Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security

Hacking Crime Victims to Remain Secret 179

Posted by CowboyNeal from the security-through-obscurity dept.
outlier writes "The AP is reporting that federal law enforcement agencies are offering to keep the names of companies that have been victims of major cracking crimes secret. The goal is to encourage victims to come forward, so that the government can 'prosecute cases while at the same time achieving the kinds of protection and addressing the concern that the business community rightly has.'" My favorite part is how FBI agents will now "discretely" arrive at victims' offices.
This discussion has been archived. No new comments can be posted.

Hacking Crime Victims to Remain Secret More

Hacking Crime Victims to Remain Secret

Comments Filter:

  • Same as here :) (Score:5, Interesting)

    by adilsonoliveira ( 597940 ) <adilson.linuxembarcado@com@br> on Saturday November 02, 2002 @11:15AM (#4583750) Homepage
    We do have in Brazil a police force specialized on internet crimes but sisnce the majority of the attack victims are off-shore, it's kind difficult to track down the crackers.

  • How is this news? (Score:3, Informative)

    by Anonymous Coward on Saturday November 02, 2002 @11:16AM (#4583753)
    Companies that get hacked are, of course, only interested in recovering and getting back to their core competency. Nobody hsa time for forensics or any other bullshit, unless they've got an export control box hacked or we're talking classified data, in which case legislation dictates that more measures are required.

  • this is good (Score:5, Interesting)

    by prichardson ( 603676 ) on Saturday November 02, 2002 @11:17AM (#4583758) Journal
    This is good because I beleive then that a lot more companies will come forward with hacking tales, more development will be done to plug holes, more people will be able to talk about hacking, more people will be aware of the dangers, more people will become educated about hacking and virueses and the like, and we will have fewer "I cant find the any key" tech support calls and fewer viruses propagating like mad.

    • Re:this is good (Score:1, Interesting)

      by Anonymous Coward
      Yes, really good - how many false accusations are we going to see now that the identity of the 'victim' will not be made public.

      Why not go all the way and dispense with trials altogether.

      • Re:this is good (Score:2, Informative)

        by vicviper ( 140480 )
        RTFA

        The accused will retian thier 'right to face their accusers'. Many of these types of cases are settled such that the criminal aggrees not to name his target.

        • Re:this is good (Score:5, Interesting)

          by Daniel Dvorkin ( 106857 ) on Saturday November 02, 2002 @12:24PM (#4584010) Homepage Journal
          RTFA yourself. The accused retains the right to face his accuser -- if the case goes to trial. But as I understand it, a defendant could be pressured to accept a plea agreement without being informed of whom he'd allegedly hacked or what the hacking allegedly consisted of. I think the scenario goes something like this:

          Defendant [angry]: "But who'd I hack? What did I do?"

          Cop [toneless]: "You don't get that information until you go to trial."

          D [self-righteous]: "Okay, then I'll go to trial."

          C [smirking]: "You sure about that? See, if you go to trial, and you lose, you go to prison. And I hear skinny little geek boys like you are reeeaaal popular in prison ..."

          D [defeated]: "And what if I take the plea bargain?"

          C [toneless]: "$100,000 fine, confiscation of all your computer equipment, and a court order preventing you from being gainfully employed in the computer industry for ten years."

          D [outraged]: "You people want to ruin my life!"

          C [smirking again]: "Okay, we'll see what your cellmate Bubba the Axe Murderer says about that ..."

          D [barely audible]: "I'll take the plea bargain."

          • Re:this is good (Score:3, Insightful)

            by vicviper ( 140480 )
            What makes you think that a defendant can't be pressured *right now* to admit to any variety of crimes with out knowing his/her accuser? The article makes no claim that identity of the victom will be withheld until trial. From the article:

            Another U.S. attorney, Roscoe Howard of the District of Columbia, said the Constitution requires that a criminal defendant be permitted to face the accuser at trial, but he noted that many computer-crime investigations culminate with a plea agreement, where the names of victim companies can be kept secret.

            The article deals with the relationship between the victim corperation and the public. The idea here is that companies can come forward with knowledge that the govt. is sensitive to their concerns about public reaction to this type of crime.

            Now with all this said, if you are accused of anything and plea guilty to some crime without knowing who you are accused of victimizing, I have no sympathy for you (or your brainded lawyer... you did ask for an attorney, right?)

            • Re:this is good (Score:3, Interesting)

              by Daniel Dvorkin ( 106857 )
              Have you been paying attention to the way suspects in the "War on Terrorism" are being treated? US citizens are being held indefinitely, right now, without access to an attorney, without being fully informed of the charges against them, and without any opportunity to face their accusers. This policy change is a major step toward weakening the protections of the rights of the accused so that hacking suspects can be treated the same way.
              • I cannot make the large leap in association between encouraging victims to come forward and crushing constitutional rights when there is no evidence of such in this case. This is about the public perception of the victims, and your slipperly slope doesn't come close to applying here.
                • I do not find his position alramist or "slippery" at all. A LOT of civil liberties in America have been usurped since Bush declared war (oddly though, I thought only congress could do that) on terrorism. This is FACT, not fiction or a statement made without evidence. As an example: It used to be that in order to get a wiretap, a JUDGE had to grant it and there had to be reasonable cause. Now, any state's attorney can grant one without a shred of any evidence required to prove WHY it's needed.

