Wednesday, September 23, 2009

Gary's $700,000 Damages Bill

Once again, we have somebody over here desperately trying to beat sense into the amorphous "over there":

The US inflated the $700,000 bill for damages it slapped on UFO hacker Gary McKinnon by stuffing it with costs incurred for patching the gaping holes the hacker had exposed in its computer security, according to a document filed with the Supreme Court.

The US had not taken reasonable steps to protect its security and now expects McKinnon to pick up the bill, said an expert witness statement made in McKinnon's ongoing appeal against a US extradition order.

Peter Sommer, professor of security at the London School of Economics, said damage assessments of computer security breaches should consider "whether the victims have taken reasonable steps to limit the damage".

Now, I've not seen the details of the US damages bill but I have seen lots of guesstimates of clean-up costs after security breaches - $700k doesn't seem too bad in comparison with the hideous over-estimates for virus damages - if you think about it in purely work terms, it is less than 3 man-years for a medium-grade consultant. Add in opportunity costs for your normal IT geekery and you could easily get to a large figure. Remember that it is not just the 97 computers that he got into but you also have to check the others to see whether or not he had been at or into those.

However, we then have our colonial colleagues disagreeing:

But security experts in the US said McKinnon should be liable for the full $700,000 of security checks performed in his wake.

Professor Eugene Spafford, founder of the Center for Education and Research in Information Assurance and Security at Indiana's Purdue University, said the victim of a cybercrime should not take the blame. If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door.

Anthony Reyes, a former cybercrime detective who helped develop the US Cyber Counter Terrorism Investigations Program, said, "Just because security is weak, it doesn't give you a red flag to go into a computer system and start browsing around."

Spaff, a famous and capable security academic, however seizes the wrong analogy. If somebody opens an unlocked door to rob a store, it would be unusual to charge them for fitting an additional lock.

Reyes, who I have never heard of, is entirely accurate and completely irrelevant. I don't think that anybody is arguing that McKinnon did not do anything 'wrong'. (Ed notes: There are technical arguments as to whether what he did was illegal under the precise wording of various statutes - but what he did was illegal under the UK Computer Misuse Act where it is the unauthorised access that is illegal, regardless of the method you used to gain it, although the latter may be an additional offence.) The question at point is two-fold:
  • How much of the $700k claimed is for work that the DoD should have done regardless of McKinnon's intrusion? To look at Spaff's analogy - if somebody opened an unlocked door and, with the investigation, you realised that you only had a three-lever mortice on it, should they be charged for the five-lever lock?
  • Secondly, how much of the costs actually incurred should be mitigated because the DoD were negligent in their basic Information Assurance? To look at the insurance example - your contents insurance will have a clause in it about the house being unoccupied for an extended period, because this increases the risk. I am not a lawyer, and certainly not an American one, so I have no idea how this actually plays in the context of a criminal breach of US law. Badly, I suspect.

Monday, September 21, 2009

BCS - Security. Epic Fail

Well, attempting to log on to the "New British Computer Society" site, this morning (Ed notes: what happened to the perfectly acceptable old BCS and how much did that new logo cost?), I was presented with this rather over-informative error:

exception 'AmaxusSecurityException' with message 'Invalid token for request' in /mnt/amaxus4/private/inc/controller/Frontend/FrontendController.class.php:157
Stack trace:
#0 /mnt/amaxus4/private/inc/controller/Frontend/FrontendController.class.php(131): FrontendController->checkRequestToken()
#1 /mnt/amaxus4/private/inc/class/common/Controller.class.php(678): FrontendController->runAction('login')
#2 /mnt/amaxus4/private/inc/class/common/ControllerDispatcher.class.php(68): Controller->handleRequest()
#3 /mnt/amaxus4/private/inc/class/common/ControllerDispatcher.class.php(56): ControllerDispatcher->handleRequest(Object(UserController))
#4 /mnt/amaxus4/site/_server.php(92): ControllerDispatcher->dispatch(Object(ClientRequest))
#5 {main}

Not very good at all for the:
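The trace above is what a PHP stack shows the visitor when display_errors is left on: the CMS name, internal file paths, class and method names, and the fact that the failure was a stale request token. The following is an added example, not code from the BCS site or its CMS, of how the same failed token check can be handled so that the detail goes to the server log and the visitor sees only a generic message; every name in it (SecurityException, checkRequestToken, handleLogin) is hypothetical.

```php
<?php
// Added example (not the BCS site's or its CMS's own code): handling a
// failed request-token check without leaking internals to the browser.
// SecurityException, checkRequestToken() and handleLogin() are hypothetical.

declare(strict_types=1);

// Production settings: never render exceptions to the browser, always log them.
// The BCS page behaved as if display_errors were '1'.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

class SecurityException extends RuntimeException {}

// Rejects a form post whose anti-CSRF token is missing or does not match the
// session. A mismatch is routine after a session expires, so it is not fatal.
function checkRequestToken(array $post, array $session): void
{
    $sent     = $post['token'] ?? '';
    $expected = $session['token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $sent)) {
        throw new SecurityException('Invalid token for request');
    }
}

// Last-resort handler: message, file, line and trace go to the server log;
// the visitor gets a status code and a generic sentence, nothing else.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf("%s: %s in %s:%d\n%s",
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        $e->getTraceAsString()));
    http_response_code($e instanceof SecurityException ? 403 : 500);
    header('Content-Type: text/plain');
    echo "Sorry, your request could not be processed. Please try again.\n";
});

// Hypothetical front-controller action for the login form.
function handleLogin(array $post, array $session): string
{
    checkRequestToken($post, $session);
    return 'login accepted for ' . ($post['user'] ?? 'anonymous');
}

// Constructed sample request: the token in the submitted form no longer
// matches the session, as happens when a login page is left open too long.
$session = ['token' => bin2hex(random_bytes(16))];
$post    = ['user' => 'alice', 'token' => 'stale-token-from-old-page'];
echo handleLogin($post, $session);   // the handler above turns this into a 403
```

The same outcome can be forced at the server level by setting display_errors=Off in php.ini or the web server's PHP configuration, which is the safer default because it does not depend on every entry point remembering to call ini_set.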

Saturday, September 19, 2009

Hannan actually called Obama a misogynist homophobe!

He did, look:

Like St Paul, he made a virtue of being all things to all men.

And, even being a Christian, I have to admit that St Paul is fairly well known, if not actually renowned, for having a downer on the fairer sex and an apocalyptic hatred of gayers. And Hannan clearly compares Obama to St Paul. Therefore, exercising my massive grasp of leftie logic, Hannan has accused Obama of all of Paul's flaws as well as the specific virtue he actually used. And then we have this nonsense from the media.

There have been enough comments from sensible people about the dog-whistle "you're a racist" tactics of the nu-Lab playground bullies, so I point you in the direction of Cranmer and go off on a rant instead.

Wednesday, September 16, 2009


The official, government registered, "Hello Kitty" Tartan:

Bloody Slow BBC

I first saw it here, posted "9/11/2009 01:47:00 PM", if you'll forgive the Yank failure to do dates properly.

So I was quite surprised to see this, just now:

It's a wee bit late, folks, hum?

Oh Noes! The 'R' Word

So, the great Peanut farmer has spoken - opposition to Obama's healthcare reform is racist.

Now, I don't doubt that there are people who do actually oppose President Obama on the grounds that he is black, as well as people who oppose him on the grounds that he is(n't) Kenyan and, I expect, black people who oppose him on the grounds (also racist) that he is mixed race. There are definitely black people who oppose him on the grounds that he is African not "African-American" and, not being the descendant of slaves (the sort carried to the colonies by evil white folks rather than the sort enslaved back home by evil black folks - 'cause there weren't any of the latter). I am sure, also, that on the fringes (at the very minimum) of any group opposing any Obama initiative, you will have some of the people who oppose him for more visceral reasons.

However ...

The last time a Democratic president tried for health care reform (something I, like most Europeans and even Daniel Hannan think the Yanks really need to have a go at), it didn't go down very well either. Why?

Well, clearly it was racism. I mean, wasn't Clinton (completely inaccurately) described as the "first black president"? Well, possibly not. It may be because Mrs Clinton was (and still is) the sort of do-gooding shrewish harpy that really gets the hairs on the skin next to your spine standing up - even if she is saying nothing more harmful than "Good Morning"? It may be because the Republican party are firmly in the pocket of big business and HMOs are very big business indeed. It may be because the tag "socialist" can be easily attached. It may even be because these are not desperately well thought out ideas (v.g. tick, standard government practice) and are going to cost a rather large fortune (ditto).

But opposing health care reform 'racist' - I really don't think, Jimbo, you've made the point.

Tuesday, September 15, 2009

Beyond even a Labour Minister

From my spam bin:

Dear Friend,

This might startle you a little as you might have seen or read about me but really don’t know me in person. Well, I am Rt. Hon Margaret Hodge MP. A British politician and Labour Party Member of Parliament for Banking. I was the first Minister for Children appointed in a newly created post with the Department for Education and Skills and presently Minister of State in the Department for culture, Media and Sport under Her Majesty, Queen Elizabeth of the United Kingdom.

I got your contact info via your country’s national directory and intend introducing a project concerning charity in your country and maybe neighbouring countries around you.

A few months ago, I was compelled to make an over estimation during a budget and set aside the sum of Six Million Three Hundred Thousand Great Britain Pounds (£6, 300,000.00GBP) with the sole intention of channeling it all into charity which I am delegating you to executed on my behalf with complete supervision of my Attorney as he will also be the one in charge of securing these funds into your custody.

This transaction will result to you being paid a commission of 11% of the investment capital and the balance, distributed to charity organizations of your choice or reinvested and the net income, used for rehabilitating charity organization in and around your country through you/your agency annually for the period of five years or a little more. The last time I orchestrated this sort of Grant, the individual in Australia succeeded in successfully setting up three standard orphanage homes in less than a year. I have never been so proud of such a noble individual. I hope we would have a reoccurrence in your case. If you are willing to execute this Humanitarian Project, You must understand that I desire absolute confidentiality and professionalism on this issue.

For security reasons as regards my reputation, I will not be able to communicate regularly with you; but my Attorney will take up the processing on my behalf and get these funds processed and released to you without any delay. I don’t plan on benefiting anything from this project, but will be absolutely fulfilled, if and only if you remain sincere to me on the handling of this project with utmost sincerity and confidentiality; and eventually utilize the funds for the purpose which I have explained to you above.

Kindly respond urgently if you are interested as the fund have been tied down for too long, so I can equip you with the necessary details, alongside my Attorney’s contact information, so as to commence the transaction properly; on the other hand, if you are not, please let your intentions be known or better still, Kindly relent from replying this email.

You could get personal info on me via my official website, but do not try contacting me via any personal information you may lay your hands upon on the internet as almost all my contact info are connected to the British House of Parliament data base except the ones I personally sent to you; as I don’t want our effort and my reputation, jeopardized.

Kindly send your response to this E-mail: <-------

:) Corrections for formatting only. All mistooks courtesy of the Lads from Lagos.

Monday, September 14, 2009

You just have to love weegies.

And here's to good old Glasgae,
The land of the bigot and the ned ...

It sort of runs out at that point but :)

Nickin' stuff off a pirate ship - that's cooler than having 3 machetes!
HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

(c) 'Surreptitious Evil' 2006 - 2017.