bobcat
response 77 of 145: Oct 2 07:19 UTC 2000

There's a few problems that occur in cases of this type:
Teenage geeks should not be put in prison for stupid computer tricks.
But they are with alarming frequency.
The DAMAGE done in these cases is often wildly overstated: Kevin Mitnick was
charged with doing $300,000,000 of damage - total nonsense.
The costs to FIX the damage are overstated and not germane to the case:
Let's assume there was a current tape backup of m-net.
The sysop reloads the system - poof! - and it's back to how it was before the
damage occurred. How much time is involved in typing a few lines to do that?
The proper punishment would be to make the VANDAL do something of service to
the community, like pick up trash for a few hours.
Time the system gods spend upgrading security is time they would have spent
ANYWAY, it's not because of the VANDAL, it's because it is a good and kindly
thing to do.
IRL, if you have no lock on your door, and someone walks in and steals your
frammistat, you can sue him to recover it (or its cost), but you'll never
prevail on the court to award you money to buy a lock.
But it seems that cyberdoors are treated differently in the current digital
red scare climate.
scott
response 78 of 145: Oct 2 11:27 UTC 2000

The trouble with just "poof" doing a tape restore is that staff had no idea
how long root had been compromised.  So how far back does it make sense to
restore, versus a clean start with a known non-compromised fresh install?
md
response 79 of 145: Oct 2 12:12 UTC 2000

Mnet is indeed "grossly negligible," but I don't think they know it and 
I certainly don't think it's a crime.
jazz
response 80 of 145: Oct 2 14:25 UTC 2000

        The time to repair isn't really relevant.  If you start a fire in a
warehouse and the warehouse puts out the fire because it was properly equipped
with a fire extinguishing system, it's still arson.  But in this case, it was
about a month of volunteer and unpaid effort.
polygon
response 81 of 145: Oct 2 14:53 UTC 2000

Re 79.  Heh!
scg
response 82 of 145: Oct 2 16:50 UTC 2000

Could somebody please explain to me the rationale under which the amount of
time required to fix something that's been vandalized, or at least the amount
of time it could be reasonably expected to take, shouldn't be considered in
figuring out the amount of damage incurred?  In that case, how do you measure
the cost of damage?
mdw
response 83 of 145: Oct 2 17:30 UTC 2000

The problem with fixing vandal damage is not the same as the problem of
cleaning up after a regular disk disaster.  If it were just a failing
drive then, yes, restoring the last good backup is a fine strategy.  For
a vandal, however, it's *much* harder, because not only do you not
necessarily know when they broke in, but for the data they didn't tamper
with, you'd generally want to restore the newest data, even if it's
after the vandal broke in.  Even more importantly, you need to figure
out *how* the vandal broke in, or otherwise take effective steps to make
sure the vandal can't break in again, perhaps coupled with additional
logging stuff so that you can (hopefully) detect another break-in
attempt before they succeed.  There may be other less direct problems -
for instance, if the vandal stole user passwords (a common ploy) you may
need to worry about resetting user passwords, and users may have to not
only worry about getting a new password on m-net, they may also need to
change their passwords elsewhere.  (This is one reason why it's a bad
idea to use the same password in more than one place.) A lot of these
problems (figuring out what the vandal did/stole, dealing with possible
stolen passwords, etc.) are issues that don't arise with a simple
security upgrade.
bdh3
response 84 of 145: Oct 3 04:22 UTC 2000

Look, I've never met the dude who broke root, never even seen any posts
and don't even know his login.  But I do know he is 17 years old and
(somebody feel free to correct me) he did no actual damage.  (He didn't
even change the menu shell so is prompted "Want Cookie" and responded
"No!  Want Cookie" and refused to go further unless the user typed
'Cookie'...)

I do know that he's gonna have a hard time going to college and/or
getting a job from now on.  "Have you ever been arrested/convicted
for/of a felony" is the usual form of the question on the application.
How sad, and for what...
bobcat
response 85 of 145: Oct 3 05:42 UTC 2000

jazz, you're saying it took one month to restore the system to its
uncompromised state? This is an important point as far as the proper
punishment is concerned.
Also, regarding volunteer effort's value: the IRS says it has none.
If I do 10 hours of work for the Red Cross, and do not charge them the $1000
I could have earned elsewhere, I certainly can't deduct it from my taxes as
a contribution. You CAN deduct expenses involved in travel, etc.
As for restoring a system before the point it was compromised: you can never
really be sure it wasn't done long ago, and this VANDAL just spotted the
opening. The only thing you can do (which you would have done eventually
anyway) is secure the system NOW and restore any data lost. Everyone is of
course responsible for their own password, and the staff passwords would all
be reset by the person fixing the system. Free users need to change their own,
and are responsible for their OWN backups. Ordinary users' passwords are not
a big deal for the sysops, as they have no extraordinary privileges. You use
a free system at your own risk.
bdh3
response 86 of 145: Oct 3 07:28 UTC 2000

