Teenage hackers are offered a second chance under European experiment (cyberscoop.com)
97 points by ga-vu on July 27, 2019 | 49 comments



I know kids will be just guilt-tripped admitting menial stuff like "you looked at how your teacher peck-typed her password and changing her wallpaper", "you found out that the school Administrator account has the password `admin`" or "you downloaded a movie", I've seen such nasty manipulation happen. A lot of adults are really petty when their incompetence is revealed, due to that they probably have no proof and this "Please confess for less punishment" lie is their only way in actually messing up kid's lives.

This only feels like a weak attempt at making gullible young people make a mistake (from their perspective) by admitting they've done something illegal (from the accuser's perspective). Especially given there's no legal protection and there's condescension and prejudice when whitehat ways are picked, that should be fixed first. I hope this endeavor fails because it's just nasty.


> this "Please confess for less punishment" lie is their only way in actually messing up kid's lives.

There's no indication that the intervention is predicated on confessing. I think you might be looking at this from the perspective of a legal system where plea bargains are a thing. In most of Europe, promising less punishment for a confession doesn't work, because the prosecutor doesn't have the right to interfere with the judge's decision, and therefore can't credibly promise that the punishment will be less.

E.g. the Dutch article I linked in another comment mentions the following case:

The police expected to roll up a large criminal organization, but eventually ended up in a boys' room somewhere in the Netherlands. “We noticed from cyber crime officers that they often saw things like this, in which the young people did not realize how serious the fact is that they were committing. The officers did not know which intervention would be best for them. After all, the perpetrators have done something very serious, but they are still young and often deviate from the traditional perpetrators,” explains Van Dijk.

Does that sound like petty adults using nasty manipulation to mess up kid's lives?


> There's no indication that the intervention is predicated on confessing.

The article basically says that an admission of guilt is required. Otherwise the person would stay a suspect not a participant of the program.

> the perpetrators have done something very serious

And what is "the perpetrators have done something very serious"? By law piracy is very serious, changing a wallpaper can be very serious (there's a nice US case about that, but that's not incredibly relevant).

> Does that sound like petty adults using nasty manipulation to mess up kid's lives?

It isn't maybe written like that, but it's going to be like that. Especially given the concerns I raised in the original comment, for example the issue of laws criminalizing menial things.


> The article basically says that an admission of guilt is required.

So it does. I'm not sure where they're getting that, maybe from the requirement to apologize to one's victims that's part of https://www.halt.nl/en/halt-programme/ ?

> And what is "the perpetrators have done something very serious"?

In the case they mention, it was infiltrating an ISP's network:

Jansen gives an example of a boy who hacked a large internet service provider. To watch free videos, he tried out how far he could penetrate the system. Due to an update error, he had access to the company's routers. As a result, he was able to lay down eighty percent of all internet and telephone traffic in the Netherlands. He chose not to do anything with this information, but boasted about his findings online.


For what it's worth, I obtained a way to bypass any rate limiting and quota/Fair Use systems, and basically have unlimited Internet speed and no data cap on any SIM card of one carrier. I reported the finding to them, after many escalations they in the end gave me an expensive phone as a gift and fixed the issue. It was in Serbia, so I'm not sure how relevant that is to the EU.


One case is infiltrating an ISP's network, that's really rare. DDoSing your own school or messing with that infrastructure is way more common, that probably is serious enough for administration but in reality absolutely not worth putting someone in front of a judge for or threaten them with a prison sentence (the Dutch article mentions it's not out of question) but now there's a nice excuse to hand it over to the police to deal with. And I must bring up how whitehat behaviour is basically illegal as well, imagine getting a criminal record for that as a kid :/


"In order to qualify for the program, suspects must confess to their actions, not have a remarkable criminal history and be prepared to change their behavior."


wait wait wait, you can't mention a case of changing someone's wallpaper and describe it as very serious and not share details! Is there a criminal case about a changed desktop background?



that's nuts


Some countries have stupidly broad laws about "unauthorized access to a computer system" which could be triggered by something this trivial.


You're tainted by your American experience where judges were paid to put kids in jail. This kind of thing is much less common in Europe.


You make an invalid assumption that I'm American.


paid seems like the wrong word choice, but some other negative would be appropriate.



I think this is a great idea, young people will always push the envelope in terms of risky behaviour. A 'scare' with a structured process that includes mentorship could harness a young hacking talent and be a positive outcome for the youngster and society in general.

Over the long term I wonder if this will give Europe an edge in cybersecurity relative to the US?


> Over the long term I wonder if this will give Europe an edge in cybersecurity relative to the US?

No. The headline is misleading. This isn't "Europe" doing it (as though Europe were uniform, rather than wildly different from Germany to Lithuania to Bulgaria to Russia to Italy to Spain to Belarus). The article is pitching an artificially wide premise, as a form of clickbait. It's not "European authorities," it's police in the UK and Netherlands.

It won't make any consequential difference at a global industrial scale. $1 trillion in venture capital - leading to the creation of the largest cybersecurity tech companies - every 10 years and paying extremely high salaries to attract the best talent, is all that moves the needle on cybersecurity. Everything else is a blip at best.

On what matters, Western Europe - Europe as a whole in fact, the rest of Europe is even further behind - can't or won't compete, save for a few rare exceptions. Only the US and China are on the field. Everybody else is watching from the sidelines.


> Only the US and China are on the field

Is this really the case? Most of what I see in US news is how yet another adolescent or teenage hacker was caught and faced stiff penalties and consequences, far out of balance to what the hacker actually did to make an example of him. If there's a thriving cybersecurity scene in the US, I'd say it's largely due to the private sector and not anything the US government or any of its institutions (on a federal or state or local level) have done to encourage exploration into hacking. Which is unfortunate, because it's increasingly an important topic in the modern environment.


Not sure why you're getting downvoted, I think you have a point. Perhaps it's because folks could be skeptical that $1T will lead to the creation of next gen good cybersecurity tech companies rather than abject cash grabs that ultimately fail.

Regardless, infrastructural tooling for usable organizational and societal level security is still not where it could be, and I don't know what it will take to get it there. Just throwing a wild gut feeling out there, it feels a bit like healthcare to me. There needs to be some kind of standardization and some kind of a standards body (likely governmental) that coordinates security as if it's an existential societal risk if done poorly, in the same way that epidemiology is done with respect to public health. Security hygiene and literacy needs to become a basic part of societal culture for any of this to change; not just that, but catastrophic adverse events that occur as a result of infosec breaches ought to be rectified more thoroughly, and insurance taken out to fully indemnify against them. I don't see any of that happening, so I don't really see the foundation for any change towards a more digitally secure society. I hope I'm wrong.


So you’re looking into investing at a rate equal to the total VC funding in Silicon Valley?


> