Gary Mc Kinnon, accused of breaking into several computers in various government agencies in the US, is at the centre of an extradition storm after he broke into the US Military and NASA computer systems but reported in an interview that the charges against him in the US have been manufactured to ease his extradition there.  If extradicted to the US he could face a secret military trial with no right of appeal, but that he could even be sent to detention camp Guantanamo Bay.

"For it to be extraditable under their computer laws in America you have to have caused $5,000 worth of damage and lo and behold they say that every computer I was on I caused exactly $5,000 worth of damage so it is patently a falsely structured argument," Gary McKinnon told OUT-LAW, a specialized portal dealing with legal issues.

McKinnon argues that he should be tried, but that it should be in the UK, where the offence was committed. He says that he was working with very basic hacking tools from a simple internet connection,

and that the only reason he was able to access systems was because security was so poor.  "When you look at the fact that my method for gaining entry was scanning for blank passwords, technically you could say that there was no security to begin with," he said.

Here a couple of considerations might be worth.... starting from the defensive action.  Unfortunately for Gary it's not legal to probe for blank passwords. Full stop. Discussion about this takes place amongst lawyers and security experts periodically on specialized mailing list.  But everybody in the end have to admit that if you probe a password is valid, you're already inside the system and that's illegal (in most countries).

The second consideration regards the evidences found to validate the extradiction case.  Here it's at least diffcult to object what McKinnon states. 

We did not see the original documents from the US, but if it is true that it have been calculated in exactly 5000$ the amount of damage made for breaking into a government agency system, it may only mean that:

1) they do not know how to calculate a break in cost

2) they used internal personnel to do the job (any consultant would have asked 5000$ just for the rent of the forensic software licence)

3) they do not value appropriately the time for completely reinstallation and full upgrade and hardening of the system

4) they do not split appropriately the cost of additional management of perimetral and host based security (if any, of course)

I am sure i forgot something, but please feel free to add it in the comments....

Comments Index (Total Messages: 0)

Post Reply
Name:	Guest
Title:
Comment:
Enter this security word

Powered by a Zone-H(ified) version of AkoComment 3.0!