via Expert challenges UFO hacker’s $700k bill | 22 Sep 2009 | ComputerWeekly.com.

The US inflated the $700,000 bill for damages it slapped on UFO hacker Gary McKinnon by stuffing it with costs incurred for patching the gaping holes the hacker had exposed in its computer security, according to a document filed with the Supreme Court.

The US had not taken reasonable steps to protect its security and now expects McKinnon to pick up the bill, said an expert witness statement made in McKinnon's ongoing appeal against a US extradition order.

Peter Sommer, professor of security at the London School of Economics, said damage assessments of computer security breaches should consider “whether the victims have taken reasonable steps to limit the damage”.

[…]

“Any firewall also ought to block the 'ports' [internet access points on a computer] used by Remotely Anywhere. On this basis, the costs claimed for are features that should have been there in the first place.”

Sommer, who once advised insurers underwriting the risks of computer damage, said hackers could not be held accountable for the “consequential loss” resulting from their intrusion into systems unprotected by “preventative measures for reasonably foreseeable hazards”.

“Insurers will not insure computers or computer-dependent businesses in the absence of reasonable levels of protection and means of recovery,” he said.

But security experts in the US said McKinnon should be liable for the full $700,000 of security checks performed in his wake.

Professor Eugene Spafford, founder of the Center for Education and Research in Information Assurance and Security at Indiana's Purdue University, said the victim of a cybercrime should not take the blame. If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door.

Anthony Reyes, a former cybercrime detective who helped develop the US Cyber Counter Terrorism Investigations Program, said, “Just because security is weak, it doesn't give you a red flag to go into a computer system and start browsing around.”

Count me with Peter Sommer on this one; I consider Reyes’ “red flag” quote to be specious, and respect Spaf as I greatly do, walking up to a door and through it regardless of a presumed “No Entry” sign does not constitute “breaking it down”; maybe faffing with buffer overflows does but having recently had 5 doors replaced at £200 per diem I am well aware of the difference between replacing broken doors and configuring a firewall properly.

Also: firewall rules do not need to be painted or weatherproofed, and they are more easily draught-proofed – at least, if they are not being installed by the US Military.

There is a perpetual tension in security analogies between the physical and virtual worlds, and all analogies break down eventually. My distribution of Crack back in the 90s was described as “handing out guns” (example response) – yet today it’s mostly forgotten, and the software which usurped it[1] is on the verge of being forgotten, too.

Nowadays there are just far too many other ways to hack, and the security challenge today exceeds the capabilities of the security generalist; that’s probably a good thing, it guarantees us all employment – 🙂 – but it also does increase the scope for bad analogy. NMap was bad and became good, Stumblers were evil – and WarChalking was the sigil of the beast, even if I never saw any – yet now every phone has a “Wifi Scanner” application.

It’s all a matter of getting over the neophobia.

—
[1] cloning Crack’s dictionary generation in the process – imitation is the sincerest, Solar? 😛