>A high school graduate, Lazar had no formal training or computer expertise. He told the New York Times that he obtained access to high-profile people’s email and social-media accounts by reading their Wikipedia pages and guessing passwords based on their personal information.
To be fair, if you break into my house, I don't care if you've spent years learning how to pick complicated locks without leaving a trace, or whether you just batter the door down with a big hammer.
Although to call this a symptom of a "hacking epidemic" is ludicrous.
If there's one thing I have learned in my time on Hacker News, it's that likening software compromises to physical B&E or unlawful entry goes nowhere that's useful to anyone.
Then why do security experts do it all the time? My first few security courses in my college computer science curriculum was filled with them, one of them was a book co-authored by Schneier.
Because they aren't interacting with an audience composed in significant part of querulous pedants who will promptly proceed to poke every imaginable hole into the metaphor, resulting in a vast and ultimately unproductive digression.
(As a querulous pedant myself, I can hardly condemn such behavior! But I do try not to indulge that habit when doing so offers no benefit to anyone.)
I'd say more like finding the key hidden in the fake rock.
...which is the only rock--real or fake--sitting on the front porch.
...and which is also coated in glow-in-the-dark orange paint, in case you need to find it at night.
The epidemic must indeed stop. We need to immediately enroll 10% of all celebrities in remedial network security classes, and stop crying "hacker!" for stuff like informed password-guessing attacks against insecure passwords and violating terms of service by scraping web pages with curl or wget.
The actual crime this guy committed was to annoy the powerful.
I'm not sure the analogy holds. I would much rather someone pick my lock than smash my window. In both cases the house gets robs. In the latter, I also need to pay to repair my window.
Much the same reason some people I know with expensive cars leave the door unlocked and the windows down :)
Plebs just aren't entitled to "no charges are appropriate in this case".
It's odd how people will contemplate past failed societies and file them as some sort of barbaric "other". But this is what lawful corruption actually looks like, right in front of our faces.
Even disregarding the public service aspect, what exactly did he do that warrants even four months in jail? But when "the law" really just serves as a justifier for the powerful, actions that poke holes in the abstractions of power are punished the harshest.
Can you explain that further? Although I see Snowden as a whistleblower who deserves legal protection, I'm not sure that I feel that way about Guccifer. Though he may have exposed misdeeds, this information was not something naturally in his possession as it was with Snowden; he had to force his way in to private networks and accounts to retrieve it. Given also the Russian interest in the upcoming US presidential election and in gaining access to this sensitive data to influence the outcome towards the candidate they prefer, I also see material harm done as a result (unlike Snowden, where the nebulous "because Terrorism" was deployed to explain the damage done).
If you were referring to the fact that only his crime was punished while the crimes of those he exposed were ignored, then I understand your point.
> Given also the Russian interest in the upcoming US presidential election and in gaining access to this sensitive data to influence the outcome towards the candidate they prefer...
So you drank that Kool Aid being passed around by the those with a vested interest to use Russia as an excuse for anything.
Why is there any particular Russian interest in this specific election? And not the previous? (Obama ridiculed Romney for 1980s style thinking for calling Russia our greatest geopolitical foe)
Could it be that you believe the narratives you find in major newspapers?
The Washington Post, which published the article linked by HN, has a bit of an undisclosed angle in going against these leaks. This can be seen from the leaked email above about the clandestine fundraiser the lawyers would never allow ("Great – we were never going to list since the lawyers told us we cannot do it.").
But maybe someone can point me to where they've explained themselves, because it's entirely possible that I missed it.
> Given also the Russian interest in the upcoming US presidential election and in gaining access to this sensitive data to influence the outcome towards the candidate they prefer...
I hear this a lot, but I don't get how it's relevant. Sure, Russia might be trying to influence elections it should have no say in, but the data they allegedly brought forth is still valid.
