66 comments

[ 15.9 ms ] story [ 594 ms ] thread
I wonder what evidence broke this. Did he blab about it or was this a submarined parallel construction?
Those are the only two ways to get an indictment?
For "parallel construction" to apply, the intelligence community would have had to create the conditions in which a search authorized for some other reason would have uncovered evidence of the kernel.org rootkits.

The common example of parallel construction (because it's simple to explain, not because there's evidence it's happened) is: unauthorized electronic surveillance reveals that a drug transaction is going to happen at such-and-such corner at such-and-such time. The surveillance is shared with the police, who then station officers near the site of the transaction, and who are therefore able to observe the crime as it takes place --- giving them probable cause to effect the search themselves.

In other words, parallel construction is a way of allowing the police to be at the "right place and right time".

So, to move the ball forward on the conspiracy theory that some 27 year old doofus who rootkitted kernel.org with stolen credentials was so important to the NSA that they monitored him and conspired with the FBI to ensure he was charged, you must first come up with the set of circumstances in which the NSA could have shared something with the FBI that would have enabled FBI to de novo generate probable cause for a search.

Investigating a rootkit on kernel.org falls squarely within the NSA's counterintelligence mission. Until they investigate, they don't know whether it was done by a random 27 year old doofus or by a nation state.
That's the first half of the argument. The second half is why and how the NSA then set the 27 year old up to get searched by the FBI.
40 years in prison plus a one million dollar fine? Might as well kill a few people while he's out on bail, he already paid for it.
If anything, I would think that the bail would indicate he's unlikely to receive the maximum sentence. I suspect that few do. That said, I am not a lawyer.

Edit: A bit about the United States Sentencing Guidelines, linked from the lwn thread: https://popehat.com/2013/02/05/crime-whale-sushi-sentence-el...

Yeah. On some level, I try to get people to read "he faces up to ..." as "he faces no more than ..."

Still though, a little disproportionate.

(comment deleted)
Concurrent sentences do happen, especially when all the counts stem from one incident, though I'm unsure if they happen for federal crimes. (In that case assuming full conviction he'd serve each count at the same time, making it up to ten.)

They're obviously angling toward a plea, though.

Under the federal sentencing guidelines, a person charged with many counts of the same offense serves only the sentence associated with the most severe of those offenses; the sentences "group" by charge, and the grouping rules are part of the sentencing guidelines.
Although judges are not required to follow the USSG, and upward departures do happen; e.g. Dennis Hastert's structuring conviction. The DOJ is technically correct, but very misleading.

(I know you know this and that an upward departure from the Guidelines is very unlikely for this particular case--just stating for the record.)

Are you sure? The judge departed upwards from the prosecutor's recommended sentence, but did he exceed the guidelines? The class of charges Hastert was sentenced under include a sharp increase in offense level if the crime involves sexual exploitation of minors, easily enough to land you in zone D for a first offense.
From the transcript [1]:

"The government is recommending a guidelines sentence, meaning between zero and six months in jail... It's not sufficient to comply with the purposes of sentencing. It doesn't reflect the seriousness of the crime and the conduct surrounding it. It doesn't provide just punishment for the offense to give simply a guidelines sentence."

[1]: http://www.chicagotribune.com/news/nationworld/ct-pdf-transc...

The base offense level for structuring in the service of some other criminal act appears to be 8, and offenses connected with sexual exploitation of minors gain 6 offense levels; zone D starts at level 12 for first-time offenders.

It is as least as likely that I am wrong than that the reporting is wrong, but, there you go.

That's good to know. Basically concurrent with a slightly different technical approach.
So in 30 years the president will be giving clemency to a bunch of non-violent hackers we locked up during the "War on Cybercrime".
There actually was a "war on drugs", and while drug sentences are not the cause of mass incarceration (prison sentences are dominated by violent crimes, followed by property crimes), there are many tens of thousands of people in prison for drug offenses.

Are there even 100 people in prison for "cybercrime"?

Does "cybercrime", which includes credit card and identity theft, occur only rarely? Is that why almost nobody is in prison for it? No. The reason nobody is in prison for "cybercrime" is that despite what us message board nerds think, we are not in fact part of a persecuted class.

It is hard to understand the true magnitude of the war on drugs because it likely lead to sentence inflation of all crimes.

At this point people are being sentenced to decades for crimes they previously were sentenced to just years for.

The entire situation is disgusting.

This is widely believed but turns out to be false. The average length of prison stays may not have increased significantly at all in the last 50 years. Increased prison sentences are not the cause of mass incarceration.
What do you believe is the biggest factor that contributes to mass incarceration?
The best thing I've read on this, which is the Pfaff study on mass incarceration and the drug war, suggests that the biggest issue is that even as crime dropped steadily during the mid-late 1990s, prosecutors offices continued staffing up, and prosecutors themselves became more likely to file severe charges.

So the short answer is "prosecutorial discretion".