And a responsible system would have been running 'tripwire' to note
exactly when and what critical system files were modified, detected same
when it happened and easy to correct.  A truly less than stupid system
would have been monitoring any number of 'Net sites to fix security
holes before a '17-year old' script kiddy coulda even gotten in.
jerryr
response 87 of 145: Oct 3 13:47 UTC 2000

don't you get tired of having sand in your ears?
jazz
response 88 of 145: Oct 3 14:22 UTC 2000

        I can't think of a way to encourage volunteers to spend all of their
free time monitoring rootshell and bugtraq for the patches to all of the
problems that crop up, the way some script kiddies do, Beady.  Can you?  
jp2
response 89 of 145: Oct 3 14:23 UTC 2000

This response has been erased.

jazz
response 90 of 145: Oct 3 14:29 UTC 2000

        Uhm, he really didn't mention anything other than that the physical
hardware wasn't damaged, and that the intruder hopscotched to UofMd.
jerryr
response 91 of 145: Oct 3 16:41 UTC 2000

alllrighty then.  no, i'm not going to give you any details.  they may or may
not ever see the light of day depending on what happens in court.

but, hey, why would anyone want to listen to jamie and me?  knock yourselves
out.  i'm done.
jazz
response 92 of 145: Oct 3 17:34 UTC 2000

        It just might have something to do with attitudes like "all you dumb
mother fuckers".
brighn
response 93 of 145: Oct 3 18:01 UTC 2000

Did #91 smack vaguely of obstruction of justice via withholding evidence to
you, John?
jerryr
response 94 of 145: Oct 3 18:07 UTC 2000

could you be any more obtuse?  i am talking about information that the
prosecutors already have.  i'm just not going to share it with you.  i
tried to be nice and save y'all some effort because some of you keep
harping on how much m-nut lost and how it could have been avoided.

one mo' time - there is more involved here than m-nut's physical plant and the
replacement thereof.

if you have any more questions, contact the prosecutors.

brighn
response 95 of 145: Oct 3 18:35 UTC 2000

Ah. Being nice to the dumb mother fuckers.
Sorry for being rude in response to your obvious gregariousness.
jazz
response 96 of 145: Oct 3 18:43 UTC 2000

        Where did brighn (or myself for that matter) ever say or even imply
that "it could have been avoided"?

        Last I recall, I was actually supporting the argument that vandalism
damages a system beyond apparent replacement costs, and that it was unlikely
that even a full-time security staff could be expected to meet all possible
contingencies, let alone an unpaid volunteer staff working in their spare
time.
flem
response 97 of 145: Oct 3 19:40 UTC 2000

There seems to be a certain amount of confusion as to what is going on in this
trial.  I, for one, was under the impression that it was a *criminal*, not
a civil, trial.  The kid isn't being prosecuted because he did monetary damage
to m-net, but because he committed a crime.  
  If you rape someone, you don't generally cause them a great deal of
financial difficulty.  It can even be argued (occasionally; I'm certainly not
claiming this is the case for all or even a majority of rapes) that you don't
do any real damage to the victim.  It can even be, and has been, argued that
"she was asking for it."  Doesn't matter, it's still a crime and you're
(hopefully) still going to end up in jail for it.  
  IIRC, when you rob someone, the value of what was stolen is used to
determine how serious a crime it is (misdemeanor vs. felony), but, if I
understand correctly, that's a special rule that applies only to theft.  It
doesn't apply, for example, to assault.  ("The hospital bill was only $50,
your honor, so it shouldn't be a felony...")  
  In this case, I believe it to be the case that the law says that breaking
into a computer system without authorization is a felony.  End of story. 
Doesn't matter if it's a 386 or a supercomputer.  (I'm not sure I agree with
the law, but that's my understanding of what it says.)  
jazz
response 98 of 145: Oct 3 19:45 UTC 2000

        M-net was, at the time, wearing a tight red dress and "fuck me" pumps,
and therefore, deserved whatever it got.
jp2
response 99 of 145: Oct 3 20:14 UTC 2000

This response has been erased.

jazz
response 100 of 145: Oct 3 20:18 UTC 2000

        You've proven your command of foul language, now let's see if you have
a working knowledge of being able to substantiate your point and differentiate
between fact and opinion.
jp2
response 101 of 145: Oct 3 20:23 UTC 2000

This response has been erased.