My point was not that he deserves immunity [0]. I was pointing out that even if he had say cracked a friend's email account for purely selfish reasons, hacking in general carries draconian punishments simply because it deflates abstractions of the status quo. Burgling several sheds likely wouldn't result in 52 months in prison, but "hacker" is the modern day "witch".
[0] Although I was implying that perhaps USians should appreciate the forced government transparency. It's kind of odd to talk about "material damages" due to crimes being exposed - it seems like damages are better ascribed to the original acts themselves.
This is special pleading. Charges like these are vivid because we can see ourselves as somehow sometime being in the same judicial crosshairs. But in the grand scheme of American justice, hackers do not have the rawest deal --- that probably goes to low-level gang members.
Sentences are across the board too high. The US isn't accomplishing anything with a 4 year sentence in this case than it would with a sentence of 1 year. But we should be careful to remember that white dudes messing with computers are not an especially persecuted class.
Low-level gang members get their raw deal from being systematically trapped in their situation. Go to jail, get out of jail, find no other opportunities, repeat.
Punishment divided by harm-caused obviously goes to drug users, being infinite.
Hacking has stiff criminal penalties for many things that should be civil matters at best, precisely because it makes powerful people realize how tenuous their control actually is.
Let's not succumb to identity pity politics about who has it the "worst". Each codified injustice is ultimately the result of a ruling class slowly eroding the rule of law for its own benefit.
(Also, I'm pretty sure the definition of "hacker" does not imply "white dude")
> Punishment divided by harm-caused obviously goes to drug users, being infinite.
That defines the harm as being zero. I'm not sure that's the case. Some drugs (angel dust, at a minimum) greatly increase the user's propensity for violence. And the argument for saying "they haven't done anything yet, so arrest them for the violence when they do it" is similar to saying "drunk drivers haven't caused any harm yet, so wait until they cause a crash before you arrest them". The harm to others is (for drunk driving and some drugs) too likely to follow to simply wait for it to occur.
Driving while under the influence creates a condition where one can cause harm with no further intent. General being under the influence does not, to the limit of philosophical zombies.
Furthermore, any drug user's increased propensity towards $whatever is going to correspond to the dosage they've taken. Criminalization of the substance itself is still not implied, just as driving with a trunk full of beer is fine. And there still exists the correlated crime-by-association [0] of public intoxication.
[0] Observe how the legal cancer spreads based not on true misdeeds, but on ancillary behaviors that are simply correlated to misdeeds. But if correlation were sufficient justification, then profiling based on skin color and lack of political connection would also be perfectly acceptable! Since the entire point of the rule of law is to protect the long tail of individual outliers, creating avenues to arbitrarily persecute people by association is its destruction.
> Burgling several sheds likely wouldn't result in 52 months in prison, but "hacker" is the modern day "witch".
Perhaps computer crimes are more disruptive than shed burglaries, because most of us depend more on computers than we do on sheds, and it is easier for most people to understand a shed burglary and how to take steps to protect their sheds.
I agree with your description of some of the motivations, but disagree with this status quo escaping criticism.
If so many people depend on computers, then shouldn't actually securing them be a priority? If an individual shirks doing the work to understand account access the way they understand shed access, then are they not partially to blame for the result? This is awfully close to leaving a shed door open and then complaining something must be done about the wildlife.
The story was interesting, but I found the end abrupt and incongruous. Asimov clearly demonstrates an understanding of advancing to de facto reliance, so prescribing "take it away" is overly simplistic.
If the society relies on such law to prevent people from defrauding computers, then it has a gaping vulnerability to someone who just exploits the enforcement computer first. And if it doesn't rely on it, then the punishment need not be so draconian - applying a similar punishment to a violent criminal would mean that everyone from polite society would be free to attack them with impunity. Which I believe we used to do to those who evaded the law ("outlaw"), but stopped.
The post-hoc "rule of law" is a Schelling point because it is the best we can do in the physical world. But the entire advancement of networked computing is to preemptively create formal mechanically-executed protocols rather than relying on ill-specified natural language ones. It's regressive to insist that the virtual environment be ruled by both regimes, causing any benefits from formalism to be erased by the ambiguity of the legacy system.
