[asterisk-biz] attempt on hacking us ?

trixter aka Bret McDanel trixter at 0xdecafbad.com
Fri Jun 9 13:47:15 MST 2006


On Fri, 2006-06-09 at 13:51 -0400, Paul wrote:
> The FBI gives priority to cases where actual damages have exceeded X
> dollars. That creates a problem because people building password lists
> aren't investigated until the passwords actually get used in a way that
> is costing the victim(s) money. I won't give the value of X here. They
> tell me it's a budgetary problem.
> 

The statute in the US (18 USC 1030) requires that damages exceed $5000.
Damage is a defined term and US v Middleton is the best resource for
what is damage, basically it's anything the victim thought was
reasonable, but must be pecuniary loss (ie not reputational harm but
actual loss, including lost sales, time spent restoring the system to
its condition prior to the attack, etc but not time spent preparing for
litigation or criminal prosecution).  If you think it is reasonable to
hire your brother at $5000/hr and he works for 1 hour you have your
$5000 in 'damage'.

The Patriot Act amended the hacking statute to include ATTEMPTS, which
means that if someone tries to break in but does not succeed, but if
they had they would have caused $5000 in damage - they are guilty.  All
that requires is the 'victim' claiming that it is their best belief that
had the person succeeded it sure would have cost $5000.  

On top of that the $5000 is aggregated over a 1 year period.  Pre
Patriot Act it was for each singular act, but now it is all acts
combined, $5 in 'damage' to 1000 places now rises to the level of a
federal crime.  Initially the damage element was in place to allow only
the most serious crimes to be federal everything else state.

If that isn't bad enough the FBI claims world wide jurisdiction - how
they do this is let's say that a guy in the UK hacks a box in Germany, in
addition to Germany being able to prosecute, if that box in Germany has
at one time been involved in commerce with just 1 US transaction (with
voip it terminates *any* calls to the US, it has one US customer, 1
person from the US goes to its web server, it really doesn't take much)
the FBI can seek extradition in addition to German authorities, and
BOTH can charge, convict and sentence the same person for the same
crime.  Double jeopardy wouldn't apply because it's a separate sovereign
entity and thus not double jeopardy.

As you can see they really don't need much to go after anyone now, they
used to need slightly more. 


> If someone reported that I was asking people to show me their
> identification and credit cards in person, you can be sure that law
> enforcement would arrive. They would look for any grounds suitable to
> arrest me. If I do the same thing electronically, I probably won't be
> pursued until after I have started using the credit card numbers.
> 
That is a different statute, 18 USC 1029 does allow for attempted
acquisition of 'access devices' of which credit card numbers qualify (but
then so do email addresses and mobile phone numbers).  Sheesh.

-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
Belfast IE +44 28 9099 6461    DE +49 801 777 555 3402
Utrecht NL +31 306 553058      US WA +1 360 207 0479
US NY +1 516 687 5200          FreeWorldDialup: 635378
http://www.trxtel.com we pay you to terminate calls with us!