Gary McKinnon

I posted far too much on Schneier’s Blog about Gary McKinnon. I started to get curious after reading other comments that asked what exactly was going on…so here’s my uneducated perspective:

Well, now that Harald is doing my work for me on historical facts, I thought I’d post some of the details documented in the appeal:

http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080730/mckinn-1.htm

Page two has the UK courts’ opinion:

“As the Divisional Court itself pointed out (at para 34), the gravity of the offences alleged against the appellant should not be understated: the equivalent domestic offences include an offence under section 12 of the Aviation and Maritime Security Act 1990 for which the maximum sentence is life imprisonment.”

I suppose they are referring to the fact that he interfered with military systems:

“Having gained access to these computers the appellant deleted data from them including critical operating system files from nine computers, the deletion of which shut down the entire US Army’s Military District of Washington network of over 2000 computers for 24 hours, significantly disrupting Governmental functions; 2,455 user accounts on a US Army computer that controlled access to an Army computer network, causing these computers to reboot and become inoperable; and logs from computers at US Naval Weapons Station Earle, one of which was used for monitoring the identity, location, physical condition, staffing and battle readiness of Navy ships, deletion of these files rendering the Base’s entire network of over 300 computers inoperable at a critical time immediately following 11 September 2001 and thereafter leaving the network vulnerable to other intruders.”

Understated? What about the risk they are being overstated? Seriously. I have seen numerous global companies go inoperable for 24 hours due to a fat-finger internal error and watched execs just shrug it off as the cost of doing business. Try to sell a redundancy or security solution and some would say they’d rather pay for downtime.

The range of US estimates for damages appears to have been all over the place. Someplace between hundreds of thousands of dollars and millions was the cost to restore Windows to fewer than 100 systems? Or is the Pentagon saying that a corrupt Windows system with no redundancy/backup and connected to the Internet is to be considered mission critical? Seems like it should be one way or the other, no? Were these systems so critical that they had proper redundancy, or were they so irrelevant that they could be replaced for a nominal fee? If there is something else going on, is that really the fault of an attacker or is there negligence also at work?

I guess my point is that the cost estimate reminds me of a $640 DoD toilet-seat story. And then there was the $1 trillion missing story in 2005:

http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2003/05/18/MN251738.DTL&type=printable

Would you really trust those guys with a damage/cost estimate, especially when they are embarrassed publicly?

The actual cost of re-installing a Windows OS and restoring a backup might be something on the order of a few hundred dollars per system, but it probably required endless paperwork and bureaucracy…plus it happened around the time of 9/11 and clearly ticked off the Army and Navy. And I doubt it helped that he supposedly left behind one taunting text message.

Anyway, the appeal text says the accused scanned over 73,000 systems but damaged or accessed just 97 of them. If we take a $700K estimate of repair in paragraph 15 that comes out to a repair cost per system of $7216.50. Given a hard figure, I wonder how that stands up to disaster recovery program estimates and the cost of downtime.

In other words the “damages” very well may have been trumped up in an overly rigid system to the point where prosecutors hope the Angelos case above is what McKinnon is going to face if/when he arrives in court in America.

Angelos, like McKinnon, backed away from a plea bargain arrangement with angry officials, then got the book thrown at him, and ended up with a life sentence for selling marijuana.

The Slate article discussed how the judge said “his hands were tied” when he handed out the sentence. Bad sign for America’s justice system, no? I think that’s what should have been addressed in the appeals document, instead of a comparison of bargaining rights, but I’m not a lawyer.

Nope, not a lawyer. Never been one. I think the Guardian already said what I meant anyway. I just had to read the source and write up my notes if you know what I mean.

Testing group voids AP exams

The controversy reveals a brewing battle over governance by a private testing firm of its own methods:

An attorney representing ETS conceded that it was impossible to know whether students took advantage of the poor proctoring at the high school to cheat, but said it would be unfair to other AP test takers throughout the nation to allow their scores to stand.

“ETS is a testing service, not a law enforcement agency,” ETS attorney Bruce M. Berman wrote in a letter sent Monday to the attorney representing the students. “Thus, it is not required to prove that test takers cheated as a prerequisite to canceling scores. . . . . Individual attestations of innocence are irrelevant.”

Do they charge for a re-test? Was it the fault of the school, the proctor, or the testing group that gaps were found in security during the test?

Countrywide Breach

There is something really sad and ironic about the title “Countrywide Breach”. But the facts are the facts. There has been a Countrywide Breach in America. Two men are accused of conspicuously downloading all the Countrywide customer records over two years and selling them for relatively little ($70K).

The former employee, Rene L. Rebollo Jr., 36, of Pasadena, was charged with exceeding authorized access to the computer of a financial institution, the FBI said in a statement.

[…]

Rebollo would go into work on Sunday afternoons, log onto his company’s network and download the data onto flash drives, the complaint said.

Investigators believe he was selling the information to Siddiqi, who allegedly acted as a middle man for the companies that bought it, the complaint said.

The FBI says this was unauthorized and therefore a criminal act. That makes me wonder. I get notices about privacy practices all the time from Countrywide, (unfortunately) being a (vulnerable) customer of theirs, where they repeatedly warn me that if I do not actively tell them to protect my records they may be sold to other firms. I mean, I am tempted to ask whether Rebollo is considered unauthorized only because he did not bother to pay Countrywide a portion of his revenue?

Are you surprised that the accused worked with subprime mortgages?

Rebollo had access to Countrywide client information when he worked as a senior financial analyst for the subprime mortgage division, known as Full Spectrum Lending, according to the criminal complaint.

The bottom line here is that approximately 2 million records were sold (for $0.025/each, $500 for 20,000) over a 2-year period. The fact that this was all done via a flash drive on Sunday afternoons suggests it could have been detected easily and early. Was it an insider? A contractor? An outsider with inside connections? Who really cares about the perimeter anymore? The data flowed and the access was higher than roles apparently should have allowed over a long period of time.
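A sketch of the kind of check the paragraph above implies, added here as an illustration and not taken from the complaint or any Countrywide system: it flags accounts that repeatedly export large record batches to removable media outside business hours. The log format, user names, thresholds and business-hours window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample export-audit events (hypothetical format, not real data):
# ISO timestamp, user, records exported, destination
SAMPLE_LOG = """\
2008-06-01T14:05:00 analyst_a 20000 removable
2008-06-03T10:15:00 analyst_b 150 network_share
2008-06-08T15:30:00 analyst_a 20000 removable
2008-06-10T11:00:00 analyst_c 25000 network_share
2008-06-15T13:45:00 analyst_a 20000 removable
2008-06-21T09:00:00 analyst_b 300 removable
2008-06-22T14:20:00 analyst_a 20000 removable
"""


def parse_events(text):
    """Turn whitespace-separated log lines into (datetime, user, count, dest)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, count, dest = line.split()
        events.append((datetime.fromisoformat(ts), user, int(count), dest))
    return events


def is_off_hours(ts):
    """Weekend, or outside an assumed 07:00-19:00 weekday window."""
    return ts.weekday() >= 5 or not (7 <= ts.hour < 19)


def flag_recurring_exports(events, min_records=1000, min_weeks=3):
    """Flag users with bulk off-hours exports to removable media that
    recur in at least `min_weeks` distinct ISO weeks."""
    weeks = defaultdict(set)    # user -> {(iso_year, iso_week), ...}
    totals = defaultdict(int)   # user -> total records in matching exports
    for ts, user, count, dest in events:
        if dest == "removable" and is_off_hours(ts) and count >= min_records:
            weeks[user].add(tuple(ts.isocalendar()[:2]))
            totals[user] += count
    return {
        user: {"weeks": len(w), "records": totals[user]}
        for user, w in weeks.items()
        if len(w) >= min_weeks
    }


if __name__ == "__main__":
    for user, info in flag_recurring_exports(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {info['records']} records over {info['weeks']} weeks")
```

A single weekend export is ordinary; the signal is the recurrence, so the rule keys on distinct weeks rather than on any one event.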

Also interesting to note that Countrywide claims only 19,000 identities have really been compromised so far…but given 2 million records leaking over 2 years who would trust their own detection and accounting numbers?

Perhaps that’s too much sarcasm for this morning. Need coffee…

Domestic Terrorism in Santa Cruz

Following on the heels of my post last week about the ongoing violence in America and the confusing definition of domestic terrorism, attackers in Santa Cruz have been quickly identified by local police as a candidate:

Santa Cruz police officials said Sunday the case will be handed to the FBI to investigate as domestic terrorism while local authorities explore additional security measures for the 13 UCSC researchers listed in a threatening animal-rights pamphlet found in a downtown coffee shop last week.

“The FBI has additional resources and intelligence into groups and individuals that might have the proclivity to carry out this kind of activity,” police Capt. Steve Clark said. “The FBI has a whole other toolbox of tools for this kind of investigation.”

Nice quote Mr. Clark. I will have to remember to watch out for the toolbox of tools. That’s different than the toolbox of rubber ducks and fake mustaches that they use for cases deemed not to be terrorist related.