Now obviously actions through computers can have physical-world effects, and if there is an intent for a real-world crime that is still justifiably illegal. Deliberately shutting off a ventilator remotely is still murder. But the current status quo is basically demanding the right to casually connect a ventilator to the Internet, have it fail due to a portscan or other Internet background radiation, and then blame "Anonymous" instead of putting the manufacturer and hospital administration in jail for gross negligence.
What would negligence liability for site owners have to do with criminal liability for hackers? When someone breaks into a warehouse left negligently insecure by its operators, the warehouse customers might sue the operators. But that suit will have no bearing whatsoever on the criminal prosecution for the person who actually broke into the warehouse.
Breaking into warehouses is a crime because no matter how bad a job the owner of a warehouse does at locking their warehouse up, we don't want random people breaking into other people's property. Why would the logic for Internet sites be any different?
Also, as I'm fond of pointing out: you can coherently and reasonably lobby for liability for site owners who fail to keep out hackers. But I don't think most HN readers are going to like where that leaves the industry. Hint: Facebook and Microsoft aren't going to have any real problems surviving. But indie developers? Different story.
I believe you've previously argued that one problem with current computer crime sentencing is that that difference between a misdemeanor and a felony is the number of iterations of a loop. My add-on to that if it is so easy to increase the scope, then perhaps such activities shouldn't even be bona fide criminal! Hence my allusions to "wildlife" and "Internet background radiation" - phenomena that can't really be ascribed to an individual's intent but will still mess stuff up.
Regarding intent - we don't need sledgehammer-crime laws to cover intentional destruction of a computer system using a sledgehammer. So why do we need network-crime laws to cover intentional destruction of a computer system using network communication? It seems like in either of these cases, one should be prosecuted for intentionally destroying a computer system regardless of the chosen technique.
I think this is where the culture divide originates. Because for many instances of cracking, curiosity is the sole motivation. While things can be damaged in the process (and thus one would be civilly liable), there isn't justification for criminal charge of malicious destruction. Of course, the curious cracker is still trespassing - but contrast current sentences with the general severity of meatspace trespass.
Now, this specific case does seem to have more serious intent than simple curiosity. And it's hard to find a guiding analogy, since analogous situations range from publishing the contents of a journal shoulder-surfed at a coffee shop (ie "tough shit!") to publishing the contents of intercepted postal mail (another area where technical abstractions have been warped into creating extreme penalties).
Perhaps if publishing someone's "protected" (in Java parlance - not public, not strictly private) information makes us feel that some wrong has been committed, then that itself needs to be the crime. Switching the paradigm to one directly based on activity (rather than access) could certainly help to curtail commercial surveillance bureaus who currently trade in this kind of information with impunity.
AFAIK, "Indie developers" aren't creating life-critical devices and should be disclaiming any use of their tools for such (eg "NO WARRANTY"). Every IC datasheet doesn't contain an explicit disclaimer regarding such just for kicks.
And if a shop is, for instance, creating and integrating life-critical Internet-connected medical devices based on Linux/C !? They should be scared away from that activity.
I generally don't think that people who hack for curiosity should receive custodial sentences on their first conviction.
But Guccifer isn't that. He wasn't curious about how things worked. He was curious about the contents of Jeffrey Tambor's mail spool. That's a malignant kind of curiosity, and I feel no compulsion to mitigate its criminality. We should be using criminal law to keep creepy people from invading other people's privacy. (Yes: that includes anyone who might be doing that improperly under color of law).
All that aside, most criminal sentences are far too long. Guccifer's is not at the top of my list of crimes that should have their sentences ratcheted down, but it's not entirely off the list either.
Be careful about the goal-posts here, please. Guccifer didn't hack life-critical systems. Any cat-sharing startup can create the same kinds of risks to Jeffrey Tambor that Guccifer's targets did.