The longer answer might be something like this:

During the crime wave from the late 70s through the early 90s, the American public demanded increasingly aggressive prosecution of crime. Prosecutors offices staffed up in response to it. People were elected on promises of increasing funding both to police and to prosecutors. Prosecutors themselves were incentivized to file more cases, again due to the public mood.

The crime wave passed, but once set in motion, the systemic increase in prosecutions didn't stop: in large organizations, headcount, once obtained, is only released dearly. Managed business objectives (like expectations on percentage of offenders for whom prosecutors will charge with felonies), once established, are only with great effort ever changed.

And so that's where we're at now: a prosecutorial system calibrated to the crime levels and hysterical public mood of the late 1980s.

Very interesting. I have been paying attention, but I guess not well enough. That makes sense and falls along the same line of thinking as... you make what you measure.
If the only thing stopping you from committing murder is fear of government punishment you might be a sociopath.
There is absolutely no chance that this person will serve 40 years in prison, or anything resembling that sentence. DOJ press releases add up the maximum possible sentence for the class of offense people are charged with. It's terribly misleading.

In reality, for a non-remunerative first-time offense, even of this severity, the guidelines suggest low single-digits.

There is too much risk built in to the sentencing though. He will basically be forced to take a plea of 10 years and hopefully get out in 5.

I would like to see a situation where the max penalty that can be issued by a judge can only exceed a plea offer by 20%.

He's not going to be offered 10 years. If he goes to trial and is convicted, he'll likely serve less than 5.

Once again: 40 years is not in fact a sentence that is available to the judge; the judge would have to discard the sentencing guidelines entirely, and that sentence would fall apart on appeal.

Further, there is simply no relationship between the number "40 years" and the guidelines. It's not like the DOJ is marking up the guideline sentence by X0%. They're instead using a ridiculous process to add the sentences for every count of a crime up, which is simply not how federal sentencing works.

This harsh bargaining was in part why Aaron Schwartz killed himself. The punishment doesn't fit the crime.
It's "Swartz". Not "Schwartz".

Swartz had the advice of some of the best attorneys in the field during his ordeal. Nobody doubts the stress of a federal prosecution contributed to his death. But nobody familiar with the case believes --- or believes that Swartz believed --- that he was facing a double-digit-years sentence. His own attorney, who advised him to take the case to trial, believed that if convicted on all counts, he might not even get a custodial sentence --- that his worst case would be a felony conviction with a probation sentence.

You can read the sentencing guidelines (they're public) and see why. First offense. Non-remunerative crime. Highly debatable damage. Reluctant, ambivalent victims.

While you were off murdering people you weren't really a threat to the US Government. The second you proved you could break into hardened computer systems, you became a direct threat to the US Government.
Good

As much as technical solutions to security are important, there, the legal aspect should not be forgotten

40 years, or even 10 years is not a reasonable sentence for cybercrime. It should be no more than 2-3 years in the severest of cases.
IMO it really depends on the cybercrime. Maybe in this instance 2-3 years should be sufficient. I can, however, imagine scenarios where much longer sentences should be applied. If a cybercrime results in human casualties, for (a more extreme) example.
There are already laws against homicide, though. Use those.
What if the effects result in an estimated 12 suicides, 1,000 children becoming homeless, and 10,000 teenagers not being able to go to college? Probation, or not worth charging?

What if someone punches you in the face and steals your wallet, resulting in minor bruising, an adrenaline dump, the loss of $42 and at least three hours spent on the process of replacing your ID and credit cards?

..and the board of directors of many major banks should all be in jail after the 2008 financial crisis. They're not only free, many of them kept their bonuses.

1% of Americans are in the incarnation system or out on parole. That's more than all of the other high income countries.

Our legal system is hardly fair, and this is another example of it.

I don't understand this comment. Are you saying that it's good that bankers didn't go to jail, but bad that malicious hackers do? If so, I disagree; bankers should have gone to prison for a period of time easier measured in decades than years.

What I have a problem with is all of the tears for the white collar, educated criminals, and the insistence that the people who really deserve prison are those poor, uneducated, violent criminals. Somehow everyone seems to think that the criminals that they could most easily see themselves as deserve the least punishment, so middle-class crime is seen as less criminal by the middle-class.

Unfortunately for this argument, the framers of the Constitution were pretty firm about the idea that for people to be sent to prison, they had to violate a law already on the books at the time the crime was committed, and that the burden of proof for establishing the violation was on the prosecution, not the defendant.
Consider that cybercrime could potentially turn off power for half of United States, launch a nuclear missile or deorbit a satellite over a populated area. Ability to say break into a say a Ubuntu or Red Hat binary server could server malware to hundreds of organizations including Governments.

As usual, there is no one size fits all and so Judges usually have leeway to decide severity of punishment.

>Consider that cybercrime could potentially turn off power for half of United States, launch a nuclear missile or deorbit a satellite over a populated area.

Any such acts would be criminal on their own, not sure what point you're trying to make besides emotional appeal.

