I really hate these sort of laws, surely is on the CIA to not be easy to get access to this sort of stuff from a 15 year old kid.
It's the same with banks lending to countries who are unable to repay, or CEOs never going to jail for aiding and abetting Mexican drug cartels. No one takes responsibility for their own stuff any more.
I don't see why the CIA's apparently lax security means a crime isn't a crime. Just because the security guards should be fired for falling asleep and leaving the door unlocked doesn't mean that the burglar isn't guilty.
Sure, I don't think a kid trying to show off should face the same punishment as an adult doing something purely malicious, but "it was actually a surprisingly easy crime to carry out" should never be a reason not to prosecute.
It is hard to find obvious real world comparison for this kind of thing. Perhaps it should be thought of like food hygiene.
If you sell dangerous food you should take responsibility for that and not just blame the bacteria. But if someone intentionally infects food they should also take responsibility. Those two perspectives are not incompatible.
But the lesson is that bacteria and hackers will always exist!
I'd go for the classic bank analogy. Who's responsible, the bank that left the front and vault doors wide open all night while not bothering to hire any guards, or the guy that walks in, goes "bloody joke", and takes some lollipops from the counter?
99% of all houses are secured worse than any online account would be my counterargument, while holding items of much higher value, relatively.
Give me 15s with a crowbar and I will be able to enter almost any house. Crowbars are like 10 dollars at your local hardware store.
Physical security is almost always based on expected risk of detection and subsequent penalties, not prevention of ability to intrude, yet we somehow don't accept the same reasoning for digital security?
There is literally trillions of dollars worth of assets sitting around the world protected by nothing more than the idea of a closed door and some sort of expectation that a sheet of glass represents a barrier. Our society relies on a system where people respect the laws and have penalties enacted on them if they dont.
Both are. Common sense dictates that if you're moving millions around, you MUST have enough money to buy yourself some security at physical or digital level. I'm not saying CERN-level security, but at least SOME security standards should be fulfilled. If the bank doesn't care, then it should be punished IMHO.
Same goes for the criminal.No matter how lax the security precautions of the bank are, an individual is judged for his crime.
The problem with cybercrimes and digital-rights related material (piracy, etc.) is that punishments are usually disproportionately severe. I believe that the fault lies to lawyers who over-sensationalize these crimes and judges who are totally unable to understand the real vs possible damage. For example, a 15 year old hacker who found a 5-years old XSS and hacked (as in copied 15 MySQL databases) from a CIA/NSA/FBI website and post his IRC nick on the page to brag about on his friends vs a 35-year old spy who sold these info to some other country for huge profits. These are different situations but are most of the time treated equally by judges.
And yes, I also think that the weight of criminal penalties should generally place more emphasis on deterring people from trying to steal stuff rather than deterring people from working in infosec or security cleared professions. Not that I don't think there are potentially people who should no longer be working for the CIA as a result of this.
Sure, but again, just because something is possible and seen daily around the world does not mean it's legal or should not be prosecuted. Like someone else said, that is like a rapist blaming the victim for making it too easy.
I don't think the argument is that they shouldn't be prosecuted for hacking the CIA, as much as that the CIA should also be prosecuted for having such shit security on important data.
Personally I don't think drafting a new law for that is a good idea, but I can see how it could fall under gross negligence.
I would argue that this kid should be punished no more than he would be for breaking into anyone's email. The CIA should require nation state level effort to break into, not bored 15 year old effort.
> Or are you arguing that just because it's the evil CIA, it's fine to hack them and leak tons of personal info (which potentially puts lifes in danger)
If he isn't arguing that's a valid reason, allow me. Or are you arguing that the CIA is not "evil"?
For anyone outside the US, or anyone inside who can set blind patriotism aside, the CIA has spent its entire existence doing very bad things, up to and including including murder, torture, coups d'etat and other violence and atrocities against countless people and nations.
Given this role the CIA takes upon itself around the world - ruining or taking actual lives, using the excuse of theoretically saving lives - maybe leaking names (and AFAICS all this kid has done is access a Verizon email account) puts fewer people's lives in danger.
It's called victim blaming not only for rapists; but the analogy is flawed. In this case, the "victim" is an institution, which really should know better to defend themselves. In fact, the institution here in question is often on the offense.
Not necessarily. One of the first format string exploits was created by a 16 year old. Luca Todesco provides a constant stream of iOS issues since 17, I believe. I'm sure there are younger hackers around.
Yeah... Most of personal systems suck, especially old people's personal systems... Like in this case, it's their own personal emails got hacked. Director probably don't even know how to setup 2 factor authentication and using the same password everywhere. One service got hacked, he's name and email is on the list with password. It happens clearance process is not well protected even today. So, yeah, its shit, it's just too easy... Then again, don't do it if you don't want to get caught. There are pretty good security "avengers" as well.
Go on, find an example of a minor being extradited overseas.
The US wouldn't even request such a thing simply because of how bad it would look. They're already losing another hacking related extradition case, I doubt they'd take a third decade long legal battle that'll only lead to the extradition treaty being revised.
The UK's extradition policies are a joke. There's no reason Britons who hack into US target from the UK can't be tried here in the UK under the Computer Misuse Act. The only logical reason for extraditing someone for hacking would be if they went to the US to commit the crime, then returned to the UK before they could be apprehended.
The whole McKinnon debacle is an embarrassment on a number of different levels.
But that's not the only logical reason, it's just the only one you happen to agree with. It's not illogical to suggest that a person being tried for an offence should be tried in the jurisdiction where the injury occurred. Disagreeable to many perhaps, but not illogical.
It seems rather illogical when the requested state already has laws that prohibit such acts against foreign entities.
The UK has already set what they feel are the appropriate punishments for these crimes, how is it logical that a UK resident that hacks a US company faces a significantly more severe punishment than say a UK citizen that hacks a Finnish company?
The could be prosecuted in the UK but the 'advantage' of extraditing them is the US can then apply all sorts of pressure to get a plea bargain. (quicker you plea, quicker you get to go home…)
I think you're seriously underestimating those chances - they tried long and hard to get McKinnon extradited before May made some variety of back room deal - she isn't the type to be compassionate to someone over mental health issues.
That and the climate has become more, not less, hysterical and reactionary in the past few years.
> Uh, "ever"? How about when a man murders his girlfriend and her two children and then flees the UK?
If he's British then Ghana would not be extraditing one of its own citizens.
If he is Ghanaian, then a court in Ghana could - and in the interests of healthy diplomatic reasons, would - try him, if provided with the evidence by the UK authorities.
It's the same with banks lending to countries who are unable to repay, or CEOs never going to jail for aiding and abetting Mexican drug cartels. No one takes responsibility for their own stuff any more.