March 25, 2005

Overzealous sentencing leads to reduction in security

Yet another disproportionate sentence was handed down for what amounts to a bunch of misdemeanours in the US of A. Adam reports, and Google has lots of articles, on a hacker that spent too much time cracking into various places. In the stated case, he abused access to a customer's site (so it wasn't hacking), and even the plea submission agreed he didn't do anything with the information:

"Baas committed a crime when he exceeded his authorized access, looked for and downloaded an encrypted password file, and ran a password cracking program against the file,"
...
The statement of facts says Baas illegally obtained about 300 passwords, including one that acted like a "master key" and allowed him to download files that belonged to other Acxiom customers. The downloaded files contained personal identification information. The data stolen by Baas was not used for criminal or commercial purposes.

The prosecution filed an indirect damages claim of $5.9 million but the chances of that being inflated for effect are high. Against that, the guy was already in the pokey for some other cracks, and he boasted to his buddies about his exploits.

For that he got 4 years. This is hardly proportional, and the unintended consequence of putting the fear of God and the Federal Penitentiary into systems administrators is likely to be lower overall security: you can "do it by the book", or you can have security, but you can't have both.

Posted by iang at March 25, 2005 05:11 PM | TrackBack