Sunday, 27 September 2009

Justice For Gary McKinnon?

Well, yesterday (26th September, 2009) the UK-based “Tribune magazine”, which describes itself as “A thorn in the side of all governments, constructively to Labour, unforgiving to Conservatives”, posted about the plight of McKinnon in an article called “Securing Labour's future.”

The opening paragraph stated:

Ann Black identifies the priorities for Labour in the time remaining before the general election.

"As Labour gathers for its conference in Brighton, penned behind the ring of steel, the omens are mixed. The recession is easing, but the summer saw errors over Gurkhas' settlement rights, compensation for wounded soldiers and the lingering MPs' expenses scandal. Blaming the SNP for freeing Abdelbaset Ali al-Megrahi, the man convicted of the Lockerbie bombing, will not wash. Instead Labour hits out at soft targets in agreeing to deport Gary McKinnon, the hacker with Asperger's syndrome, to face rough justice in the United States for accessing military computers in search of evidence of UFOs.”

Source: Tribune Magazine

It seems as if the general consensus has gradually swung in favour of McKinnon, with ComputerWeekly posting under their “Legislation and Regulation” section on 14th July, 2009 that:

US allegations against UFO hacker Gary McKinnon were 'over baked'

US allegations about the severity of Pentagon hacker Gary McKinnon's crimes were trumped up, a court heard today.

Edward Fitzgerald QC, McKinnon's barrister, argued that the Director of Public Prosecutions decided wrongly in February not to prosecute the hacker in the UK and so allow his extradition to face charges in the US instead. Fitzgerald told the court that US allegations that McKinnon was guilty of "the worst crimes of the century" were over baked. He submitted a file said to contain DPP evidence that demonstrated how the US did not have evidence to support these allegations. The actual US indictments - as opposed to allegations - were for computer fraud and damages. These charges were comparable with those listed under the British Computer Misuse Act, the court heard.

McKinnon, who is accused of causing £475,000 worth of damage to computers by hacking into computer systems belonging to the Pentagon, Nasa and the US military from his home in North London, claims that under human rights law he has a right to be tried in the UK. McKinnon hacked military systems in the search for suppressed evidence of UFOs. He found little evidence of other-world natives or technology, except for a spreadsheet that listed "non-terrestrial officers, ships' names and goods movements", and a picture of what he said was a UFO with a perfectly smooth surface.

Source: ComputerWeekly

Back on the 10th September we were told that the presentation made on behalf of McKinnon by several MPs was apparently dismissed:

McKinnon plea falls on deaf ears

LABOUR, CONSERVATIVE and Lib Dem MPs who argued the case for protecting Palmers Green hacker Gary McKinnon from extradition in the US have drawn a blank. Michael Meacher, for Labour, former shadow Home Secretary David Davis and Liberal Democrat MP Chris Huhne had a 30-minute audience with Home Secretary Alan Johnson yesterday, but were disappointed by his response. The senior cross-party trio relayed arguments made by leading human rights lawyers concerned for the welfare of the 43-year-old Asperger's sufferer if the planned extradition took place.

Mr McKinnon admits cracking NASA codes, but says he was looking for evidence of UFOs, while the US says he is guilty of the biggest military computer hack and could send him to prison for up to 60 years if he is found guilty. The MPs will now take their case to the new US ambassador Louis Susman, who recently backed a sponsored walk for an autism charity.

Mr Meacher, who has criticised the UK's Extradition Act as being unfairly weighted in favour of the US, said:

“Alan Johnson made clear that in his view, after a string of court decisions at all levels over the last seven years, it would be very difficult for him to [intervene]…..It was also quite clear that Alan Johnson was concerned about the precedent that would be set in regard to other current cases, notably that of the alleged terrorist Abu Hamza…..We pointed out that this showed how poorly drafted the Extradition Act 2003 had been when not only did it give rights to the US that were denied to the UK, but it bizarrely applied the same rules to a misguided but innocuous young man as to a serious alleged terrorist. A more common-sense and proportional approach was needed.”

