terrorist and a criminal. Thus, sentencing should not treat them differently. This trend is much like the "hate crime" mentality which offers a more severe punishment if a white man robbing a black man utters the word "n1gg3r" during the crime. (Excuse the use of the word, it was to emphasize a point and not belittle any races.)

2) Not sentence as heavily for intrusion alone as for destruction of property, data, or theft. Additionally, when penalizing for theft, the type of data stolen needs to be taken into account. For instance, lifting 1,000,000 visas from paypal or ccbill is some serious sh*t. However, stealing 1,000,000 names and addresses, albeit theft, is obviously not worth close to the 1,000,000 visas, nor is copying payroll information (unless they get SSNs with it).

3) If data is going to have a measured worth, then the company needs to initially declare that worth and have it verified (when it goes online) with some "trusted" agency or third party, otherwise anyone could say "this was a 50 quadrillion dollar production box" when it may have just been a loghost for 10 unix machines. Companies deserve restitution, but if this framework is going to attempt to better sentence hackers, it also needs to ensure that the companies aren't over-estimating the financial value of their data. The last thing we need is someone breaking into a software company's network and stealing a hundred lines of code, only to have the company "value" the data at 15,000,000 USD.

4) Also, if companies can restore most of the data destroyed (if destruction occurs), the sentence should be considered differently in some cases. Data which is just "generic data", which I define as something non-universal (universal being credit card numbers, names of U.S. spies, other things that anyone would know about) aside, if someone breaks into XYZ Corporation and wipes an Oracle database, and the company has to restore the data from the previous night's backup, then the value of destroyed data should be computed with the company's actual loss (plus time spent recovering) rather than the total value of the deletion. Reason being, the company did not lose 15,000,000 USD worth of data, so why should the hacker be punished for it? Data is not always the same as physical property, and should not be regarded as such directly across the board.

5) The penalties on the hacker should be balanced with the measures the company took to protect the data. If the company does not make backups of their data regularly, that is absolute negligence and while a "hacker" might have committed a crime in deleting the data, the company also buried themselves by not taking measures to protect something "so valuable". As well, if the company does not take "specific measures" (as defined by some governing or trusted body like ISC) to mitigate risk and protect their data, they are being negligent. Ignorance of technology is no excuse. Consider this example: A bank leaves 20,000,000 USD on a public sidewalk, unguarded, unwatched, and counted once per day. Several individuals wander in and take a few thousand, some even take several hundred thousand. Yes, they are stealing, but is the bank negligent? That could also be considered entrapment, as leaving such a resource undefended is blatant stupidity. Data on the Internet is much the same. True, it's rare that someone could completely penetrate a network (and gain root or elevated privs) accidentally, and it doesn't make them entirely innocent, but this needs to be considered when sentencing.

6) Sentencing based on what "could have" happened needs to quickly become a forgotten idea. It's wrong, it's unjust, and it shouldn't even be allowed into the courtroom.

7) The companies must prove every lost dollar. Nobody should be sentenced on "estimated losses". As well, companies should be held accountable by the government for securing their resources properly. If you always left your windows and doors wide open, and came home to find your home burglarized, sure the cops would take a report, but everyone including the judge would laugh at you the entire time for you were obviously not concerned enough with your belongings to take even the simplest measures to protect them (locking your door, windows, maybe even leaving them shut).


Link to this comment: http://www.securityfocus.com/comments/articles/2028/17636#17636
Hooray! 2003-01-15
Anonymous
WTF?!? 2003-01-14
Anonymous
WTF?!? 2003-01-14
BOOTLEG (bootleg (at) charter (dot) net [email concealed]) (1 replies)
Definition of "hacker". 2003-01-15
Person who thinks terrorism doesn't exist beyond crime.
WTF?!? 2003-01-15
Anonymous
Feds seek public input on hacker sentencing 2003-01-13
Maverick (3 replies)
Feds seek public input on hacker sentencing 2003-01-14
Responsibility and accountability. (2 replies)
Feds seek public input on hacker sentencing 2003-01-14
BOOTLEG (bootleg (at) charter (dot) net [email concealed])
Feds seek public input on hacker sentencing 2003-01-14
Anonymous (1 replies)
Exploration of data? Please. 2003-01-14
"Explorer" (2 replies)
Exploration of data? Please. 2003-01-15
Anonymous
Exploration of data? Please. 2003-01-16
Anonymous
Before Sentencing, Setting The Standards - Guidelines - 2003-01-15
Your Everyday Internaut <sabb66 (at) hotmail (dot) com [email concealed]>
It is a crime, they should be punished. 2003-01-15
Anonymous (2 replies)
It is a crime, they should be punished. 2003-01-15
Anonymous (1 replies)
It is a crime, they should be punished. 2003-01-15
Anonymous (1 replies)
Intelligent discussion -- ? 2003-01-15
Anonymous (1 replies)
Intelligent discussion -- ? 2003-01-16
Anonymous
Stupidity is contagious 2003-01-15
Anonymous (1 replies)
Stupidity is contagious 2003-01-16
Anonymous (1 replies)
Stupidity is contagious 2003-01-16
Anonymous
House analogy out of place 2003-01-15
Anonymous
Stupid is as Feds does 2003-01-16
Anonymous
Feds seek public input on 'hacker' sentencing 2003-01-17
United States Defense Security Intelligence Network (U.S. DSIN)
[ ... INTENT ... ] 2003-01-18
Calvin Angelo [Calvin_Angelo (at) hushmail (dot) com [email concealed]]
Copyright 2008, SecurityFocus