Attacks/Breaches
11/29/2012
02:02 PM
50%
50%

Should LulzSec Suspect Face Life In Prison?

Computer hacking, identity theft, and fraudulent credit card charges could add up to 30 years to life for alleged Stratfor hacker Jeremy Hammond.

Should the Stratfor hacker be jailed for life?

That's the question now hanging over the trial of alleged LulzSec participant Jeremy Hammond, who's accused of masterminding the December 2011 attack against Stratfor (a.k.a. Strategic Forecasting), hacking the Arizona Department of Public Safety website, and facilitating $700,000 in fraudulent charges using credit card data stolen from Stratfor. In May 2012, Hammond pled not guilty to all of the charges.

According to the complaint against Hammond handed down in May 2012, those charges include one count of conspiracy to commit computing hacking -- allegedly accomplished while using various aliases, including Anarchaos, sup_g, burn, yohoho, POW, tylerknowsthis, and crediblethreat -- one count of computer hacking, and one count of conspiracy to commit access device fraud. Per the conspiracy charge, if Hammond facilitated any of the alleged $700,000 credit card fraud, he could be found guilty of the fraud. "That's why in a bank robbery, the getaway driver is guilty of robbery too, even though he sat in the car," says white collar crime attorney David B. Deitch, who's with Ifrah Law, speaking by phone.

Last week, U.S. District Court chief judge Loretta Preska warned Hammond during a bail hearing in a Southern District of New York federal courtroom that if convicted of every charge, he faces a jail term of between more than 30 years and life imprisonment. That's based on the maximum sentence -- or "statutory maximum" -- for the crimes for which Hammond has been accused. "The point [Preska] was making was, there was a possibility -- it might be very small -- that he could get that severe a sentence," says Deitch. That possibility led the judge to consider Hammond a flight risk and deny him bail.

[ For more on the LulzSec case, see Accused LulzSec Hacker Could Face Life Imprisonment. ]

Still, does a statutory maximum of over 30 years to life seem like it fits the alleged crimes? A Thursday tweet from the AnonymousIRC channel said: "This should never be asked: Why are rapists, murderers and child molestors (sic) charged with less prison time than Jeremy?"

To be clear, Hammond hasn't been sentenced with prison time, but if convicted, his sentence could be severe. "It certainly does seem like an extreme amount of time for his alleged crimes," says Sean Sullivan, security advisor at F-Secure Labs, via email. For comparison's sake, he points to the case of Nikolay Garifulin, who was prosecuted by the U.S. attorney for the southern district of New York, Preet Bharara, over what the Department of Justice described as "his involvement in a global bank fraud scheme that used hundreds of phony bank accounts to steal over $3 million from dozens of U.S. accounts that were compromised by malware attacks," and which also saw him smuggle $150,000 to Russia to help pay for hackers.

Garifulin was charged with one count of bank fraud, which carries a maximum sentence of 30 years. Earlier this year, he pled guilty to the charge, receiving a jail sentence of two years, to be followed by three years of supervised release, the forfeiture of $100,000, and an agreement to pay $192,123.122 in restitution. So instead of serving 30 years, Garifulin will serve, at most, just two.

If Hammond's case goes to trial, his defense lawyer has indicated that she plans to argue that the FBI entrapped her client, who was allegedly working with LulzSec leader Sabu, whose real name is Hector Xavier Monsegur. Monsegur was arrested by the FBI in June 2012, six months before the hack of Stratfor was executed.

After his arrest, Monsegur immediately began working nonstop as a government informer and fully cooperating with the bureau, which monitored his every online move. In fact, Monsegur provided the Stratfor attacker, who authorities said used the online handle "sup_g," with a server to help store all of the data being extracted from Stratfor. Interestingly, the server was located in the Southern District of New York, which suggests that it wasn't just provided by Monsegur but also controlled by the FBI. In addition, the bureau has also released excerpts of IRC chats between sup_g and Sabu/Monsegur, which appear to document the reconnaissance, hacking, and data breaches associated with the Stratfor site.

But even though Monsegur was cooperating with authorities, entrapment might be difficult to prove, since in 2007, Hammond pled guilty to hacking the Protest Warrior website, for which he received a two-year sentence. "Someone who's entrapped is saying, 'I would never commit a crime of this sort, except the person convinced me to do it,'" Deitch said. "If this guy is a hacker, and he's self-professed, it makes it much harder for him to claim that he was somehow entrapped into hacking."