Mr McKinnon is now waiting to hear if his legal battle will be taken on by the new Supreme Court, which replaces the House of Lords as the highest appeal court in the UK and starts to hear cases from October 1.

Source: Enfield Independent

Putting political agendas aside, and again with Computer Weekly, who posted the following on September 22nd (2009) in their “Risk Management” section:

Expert challenges UFO hacker's $700k bill

The US inflated the $700,000 bill for damages it slapped on UFO hacker Gary McKinnon by stuffing it with costs incurred for patching the gaping holes the hacker had exposed in its computer security, according to a document filed with the Supreme Court. The US had not taken reasonable steps to protect its security and now expects McKinnon to pick up the bill, said an expert witness statement made in McKinnon's ongoing appeal against a US extradition order.

Peter Sommer, professor of security at the London School of Economics, said damage assessments of computer security breaches should consider, "whether the victims have taken reasonable steps to limit the damage."

McKinnon had used Remotely Anywhere, a software tool, to hack US military computers in search of UFO secrets. The 42-year-old faces extradition after being accused of hacking into 97 US government computers causing $700,000 of damage.

But Sommer said, "Every intrusion detection system I have come across would flag up the installation of a remote control program like Remotely Anywhere……Any firewall also ought to block the 'ports' [internet access points on a computer] used by Remotely Anywhere. On this basis, the costs claimed for are features that should have been there in the first place."

Sommer, who once advised insurers underwriting the risks of computer damage, said hackers could not be held accountable for the, "consequential loss" resulting from their intrusion into systems unprotected by "preventative measures for reasonably foreseeable hazards ….. Insurers will not insure computers or computer-dependent businesses in the absence of reasonable levels of protection and means of recovery.”

But security experts in the US said McKinnon should be liable for the full $700,000 of security checks performed in his wake.

Professor Eugene Spafford, founder of the Center for Education and Research in Information Assurance and Security at Indiana's Purdue University, said the victim of a cybercrime should not take the blame. If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door. Anthony Reyes, a former cybercrime detective who helped develop the US Cyber Counter Terrorism Investigations Program, said, "Just because security is weak, it doesn't give you a red flag to go into a computer system and start browsing around."

Source: Computer Weekly

Apart from the discrepancies between the dollar amounts stated to date regarding the alleged damage McKinnon caused (apparently depending entirely on which webpage the information was posted on), this is the first time I've seen the allegation that the “damages” were nothing of the sort but are instead down to the cost of plugging the holes in the amateurish system setup that McKinnon exposed. I agree that just because the security is weak it doesn't give you free licence to breach the network at will, but when someone exposes the system's weaknesses, to then try to pass the cost of fixing these flaws (which are there due to your own incompetence) onto them doesn't seem right, does it?

And if the damages being pursued are just for locating and correcting his edits then it's still ridiculously overpriced at $700,000. Plus, if McKinnon is to be believed and this security flaw was indeed directly due to no more than the machines not having been assigned a password and so were still operating on the default settings, then I would tend to agree with McKinnon in that this estimate is massively inflated for the sole reason of obtaining extradition to the US, which in turn means I also share McKinnon's apprehension in that this is quite a risk to take if the US are just planning to extradite him for a lenient sentence.

I appreciate that the only reason I'm even mentioning McKinnon is due to what he claimed he found while browsing through the less-than-secure system, and for what it's worth I don't believe McKinnon saw what he thinks he did. I wouldn't go as far as to say McKinnon is lying, but I feel he is at best mistaken. However, that doesn't and shouldn't in any way affect the bigger picture, which is surely that extradition, while always accepted as a possibility, is one I feel was never really expected to go as far as it has, especially when several high-profile UK hackers have been tried for similar offences here in the UK (i.e. where the people were located when the cyber-crimes were committed).