                  I do not think it unreasonable to assume our (s)elected president and his posse^H^H^H^H^Hcabinet might consider cracking a form of terrorism.

                  It takes little for a cracker to then be labeled as an "enemy combatant" and all this stuff to play out in closed military tribunals.

                  No constitution will stop The Whitehouse [mediastudy.com] of Evil [artvoice.com]!
            • Generally, if you're pleading guilty, you'd be presumed to know who accused you, since you presumably know who you attacked. In fact, you're only supposed to plead guilty if you actually committed the crime (if you didn't do it but think you'd be convicted anyway, you plead no contest), so your guilty plea is unlikely to be accepted unless you at least know the identity of the victem. On the other hand, you don't necessarily get to face your accuser, which would reveal the identity of the accuser to other people who aren't presumed to already know (such as the jury and spectators) and potentially be hard on the victem (who might prefer to think of the hacker as a criminal rather than some scruffy kid).
    • If the companies are doing this anonymously, I do not really see how it would helps the public become more tech-savvy. Unless every time you see a headline like, "SuperMegaHacker caught!," you go out and learn more about computers.
    • If no one takes notice that holes exist, then a lot less development will be done to plug holes. What makes people more careful about security is precisely the insight that, if even "MEGAXYZ Corp" is vulnerable, then we are vulnerable as well.


      Even more worrisome is the mention in the article that they want to make hacking details exempt from the freedom of information act. This is a small, but very significant, step towards a fascist police state. With the overall prevalence of computers in society today, anyone would be liable to be called a "hacker", and prosecuted secretly.

    • This is bullshit, I only agree with this if the perpetrator is given the same conditions of anonimity, imagine sitting in a court room and being told that some unknown financial institution is accuseing you of breaking into their systems yet you cannot question them. This is on the same level of bullshit as the US trying to convict people of terrorism charges and not releaseing the evidence on grounds of nation security, they should really make up their fucking mind, either terrorist are "enemy combatants" and should be treated under the Geneva convention, or they should be regarded as terrorists and given the rights ordinary citizens have. If you call them enenmy combatants you cant charge them with terrorism laws because then they are fighting a war and in war you blow the shit out of the enemy.

  • Comment removed (Score:5, Funny)

    by account_deleted ( 4530225 ) on Saturday November 02, 2002 @11:18AM (#4583759)
    Comment removed based on user account deletion

    • Re:Favorite Part (Score:5, Funny)

      by meringuoid ( 568297 ) on Saturday November 02, 2002 @12:28PM (#4584028)
      My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

      Why is that? Because it's spelled wrong?

      Well, more because an amorphous mass of FBI-flesh writhing obscenely and pulsating as it flows in a continuous stream through your office door can sometimes be distressing. The new method of FBI agents arriving as discrete individuals is far more friendly.

    • Re:Favorite Part (Score:1, Informative)

      by Spazntwich ( 208070 )
      Don't you mean spelled 'incorrectly'? ;)
    • My favorite part is how FBI agents will now "discretely" arrive at victims' offices.
      Why is that? Because it's spelled wrong?

      No, because it means no black helicopters circling.

  • Agents will arrive discretely? Great! (Score:5, Funny)

    by seldolivaw ( 179178 ) <me&seldo,com> on Saturday November 02, 2002 @11:19AM (#4583764) Homepage
    You mean they used to arrive all lumped together? [dictionary.com] No wonder people got upset!

    Learn to spell [dictionary.com], guys...
  • From what I've seen of them, I didn't know they _could_ do things discreetly.

  • FBI! THIS is a BUST (Score:2, Funny)

    by Anonymous Coward
    No...
    THIS (o)(o)
    is a bust

    -Fedreral Breast Infect0rz
  • FBIs agents will have to undergo exterminator discretion training????

    And snail-mail correspondance will arrive in plain brown wrappers????

  • Jargon File (Score:1, Troll)

    by Anonymous Coward
    So where are all the leet geeks pointing out to the Jargon File's definition of "hacker" and that it has been used wrongly once again?
    • How is it possible for a word to be used wrongly? Communication happens when one party talks and the other understands the message. The correct picture has gone from the party that sent the message to the party (readers) receiving it. I venture to say that more people will have understood the article if it said "hackers" instead of "crackers."

      I think those who pray to a talmudic god of vocabulary need to understand that language is a living thing.