On the other hand, to make its case, the government will need more than Monsegur's word. "The key will be having evidence that corroborates the cooperator. Because when a cooperator goes into court, he or she has every reason to lie. I'm not saying all cooperators lie, but the problem is they have a very strong motivation to lie, because they're trying to save themselves," said Deitch.

Of course, a good defense attorney will hammer away at a cooperator's true motivations. "So the key for a prosecutor is to have as much information that corroborates the cooperator as possible. If there are technical records or some type of documentary proof, that gives the guy more credibility," said Deitch.

If the case does go to trial, one interesting -- and as yet answered -- question is this: If the FBI provided the server on which the stolen Stratfor data was extracted, why didn't the bureau step in sooner to prevent personal information on 860,000 Stratfor customers, 60,000 credit card numbers, and a massive trove of emails between the so-called global intelligence firm and its sources, not to mention customers, which included 50,000 people with global and military email addresses, from being leaked?

In other words, not only Hammond, but also Monsegur and the bureau's handling of the Stratfor incident, may soon be on trial.

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
StygianAgenda
100%
0%
StygianAgenda,
User Rank: Strategist
1/2/2013 | 9:37:38 PM
re: Should LulzSec Suspect Face Life In Prison?
From the perspective of an Ethical Hacker, employed currently by the government, I have mixed feelings about this.

While I believe that this is a total misuse of intelligence, to call any hacker a moron is to invite an avalanche of cyber-attacks. Most *real* hackers (not script kiddies) are extremely intelligent people, although often more than just a bit anti-social.

My personal issue with this sort of activity is the harm it causes to others beyond the target, such as theft of credit card numbers that result in individual lives being affected due to ruined credit and all the nastiness that comes with that.

On the flip-side of this, I also feel that in this day and age of cyber-warfare, the rise of the surveillance-state, the loss of personal liberties (that were really privileges, not rights), and the intrusiveness of state-actors in the ongoing (so-called) war on terror... hacking skills are tantamount to survival skills in some ways... basically an evolution of self protection. But, that's where it all falls down because most of the people that have the skills that in turn use those skills to commit crimes are more often than not, doing so for personal gain (financial, glory, or what-have-you).

More often than not, law enforcement tends to handle hackers like they are mass-murderers, until it gets around to sentencing, and the perpetrator serving out their sentence... since these people are generally non-violent offenders, they tend to do less actual time than their sentence implies. But, the social effect carries over to the public mindset, effectively bringing out types like "OldUberGoober" (go figure) that are practically screaming "Burn the heretic!". The witch-hunt mentality at its finest.

So, no... I don't believe any hacker should face life imprisonment, unless their activities cause actual loss of life. Now... apply that to the creators of StuxNet, or any other government sponsored cyber warfare suite designed to cripple enemy infrastructure. Do you think that those employees or contractors at the NSA, CIA, and MOSAD deserve life imprisonment for creating those tools? What if those tools save millions of lives due to crippling a very anti-social regime's nuclear program? How is that any different than someone who is disenfranchised and oppressed, using the same types of tools and attacks to infiltrate what they perceive as their enemy? What? Is the common man any less important than the imposed government that oppresses him? No... while I don't believe we should give these people a pat on the back, or a slap on the wrists, I don't think we should treat their crimes along the same lines that we use for prosecuting physical world crimes. Unfortunately, this tit-for-tat warfare only serves the purposes of those who would oppress everyone's freedoms that much farther, because it gives justification for more and more draconian laws to be passed.

"Naturally, the common people don't want war, but they can always be brought to the bidding of the leaders. Tell them they are being attacked, and denounce the pacifist for lack of patriotism and endangering the country. It works the same in every country." - Herman Goering, Hitler's Reichsmarschall at the Nuremberg Trials
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
12/31/2012 | 8:29:16 AM
re: Should LulzSec Suspect Face Life In Prison?
Generally hackers are given a few years in prison, and then when released go into consulting where they do very similar to what you suggested. That being said, I believe more focus should be put on how he was able to carry out the attacks rather than who hacked the systems. If the FBI really wants to crack down on hacking, they need to be more fair with their punishments. The leader (Sabu/Hector Xavier Monsegur. Monsegur) has already been released after serving just a few months in prison. Sure he cooperated with authorities, but you shouldn't serve such a small punishment for someone that arguably has done more damage and then a 30 year penalty to someone simply because they hit a company with the proper connections.