I should also point out that I believe “Team McKinnon” should have long since dropped the UFO angle. If absolutely necessary then perhaps play on McKinnon's (alleged) naivety in searching for answers to one of the most profound questions we as a species have ever asked, but to continue pushing the fact that McKinnon actually found evidence of this at the exact same moment as being ‘caught in the act’ is a very difficult coincidence to accept. Basically they are saying that after at least 96 fruitless attempts at discovering ANY information and many, many hours spent searching for it, McKinnon finally stumbles upon the evidence he has been relentlessly questing for at the exact same moment that someone happens to notice he is online and has unauthorised access, the EXACT same time after so long undetected (in the act)?

And in what appears to be something of a contradiction McKinnon when appearing on the Hackers' Panel at the Infosecurity Europe 2006 conference (April 27th, London) and upon being asked how his exploits were first discovered, answered that he had miscalculated the timezone. He further claimed that this led to him actually using remote desktop software to operate a Windows computer while its user was sitting in front of it.

But yet also in 2006 when specifically asked, “What did you find inside Nasa?” McKinnon told the BBC's, “Click” programme:

“I got one picture out of the folder, and bearing in mind this is a 56k dial-up, so a very slow internet connection, in dial-up days, using the remote control programme I turned the colour down to 4bit colour and the screen resolution really, really low, and even then the picture was still juddering as it came onto the screen…..But what came on to the screen was amazing. It was a culmination of all my efforts. It was a picture of something that definitely wasn't man-made…..It was above the Earth's hemisphere. It kind of looked like a satellite. It was cigar-shaped and had geodesic domes above, below, to the left, the right and both ends of it, and although it was a low-resolution picture it was very close up…..This thing was hanging in space, the earth's hemisphere visible below it, and no rivets, no seams, none of the stuff associated with normal man-made manufacturing.”

Source: Click (BBC)

So from what information is available something doesn't seem to jibe: how was McKinnon able to locate and commence the download of an image on a PC which a user was logged in to and actually using at the time? Of course this is purely my unlearned opinion, and either way I suppose this is something of a minor discrepancy that pales into insignificance when compared to the charges and the possible repercussions faced should extradition go ahead and McKinnon face trial in the US.

And let's not forget that while searching for UFOs/free energy etc. may be what Gary is claiming as the reason behind his foray into cybercrime, it would be negligent to omit the statement he left on the system while hacking under the guise of “Solo”:

“U.S. foreign policy is akin to government-sponsored terrorism these days ... It was not a mistake that there was a huge security stand-down on September 11 last year... I am SOLO. I will continue to disrupt at the highest levels.”

Remember this is post 9/11 and personally speaking this is not only in very bad taste but for all intents and purposes it certainly sounds like the words of a terrorist, cyber or otherwise.

Anyway, that's more than enough rambling from me so I'll wind up by saying:

Support Gary McKinnon!!

But perhaps just not for the reasons you might have thought.....

A few earlier Blog posts:

(29 Aug 2008) Gary McKinnon Loses European Appeal
(31 Aug 2008) Protest For Gary McKinnon, Home Office (London) Tuesday
(31 Jan 2009) Boris Johnson criticised for defending UFO Hacker
(06 Apr 2007) Gary McKinnon Faces US Extradition On Hacking Charges, (+ Video)


Tammy said...

Why is it so surprising that the gov has common people pay the bills? Seems that is the expected way of doing business in their eyes.

Mike Philbin said...

re: Eugene Spafford's "broke door" comment.

It'd be better to ask, "Would any reputable insurance firm insure a property with NO LOCKS ON THE DOORS AND WINDOWS against content theft?" You know what I mean? Keeping my delicately-balanced analogy going, "These non-locking doors and windows, why weren't they even in their frames. 'In the showroom' does not mean you can charge their purchase to future thieves."

Really, and they call these Professors?