Saturday 30 August 2008

Criminal responsibility for lack of security features?

A recurrent idea, with the FTC (in the US) putting it forward once more. Note that the Convention on Cybercrime leaves the states parties free to narrow the offences (hacking and misuse of computers) by including a condition, that of having up-to-date security features. Now the problem is: what is up to date?
http://www.techdirt.com/articles/20080825/2320012094.shtml (26 August 2008)

In the same line of thought is the comment of a Nigerian official who points out that victims of 419 scams should be held responsible: "Nigerian Official Blames The Victims Of Nigerian 419 Advance Fee Scams" http://www.techdirt.com/articles/20080822/0315012062.shtml (22 August 2008)

And earlier, "Banks slip through virus loophole" (The Guardian, 12 June 2008): "A quiet rule change allows British banks to refuse to compensate the victims of online fraud if they do not have 'up-to-date' anti-virus protection, says Danny Bradbury"

Hacking - insiders

"Bank Changes Man's Password After They Realize It Insults Them" http://www.techdirt.com/articles/20080828/0938222122.shtml (28 August 2008) and, as the case is in the UK, the BBC link:
http://news.bbc.co.uk/2/hi/uk_news/england/hereford/worcs/7585098.stm

  1. The employee does not work for Lloyds anymore. Has disciplinary action been taken? Concerning criminal proceedings, the behaviour falls under the Computer Misuse Act 1990, for the employee modified computer data without authorisation.
  2. Although there has been no harm here (just a change of password without taking money or the like), the facts illustrate that crime can be generated from the inside. Security policies must be stronger to avoid this type of situation, despite a survey stating that insider crimes diminish: "Insiders No Longer The Biggest Threat To Computer Networks" (TechDirt, 17 June 2008)

Scams - Nigeria and the challenge of cybercrime

An interesting article, a bit non-mainstream when it comes to cybercrime in Africa. The Nigerian commission admitted that cybercrime was a challenge difficult for its Government to tackle. Authorities do not often admit that.

http://www.crime-research.org/news/27.08.2008/3537/ (27 August 2008)

Although one can validly argue that victims are now really fools to fall for 419 scams after all the publicity surrounding them for the past few years. http://www.techdirt.com/articles/20080822/0315012062.shtml (22 August 2008) "Nigerian Official Blames The Victims Of Nigerian 419 Advance Fee Scams"

Friday 29 August 2008

Hacking (Nasa hacker) - jurisdiction and policies

The last hope of hacker McKinnon vanished today. The ECtHR rejected his emergency appeal from the House of Lords' decision on his extradition case. Obliged to be tried now in the US, Mr McKinnon faces an unenviable position in a country where plea bargaining is rife. Having refused the plea offered to him, the sentence is likely to be less lenient, especially if the prosecution is exasperated by the litigation process.
Three things here interest me:
  1. First, Mr McKinnon's admission that he hacked but to find documents on UFOs. In strict terms of criminal law, his motive (UFOs, pure fun, or terrorism) bears no influence on the existing offence. Mens rea, the mental component of an offence, discards motives which cannot be its component. Motives may come into play later, as an excuse (insanity for example) or justification. This is why the Asperger's syndrome argument becomes important as a ground for an excuse (constraint? barely insanity in today's understanding of the defence).
  2. Second, the procedural aspect of the case. 95% of criminal cases end up in a plea; plea bargaining is supposed to be a transaction between two parties and a minimum of fairness is supposed to exist, rules of the Supreme Court. But the conception of fairness is relative, especially in the eyes of Europeans: American fairness in relation to plea bargaining is not often perceived, rightly or wrongly, as fairness in the sense of English law or European Human Rights. Pressures are great to accept the plea and not to do so is taking a huge risk.
  3. It is unclear what has been the attitude of the authorities. Pressure was claimed to have been exercised. Misstatements were supposedly made about the extent of the hack and its threat...

Overall, let's hope one thing: that Mr McKinnon's misapprehensions of his original actions do not cost him more than is necessary. He should not be sanctioned for the symbol that some may want to see of him in the fight against cybercrime; he should be sanctioned for his actions only, not for political or policy reasons. He hacked into the computers; this is an offence. If hacking into governmental networks is an aggravating circumstance, fine; if it is not, then he should be left alone.

"US: tackling cyber-crime" (22 August 2008)

http://news.zdnet.co.uk/security/0,1000000189,39475039,00.htm (28 August 2008)

http://www.crime-research.org/news/29.08.2008/3542/ (29 August 2008)

Earlier, "Nasa hacker to fight US extradition on Monday" (ZDNet.uk, 13 June 2008)

Crime in virtual world

Back from holidays, late on posting, but could not resist this one: according to McAfee, one of the multiple anti-virus companies, illegal behaviours are now numerous. Viruses, scams, phishing etc... all flourish and it is not a virtual behaviour. The financial consequences are real because virtual currency can be converted into "real" currency. Maybe it should be time to stop talking of virtual and real, and use concepts like "online"/"offline" currencies, both being real in their existence, and not always immediately tangible.
http://news.zdnet.co.uk/security/0,1000000189,39466789,00.htm