The reason to have a problem with his conviction is that it was done under an overly broad law that can be used to convict many people, but is selectively applied. This is not the rule of law.
The actual creepy activity (and subsequent publishing) aren't the things that he was convicted for. Perhaps they should be, and perhaps being so would have even encouraged Guccifer to stay on the right side of the publishing law.
"The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels." - Mencken
FWIW, a cat-sharing startup (or webmail provider) seems in a prime position to continue disclaiming any security warranty. In fact, I'd be surprised if they did not. If users are actually interested in a security warranty, then they should seek alternate providers that are willing to advertise such, have obtained some sort of insurance, and have prespecified some amount of liquidated damages.
I too can see the general concept of liability being perverted by the government into something mandatory for any software developer. But I've advocated nothing of the sort, only application of the standard fitness warranty on real-world integrations. I haven't moved the goalposts - medical equipment is just one area where it's very clear such liability can't be disclaimed.
Are people maybe confusing this guy with Guccifer 2.0? What crimes was he exposing when he posted George W's paintings online? My understanding was that the private email server was only revealed incidentally to the material he released, when a reporter noticed a questionable email address.
Even accounting for the importance of transparency, it seems weird for the GP to assert this guy didn't deserve "even four months" when a large number of the times he accessed accounts were with no noble intent but with clear maliciousness
While Russia's nefarious intent or not is a subject worthy of debate, I think it's ENORMOUSLY interesting that the source of the idea that Russia is a huge problem and their interference is something we should watch out for is the Clinton campaign.
I think this tells us something interesting about Clinton's foreign policy orientation, namely, she is extremely interested in antagonizing Russia.
This is part of a pattern: Clinton and her foundation have been closely involved with Ukrainian oligarchs, the State Department was involved in planning out the Ukrainian government post-Yanukovych, and Clinton has waxed nostalgic about how we need to bring back our Cold War mentality (I recall her doing this in a Daily Show interview a few years ago, e.g.).
This is the thing to watch out for, regarding Russia.
Guccifer and Guccifer 2.0 aren't the same thing; even if one gives weight to the sources indicating Guccifer 2.0 is connected to Russia, that has no bearing on Guccifer. The Guccifer hack predated any particular expectation that Russia would take particular interest in this specific election, and so its hard to justify judging Guccifer based on that interest.
Confusing Romania with Russia is a bit ridiculous and makes Americians look ignorant. You do realize that Romania was never even part of the USSR? This has come up on HN before. It's shameful for a group apparently so highly educated.
The use of the term "megabyte" to refer to the other measure predates the coining of "mebibytes," which is used by rather few people. And as you can see on that page, at least one standards body still uses "megabytes" for the power-of-two units.
Technically I could measure a couple of gigabytes of data in megabytes. I suppose if the media where after the biggest number (big numbers are more scary) they could use bits.
> A maximum punishment “would also help address any false perception that unauthorized access of a computer is ever justified or rationalized as the cost of living in a wired society — or even worse, a crime to be celebrated,” Assistant U.S. Attorney Maya D. Song wrote.
> U.S. District Judge James C. Cacheris of Alexandria imposed a 52 month sentence, saying a tough penalty was needed to deter future hacking.
> “This epidemic must stop,” Cacheris said.
Will tough sentencing in US courts really dissuade future Romanian/foreign hackers? I mean the US is always giving out tough sentences for everything, you'd basically factor that in already if were to get caught and they put all that effort into extraditing you to the US. Seems like par for the course.
If it wasn't tough sentencing it would be superfluous charges getting tagged on, so any length is justifiable if you have a motivated prosecutor/judge or a politicized case.
Although I may be reading too much into the judges rationalization.
Not to mention that this "tough penalty" is LESS than what some poor schmuck who was caught with 1 gram of LSD, for the first time, would get as a _minimum_ sentence.
Is there any evidence that he'd have any means of cooperating with other investigations? He seems like a garden-variety social engineer, like the person who "hacked" their way to all those celebrity nudes a few years back.
