As Rick noted in yesterday’s news, UK ‘UFO Hacker’ Gary McKinnon has lost his appeal against extradition to the U.S. McKinnon had previously admitted to unlawfully accessing 97 US military and Nasa computers, but was fighting the extradition attempt by U.S. prosecutors.
You can find the text of the judgement here – it outlines the reasoning behind the decision, as well as lays out a few of the facts of the case:
Using his home computer the appellant, through the internet, identified US Government network computers with an open Microsoft Windows connection and from those extracted the identities of certain administrative accounts and associated passwords. Having gained access to those accounts he installed unauthorised remote access and administrative software called “remotely anywhere” that enabled him to access and alter data upon the American computers at any time and without detection by virtue of the programme masquerading as a Windows operating system. Once “remotely anywhere” was installed, he then installed software facilitating both further compromises to the computers and also the concealment of his own activities. Using this software he was able to scan over 73,000 US Government computers for other computers and networks susceptible to similar compromise. He was thus able to lever himself from network to network and into a number of significant Government computers in different parts of the USA.
…The 97 computers the appellant accessed were: 53 army computers, including computers based in Virginia and Washington that control the army’s military district of Washington network and are used in furtherance of national defence and security; 26 navy computers, including US Naval Weapons Station Earle, New Jersey, which was responsible for replenishing munitions and supplies for the deployed Atlantic fleet; 16 NASA computers; one Department of Defense computer; and one US Air Force computer.
…Having gained access to these computers the appellant deleted data from them including critical operating system files from nine computers, the deletion of which shut down the entire US Army’s Military District of Washington network of over 2000 computers for 24 hours, significantly disrupting Governmental functions; 2,455 user accounts on a US Army computer that controlled access to an Army computer network, causing these computers to reboot and become inoperable; and logs from computers at US Naval Weapons Station Earle, one of which was used for monitoring the identity, location, physical condition, staffing and battle readiness of Navy ships, deletion of these files rendering the Base’s entire network of over 300 computers inoperable at a critical time immediately following 11 September 2001 and thereafter leaving the network vulnerable to other intruders.
The key element of the latest appeal was that the plea bargain offered by U.S. prosecutors was coercive. However, the judgement would seem to put paid to talk from McKinnon and his solicitors that he might be looking at 60 years in prison in the U.S. Instead, the judgement only says that if “the appellant chose not to cooperate, and were then extradited and convicted, he might expect to receive a sentence of 8-10 years, possibly longer, and would not be repatriated to the UK for any part of it.” It might be pertinent to note though the phrase “possibly longer”, and that this prison sentence had the possibility of being in a high security prison. There’s also the question of whether coercion was implied in other statements not addressed by the court, such as the claims by McKinnon’s solicitors that “New Jersey prosecutors expressed the intention to see Mr McKinnon ‘fry’.” I find it odd that this was not raised/discussed in the decision, considering the similarity of those alleged comments to the Canadian case cited as a possible precedent (you’ll have to read the judgement for details).
Further, McKinnon’s claims of being in over his head and not interested in vandalism – just in finding UFO evidence, and being on a “moral crusade” in searching for evidence of free energy technology – seem to be embroidering the truth a little. He allegedly left a message on one of the computers saying…
US foreign policy is akin to government-sponsored terrorism these days… It was not a mistake that there was a huge security stand down on September 11 last year… I am SOLO. I will continue to disrupt at the highest levels…
Threatening to “continue to disrupt” does not equate well with McKinnon’s claims today “I maintained a quiet presence”.
It seems like the no-brainer would have been to take the plea bargain and do the year in low-security in the U.S. However, (as shown in the judgement), there actually was no guarantee of a plea, with a proviso written in to the effect that the offered deal was “a prediction, not a promise, and is not binding on the United States, the probation office, or the Court.The United States makes no promise or representation concerning what sentence the defendant will receive, and the defendant cannot withdraw a guilty plea based upon the actual sentence.” McKinnon said in the BBC interview that he did initially agree to the extradition, but pulled out (on the advice of a U.S. lawyer) when this caveat came to light.
I also personally take issue with the hyping of what McKinnon did. Firstly, the constant repetition that he “was able to scan over 73,000 US Government computers” means nothing. Anybody can do that, it’s virtually just a matter of aiming the software and pulling the trigger. Any ‘script kiddie‘ can do it (and they do regularly). Secondly, the fact that McKinnon was able to gain access to *open systems* on the DoD and U.S. military is appalling – in a way, they should be thankful that he showed them how screwed their security was, as there are a lot more nefarious hackers out there than Gary McKinnon, who actually work for other governments/intelligence agencies.
And quoting $700,000 damage means nothing until we know how much of that figure of “damage” actually includes fixing things that needed to be fixed anyhow (that is, systems that needed their security fixed).
If McKinnon does end up in a U.S. court, we may see the full story of this saga come out, though it may be in the U.S. military’s best interest to avoid the court system (in the case that they have to present evidence), as happened in the Matthew Bevan case (notably though, Bevan was tried in the UK).
If this whole case wasn’t surreal enough, Wired also reported on the case today via a vitriolic attack on McKinnon from journalist Kevin Poulsen. The story is full of glossing over of facts and sarcasm from Poulsen, although he does point out some of the weaker points of McKinnon’s claims and defence. The strange part is, though, that Poulsen was once in McKinnon’s shoes. Objective journalism, or professional jealousy/contempt?