Original URL: http://www.theregister.co.uk/2008/09/03/mckinnon_bevan_interview_analysis/

McKinnon a 'scapegoat for Pentagon insecurity'

US mil still wide open to attack, says reformed hacker

By John Leyden

Posted in Security, 3rd September 2008 08:02 GMT

As accused Pentagon hacker Gary McKinnon hopes against hope to avoid being extradited to the US, another reformed military systems meddler considers his own case - and how different the outcome was.

McKinnon is probably days away from extradition. Only a last minute plea to the Home Secretary "Wacky" Jacqui Smith - based on McKinnon's recent diagnosis with Asperger Syndrome - now stands between the Scot and a US trial for hacking into US government and military systems. Friends and family staged a demonstration outside the Home Office on Tuesday in a bid to draw attention to McKinnon's plight.

The handling of McKinnon's case is in marked contrast to how US authorities handled a similar one ten years ago. Like McKinnon, reformed computer hacker Mathew Bevan was charged with breaking into US military computer systems. Bevan was also curious about searching for evidence that the US military had harvested technology from crashed UFOs. Bevan's alleged crimes were cited as examples of cyberterrorism at Senate hearings in 1996.

But no attempt was ever made to extradite Bevan to the US. Instead he was prosecuted in the UK. The case eventually fell apart after 18 months, when prosecutors decided not to proceed.

Bevan put the legal fight behind him and has since gone on to become an ethical hacker and security consultant. Speaking exclusively to El Reg, Bevan said McKinnon is being used in a political game that has more to do with securing funds than deterring or preventing attacks.

"Clearly, lessons have not been learned since I breached similar systems and as I have always suggested - perhaps stopping the intrusions is not the goal of the administration," Bevan said. "Tacitly allowing access to machines by ensuring that default passwords or in fact access methods without passwords is suggestive of a system that really does not care too much about many of the machines connected to it."

Bevan questions why Windows PCs on US military networks are connected to the internet via direct IPs. Thousands of attackers regularly use the same remote access port accessed during McKinnon's hack, but little or no action has been taken in their cases, Bevan adds.

McKinnon has said that many other hackers had gained access to the same systems he was accessing, questioning why US authorities singled him out for prosecution. The fact that McKinnon did nothing to disguise his tracks and lived in a country with a friendly extradition regime probably has a fair bit to do with this.

Bevan supports McKinnon's contention that he was far from alone in rooting around US military systems. "You ask any military hacker about the machines they broke in to and they will tell you they were not the only people on those systems. Of course, they weren't the only people, as there were great numbers of people whiling away their time hacking computers."

Pork barrel ploy

McKinnon, according to Bevan, was far more than simply unlucky.

"Why is it that only a tiny number of those people ever face prosecution? It is clearly not because the others cannot be found. You cannot believe that out of so many people, Gary just happened to be caught."

McKinnon is being used as a scapegoat in a bid to secure extra funding to protect US military networks, according to Bevan, who reckons a commercial organisation would never get away with such trickery.

"I think it's all about timing and whether or not the hacker will make a good scapegoat whilst allowing the administration to request further money. The fear machine can keep churning out propaganda as per normal, but don't expect those machines to actually get better security. They are not businesses, have no shareholders and therefore do not have to answer to the same stringent rules and tests that the computer systems of corporations would."

Bevan compared hacking attacks to an infestation by pests. Both stem from a failure to follow basic housekeeping rules, he argued.

"My cynical side believes that those 'pesky hackers' are treated just like any bug infestation, the odd one or two or even a handful is not much of an issue until the place becomes overrun. It is then that you can call in the exterminators and make a big fuss about the problem, of course it never addresses that the usual problem with an infestation is someone has not been keeping their place tidy. You leave scraps around for rats to find and in a short time you will have many, many more rats sniffing around for the goodies."

With such lax security, the US authorities are lucky that McKinnon only had peaceful intentions in mind, Bevan noted.

"Gary is a self-confessed stoner and perpetrated the 'biggest military hack of all time' whilst completely wasted. This is clearly a sign of how lax the security of these systems was. If Gary had been clear minded and deliberate about what he wanted to achieve and was a malicious person rather than the pacifist he is - where exactly would we be now?"