    • We have given up. Oh, and not wanting to change our business cards, we also had to turn evil...
    • *Raises hand*

      Oh well, that battle is really lost. OK, I realize that. Language has evolved beyond reach and we can't possibly managed to do all the education to revert it.

      But what should I call myself? Or rather, what should people call me when they want to pat my back for something cool I did on the computer? I mean, everybody likes that, and we all need that, don't we?

      Computer professional? Nah, I can't even accurately describe a Turing machine. I have merely basic training in computer science, on a "tools" level.

      Computer hobbyist? I can do a lot more than most people, I can learn things fast, and I'm trained enough to point out flaws in the things many computer professionals do, including really good ones. Besides, I'm getting paid for it, even though the job market isn't that good.

      Geek or nerd? Well, yeah, I guess I am, in some respects, certainly, but it doesn't really describe what I do accurately.

      Well, many people gets a real identity crisis from this...

      • Oh well, that battle is really lost.
        I don't think so. You need to take a bit of care where and to whom you use the term "hacker", but nothing else captures the meaning. The media is a lost cause, but this is because they have no concept that anyone playing around with a system could be up to anything other than mischief. The media also has a hard time with the idea of scientific curiosity in any field.

  • Men in Black! (Score:5, Funny)

    by Black Parrot ( 19622 ) on Saturday November 02, 2002 @11:26AM (#4583791)


    > My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

    The guys in black trenchcoats? Uh, those are our network consultants. Yeah, network consultants.

  • Protect the hackers, too! (Score:4, Funny)

    by Devil's BSD ( 562630 ) on Saturday November 02, 2002 @11:28AM (#4583803) Homepage
    Maybe the courts should just start calling the parties H4X0R and H4X0R3D...

  • yep (Score:5, Insightful)

    by Sacarino ( 619753 ) on Saturday November 02, 2002 @11:29AM (#4583806) Homepage
    Nothing beats security through denial.

    "Uh, I wasn't hacked, nope. Must have been Corporation X."

    And WTF is this?
    Government efforts to tighten Internet security and investigate online attacks have long been hampered by reluctance from companies to admit they were victims, even in cases where executives quietly paid thousands of dollars in extortion to hackers.

    Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

    • Re:yep (Score:4, Insightful)

      by FreeLinux ( 555387 ) on Saturday November 02, 2002 @11:46AM (#4583870)
      Government efforts to tighten Internet security and investigate online attacks have long been hampered by reluctance from companies to admit they were victims, even in cases where executives quietly paid thousands of dollars in extortion to hackers.

      Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

      True dat. This little gem is popping up more and more frequently. It is utter BS but, as more people hear it in more places they will accept it as fact. It is total BS!! NO corporation is paying extortion money to hackers. Unless they are counting the dollars wasted on "Security Consultants".
      • +1 Insightful (vorpal)
        I suppose it is possible that someone is paying extortion money; it seems like the hardest way for a hack to generate cash, to me.

      • Re:yep (Score:5, Interesting)

        by karlm ( 158591 ) on Saturday November 02, 2002 @01:17PM (#4584227) Homepage
        I think it's often a grey issue. It's "Gee.. I found a hole in your site.. I can do the whole full disclosure thing, or you can hire me as a security consultant. Your call."

        You're right in that it's stupid to pay script kiddies to un-deface sites, and Idon't think anyone does that.

        I think it's most often extortion in the form of "security consulting fees" for unsolicited "security audits". Occasionally it's "We have your entire credit card databasebase and all of your loyal customers will never trust you again if we post them to usenet, so pay up." I heard ofsomeone trying to do this to a Minnesota comapny maybe 3 years ago, but the company basically said "screw you" and went to the FBI. Nobody knows how oftn companies pay up... It's like estimating the percentage of unreported rapes. It's just data that you don't ahve and isreally hard to estimate.

        • Re:yep (Score:3, Insightful)

          by commodoresloat ( 172735 )
          It's just data that you don't ahve and isreally hard to estimate.

          Same with the number of invisible gay werewolves in Omaha, Nebraska - it's data you don't have, so you can't estimate it. Is there any evidence at all that this kind of extortion has ever been successful? I understand the security fees scenario, but I find it hard to believe that any company would hire someone who just hacked their network and threatened to break things or otherwise cause illegal damage. Do you want such a person on your staff? But if all they're doing is saying "Do you know your network is vulnerable to exploit X, our company can help you for a modest fee," then I'm not sure this belongs in the category of extortion.

    • Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

      Prove it? Who's going to admit to it? The companies want to stay out of the spotlight, remember?

    • Re:yep (Score:5, Interesting)

      by mitchell_pgh ( 536538 ) on Saturday November 02, 2002 @11:59AM (#4583912)
      Unfortunately, this is a serious issue. If your position at an online banking environment is "Director of Network Security" and you are hacked for say $5,000 and you plug the security vulnerability, the only people that know are you, your boss, and perhaps some people from the accounting department. Is the negative PR you will receive over the hack to your "secure" system worth $5,000?

