That's the question now hanging over the trial of alleged LulzSec participant Jeremy Hammond, who's accused of masterminding the December 2011 attack against Stratfor (a.k.a. Strategic Forecasting), hacking the Arizona Department of Public Safety website, and facilitating $700,000 in fraudulent charges using credit card data stolen from Stratfor. In May 2012, Hammond pled not guilty to all of the charges.
According to the complaint against Hammond handed down in May 2012, those charges include one count of conspiracy to commit computing hacking -- allegedly accomplished while using various aliases, including Anarchaos, sup_g, burn, yohoho, POW, tylerknowsthis, and crediblethreat -- one count of computer hacking, and one count of conspiracy to commit access device fraud. Per the conspiracy charge, if Hammond facilitated any of the alleged $700,000 credit card fraud, he could be found guilty of the fraud. "That's why in a bank robbery, the getaway driver is guilty of robbery too, even though he sat in the car," says white collar crime attorney David B. Deitch, who's with Ifrah Law, speaking by phone.
Last week, U.S. District Court chief judge Loretta Preska warned Hammond during a bail hearing in a Southern District of New York federal courtroom that if convicted of every charge, he faces a jail term of between more than 30 years and life imprisonment. That's based on the maximum sentence -- or "statutory maximum" -- for the crimes for which Hammond has been accused. "The point [Preska] was making was, there was a possibility -- it might be very small -- that he could get that severe a sentence," says Deitch. That possibility led the judge to consider Hammond a flight risk and deny him bail.
[ For more on the LulzSec case, see Accused LulzSec Hacker Could Face Life Imprisonment. ]
Still, does a statutory maximum of over 30 years to life seem like it fits the alleged crimes? A Thursday tweet from the AnonymousIRC channel said: "This should never be asked: Why are rapists, murderers and child molestors (sic) charged with less prison time than Jeremy?"
To be clear, Hammond hasn't been sentenced with prison time, but if convicted, his sentence could be severe. "It certainly does seem like an extreme amount of time for his alleged crimes," says Sean Sullivan, security advisor at F-Secure Labs, via email. For comparison's sake, he points to the case of Nikolay Garifulin, who was prosecuted by the U.S. attorney for the southern district of New York, Preet Bharara, over what the Department of Justice described as "his involvement in a global bank fraud scheme that used hundreds of phony bank accounts to steal over $3 million from dozens of U.S. accounts that were compromised by malware attacks," and which also saw him smuggle $150,000 to Russia to help pay for hackers.
Garifulin was charged with one count of bank fraud, which carries a maximum sentence of 30 years. Earlier this year, he pled guilty to the charge, receiving a jail sentence of two years, to be followed by three years of supervised release, the forfeiture of $100,000, and an agreement to pay $192,123.122 in restitution. So instead of serving 30 years, Garifulin will serve, at most, just two.
If Hammond's case goes to trial, his defense lawyer has indicated that she plans to argue that the FBI entrapped her client, who was allegedly working with LulzSec leader Sabu, whose real name is Hector Xavier Monsegur. Monsegur was arrested by the FBI in June 2012, six months before the hack of Stratfor was executed.
After his arrest, Monsegur immediately began working nonstop as a government informer and fully cooperating with the bureau, which monitored his every online move. In fact, Monsegur provided the Stratfor attacker, who authorities said used the online handle "sup_g," with a server to help store all of the data being extracted from Stratfor. Interestingly, the server was located in the Southern District of New York, which suggests that it wasn't just provided by Monsegur but also controlled by the FBI. In addition, the bureau has also released excerpts of IRC chats between sup_g and Sabu/Monsegur, which appear to document the reconnaissance, hacking, and data breaches associated with the Stratfor site.
But even though Monsegur was cooperating with authorities, entrapment might be difficult to prove, since in 2007, Hammond pled guilty to hacking the Protest Warrior website, for which he received a two-year sentence. "Someone who's entrapped is saying, 'I would never commit a crime of this sort, except the person convinced me to do it,'" Deitch said. "If this guy is a hacker, and he's self-professed, it makes it much harder for him to claim that he was somehow entrapped into hacking."
On the other hand, to make its case, the government will need more than Monsegur's word. "The key will be having evidence that corroborates the cooperator. Because when a cooperator goes into court, he or she has every reason to lie. I'm not saying all cooperators lie, but the problem is they have a very strong motivation to lie, because they're trying to save themselves," said Deitch.
Of course, a good defense attorney will hammer away at a cooperator's true motivations. "So the key for a prosecutor is to have as much information that corroborates the cooperator as possible. If there are technical records or some type of documentary proof, that gives the guy more credibility," said Deitch.
If the case does go to trial, one interesting -- and as yet answered -- question is this: If the FBI provided the server on which the stolen Stratfor data was extracted, why didn't the bureau step in sooner to prevent personal information on 860,000 Stratfor customers, 60,000 credit card numbers, and a massive trove of emails between the so-called global intelligence firm and its sources, not to mention customers, which included 50,000 people with global and military email addresses, from being leaked?
In other words, not only Hammond, but also Monsegur and the bureau's handling of the Stratfor incident, may soon be on trial.
Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)