I posted far too much on Schneier’s Blog about Gary McKinnon. I started to get curious after reading other comments that asked what exactly was going on…so here’s my uneducated perspective:

Well, now that Harald is doing my work for me on historical facts, I thought I’d post some the details documented in the appeal:

http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080730/mckinn-1.htm

Page two has the UK courts’ opinion:

“As the Divisional Court itself pointed out (at para 34), the gravity of the offences alleged against the appellant should not be understated: the equivalent domestic offences include an offence under section 12 of the Aviation and Maritime Security Act 1990 for which the maximum sentence is life imprisonment.”

I suppose they are referring to the fact that he interfered with military systems:

“Having gained access to these computers the appellant deleted data from them including critical operating system files from nine computers, the deletion of which shut down the entire US Army’s Military District of Washington network of over 2000 computers for 24 hours, significantly disrupting Governmental functions; 2,455 user accounts on a US Army computer that controlled access to an Army computer network, causing these computers to reboot and become inoperable; and logs from computers at US Naval Weapons Station Earle, one of which was used for monitoring the identity, location, physical condition, staffing and battle readiness of Navy ships, deletion of these files rendering the Base’s entire network of over 300 computers inoperable at a critical time immediately following 11 September 2001 and thereafter leaving the network vulnerable to other intruders.”

Understated? What about the risk they are being overstated? Seriously. I have seen numerous global companies go inoperable for 24 hours due to a fat-finger internal error and watched execs just shrug it off as the cost of doing business. Try to sell a redundancy or security solution and some would say they’d rather pay for downtime.

The range of US estimates for damages appear to have been all over the place. Someplace between hundreds of thousands of dollars and millions was the cost to restore Windows to less than 100 systems? Or is the Pentagon saying that a corrupt windows system with no redundancy/backup and connected to the Internet is to be considered mission critical. Seems like it should be one way or the other, no? Were these systems so critical that they had proper redundancy, or were they so irrelevant that they could be replaced for a nominal fee. If there is something else going on, is that really the fault of an attacker or is there negligence also at work?

I guess my point is that the cost estimate reminds me of a $640 DoD toilet-seat story. And then there was the $1 trillion missing story in 2005

http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2003/05/18/MN251738.DTL&type=printable

Would you really trust those guys with a damage/cost estimate, especially when they are embarrassed publicly?

The actual cost of re-installing a Windows OS and restoring a backup might be something in the order of a few hundred dollars per system, but it probably required endless paperwork and bureaucracy…plus it happened around the time of 9/11 and clearly ticked off the Army and Navy. And I doubt it helped that he supposedly left behind one taunting text message.

Anyway, the appeal text says the accused scanned over 73,000 systems but damaged or accessed just 97 of them. If we take a $700K estimate of repair in paragraph 15 that comes out to a repair cost per system of $7216.50. Given a hard figure, I wonder how that stands up to disaster recovery program estimates and the cost of downtime.

In other words the “damages” very well may have been trumped up in an overly rigid system to the point where prosecutors hope the Angelos case above is what McKinnon is going to face if/when he arrives in court in America.

Angelos, like McKinnon, backed away from a plea bargain arrangement with angry officials, then got the book thrown at him, and ended up with a life sentence for selling marijuana.

The Slate article discussed how the judge said “his hands were tied” when he handed out the sentence. Bad sign for America’s justice system, no? I think that’s what should have been addressed in the appeals document, instead of a comparison of bargaining rights, but I’m not a lawyer.

Nope, not a lawyer. Never been one. I think the Guardian already said what I meant already anyway. I just had to read the source and write up my notes if you know what I mean.