They bagged the kid who was responsible
April 19, 2000 4:30 PM   Subscribe

My personal opinion is that attacks like this should be not an issue of the attacker, but the irresponsible sys admins and OS/PC distributors that have all possible services running on the boxes/defaul-installs that they provide. It is like giving a kid with no training a loaded gun with a bullet in the chamber and the safety off. That would be obvious, but computing is new and a little more complex, so it isn't as easy to just look at the big picture and say >oh! it's obviously the Dad's fault that little Johnny shot his brother< or something like that....
posted by greyscale at 4:48 PM on April 19, 2000

Blame Canada! Blame Canada!

(sorry, couldn't resist)
posted by mathowie at 4:48 PM on April 19, 2000

I don't think you can extradite a minor child. Any lawyers here?
posted by sperare at 5:26 PM on April 19, 2000

I did see talk of extradition, but I don't remember where. (CNN? I think that's the only article I read.)

My guess, discounting the minor issue, is that extradition will mostly concern the discussions between Canada and the US, which will hopefully be relatively friendly :-) There just ain't no precedent for this sort of thing that I've ever heard of.
posted by Jeremy Bowers at 5:36 PM on April 19, 2000

Erm, this has to be one of the most overblown stories I've ever heard. So somebody couldn't get into Yahoo for a few hours. DoS attacks are pointless, temporary, and don't cause any real harm. There's no reason to do them, and no reason to care about them anyway (and if the victims were smart, they'd build protection into their servers w/ mod_perl or something anyway, wouldn't be hard.)
posted by sonofsamiam at 6:17 PM on April 19, 2000

I agree with the last post, it's a bit overblown, but then again, what is yahoo doing being effected by a 15 year old ? can't their billions even protect them?
posted by tiaka at 6:23 PM on April 19, 2000

Yeah, greyscale, and when somebody's house is burglarized, they should put the OWNER in jail for not locking his doors!
[sarcasm off]

As for extradition, certainly that could happen. The US and Canada have one of the most cordial relationships of neighbors anywhere in the world, partly because of cooperation on law enforcement issues. This extradition info page suggests there are four criteria: was the crime committed under the jurisdiction of the country requesting extradition? was the act a crime under that country's laws? was the act a crime under Canadian law? and it must be a type of crime listed in the treaty. The last might be the biggest sticking point -- computer crimes being new and hard to define. Is it vandalism? fraud? theft of services? It may depend on the investigation.

Extradition requests are frequently routine, almost as simple as the requests that US states send each other all the time. Very rarely, there will be a political reason for preventing extradition, e.g. death penalty crimes have been a problem because Canada does not have a death penalty. To be fair, this is also a problem from time to time between US states.

My guess is that Canadian authorities will prosecute him under Canadian law.

sonofsamiam, obviously you are not living in the real world where you have any kind of responsibility for an employer. This may not be a "serious" crime, but it should be prosecuted nonetheless.
posted by dhartung at 8:31 PM on April 19, 2000

ok, dhartung, but I don't think the insurance is gonna pay if the doors weren't locked. guess my point sailed, well, nevermind............ should I just leave my car parked and running the next time I drive to Pike Place Market for some fresh fish? I suppose it's hard to imagine there's something of more substance (or a bigger problem) in this topic than whether some kid gets punished or not, and by whom.
posted by greyscale at 9:15 PM on April 19, 2000

As to the four criteria, the question I was asking is essentially, "where was the crime committed?"

Was it committed at the site which received the DOS (in the US) or was it committed at the PC which initated the attack (in Canada)? If it is judged to have been committed in Canada, then it isn't under the jurisdiction of the US, and the US could not ask for extradition.

As to it "not doing any harm", you're forgetting that one of the targets was Charles Schwab's online web site which lots of people were trying to use to perform stock trades. Schwab itself lost the fees from several hours of stock trades (and that's millions of dollars worth), and its clients may have lost countless millions of dollars by not being able to sell before prices fell, or by not being able to buy before prices rose.

In fact, the economic damage was considerable.

If in fact the kid gets extradited to the US, he'd probably be tried as an adult, and in that case they'd throw the book at him.
posted by Steven Den Beste at 10:49 PM on April 19, 2000

There is "something of more substance (or a bigger problem) in this topic"--http://www.villagevoice.com/issues/0007/vest.shtml
posted by mrpalomar at 7:42 AM on April 20, 2000

And they should throw the book at him, too.

"It was unlocked" is not sufficient excuse for stealing things from the {house,car,boat}. And I'm a Libertarian.

By rights, I should be saying: let's let the stockholders who lost millions on the market deal with him. All at once. In, say, the Kingdome?

:-)
posted by baylink at 8:55 AM on April 20, 2000

Oh, and one other thing I forgot to point out: later repors suggest that they're only holding him for the *CNN* DOS attacks, not the earlier eBay and related stuff.
posted by baylink at 8:56 AM on April 20, 2000

Has any major "computer criminal" who didn't brag about his activities ever been caught?
posted by harmful at 2:20 PM on April 20, 2000

I don't think that DOS attacks are analogous to theft, and comparing the two isn't fair.

The Brick & Mortar equivalant of a DOS attack would be something akin to putting glue into a store's lock, so the owner (or person opening the store that day) can't unlock the door, and therefore loses a day's worth of business.

I'm unsure of the legal aspects of this, but something like that sounds more like a misdemeanor than a felony.

Mafiaboy didn't walk away with anything from his attack(s) other than the Right To Strut, whereas a thief walks away with something potentially valuable.
posted by cCranium at 2:57 PM on April 20, 2000

So if I burn down a building belonging to someone else, then I shouldn't be punished because I got no personal gain from it?

Please.

A crime is about harm to someone else, not about gain to oneself. The severity of the crime is proportional to how much it harms someone else.
posted by Steven Den Beste at 4:06 PM on April 20, 2000

Steven's right. I had my truck broken into recently, and the thief stole about 20 CDs. He probably netted maybe 50 bucks in drug money if he was lucky. Me? Replacement cost $300, plus $200 for the window.

I'm not saying this kid is the devil incarnate, but I'm really tired of the old "hacker ethic" rhetoric that's so prevalent on the net.

Greyscale, you're right in that sysadmins have got to take greater responsibility. But I don't know of that many sysadmins that are underworked.
posted by dhartung at 6:53 PM on April 20, 2000

I didn't say it wasn't a crime, and I certainly didn't mean to imply it. What I did say is that Denial of Service attacks aren't theft, and that comparing the two was wrong.
posted by cCranium at 3:59 PM on April 21, 2000

Theft (more properly, conversion) is taking from someone valuables that aren't yours to take... so you're correct (somewhat to my chagrin; I started off to contradict you :-). Theft isn't the proper term. However, as Steven points out, while *you* don't profit, someone else does lose.

OTOH, any Heinlein Fans in the audience? Read Friday lately? Maybe whomever lost Schwab all that money was bankrolled by one of Schwab's competitors...
posted by baylink at 12:06 PM on April 23, 2000