On Mon, Oct 01, 2001 at 05:41:27PM -0400, Benjamin Scott wrote: > On Mon, 1 Oct 2001, Derek D. Martin wrote: > > Yes, and I've glanced over the text of the bills too. > > Where can I find this? I've seen *lots* of rhetoric, all around, but > facts seem rather scarce...
First let me say that I've looked over the text of *some* of the proposed bills. I was forwarded links in e-mail which I don't have handy. If I have time later tonight I'll see what I can dig up... > >> While I agree website defacement should be punished harsh > > > > Why? Web site defacement is a crim akin in severity to spray-painting > > graffiti on a store front ... > > Spray-painting a store front has limited impact. If I spray paint my > local Osco Drug's windows, only a very small fraction of this customers are > impacted. Furthermore, I presumably have not broken into the store > itself. Even if you had, the penalty for crimes committed "in the real world" reletive to those computer-related crimes mentioned in various proposed bills (and some that have already passed, BTW) is extremely light, unless you're a repeat vandal, and even then... We're talking about life in prison here. > All I have done is deface the exterior of a single building. Their services > are not directly affected. O.k., so, if the person who defaces the website includes a link to their regular page, would that satisfy your definition of vandalism? After all, their services weren't REALLY impacted, since you could get to the site through the provided link... Oh, and if defacement means breaking the glass in all the store's doors and windows, I'd bet their services would be impacted. But that's still a misdemeanor offense, in most places, AFAIK. [IANAL applies here.] I.e. It would be breaking. It woudn't even be breaking and entering, if you didn't enter. Your teenager would get a slap on the wrist. Zero possibility of life in prison. Not so with computer crime, if this passes, even if the likelihood is low in practice. I would also argue that the impact should be quite a bit LESS for computer crime, since in most cases of website defacement, there is no permanent physical damage to property, and the affected site should be able to replace the trashed web server in about 15 minutes, IF they notice it's been trashed, and IF they have a proper disaster recovery plan. If you bust in all my windows, my store will probably be closed for days. There's probably more impact associated with a phone service outage caused by careless techs Verizon. But you don't see them getting life in prison for it... And let's consider other kinds of compromises, like root shell compromises through say, telnetd. If the angst-ridden teen comromises telnetd, has a look around, and leaves, what harm is really done? What is the DAMAGE associated with that act, and what should be the appropriate penalty for that level of damage? Life in prison? > On the other hand, if I deface Osco Drug's *website*, it is conceivable > that all of their customers could see it I'd grant that it's POSSIBLE that all of their customers would see it, but given that computers only exist in what, roughly 30% of our nation's homes, I'd say that's pretty unlikely. > or at least hear of it (in the news). Even then, unless you're inclined to pay attention to such reports, you'd probably not hear of it. Ask your mother or your insurance agent what websites she's heard of being defaced. If she could name even one, I'd be impressed. The only time such reports show up in mainstream news media is when there are numerous attacks, or when the target is very high profile, like a "high security" government site. > Furthermore, in order to do this, I will have to severely compromise > the security of their web server. Presumably, I could view or tamper with > other things while I am in there -- credit card numbers, prescription > records, and so on. Well that would certainly be a different crime than simply defacing their website, wouldn't it? Just because you COULD do something, doesn't mean you DID. I could throw a rock through Osco's front window, and then leave. Or, I could throw a rock through their window, and steal a bunch of stuff. > Other than the accident that both happen to use the word "deface" in their > description, how are these two crimes alike? Obviously the elctronic nature of computer crime makes it very different, in that regard, from conventional vandalism. But it's still basically vandalism. > > And, in the vast majority of cases, it's a very PREVENTABLE one. > > The fact that a crime is preventable in no way influences the fact that is > is *still a crime*. Agreed. But from the standpoint of the legal system, it does generally mitigate the penalty. IIRC from discussions in the one law class I did have in college, if a party who was the victim of some crime could have prevented the crime through normal means (like by locking the doors of the car), the criminal is likely to receive a lighter sentence, or in some cases even get off. This is especially true, IIRC, in civil cases. > > It also criminalizes probably a large percentage of the people on this > > list, who've ever been curious about what's going on with someone else's > > system. RETROACTIVELY. > > Odd. One would think the Attorney General would have read Section IX of > the US Constitution. Yes, and senators and congressmen never propose unconstitutional legislation either. It has, of course, never happened in the history of the United States. However, this bill does not criminalize particular actions retroactively. Instead it removes the statute of limitations on relevant crimes, retroactively. It could be argued that the ban of retroactive laws does not apply, though only time will tell how successfully. But this means that if you broke into Sun's web servers 15 years ago, and then published an exploit after the SoL ran out, you could now be prosecuted for that crime, if this measure passes. All I'm saying Ben, is that this bill makes no sense. It is labelling the misguided pranks of mostly harmless teenagers as acts of terrorism, and providing a means to essentially end their lives (whether or not it would actually be used to do that in practice; we can't know that until the law is applied). There are already laws which cover all of these computer crimes, and by and large their penalties are already sufficient, if not already too stern. Let's leave the terrorism to the terrorists. This is a knee-jerk reaction driven by fear, stemmed from a lack of understanding. -- --------------------------------------------------- Derek Martin | Unix/Linux geek [EMAIL PROTECTED] | GnuPG Key ID: 0x81CFE75D Retrieve my public key at http://pgp.mit.edu ********************************************************** To unsubscribe from this list, send mail to [EMAIL PROTECTED] with the following text in the *body* (*not* the subject line) of the letter: unsubscribe gnhlug **********************************************************