> A maximum punishment “would also help address any false perception that unauthorized access of a computer is ever justified or rationalized as the cost of living in a wired society — or even worse, a crime to be celebrated,” Assistant U.S. Attorney Maya D. Song wrote.
If the US judicial system is serious about that statement they should be addressing the blatant violations of the law perpetrated by the NSA and FBI. As long as our own elite groups engage in hacking crimes, "unauthorized access of a computer" will remain "justified" in the minds of hackers.
And I think a lot of people would start to shoot back if the government was massively shooting people. But you don't need to worry, they will only shoot you in the foot, so they know where you have been by following the blood trail /s
I'm not for lawlessness on the net, but like mentioned here, until the elite is punished for their crimes, people will fight back.
War is, or should be, an extreme case where the ability to live under a legitimate set of laws is threatened. Both our optional wars of aggression, and mass surveillance are lawless acts, and acts against the people. The reason people find such a sentence offensive is that they find our government has lost the legitimacy it takes to impose such a sentence on a non-violent crime.
Seems like an inherent conflict of interest when he hacked the head of State Department, and they're the ones that would be dealing with his extradition.
I really don't understand the comments here. My first response was "only 52 months?"
This guy broke into people's accounts by guessing passwords and then used the identities of his victims to victimize others. How are people rationalizing this as OK?
He's certainly not a white-hat hacker. He didn't publish work for the public interest (Snowden). He didn't responsibly report a security vulnerability, as there was no vulnerability beyond public figures using question-answer authentication.
Think about if your accounts were hacked for the "crime" of being a public figure's relative? Friend? I know you think "public figure" only means politician, but to make this thought exercise more real, remember that Linus Torvalds, Steve Wozniak, celebrity startup CEOs (the types of people many of you want to someday become), etc. are public figures as well.
Finally, ask yourself if you can honestly say you've never broken a law; never had a moment that affected others negatively; never did anything that the public could judge you for. If you don't pass all those tests, consider whether anyone could pass those tests, and then consider whether Hillary or anyone else should be expected to. (Unlike you, Hillary and many others probably didn't grow up with internet, or email, or the concept of basic things like legal equality for African Americans - will you find it easy to pass the test of public perception for your past actions 20 years from now? 30 years from now? 40?)
'A maximum punishment “would also help address any false perception that unauthorized access of a computer is ever justified or rationalized as the cost of living in a wired society — or even worse, a crime to be celebrated,” Assistant U.S. Attorney Maya D. Song wrote.'
I'm not US citizen but what could be done (by me or other people) to support this guy? To reduce and expose this abuse of power and corruption by the US government so that things would get better? Are there organisations for that?
72 comments
[ 3.1 ms ] story [ 138 ms ] threadThe name is a portmanteau of Gucci and Lucifer, using the Italian cc- pronunciation of Gucci and not the soft-c of Lucifer. The G is hard.
“This epidemic must stop,” Cacheris said.
Funniest thing I've read all day.
If true, this is even more concerning.
https://en.wikipedia.org/wiki/Sarah_Palin_email_hack
Although to call this a symptom of a "hacking epidemic" is ludicrous.
(As a querulous pedant myself, I can hardly condemn such behavior! But I do try not to indulge that habit when doing so offers no benefit to anyone.)
...which is the only rock--real or fake--sitting on the front porch.
...and which is also coated in glow-in-the-dark orange paint, in case you need to find it at night.
The epidemic must indeed stop. We need to immediately enroll 10% of all celebrities in remedial network security classes, and stop crying "hacker!" for stuff like informed password-guessing attacks against insecure passwords and violating terms of service by scraping web pages with curl or wget.
The actual crime this guy committed was to annoy the powerful.
Much the same reason some people I know with expensive cars leave the door unlocked and the windows down :)
It's odd how people will contemplate past failed societies and file them as some sort of barbaric "other". But this is what lawful corruption actually looks like, right in front of our faces.