      If you lost one account over this hack, it wouldn't be worth it. I think the FBI is trying to inform the public that they understand "HI!, We are from the FBI. We are here regarding the security breach of your trusted online banking system" isn't acceptable in every situation.
    • Ok, someone needs to prove this, otherwise I get the highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?

      While I'm not up for offering proof, I'm thinking a slightly more plausible scenario would be "Oh, Mr. CIO....I've got this database of customer information, some of it quite sensitive. Would you like to give me some money, or would you like me to publish it (and where I got it) all over the Internet? That would do wonders for your customer relations, wouldn't it?"

  • This is bad, wrong, and just brain dead.
    If the company can't keep it's information secure, why should I own any of that company's stock then?

    Information crimes should be treated the same way as a real robbery (just we have a smarter crook to deal with).

    This is on the same level has cooked books IMHO.

    • Re:Bad Idea (Score:3, Informative)

      by vicviper ( 140480 )
      The analogy in the article with a teller and a bank applies here. The idea is to encourage victims to step forward so law enforcement can catch the bad guys. The point here is that either way, as a stock holder you wouldn't know that security was comprimised(at least the company isn't going to publish the info), but if ACME Co. can have some assurances that their name won't be in the headlines the next day, they may be more willing to come forward.
    • The SEC is pretty clear that a company must report significant losses to stockholders. If a company is hacked and has millions of dollars in damages, aren't they committing a crime by not reporting that to their stockholders? (reminds me of the Mitnick trial).
  • This is an excellent idea. The amount of information that disappears down a black hole due to copmanies keeping quiet must be gigantic.

    A good idea from the FBI..? Next thing you know, the CIA will start acting intelligently and the government will start governing...
    • You wanted the black hole? Here it is:

      He cited congressional efforts, supported by the Bush administration, to exempt from the Freedom of Information Act any details that companies might disclose to the proposed Department of Homeland Security about vulnerabilities in their operations. He said amending the law could be helpful "in case there is a concern that reports of hacks or intrusions in federal records might find their way into the hands of those who would use that information against us."

      This scares me....

  • How is secret victims going to work? (Score:3, Insightful)

    by The Creator ( 4611 ) on Saturday November 02, 2002 @11:32AM (#4583814) Homepage Journal
    them: "Someone has testified against you, we wont tell you who it is, and we can't tell you what they said either".
    you: "Umh ok".
    • RTFA, this is not remvoing the rights of the accused at trial. Rather, it's probably more like gagging the criminal after a deal has been struck while at the same time law enforcement doing their best to keep the company's name out of the public.

  • Is this a good thing? (Score:5, Insightful)

    by skaffen42 ( 579313 ) on Saturday November 02, 2002 @11:34AM (#4583821)
    I agree that confidentiality is important in some crimes. For example a woman who has been raped shouldn't have to have her name splashed on the front page.

    But... if my bank or credit card company has a habit of getting hacked (ie. lax securtity) I figure I have a right to know about it.

    Just my $.02.

  • Double sceret arrest (Score:5, Funny)

    by banzai51 ( 140396 ) on Saturday November 02, 2002 @11:35AM (#4583827) Journal
    Hi. We're from the FBI. You're under arrest for hacking. We cannot disclose what you did or who you hacked. Just jump into our jail.


    • We cannot disclose what you did or who you hacked. Just jump into our jail.


      .."you do not pass GO, and you will not be allowed to participate in the next 4 mayor DOS attacks"..


      -now where's that darn "get out of jail free" card when you need it?

    • Triple Sceret Arrest (Score:5, Funny)

      by ackthpt ( 218170 ) on Saturday November 02, 2002 @12:05PM (#4583929) Homepage Journal
      "Hi. We're from an agency of a government

      don't tell them that!

      What, the bit about an agency or a government?

      any of it!

      Right. You're under arrest for hacking.

      don't tell them what they're under arrest for!

      We can't just arrest them, can we?

      we do it all the time!

      But that's what morally corrupt dictatorships do and we're not one of those, we're from a democracy, right?

      oh, great, next you'll give the whole thing about where we are from away, just why don't you wave the flag, show 'em a picture of your mom and ask if they'd like some apple pie! fer chrissake!

      Ok, we cannot disclose who you are, what you did or who you did it to, who we are, what we are here for, what you may or may not be charged with, where we are taking you or anything else. We're not even sure if we are at the right address, but just come with us.

      quietly.

  • There must be a dozen or so sites in each country that take a list of recentltly defaced web sites, I guess this isn't as severe as screwing up millions of credit card numbers.

    Shouldn't the consumer be aware if someone who they gave there credit card details has been hacked and now they are exposed? It comes down to, if your a victim, you want to know.

  • Ahhh Security through Obsurity! (Score:4, Funny)

    by Cytlid ( 95255 ) on Saturday November 02, 2002 @11:37AM (#4583836)
    Isn't this sort of like the family who's teenage daughter gets pregnant and they don't want anyone to know because "what will the neighbors say?!?!"?

