On Fri, 2006-06-09 at 13:51 -0400, Paul wrote: > The FBI gives priority to cases where actual damages have exceeded X > dollars. That creates a problem because people building password lists > aren't investigated until the passwords actually get used in a way that > is costing the victim(s) money. I won't give the value of X here. Thye > tell me it's a budgetary problem. >
The statute in the US (18 USC 1030) requires that damages exceed $5000. Damage is a defined term and US v Middleton is the best resource for what is damage, basically its anything the victim thought was reasonable, but must be pecuinary loss (ie not reputational harm but actual loss, including lost sales, time spent restoring the system to its condition prior to the attack, etc but not time spent preparing for litigation or criminal prosecution). If you think it is reasonable to hire your brother at $5000/hr and he works for 1 hour you have your $5000 in 'damage'. The patriot act amended the hacking statute to include ATTEMPS, which means that if someone tries to break in but does not succeed, but if they had they would have caused $5000 in damage - they are guilty. All that requires is the 'victim' claiming that it is their best belief that had the person succeeded it sure would have cost $5000. On top of that the $5000 is aggregated over a 1 year period. Pre patriot act it was for each singular act, but now it is all acts combined, $5 in 'damage' to 1000 places now rises to the level of a federal crime. Initially the damage element was in place to allow only the most serious crimes to be federal everything else state. If that isnt bad enough the FBI claims world wide jurisdiction - how they do this is lets say that a guy in the UK hacks a box in Germany, in addition to Germany being able to prosecute, if that box in Germany has at one time been involved in commerce with just 1 US transaction (with voip it terminates *any* calls to the US, it has one US customer, 1 person from the US goes to its web server, it really doesnt take much) the FBI can seek extradition in addition to germany authorities, and BOTH can charge, convict and sentence the same person for the same crime. Double jeopardy wouldnt apply becuase its a seperate soverign entity and thus not double jeopardy. As you can see they really dont need much to go after anyone now, they used to need slightly more. > If someone reported that I was asking people to show me their > identification and credit cards in person, you can be sure that law > enforcement would arrive. They would look for any grounds suitable to > arrest me. If I do the same thing electronically, I probably won't be > pursued until after I have started using the credit card numbers. > That is a different statute, 18 USC 1029 does allow for attempted aquisition of 'access devices' of which credit card numbers qualify (but then so do email addresses and mobile phone numbers). Sheesh. -- Trixter http://www.0xdecafbad.com Bret McDanel Belfast IE +44 28 9099 6461 DE +49 801 777 555 3402 Utrecht NL +31 306 553058 US WA +1 360 207 0479 US NY +1 516 687 5200 FreeWorldDialup: 635378 http://www.trxtel.com we pay you to terminate calls with us!
signature.asc
Description: This is a digitally signed message part
_______________________________________________ --Bandwidth and Colocation provided by Easynews.com -- asterisk-biz mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-biz