Even disregarding the public service aspect, what exactly did he do that warrants even four months in jail? But when "the law" really just serves as a justifier for the powerful, actions that poke holes in the abstractions of power are punished the harshest.
If you were referring to the fact that only his crime was punished while the crimes of those he exposed were ignored, then I understand your point.
So you drank that Kool Aid being passed around by the those with a vested interest to use Russia as an excuse for anything.
Could it be that you believe the narratives you find in major newspapers?
http://www.politifact.com/truth-o-meter/article/2016/jul/31/...
https://www.schneier.com/blog/archives/2016/07/russian_hack_...
Is there any evidence that points to the contrary?
I do know that your (well-reasoned) point does not actually address my question.
https://wikileaks.org/dnc-emails/emailid/2699
The Washington Post, which published the article linked by HN, has a bit of an undisclosed angle in going against these leaks. This can be seen from the leaked email above about the clandestine fundraiser the lawyers would never allow ("Great – we were never going to list since the lawyers told us we cannot do it.").
But maybe someone can point me to where they've explained themselves, because it's entirely possible that I missed it.
I hear this a lot, but I don't get how it's relevant. Sure, Russia might be trying to influence elections it should have no say in, but the data they allegedly brought forth is still valid.
[0] Although I was implying that perhaps USians should appreciate the forced government transparency. It's kind of odd to talk about "material damages" due to crimes being exposed - it seems like damages are better ascribed to the original acts themselves.
Sentences are across the board too high. The US isn't accomplishing anything with a 4 year sentence in this case than it would with a sentence of 1 year. But we should be careful to remember that white dudes messing with computers are not an especially persecuted class.
Low-level gang members get their raw deal from being systematically trapped in their situation. Go to jail, get out of jail, find no other opportunities, repeat.
Punishment divided by harm-caused obviously goes to drug users, being infinite.
Hacking has stiff criminal penalties for many things that should be civil matters at best, precisely because it makes powerful people realize how tenuous their control actually is.
Let's not succumb to identity pity politics about who has it the "worst". Each codified injustice is ultimately the result of a ruling class slowly eroding the rule of law for its own benefit.
(Also, I'm pretty sure the definition of "hacker" does not imply "white dude")
That defines the harm as being zero. I'm not sure that's the case. Some drugs (angel dust, at a minimum) greatly increase the user's propensity for violence. And the argument for saying "they haven't done anything yet, so arrest them for the violence when they do it" is similar to saying "drunk drivers haven't caused any harm yet, so wait until they cause a crash before you arrest them". The harm to others is (for drunk driving and some drugs) too likely to follow to simply wait for it to occur.
Furthermore, any drug user's increased propensity towards $whatever is going to correspond to the dosage they've taken. Criminalization of the substance itself is still not implied, just as driving with a trunk full of beer is fine. And there still exists the correlated crime-by-association [0] of public intoxication.
[0] Observe how the legal cancer spreads based not on true misdeeds, but on ancillary behaviors that are simply correlated to misdeeds. But if correlation were sufficient justification, then profiling based on skin color and lack of political connection would also be perfectly acceptable! Since the entire point of the rule of law is to protect the long tail of individual outliers, creating avenues to arbitrarily persecute people by association is its destruction.
Perhaps computer crimes are more disruptive than shed burglaries, because most of us depend more on computers than we do on sheds, and it is easier for most people to understand a shed burglary and how to take steps to protect their sheds.
The 1981 Isaac Asimov short story "A Perfect Fit" took an interesting look at that. The story can be read online here: http://www.edn.com/electronics-news/4319939/A-perfect-fit
If so many people depend on computers, then shouldn't actually securing them be a priority? If an individual shirks doing the work to understand account access the way they understand shed access, then are they not partially to blame for the result? This is awfully close to leaving a shed door open and then complaining something must be done about the wildlife.