Jay Simmons
Information Week Contributor
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
12/11/2012 | 3:55:34 AM
re: Should LulzSec Suspect Face Life In Prison?
Someone, somewhere (referring to the judges) has to make an example out of a guy like this. Period.

What happens if you attack an Arizona DPS brick and mortar office? Wouldn't it be reasonable to apply the same sort of sentencing guidelines here?

What happens if you steal a corporate credit card number, without the use of a computer, and run up nearly 3/4ths of a million dollars in charges? Wouldn't it make sense for the same sentencing guidelines to apply here?

If you're smart enough to run a computer and perform these kinds of acts, I believe you're smart enough to know the difference between right and wrong. That said, this guy should spend the better part of his remaining natural born life in Leavenworth turning large rocks into small rocks, 16 hours a day, period.

Andrew Hornback
InformationWeek Contributor
Mathew
50%
50%
Mathew,
User Rank: Apprentice
12/3/2012 | 4:15:08 PM
re: Should LulzSec Suspect Face Life In Prison?
Interesting questions. So, there isn't any minimum sentence associated with these particular types of charges, and to be honest, the current norms are "it depends." If Hammond's case goes to trial, and a jury finds him guilty on one or more of the counts, at sentencing the judge could be lenient, or the judge could decide to set an example. The related sentencing guidelines are only guidelines.
macker490
50%
50%
macker490,
User Rank: Ninja
12/3/2012 | 11:44:13 AM
re: Should LulzSec Suspect Face Life In Prison?
hacking is a serious problem . but the larger problem is the insecure software that facilitates hacking . i would put him on probation with the terms being that he has to teach hacking at our universities . classes for students and practical demonstrations for professors and staff in what vulnerabilities are and how to build protection .

we generally agree that hack proof systems are going to be hard to build . but at the same time we observe the truth in this classic comment :

"Security is a function of the resources your adversary is willing to commit," said Julian Sanchez, an attorney with the Cato Institute in Washington, D.C.

perhaps we can't eliminate hacking but we should be able to reduce it to the point where it isn't a concern for those of us who choose to use the proper tools . if you think about this it is a critical sea change for us . corporations are pushing hard for e/commerce . without basic computer security all that e/commerce will do is exacerbate the hacking problem .

before you roast me here remember : hacking and hacking tools are sold on the "dark net" by the bad guys . only a fool refuses elightenment .
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
11/30/2012 | 10:14:40 PM
re: Should LulzSec Suspect Face Life In Prison?
The article indicates 30 to life as the maximum but fails to give the minimums he may be subject to. Other examples cited shows that the maximum will clearly be unlikely. And rather than comparing apples to oranges what was the day trader for the French bank that lost $7 billion, the Madoff ponzi scheme, or the UBS and Goldman Sachs losses of $2.2 billion each? These would seem to fit better than comparisons against rape, child molestation, murders, etc. I'm not a lawyer so tell us if these are offences for which concurrent sentences are the norm. The ill gotten gain needs to be striped, but the crime itself, well big business makes its profits exploiting weaknesses in competitors and in vague laws. Give him a sentence commensurate with others for the same offenses (if guilt is confirmed) and hope he will direct his talents more constructively in the future. Preska is most likely hoping for this result.
rjones2818
50%
50%
rjones2818,
User Rank: Moderator
11/30/2012 | 6:56:24 PM
re: Should LulzSec Suspect Face Life In Prison?
If the hacker's convicted, he should be sentenced to whatever the general going sentence is. It's just a shame that the IT people who weren't able to protect their online assets can't be tried and convicted as well.
Bryan K
50%
50%
Bryan K,
User Rank: Apprentice
11/30/2012 | 6:35:18 PM
re: Should LulzSec Suspect Face Life In Prison?
Lock the subhuman bastard up and throw away the key! Death to hackers!
UberGoober
50%
50%
UberGoober,
User Rank: Apprentice
11/30/2012 | 6:25:50 PM
re: Should LulzSec Suspect Face Life In Prison?
These jerks should have punishment commensurate with their crimes, and the costs to society caused by morons like this are astronomical. Punish them severely, and perhaps a few less will think its worth the risk. If you can't do the time, don't do the crime, as the old saying goes.

BTW, if AnonymousRC wants rapists and child molesters to be be punished more severely than hackers, I'm 100% OK with that too, but the solution is to increase their punishment rather than decrease the punishment of hackers.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.