Great way to pay for mistakes

The time is drawing to a close for Gary McKinnon who is waiting for the final final final final decision on if he will be extradited to the US to face charges for hacking into government computers and causing substantial damages. He stands to be extradited under the 2003 Extradition Act which formed into law the treaty made between the US and the UK in that year.

While the facts of the case are sketchy, and will remain so until a trial has been conducted, a few things that are known about this case raise concern. First of all, the perception among his supporters is that he is being used as a political scapegoat and will not receive a fair trial; this stems from the fact that the US is stating that McKinnon caused damage to the computer systems amounting to $800,000.

Once you rule out physical or hardware damage (something that is not really possible using the remote access technology that McKinnon claims to have used), the software damage is limited to undoing the changes McKinnon made to the software while infiltrating the systems. Even with an inadequate system in place for restoring machines from previous backups or resetting them to a known good state, $8,247 per computer is a lot of money to pay a consultant to undo the damage to each of the 97 computers that he accessed. I work for a major hardware vendor and have worked in the banking industry, where security is taken considerably more seriously than in the military and in government*, and the figures talked about here are more in line with the cost of work to improve the security after the discovery of obvious shortcomings. Some CIO-type figure has gone to his boss and explained that $800,000 worth of damage was done, while quietly spending most of that money on bringing the security up to the standard it should have been at in order to prevent the attacks in the first place.

The second part is down to the extradition treaty itself. The treaty was not ratified in the US immediately (some sources will tell you that it has not been ratified at all) because the US wanted to remain a safe haven for terrorists. Irish Americans lobbied extensively to prevent the treaty being ratified, for fear of facing extradition to the UK for supporting the Provisional IRA; several members of the PIRA fled to the US in the 80s to escape justice. The US likes to forget that it was a major source of funding for the terrorists who did stuff like this:

Since the treaty was ratified in the US this inequality has been relieved a little, although the UK still does not require the US (or Canada, Australia and New Zealand) to provide a case or body of evidence, whereas the US is not required to allow its own citizens to be extradited unless the UK can provide a sufficient body of evidence against that person.

Yes, let’s just get that straight; the UK will extradite one of their own citizens to a country that still imposes the death penalty and has a recent record of using torture and all this without the need for that country to provide any evidence that the citizen in question is guilty of anything.

So what next for Gary? He’s currently trying to get the case tried in the UK because he would face a far lower sentence than he could expect in a political show trial abroad. He has confessed to the hack itself, and if he is found guilty in the UK he could be protected by the double jeopardy rules which prevent people being tried for the same crime twice. The question of jurisdiction comes into play here though, and it’s not on his side: although he was in the UK when he committed the crimes, the crimes took place in the US. His only real hope is for the new administration in the US to quietly forget this and let it go away, because the people who were embarrassed by the original hack probably moved on with the last administration. I don’t really care that much though; I met him at Infosec a few years ago and he’s a bit of a dick.

*No really, it is. There have been numerous leaks of sensitive information in the military and government which have had no repercussions other than a little bit of blame shifting, but those that take place in banking are often high profile and costly, both financially and in terms of reputation. Some military organisations base their systems and controls on those used by the banking industry.