    • Bad (Score:1)

      by gr8_phk ( 621180 )
      Does this mean people will be tried in secret? They do mention Homeland Security. Does this mean hacking is terrorism? How do they protect the identities of children who are victims? The media often understands their need for privacy, but does a publicly held corporation need that protection? This simply illustrates that stock prices are too dependant on corporate image and not real value.

  • FBI discretion (Score:4, Interesting)

    by Triple Helix ( 202044 ) on Saturday November 02, 2002 @11:41AM (#4583851)
    My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

    In my experience, the FBI can be extremely discrete when they want to be. I work for a company that provided some important information to the FBI after September 11 last year. There would on occasion be two or three agents in our office, who always showed up driving an unmarked car, and wore casual attire. Most of the people in our office had no idea the FBI was even present.

  • Right to face one's accuser...easy out at court (Score:5, Interesting)

    by Nonac ( 132029 ) on Saturday November 02, 2002 @11:43AM (#4583863) Journal
    This steps all over your right to confront your accuser [cornell.edu]. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

    The article says this isn't an issue because most hacking computer-crime investigations end in a plea deal, but how willing will suspects be to plea if they know they have an out at trial?

    • Come one... We know the FBI isn't only concernced about convicting hackers in court when companies come forward. They want companies to responsibly help the FBI find hackers. Sure, the hackers won't be prosecuted for that individual crime. Instead, they'll have the FBI looking into every aspect of their lives. Let's face it. Most individuals that hack into company systems do it more than once.
    • This steps all over your right to confront your accuser [cornell.edu]. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

      The article says this isn't an issue because most hacking computer-crime investigations end in a plea deal, but how willing will suspects be to plea if they know they have an out at trial?

      They will be willing to plea if the evidence against them is so good that their lawyer says "You will loose at trial, and they'll throw the book at you." I find it hard to believe that a suspect in this case wouldn't know that he had the option to go to trial. Mind, that at trial the accused will face the accusing party.

    • Re:Right to face one's accuser...easy out at court (Score:5, Interesting)

      by incog8723 ( 579923 ) on Saturday November 02, 2002 @12:29PM (#4584032)
      This steps all over your right to confront your accuser [cornell.edu]. If the company refuses to be identified in public, all the suspect has to do is claim her right to face his accuser at trial. If she is denied and convicted, she has excellent grounds to have the conviction overturned on appeal.

      This is true. However:

      1) Most people who get slapped with a FEDERAL charge (which is a lot different than a state charge), don't have the money to retain an attorney (on the order of at least $10,000 dollars, and that's not even to go to trial--more like 20,000 if you plead not guilty).

      2) The feds won't even press charges unless they KNOW they can convict you, and unless they KNOW you won't win. I was convicted of a federal crime, and it wasn't even a big time thing. However, the mountain of evidence that my public defender showed me was about a FOOT high (paper, mind you), and that's not counting the wiretap evidence.

      3) The way the plea bargaining system works in federal court is that the Federal prosecutor ALWAYS tacks on extra charges. This is so that some can be removed if the defendant wants to plea.

      4) The stress involved from being charged with a federal crime *almost* always dictates that the defendant will plead guilty, because of [1], and [2]. Federal sentencing guidelines DICTATE that if there is a mountain of evidence against you, and you try to FIGHT it and LOSE, then you will get a HELL of a lot more time in prison than if you just plead guilty in the first place.

      Just my experience.

    • But note well that the article also talks about using gag orders. They're not keeping you from confrnoting your accuser, they're just keeping it out of the papers, so no, this doesn't violate our fine legal system.

      This sort of technique is actually used a lot, but usually to protect the identities of minors who are prosecuted as such for high-profile crimes. Personally, I think there is a great deal of sense to it. Sometimes the identities of the victims OR the perpetrators of crimes do need to be protected, but I think that in most cases of this type doing so is unfair to investors, shareholders, and clients.

      I fully realize that there is no such thing as perfect security, nor will there ever be. But investors, shareholders, and clients of a given company have the right to know how their money/data was comprimised, and what the company is doing to correct the problem, and ensure it never happens again. But then again, it's also important to realize that when there IS a security compromise (as there inevitably will be) that the company is going to go to the appropriate authorities. I read someone else's comment comparing this to robbing a bank. I sure as hell want the bank president to call the sherrif when a whole bunch of money gets taken.

      This is definitely going into some stick ground. But then again, most legal matters ARE very sticky buisiness.
  • And they wonder why no one comes forward? I'd much rather deal with the guy that hacked my home www serv in my OWN way. Why let the FBI lock him up in Club Fed?

    Clearly I still have some issues to work through...

    -Sazarac
    "He who joyfully marches in rank and file has already earned my contempt. He has been given a large brain by mistake, since for him the spinal cord would suffice." --Albert Einstein

  • How Convenient! (Score:2, Insightful)

    by ackthpt ( 218170 )
    Won't this encourage companies to leave themselves vulnerable, if potential customers and investors are unaware of such lapses?