The story was interesting, but I found the end abrupt and incongruous. Asimov clearly demonstrates an understanding of advancing to de facto reliance, so prescribing "take it away" is overly simplistic.
If the society relies on such law to prevent people from defrauding computers, then it has a gaping vulnerability to someone who just exploits the enforcement computer first. And if it doesn't rely on it, then the punishment need not be so draconian - applying a similar punishment to a violent criminal would mean that everyone from polite society would be free to attack them with impunity. Which I believe we used to do to those who evaded the law ("outlaw"), but stopped.
The post-hoc "rule of law" is a Schelling point because it is the best we can do in the physical world. But the entire advancement of networked computing is to preemptively create formal mechanically-executed protocols rather than relying on ill-specified natural language ones. It's regressive to insist that the virtual environment be ruled by both regimes, causing any benefits from formalism to be erased by the ambiguity of the legacy system.
Now obviously actions through computers can have physical-world effects, and if there is an intent for a real-world crime that is still justifiably illegal. Deliberately shutting off a ventilator remotely is still murder. But the current status quo is basically demanding the right to casually connect a ventilator to the Internet, have it fail due to a portscan or other Internet background radiation, and then blame "Anonymous" instead of putting the manufacturer and hospital administration in jail for gross negligence.
Breaking into warehouses is a crime because no matter how bad a job the owner of a warehouse does at locking their warehouse up, we don't want random people breaking into other people's property. Why would the logic for Internet sites be any different?
Also, as I'm fond of pointing out: you can coherently and reasonably lobby for liability for site owners who fail to keep out hackers. But I don't think most HN readers are going to like where that leaves the industry. Hint: Facebook and Microsoft aren't going to have any real problems surviving. But indie developers? Different story.
Regarding intent - we don't need sledgehammer-crime laws to cover intentional destruction of a computer system using a sledgehammer. So why do we need network-crime laws to cover intentional destruction of a computer system using network communication? It seems like in either of these cases, one should be prosecuted for intentionally destroying a computer system regardless of the chosen technique.
I think this is where the culture divide originates. Because for many instances of cracking, curiosity is the sole motivation. While things can be damaged in the process (and thus one would be civilly liable), there isn't justification for criminal charge of malicious destruction. Of course, the curious cracker is still trespassing - but contrast current sentences with the general severity of meatspace trespass.
Now, this specific case does seem to have more serious intent than simple curiosity. And it's hard to find a guiding analogy, since analogous situations range from publishing the contents of a journal shoulder-surfed at a coffee shop (ie "tough shit!") to publishing the contents of intercepted postal mail (another area where technical abstractions have been warped into creating extreme penalties).
Perhaps if publishing someone's "protected" (in Java parlance - not public, not strictly private) information makes us feel that some wrong has been committed, then that itself needs to be the crime. Switching the paradigm to one directly based on activity (rather than access) could certainly help to curtail commercial surveillance bureaus who currently trade in this kind of information with impunity.
AFAIK, "Indie developers" aren't creating life-critical devices and should be disclaiming any use of their tools for such (eg "NO WARRANTY"). Every IC datasheet doesn't contain an explicit disclaimer regarding such just for kicks.
And if a shop is, for instance, creating and integrating life-critical Internet-connected medical devices based on Linux/C !? They should be scared away from that activity.
But Guccifer isn't that. He wasn't curious about how things worked. He was curious about the contents of Jeffrey Tambor's mail spool. That's a malignant kind of curiosity, and I feel no compulsion to mitigate its criminality. We should be using criminal law to keep creepy people from invading other people's privacy. (Yes: that includes anyone who might be doing that improperly under color of law).
All that aside, most criminal sentences are far too long. Guccifer's is not at the top of my list of crimes that should have their sentences ratcheted down, but it's not entirely off the list either.
Be careful about the goal-posts here, please. Guccifer didn't hack life-critical systems. Any cat-sharing startup can create the same kinds of risks to Jeffrey Tambor that Guccifer's targets did.
