Security Rant

Computer crime: Changing the public's perception
12 Oct 2000
https://seclists.org/isn/2000/Oct/51

You remember Jonathan James? He made national news a couple of weeks ago. You know, he's that nice 16-year-old young man convicted of hacking into computers at the Pentagon, NASA, BellSouth, the Miami-Dade school system and many other places. That's pretty funny. Right?

Can you imagine that some nasty judge put him in jail? Young Jonathan put it so well when he said, ``I don't think they should be putting a kid in jail because he proved they don't have very good security.''

Fortunately, poor misunderstood Jonathan didn't delete files or infect any computers with viruses while he was engaged in his youthful mischief. As his father put it, ``All he did was go look at top secret government information.''

Hey, you know what they say -- values come from the home. I can see where Jonathan learned his.

[Wrong or not, the point is valid. What morons running these systems are allowing even *sensitive*, let alone *secret*, let alone *TOP SECRET* to remain on public connected machines? Why aren't the admins and managers who are violating US Law and military regulations being put in jail too? why do they continue to draw tax payer funded income when they are violating US Law, just like this hacker did? Yes, the hacker broke the law. Yes, he may deserve to be in jail. Yes, the people that put the sensitive information there in the first place should be sharing the cell with young Jonathan.]

His father described his son as contrite. I guess that the obscene gesture he made at the courthouse to a photographer was yet another minor aberration.

Jonathan was lucky I wasn't the judge.

Computer crime isn't a joke. This attitude that he did them a favor by showing them that their security was bad is warped -- absolutely and completely warped.

I suppose that Daddy James would be the first one thanking the burglar for breaking into his poorly secured home if the burglar only looked at his most private and personal possessions, but didn't take anything.

We're at a point where computers are an essential part of our society's infrastructure. Any crime that touches the infrastructure of our society is by definition a significant crime.

[Ok, so apply this same standard to ALL the people involved that made this crime possible. Apply the same standards to Jonathan, the admin of the system that did not secure it, the managers and the powers that be who determined the information should be online at all. It is a nice luxury for short sighted and malicious journalists to use double standards here. But wait.. this isn't a journalist writing.. read on.]

The ``ILOVEYOU'' virus a few months ago is yet another example of the types of problems that can come from computer crime. ``ILOVEYOU'' disrupted businesses, governments, and people worldwide. We cannot permit these sorts of things to happen.

``ILOVEYOU'' demonstrates that every computer has the capability of being a weapon of mass disruption, even destruction. As we become even more dependent on computers, hackers will have even more opportunities to cause mass disruption or destruction.

[Oh, this isn't overly dramatic, no... It is amusing to see that you don't point out that these 'weapons of mass destruction' were ALL Windows systems. Why don't you hold the creators of Windows even marginally responsible? Oh can't do that, gotta blame those evil hacker types. Great scape goat and all.]

``Wasn't it cool when I turned off the air traffic control system?'' ``Wasn't it great when I turned off all the respirators in the hospital from home?'' I assure you that it's just a matter of time before the things hackers do become even more outrageous and dangerous.

Hey why not? As young Jonathan put it, ``All the girls thought it was cool.'' If you're a male over about age 14, what more reason do you need to do something really stupid.

The problem with security, whether it's hi-tech computer security or physical security is that ``perfect'' is an impossible goal. The goal is reasonable security.

[Really? Seems to me people have proven computer systems can get pretty damn close to 'perfect'. The problem is that the end user is naive and scared of computers. They demand point and drool interfaces that require an IQ two points above a lemming. Because of this, security is sacrificed for the masses.]

Everybody can and should implement three basic security concepts. You should start by controlling physical and logical access to sensitive information. Your methods could include passwords and encryption.

[Wow. You just condemned the right person and didn't even know it. Where was the good passwords and encryption on the sensitive files Jonathan accessed? Oops.]

Next, you should require individual accountability for sensitive information and identify those with access. Finally, you need to have audit trails that show who accessed what information. Your audit trail should be able to answer the basic who, what, where, when, why, and how questions.

[Wait, you condemned Jonathan for these break-ins, calling him a computer criminal who deserved jail time. Here you flat out say that the admins of the machines hacked should be accountable. Why don't you mention this in your misguided and opinionated rant above?]

All too often, we see computer crime as not that big a deal. While the Computer Abuse Act of 1984 imposes a $250,000 fine or a five-year prison sentence, or both, for each offense, it just doesn't often work that way.

[Much like the people that are convicted of murder or rape only serving four years in prison? But wait, that's ok, just burn the hackers.]

While I don't have any formal study to cite, experience has taught me that computer crime is generally not sternly punished.

[No formal study to cite? There is an abundance of computer crime statistics out there. Statistics on computer intrusion is easy to find (CERT, Attrition, etc.). Information on hacker cases and convictions is available (DOJ). Why can't you cite a study to back your claims?]

We need to have a basic change in attitude about computer crime. What we must do is use harsh punishment along with reasonable security as deterrents. We have to deliver the message that hacking and other computer crimes are so difficult to prevent and the dangers that come from them are so great that our society simply won't tolerate them.

[Computer crime is not difficult to prevent as a general rule. There are thousands of networks out there that have suffered no external intrusion to date. What, are thousands of competent admins all just lucky?]

What Jonathan did wasn't a childish prank. Saying that there were no horrible consequences from what he did is like justifying drunk driving by saying, ``But I got home and I didn't have an accident.''

If I'd been the judge in a world with perfect laws, Jonathan wouldn't get out of jail until he was 21 and would never, never, never earn a living in any job involving computers or programming. That's punishment. That's a message to others.

Mark Grossman is a shareholder and chairs the Computer and E-Commerce Law Group of Becker & Poliakoff, P.A. His website is http://www.EcomputerLaw.com and his e-mail address is techlaw@ecomputerlaw.com. Research assistant is Andrew Chulock.

[Ahh, the true motivation. Convict them all.. because I am a lawyer and get paid to do it. I hear sirens, better run Mark.]