    Case in point... AbiWord vs. PayPal.

    I'd certainly like to know that the California State agency which kept my personal information had been hacked into. Same for anywhere I have or might be placing sensitive information.

    Bad policy, bad! No treat for you!

  • This is clearly not to improve securty, only push up the FBI's arrest count.

    Do these poor guys ever get there equipment back, Ive never heard any stoires of guys getting back stuff from the FBI after theyve taken it away for investigation?

  • Mixed feelings. (Score:3, Interesting)

    by JKConsult ( 598845 ) on Saturday November 02, 2002 @11:56AM (#4583900)
    On one hand, I perfectly respect the need for anonymous reporting for publicly traded companies and/or companies that spend an appropriate amount on network security. It obviously can be very damaging to their reputations if they happen to be on the front end of the vulnerability cycle and get hit before the exploit has been disseminated to the masses. The average stockholder doesn't recognize that sometimes shit happens, and perfect network security is a pipe-dream (especially if those same stockholders want costs cut, meaning the infosec department is running on a shoestring.)

    However, in the case of companies that don't spend an appropriate amount on infosec, fear of public knowledge of their lack of security is often the only impetus to spend any money at all. Case in point: as the only "computer guy" (read:webmaster) at work, any problems with systems, be they internal or external, get blamed on me. I've fought tooth and nail for training (nope), a new network architecture (confidential documents, including employee data and customer financials, are stored on a Win2k box that has no firewall, no A/V, nothing), even just the ability to install freeware solutions (fuck spending an appropriate amount of money, just let me spend some time, please) have all gone by the wayside. The only time I can get approval for anything is when I lay out specific scenarios of stolen data being released publicly and the ensuing customer backlash over the lack of security. Without that hammer, I've got nothing. And since the only infosec experience I have is that which I can get for free, on my own time, I need all the hammers I can get.

  • Double standard. (Score:5, Insightful)

    by FrankieBoy ( 452356 ) on Saturday November 02, 2002 @11:59AM (#4583910)
    Wait a minute, I'm confused here. The government is doing everything it can to protect the names of companies that have deployed inadequate network security practices from getting out but they're also making it their mission to expose companies that have employed deceptive accounting practices like Enron and MCI. The bottom line is that they both point to problems with the running of the company and if the company is publicly held then this information should be exposed and the incompetence dealt with.
    • It's easy to pick out egregious failures. Naturally, incompetent people in positions of responsibility and thieves should be "called on the carpet". These organizations and people are statistically infrequent.

      There are many organizations doing the best they can to manage their systems competently and get hacked anyway.

      In my opinion, it's a good idea to give such organizations the opportunity to improve their techniques and technology before dragging their names through the public mud. The Public can be very judgmental...

  • im sorry but when the fbi is at the Mayo Clinic [mayo.edu] when someone important is visting for something or another its quite obvious to pick them out... general fbi agents are the ones where you can see the sholder holster holding an armed oozi (spelling)


    is this how they are going to arive at peoples buisness?

  • The Men in Black (Score:3, Funny)

    by pommaq ( 527441 ) <<straffaren> <at> <spray.se>> on Saturday November 02, 2002 @12:07PM (#4583938) Homepage
    My favorite part is how FBI agents will now "discretely" arrive at victims' offices.

    - Yes. I've been looking for you, Neo. I don't know if you're ready to see what I want to show you, but unfortunately you and I have run out of time. They're coming for you, Neo, and I don't know what they're going to do.
    - Who's coming for me?
    - Stand up and see for yourself.
    - What, right now?
    - Yes, now. Do it slowly. The elevator.
  • The Constitution on the US (CotUS) guarantees
    the accused the right to face the accuser.

    If the case gets to trial, the case is on
    the public record.

    So much for either the victim remaining
    anonymous or the CotUS.

    -- kjh
  • FedEx envelope delivered to IT manager's desk with an old, analog cell phone in it. IT manager takes it out, and answers it when it starts ringing...

    Then, of course, fifty FBI agents come bursting into his office.

    (Unfortunately, the agent who was working on this plan was transferred before he could perfect the "call him on the phone" part.)

  • More Oppfortunity For Hacker (Score:5, Interesting)

    by limekiller4 ( 451497 ) on Saturday November 02, 2002 @12:18PM (#4583984) Homepage
    This is of marginal value because while it may keep things under wraps while the hack is occurring, if the hacker is caught (the goal, after all), then they have the right (in the U.S. at least) to face their accusers. Barring a rather broad-sweeping gag order, the press will get wind of it. And given that the bait here is for the company to remain anonymous permanently so users of that company to not lose trust in that company, this is of dubious value.

