Saturday 28 November 2009

Gary McKinnon Extradition

Gary McKinnon is in the news again after the Home Secretary, Alan Johnson, refused to block the intended extradition to the United States. I was invited to comment on Radio Five Live on Friday morning, to raise points on the security and technical specifics of the case.
It is clear Gary has plenty of public support in the UK, from people who believe he shouldn’t be extradited to the United States, mainly on human rights grounds. Gary’s lawyers stated he is happy to plead guilty to the crimes in a UK court, therefore he appears to be guilty of these crimes, but his lawyers feel justice just won’t be served if he were sent to a US court.

I actually met Gary a couple of years back; however, my comments on Radio Five Live were made from a totally impartial, Information Security expert’s point of view. Here is a summary of what I said.

The main point to understand is: what was the motivation of Gary McKinnon’s “hacking” attack? It clearly wasn’t for fraud, as he wasn’t trying to steal any financial information, and there appears to be no accusation of Gary stealing information to sell on for profit. This is the first point to understand, as people who are motivated to hack systems to steal for personal profit do need the book throwing at them.

The next question: did Gary set out to damage systems maliciously? Well, if you listen to his lawyers, they will tell you Gary’s motive wasn’t to break and damage systems, but to acquire knowledge, mainly about UFOs and their power source. However, the US authorities say Gary’s intention was to break and damage their systems, and point to messages left on their systems, such as the one below, which I understand has been verified by his lawyers as being left by Gary.

“US foreign policy is akin to government-sponsored terrorism these days? It was not a mistake that there was a huge security stand-down on September 11 last year...I am SOLO. I will continue to disrupt at the highest levels.”

For me these are all important questions to ask and answers to understand, as there is a big difference between a fraudster using hacking techniques to steal financial information, a malicious hacker out to deliberately deface and break systems, and a curious hacker trying to satisfy a “What If”. Confusingly, Gary is portrayed as the latter, but he also tends to be branded and tarnished with the same brush as these other types of hackers. I feel this is because the general media and the public do not understand the significance of the different types of hacking which are occurring today.

I believe there is negligence on the US system owners’ part. For example, if I were to park a shiny new BMW in an undesirable part of town and leave the car unlocked with the keys in the ignition, wouldn’t I be negligent and be at fault if the car was stolen? Would an insurance company pay out? In the same way, everyone knows the Internet is a dangerous place, and for any organisation to place “sensitive” servers directly on the internet without even the basics of best practice in IT security of the day, and then have these servers hacked, in my view that organisation has only itself to blame. If Gary hadn’t got there first, someone else or perhaps even a malicious application would have breached these systems eventually. The majority of Information Security professionals I know tend to share this point of view on information security; however, a lawyer wouldn’t, and perhaps the people who didn’t properly secure their systems in the first place won’t exactly be blaming themselves either. But I’m definitely with the insurance company on this point.

Gary is summarised by most media as being some sort of Super Hacker. Actually, in my experience and knowledge of the actual “hacking” which is alleged to have occurred in this case, I have to say Gary is far from being a super hacker or even an accomplished hacker. It looks like Gary didn’t really have to work very hard to access these systems, such was the alleged lack of basic security on them, and at the end of the day he got caught. Even an average grade hacker knows how to be anonymous on the internet, and how to cover their tracks properly; only the inexperienced and the not so clever hackers actually get caught. So in my view Gary is far from being a “Super Hacker”.

My final point on the radio will not be popular with pro-Gary campaigners, but it is a word of caution. We need to give some thought to the legal precedents which could be set here. There is a problem in bringing real serious cyber criminals to justice, because hackers tend to operate across international borders. I know our US extradition treaty isn’t the best as it currently stands, but if this extradition were to be blocked, I fear the next time we arrest a credit card fraudster operating out of the UK (which has happened recently), the fraudster’s legal team would use this case to prevent extradition. Similar legal precedents have been used to stop the extradition of foreign nationals back to their country of origin, despite them committing all sorts of heinous crimes that are far more serious than breaking a few servers.

There is much more I could have said on this subject, such as looking at the way US authorities appear to have put in place over-the-top sentencing for this crime, which doesn’t appear to reflect the actual crime. It is ridiculous that this particular type of offence seems to be carrying a greater punishment than murder in terms of prison sentence time. I understand Gary’s hacking at worst caused a 24 hour outage, with no member of the public (or military) harmed as a result, and as I said it could be argued the system owners were partially to blame as well. I don’t believe any information of value was stolen; only system “software” damage is alleged to have occurred, which is estimated to be around $700,000 by the US authorities, which many would say is kind of high for rebooting and restoring less than 100 systems. The punishment for the actual offence must fit the crime, and if it did then extradition of Gary to face justice in a US Court might not be the problem it currently is.

4 comments:

Anonymous said...

Hi - found your post through Twitter.

A balanced article - would be nice to Listen Again. What time of day were you on the radio?

CG said...

you conveniently left out he was offered a relatively light sentence years ago but he chose to fight it and feign innocence. now he's choosing the "I did it but now the punishment is too harsh" route. bah.

it's also not fair to apply today's computer crime standards and normalcies to a computer crime committed almost 10 years ago. compare it to crimes committed at the time where breaking into US govt computers was known to be illegal whether it was "easy" or not.

are those system owners negligent? most certainly so, but they also caught the guy that did the crime and just because it was an easy crime doesn't change the fact of what he did.

John Hardie said...

Good article. I wasn't aware of the comments he had left about "state sponsored terrorism" until I read this. It does countermand the story of "innocently looking for UFO evidence and propulsion" somewhat. Intent is probably key to the outcome of this, as he was caught.

Julia said...

Nice post which The main point to understand is, what was the motivation of Gary McKinnon’s “hacking” attack. It clearly wasn’t for fraud, as he wasn’t trying to steal any financial information, and there appears to be no accusation of Gary stealing information to sell on for profit. This is the first point to understand, as people who are motivated to hack systems to steal for personal profit, do need the book throwing at them. Thanks a lot for posting.