The actual creepy activity (and subsequent publishing) aren't the things that he was convicted for. Perhaps they should be, and perhaps being so would have even encouraged Guccifer to stay on the right side of the publishing law.
"The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels." - Mencken
FWIW, a cat-sharing startup (or webmail provider) seems in a prime position to continue disclaiming any security warranty. In fact, I'd be surprised if they did not. If users are actually interested in a security warranty, then they should seek alternate providers that are willing to advertise such, have obtained some sort of insurance, and have prespecified some amount of liquidated damages.
I too can see the general concept of liability being perverted by the government into something mandatory for any software developer. But I've advocated nothing of the sort, only application of the standard fitness warranty on real-world integrations. I haven't moved the goalposts - medical equipment is just one area where it's very clear such liability can't be disclaimed.
Even accounting for the importance of transparency, it seems weird for the GP to assert this guy didn't deserve "even four months" when a large number of the times he accessed accounts were with no noble intent but with clear maliciousness
While Russia's nefarious intent or not is a subject worthy of debate, I think it's ENORMOUSLY interesting that the source of the idea that Russia is a huge problem and their interference is something we should watch out for is the Clinton campaign.
I think this tells us something interesting about Clinton's foreign policy orientation, namely, she is extremely interested in antagonizing Russia.
This is part of a pattern: Clinton and her foundation have been closely involved with Ukrainian oligarchs, the State Department was involved in planning out the Ukrainian government post-Yanukovych, and Clinton has waxed nostalgic about how we need to bring back our Cold War mentality (I recall her doing this in a Daily Show interview a few years ago, e.g.).
This is the thing to watch out for, regarding Russia.
What a hero, a true Snowden 2.0.
Megabytes? As in just a couple of pictures? That can't be right.
What you described is a binary prefix mebi, which means 2^20.
Unless you're the FBI.
> “This epidemic must stop,” Cacheris said.
Will tough sentencing in US courts really dissuade future Romanian/foreign hackers? I mean the US is always giving out tough sentences for everything, you'd basically factor that in already if were to get caught and they put all that effort into extraditing you to the US. Seems like par for the course.
If it wasn't tough sentencing it would be superfluous charges getting tagged on, so any length is justifiable if you have a motivated prosecutor/judge or a politicized case.
Although I may be reading too much into the judges rationalization.
I think the drug war is fucking stupid, but still.
If the US judicial system is serious about that statement they should be addressing the blatant violations of the law perpetrated by the NSA and FBI. As long as our own elite groups engage in hacking crimes, "unauthorized access of a computer" will remain "justified" in the minds of hackers.
If the government wants to send the message that it's not on to break the law then it needs to police itself.
(I'm stipulating the rest of your point, which I obviously don't agree with totally).
I'm not for lawlessness on the net, but like mentioned here, until the elite is punished for their crimes, people will fight back.
This guy broke into people's accounts by guessing passwords and then used the identities of his victims to victimize others. How are people rationalizing this as OK?
He's certainly not a white-hat hacker. He didn't publish work for the public interest (Snowden). He didn't responsibly report a security vulnerability, as there was no vulnerability beyond public figures using question-answer authentication.
Think about if your accounts were hacked for the "crime" of being a public figure's relative? Friend? I know you think "public figure" only means politician, but to make this thought exercise more real, remember that Linus Torvalds, Steve Wozniak, celebrity startup CEOs (the types of people many of you want to someday become), etc. are public figures as well.
Finally, ask yourself if you can honestly say you've never broken a law; never had a moment that affected others negatively; never did anything that the public could judge you for. If you don't pass all those tests, consider whether anyone could pass those tests, and then consider whether Hillary or anyone else should be expected to. (Unlike you, Hillary and many others probably didn't grow up with internet, or email, or the concept of basic things like legal equality for African Americans - will you find it easy to pass the test of public perception for your past actions 20 years from now? 30 years from now? 40?)
Perhaps someone should pass this on to the NSA?