> Ability to say break into a say a Ubuntu or Red Hat binary server could server malware to hundreds of organizations including Governments.

If you actually did something with such access it shouldn't be very hard to find suitable crimes to charge you with other than breaking to the servers.

It also depends on whether you're the fall guy or not.
How do you arrive at this number?
Seems reasonable, it's extremely difficult for hacking by itself to be a particularly serious crime. Of course, murdering someone by hacking their medical equipment is still murder.
Its extremely easy for it to cause thousands to millions in damages. If I burned thousands -> millions in property even if nobody was hurt it would still be a serious crime. Its also a potentially lucrative area which ought to be counterbalanced with high consequences.
I was charged with criminal damage (like you would for damaging ones physical property) on top of hacking charges.

Seems fair to me, I really don't see why cybercrime deserves special treatment.

>Its also a potentially lucrative area which ought to be counterbalanced with high consequences.

Yeah, copyright infringement is even more lucrative. Does that mean we should start locking up people for whats currently civil copyright infringement?

It's weird that bankers never get sued, after causing millions in damage.
Bankers get sued all the time.

You're probably talking about criminal charges anyway, in which case the answer is that they rarely do anything that illegal, and when they do it's not very easy to prove.

The potential impact of a hacking crime is massive. Millions to billions of dollars and a real impact on people's lives for well over 2-3?! years. If someone suffers identity theft, invasions of privacy, etc. the direct impact could easily go beyond a few years and secondary impacts almost surely would.

The sentencing guidelines make available remedies for those cases - and I can imagine large scale attacks which should be punishable by life in prison.

Do the merits of this case warrant max staycations in prison? I dunno, but the government should have the flexibility for the lulz.

And a physical analogue: The potential impact of breaking and entering is massive...

So, B&E is a relatively minor offence, it's the crimes that follow (theft, destruction of property, etc) that are significant. The same should apply for a cyber-B&E. In fact do you even need a law for breaking into a computer? I wonder if we could simply revise the traditional B&E definition to apply to computers as well.

"Hackers penetrate and ravage delicate public and privately owned computer systems, infecting them with viruses, and stealing materials for their own ends. These people, they are terrorists."
2-3 years is the sentence he's most likely to get. Look at the sentencing guidelines; they're public.

FWIW: 2-3 years is also too harsh for a first-time offense. There's no corrective outcome you get in year 2 that you don't already have by the end of year 1.

But regardless: the sentences in these press releases have absolutely no connection to reality.

Hacking hackers is a dangerous game.
This took 5 years to prosecute and the guy has at least one shell company mentioned in the panama papers.

Seems likely there's a little more to the story. (or they didn't find anything for 5 years until the guy bragged to someone)

However by far the strangest thing here is how very specific the charges are, one hack 5 years ago and no co-conspirators? How on earth didn't they find anything else to charge him with? [1]

[1] Of course this all could be explained away by them having a weak case, which they probably would have if they failed to seize his personal equipment

My gut agrees with yours. What's the benefit? Was he working for someone, or is this part of a plan to become Dr. Evil? Seems to be beyond a prankster act.
I couldn't easily figure out just who this guy was (i.e. handle) but it seems somewhat unusual that he would've performed the hack alone. Especially given the malware deployed[1] and information shared by the victims [2].

>What's the benefit?

Tons, having personally tried the same thing in the past :^) Being able to serve backdoored copies of the kernel to targeted users would be all kinds of useful, and you'd be in an unique position to target the kernel developers themselves, allowing you to actually insert a backdoor into the kernel.

[1] Phalanx is by far one of the most advanced pieces of publicly analysed linux malware https://volatility-labs.blogspot.de/2012/10/phalanx-2-reveal...

[2] Kernel.org folks claimed that they weren't the only target, which is to be expected (people with no prior hacking experience rarely decide to acquire/produce somewhat advanced linux malware and install it on kernel.org)

[2] ctrl+f credential-stealing https://lwn.net/Articles/464233/

One silver lining I would like to see is that public facing websites are starting to use the word 'programmer' rather than the plain old 'hacker' slang.
I'm not quite sure if that's a silver lining, as it's usage in such a way might do to the word "programmer" what it did to the word "hacker", namely turn an innocent word into one with connotations people would rather not associate themselves with.
is kernel.org open source?

Why do you need to hack in to access it?

Is there something in kernel that is hidden I wonder.

I know that motive will sometimes play into the sentencing, so it will be interesting to see what reason he had to gain access to the servers. I can't imagine what monetary gain there may have been, so it must have been something else.
Is this a sign of Linux' growing political influence when government agencies are investigating crimes against it and enforcing them?

Would this crime have been handled by the federal government 10 years ago? 20? Would an attack on your server get a response from the FBI and the DOJ?

That influence doesn't have to be the Linux Foundation; it could also be corporate or other powerful entities that are heavily invested in it, such as IBM.

Why is him being from FL relevant?