I really hate these sort of laws, surely is on the CIA to not be easy to get access to this sort of stuff from a 15 year old kid.
It's the same with banks lending to countries who are unable to repay, or CEOs never going to jail for aiding and abetting Mexican drug cartels. No one takes responsibility for their own stuff any more.
I don't see why the CIA's apparently lax security means a crime isn't a crime. Just because the security guards should be fired for falling asleep and leaving the door unlocked doesn't mean that the burglar isn't guilty.
Sure, I don't think a kid trying to show off should face the same punishment as an adult doing something purely malicious, but "it was actually a surprisingly easy crime to carry out" should never be a reason not to prosecute.
It is hard to find obvious real world comparison for this kind of thing. Perhaps it should be thought of like food hygiene.
If you sell dangerous food you should take responsibility for that and not just blame the bacteria. But if someone intentionally infects food they should also take responsibility. Those two perspectives are not incompatible.
But the lesson is that bacteria and hackers will always exist!
I'd go for the classic bank analogy. Who's responsible, the bank that left the front and vault doors wide open all night while not bothering to hire any guards, or the guy that walks in, goes "bloody joke", and takes some lollipops from the counter?
99% of all houses are secured worse than any online account would be my counterargument, while holding items of much higher value, relatively.
Give me 15s with a crowbar and I will be able to enter almost any house. Crowbars are like 10 dollars at your local hardware store.
Physical security is almost always based on expected risk of detection and subsequent penalties, not prevention of ability to intrude, yet we somehow don't accept the same reasoning for digital security?
There is literally trillions of dollars worth of assets sitting around the world protected by nothing more than the idea of a closed door and some sort of expectation that a sheet of glass represents a barrier. Our society relies on a system where people respect the laws and have penalties enacted on them if they dont.
Both are. Common sense dictates that if you're moving millions around, you MUST have enough money to buy yourself some security at physical or digital level. I'm not saying CERN-level security, but at least SOME security standards should be fulfilled. If the bank doesn't care, then it should be punished IMHO.
Same goes for the criminal.No matter how lax the security precautions of the bank are, an individual is judged for his crime.
The problem with cybercrimes and digital-rights related material (piracy, etc.) is that punishments are usually disproportionately severe. I believe that the fault lies to lawyers who over-sensationalize these crimes and judges who are totally unable to understand the real vs possible damage. For example, a 15 year old hacker who found a 5-years old XSS and hacked (as in copied 15 MySQL databases) from a CIA/NSA/FBI website and post his IRC nick on the page to brag about on his friends vs a 35-year old spy who sold these info to some other country for huge profits. These are different situations but are most of the time treated equally by judges.
And yes, I also think that the weight of criminal penalties should generally place more emphasis on deterring people from trying to steal stuff rather than deterring people from working in infosec or security cleared professions. Not that I don't think there are potentially people who should no longer be working for the CIA as a result of this.
Sure, but again, just because something is possible and seen daily around the world does not mean it's legal or should not be prosecuted. Like someone else said, that is like a rapist blaming the victim for making it too easy.
I don't think the argument is that they shouldn't be prosecuted for hacking the CIA, as much as that the CIA should also be prosecuted for having such shit security on important data.
Personally I don't think drafting a new law for that is a good idea, but I can see how it could fall under gross negligence.
I would argue that this kid should be punished no more than he would be for breaking into anyone's email. The CIA should require nation state level effort to break into, not bored 15 year old effort.
> Or are you arguing that just because it's the evil CIA, it's fine to hack them and leak tons of personal info (which potentially puts lifes in danger)
If he isn't arguing that's a valid reason, allow me. Or are you arguing that the CIA is not "evil"?
For anyone outside the US, or anyone inside who can set blind patriotism aside, the CIA has spent its entire existence doing very bad things, up to and including including murder, torture, coups d'etat and other violence and atrocities against countless people and nations.
Given this role the CIA takes upon itself around the world - ruining or taking actual lives, using the excuse of theoretically saving lives - maybe leaking names (and AFAICS all this kid has done is access a Verizon email account) puts fewer people's lives in danger.
It's called victim blaming not only for rapists; but the analogy is flawed. In this case, the "victim" is an institution, which really should know better to defend themselves. In fact, the institution here in question is often on the offense.
It's the same with banks lending to countries who are unable to repay, or CEOs never going to jail for aiding and abetting Mexican drug cartels. No one takes responsibility for their own stuff any more.