    Plus, IF the hacker (remember a lot of jobs are done from the inside) catches wind that the FBI has been contacted and is being asked to be discrete, this is a new weapon. They now know that they have brand new button to push that the company would, for whatever reason, really not want pushed.

    Just a thought.
  • ...politically motivated attacks? There's lately been a big DDOS attack on www.freerepublic.com, the conservative discussion site, and I haven't heard that any law enforcement agency cares about protecting free speech.

    Of course, you may not agree with their politics, but...

  • Is hacking now worse than rape and murder? (Score:5, Interesting)

    by FearUncertaintyDoubt ( 578295 ) on Saturday November 02, 2002 @12:34PM (#4584049)
    Often rape victims are reluctant to come forward, yet their name has to become public information if they want to see their rapist convicted. And news media love to provide pictures and information about victims of grisly murders. The only exception that is normally made is when the victim is a child. AFAIK, it's pretty much accepted that you can't make victims of these crimes a secret (and still prosecute the offenders), no matter how much people would want such a thing.

    So is this saying that hacking is even more humiliating, more personally damaging, more vicious than rape or murder (or any number of other violent and cruel acts) -- so much so that we have to shield its victims from any public knowledge of their being victims? Or maybe are we saying that corporations get whatever they want from our justice system? (*cough* Microsoft penalty judgement *cough*)

  • Constitutional??? (Score:3, Insightful)

    by chuckw ( 15728 ) on Saturday November 02, 2002 @12:56PM (#4584143) Homepage Journal
    Ummmm, that isn't even constitutional. The accused has a right to confront their accuser. Do you really think the accuser is going to keep quiet about who the victim is? Doubt it, unless they give him some real incentive not to. Either way, with lawyers, relatives, friends etc, the true story is going to leak out somehow. If the FBI *REALLY* thinks this is going to remain secret, they have more than a few problems...
  • So now not only is the electronic "proof" easily faked, now you don't even have to tell the hacker whom he supposedly hacked?

    Great! The perfect infrastructure to put arbitary people in jail. You can frame anyone!

    And how can the hacker prove to the judge that the alleged victim had something to gain from framing him? And it makes it impossible that someone can can read about the trial in the newspaper and help prove the hacker's innocence.

    Obviously they want to get rid of Kevin Mitnick for good this time.
  • Cyber armagedeon is coming...
    Companies can be assured of discretion when reporting computer crimes...
    Give the FBI more tax-dollars and everything will be ok. Can't have those horrible 'hacker' types extorting money from the system now can we?

    Give us your money...OR ELSE!

  • "Arriving Discreetly" (Score:5, Funny)

    by duck_prime ( 585628 ) on Saturday November 02, 2002 @01:02PM (#4584168)
    From the eds:
    My favorite part is how FBI agents will now "discretely" arrive at victims' offices.
    They can pretend that they're showing up to arrest the CFO. Pretty good cover these days...
  • The reluctance most companies have to present evidence they have been jacked is not because they fear the effect it will have in their customers. This fear goes much deeper and touches the very soul of many companies. It is a problem of competence, knowledge, expertise and information control. Many companies control quite badly or don't have any control over the information exchanges ocurring inside their infrastructure. It is a mess that no one can get an hint of and no one really cares. While money keeps coming, they will not worry sharing its local network with third parties (some business centers work that way), sending tons of internal data through simple e-mails out to Internet (no cyphers, no filtering), sharing local networks with customer's ones (how many ISPs work like that?) and many, many more.

    It is curious to note that these cases are even more frequent among corporate strucutures, specially among holdings. And no one cares when one company gets sold and still keeps using the common corporate resources. And some do use these security breaches for their purposes.

    So why companies want to hide information? Because they don't want people to mess up in their "internal" affairs. Roughly this is the same type of story like the county sheriff meeting the feds in its town. He may know he has a problem but he will be more happy to see these suits outta there ASAP and leave people solve its own problems. The same goes to most companies. They will not invite feds because they fear publicity. They will not invite them because they prefer to leave the mess for themselves, instead of having some "outsiders" sniffing all around and giving too many questions.

    Not long ago I was in such situation. I came in in a "no publicity, no scandals, all confidential, internal and top secret" agreement. However, some guys didn't calm down until they smoked me outta the company. According to my recent data, they keep living exactly the same way as they did. While they fill their pockets, they don't care for shareholders, clients, partners or concurrents. And frankly it seems that their shareholders don't worry either.

  • Hothouse Flowers (Score:3, Insightful)

    by crucini ( 98210 ) on Saturday November 02, 2002 @02:41PM (#4584578)
    Criminalizing hacking is probably a mistake. It's a natural impulse to explore networks and work past barriers. It's no coincidence that the word "hacking" describes both creative programming and "malicious" network connections. They both stem from the impulse to explore systems.

    The Government is now voicing concern about our "National Information Infrastructure" and its vulnerability. Passing tough laws and increasing enforcement is exactly the worst thing we could do for that cause. It will merely grow "hothouse flowers" - vulnerable networks that will not be probed by ordinary people (because they're scared) and will remain vulnerable for cyber-terrorists or organized crime.

