On the other hand, we have CEO's who recently stole billions and billions of dollars (and I gaurantee you they still are) yet these who got caught were not only slapped on the wrist but were never even considered to do hard time. Which is worse? The blackhat cracker who creates and distributes a virus or the arrogant CEO who blatantly steals money from his or her employees? The CEO is the worst in this scenario because he or she intentionally (by nature) stoled from others' well-being. The blackhat, on the other hand, may or may not have maliscious intent. Intent, btw, is 99% of the law.

Now, lets take a different example. How about an example of a person who is only interested in learning about computers who writes code to exploit *his* machines only, for the purpose of learning? What's his intent? To learn. Where is his sandbox? His machine and/or network. Somehow, his code gets out into the world. Should this person get put in hard core prison? NOOO! That would be ridiculous.

Next example; a young college student who is majoring in CIS decides that she is going to try her hand at some hacking. The purist considers hacking to be absolutely harmless and exploratory by nature. She starts to scan a C block. She happens to find a machine running rpc.statd, a very common exploitable service. She decides to look into this further by seeing if it is exploitable and lo and behold it is. She emails the administrator of the machine to let him know that she found a hole on the machine. According to the US Law she violated she is guilty simply because of her actions. What was her intent? Generally, the way things are these days, it seems, in this arena, that her intent is moot. She broke the law and people seem to want to throw her in jail because she's a "menace" to society. However, her intent was purely exploratory and indeed the end result was she was helpful. Let's take this example and put it into perspective:

You go to the mall to do some Christmas shopping. You dutifully lock your doors before leaving your car in the parking lot. While you are shopping there is a teenager walking into the mall who happens across your car when he notices that the lights are on. Well, he doesn't want you to have to come out to a dead battery so he tries your doors. It just so happens that you left the driver's side window down enough for him to sqeeze his arm in there and unlock your door. He does so, opens the door, turns the lights off, re-locks the door (perhaps even rolling the window up the rest of the way), and closes your door. He decides to let you know what he did by leaving a post-it on your window. In some states he broke the law. As the owner of the car, however, what would you do? What was his intent?

I have heard rumors of hackers getting twenty-five years in prison. I have heard of rapists getting out of jail in three years. Come-on! That is ridiculous. Let me put it this way. If I had a choice of which to hang out with I'd pick the hacker any day. My point is that society is not at risk of harm because of a hacker. Society is at risk of harm because of a rapist or a murderer.

If white collar crimes from CEOs do not get punished then I certainly don't condone harsh punishment of people who are by definition and intent learning and occasionally costing a lot of money to companies. Now, it may sound like I'm suggesting "hackers" get off scott-free. I'd like to curb that thought by this last statement.

People who break laws with mal-intent don't deserve to get off scott-free. However, we must make things relative. CEOs who steal billions upon billions deserve life in service. If a cracker intently causes billions of dollars of damage then I believe that that person deserves life in service as well. Notice I stated intent. What do I mean by service? Well, the CEOs and the hackers don't hurt people physically. They do hurt people monetarily. In this case, the key is restitution. The state should liquidate *everything* they (the bad guys) own and put those moneys toward restitution. Finally, those who wronged live out the remainder of their days working toward making restitution and hopefully minimizing any money the state has to use toward their basic living needs. Placing them in prison is a bad idea. However, the state should ensure that they have a studio apartment that they pay for. They pay for their own food. They take care of their basic needs (no TV, no radios, nothing glamorous) and their wages are garnished for the rest of their lives until they make full or partial, depending on court rulings, restitution.

It's about being fair to people and treating people with respect. Prison is not the answer to everything. Letting people go is not the answer, either. Rehabilitation is not always a difficult task either. But teaching these people, and indeed everyone, to respect their peers is a HUGE task.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/2028/17763#17763