Fast-track extradition is a one-way street

The US Congress has not ratified the fast-track extradition treaty between the UK and the US. UK prosecutors would need to present a compelling case before a US court before securing an extradition, whereas US authorities, as in the McKinnon case, have far fewer hurdles to clear.

"If it was an American hacker who had breached our computers - would we be fighting for extradition? I doubt it. In fact, we would most likely have to issue a public apology for our lapse in security and the media would be up-in-arms about how weak our defences are."

He added that the human factor is often ignored in the debate over McKinnon's fate, which is split between the 'burn him' camp and the 'deal with him here or let him go' lobby.

"People seem to forget that Gary is not just a meme or a 'hacker' - he is a real person. This guy has been waiting for six and a half years already. Now the chances are that if it had been dealt with over here he would have long served his time and be free to carry on his life.

"Due to political wranglings, all we are going to see is more time lumped on top of what has already been spent waiting in the wings and as many expect that time could be way in excess of the sentences for murder here."

According to papers submitted to his failed House of Lords appeal, McKinnon was offered a plea bargaining deal featuring a sentence of between three and four years in jail, if he cooperated with the US authorities and dropped his opposition to extradition against eight to ten years behind bars in a high-security prison after a US trial. Lawyers acting for McKinnon said that this deal might not be binding, and expressed concerns that McKinnon might be prosecuted by a US military rather than civilian court.

McKinnon (AKA Solo) has always admitted that he broke into US government computer systems but denies causing any damage. Bevan said McKinnon has not had enough credit in admitting responsibility for his misdeeds.

"Under UK law we are supposed to be more lenient on criminals who admit their crimes and accept the consequences. In this case, the effect appears to be the opposite - plead guilty then wait for the consequences. In the meantime have your charges upgraded as new laws are introduced and applied retrospectively."

Supporters of McKinnon argue that the prosecution may yet blow up in their faces by placing the security shortcomings of US government systems under the microscope, especially if the case goes to trial. Sysadmins may be faced with awkward questions about why their systems were so easy to infiltrate. Even if such questions fail to arise at trial, they might spark unwelcome Congressional scrutiny.

Stars and prison stripes

Bevan said McKinnon can expect to be treated harshly by a US court, especially if (as expected) he is tried in Virginia.

"Virginia is not exactly the most friendly state to foreigners and somehow I do not think that someone who 'attacked the United States' is going to be treated that well," Bevan said, adding there was a "high chances of abuse, torture, rape and drug abuse" in US prisons.

McKinnon's supporters argue the case has wider political implications involving the UK's willingness to deport suspects to the US and Europe without requiring evidence to be presented. Bevan is also critical of the fast-track deportation system.

"Is this the new way forward for the UK justice system, to allow citizens to be removed from the country without any evidence having to be presented? To allow them to go to a penal system which allows torture and brutality of its inmates is a clear violation of his human rights."

McKinnon has shown clear signs of remorse, according to Bevan, yet this has not counted in his favour. Bevan predicts that the case sets a pattern for how the prosecution of other UK hackers accused of committing offences in the US will be treated - marking a permanent move away from local prosecution to extradition as the preferred route.

"It saddens me that the USA can remove our citizens without any prima facie evidence, yet we cannot do the same when we wish to prosecute one of their citizens. This always felt like one of the main test cases and I am sure that we will see more people being treated in this way - guilty or not makes no difference," Bevan told El Reg. "If you do not have to argue your case or can justify closed hearings based on 'national security', we are clearly moving deeper into a system of control and away from any kind of democracy."

"People talk about 'Don't do the crime if you can't do the time', but what if the crime did not have the consequences at the time that it has now? When he was doing what he was doing, the extradition laws were not made and hacking was not a terrorist offence."

McKinnon was recently diagnosed with Asperger syndrome. Bevan is sceptical whether this, and more especially his heavy use of marijuana while hacking, will be counted as mitigating by the US court system.

"People clearly forget to consider that Gary has Aspergers, was using huge quantities of skunk. Is this a person that was thinking clearly?"

"Do you think that he had any real comprehension of what he was doing? The internet is 'not real' to many people, it's just stuff that happens somewhere else. It is here that people can do things they would never normally do in the real world and do not see the correlation between online activities and real world consequences. Someone who is wasted on weed can suffer many mental effects of doing so. Here, this would be taken into consideration, but in the States, he could be looking at ten years on top of his sentence for committing a crime under the influence of drugs." ®