    Indulging the weakness of our corporate information security will be a never-ending spiral. Instead we should drag these hothouse flowers out into the real world and let natural selection take its course. In fact, the government could help most by offering bounties to people who hack into important facilities. Of course these bounties would be added to the tax bill of the corporation responsible for the security weakness. If most of the malicious hackers were reporting to the government, there'd be no way for "victims" to hide the incidents, and they could be publicized so customers and shareholders can react appropriately. That's how free markets are supposed to work - people buy and sell based on information.

    Small scale hackers and script kiddies are like the constant barrage of viruses that keeps our immune systems on their toes. If we manage to scare them all away, we become the "boy in the bubble".
  • Alright /. decide on the terms.

    Are we talking about hacking or cracking?

    The title talks about hacking crimes, and then uses cracking in the paragraph. So please /. decide on the style guide so we know what we are talking about.
  • It's important for us to realize that you have certain concerns as victim companies that we have to acknowledge," FBI (news - web sites) Director Robert Mueller said. He promised, for example, that FBI agents called to investigate hacking crimes will arrive at offices discretely without wearing official jackets with "FBI" emblazoned on them

    In other words, they are probably coming in "discreetly" to investigate the company that is hacked, not the hackers. Having a hoard of FBI agents mulling around your office is not the best publicity, worse at times than being hacked and having "J00 R 0WZ3R3D, PAY ME $1000000" tagged on to one's webpage...

    Having your webpage hacked, people know you have a security issue. Having the FBI swarm your office, people imagine for themselves what you have done to have them there. Anyone care to guess which is worse?

    When keeping a secret, make sure others do not even know you are keeping a secret, lest their own imaginations persue a worse scenario than reality - phorm

  • More business friendly legislation (Score:5, Informative)

    by gad_zuki! ( 70830 ) on Saturday November 02, 2002 @06:57PM (#4585517)
    at the cost of consumers of course.

    >along with any sensitive corporate disclosures that could prove embarrassing.

    Embarrassing? I'm sorry, but if my bank has an incompetent IT department, uses crappy software, has a poor security policy, etc then I should find about it in the paper alongside the police blotter which lists every drunk, domestic fight, and pot possession in the county.

    The meat packing industry is the same way. They can recall tons of dangerous product without telling the press who the meat was sent out to. For instance it was all sent to McDonalds or Subway then those companies have the choice to tell you. Your safety, and life in some cases, is second to their PR.

    Government is supposed to protect all interests without giving in to one side. Sadly, those with the resources get what they want and there isn't even a popular opposition party to call BS on laws like this.
  • At first, I was thinking in terms of a "rape victim's" perspective. Yes, it's "damaging to your reputation" to be seen as weak, vulnerable and insecure, but then again, this is PUBLIC INTEREST not PRIVATE INTEREST.

    People who are considering their position as share holder deserve to know the state of the company they own a share in. People who are considering buying into the a company deserve access to the information about what they're buying. As far as I'm concerned, it's a consumer right!

    Corporate secrecy and other shenanigans has been what has led to many of the problems our economy is suffering now.

    Another poster had another view from the perspective of the "accused" which I also feel for. It's the leverage of a plea. If a person is merely suspected, presenting proof isn't required? I'm sorry, but no! It's 100% necessary so that a person can adequately and fairly defend himself if unjustly accused. The only thing resenbling "fair" is when the accused is actually guilty and actually knows what he did... and even then the accused can't know for sure.

    This idea places too much balance in favor of government law enforcement and corporate interests and is completely against "the people." This shouldn't be happening.
    • What you've said about companies being accountable to their shareholders and the public in general is very true for publically traded companies, but most smaller companies (and some larger ones too) are privately owned. In other words, there's no need to publically disclose any information about their financial situation, as there's no way that Joe Random Citizen could buy shares if he wanted to. The company doesn't necessarily have a right to privacy, but they are not obliged to disclose information in the same way as publically traded companies.

      Of course, if the accused isn't even told exactly what they're accused of, then that's reason enough to reject the idea.

  • Culpability (Score:2, Insightful)

    by StikyPad ( 445176 )
    From the article:

    "Companies that worry too much about public response underestimate the public's ability to assess the situation with some sophistication," [the FBI spokesman] said. "If a bank robber sticks a gun in a teller's face, the public is not confused about who's fault that is."

    What about companies that provide little to no protection to their networks? Is that still the same as a robber sticking a gun in a teller's face, or would that be more akin to say, someone walking into the bank, into the unlocked vault, and walking out with everyone's valuables? And can the public still asses the difference with any level of sophistication?
  • Since when hacking is a crime? It's ***CRACKING*** that's the crime!!!

Slashdot Top Deals

"If I do not want others to quote me, I do not speak." -- Phil Wayne

Close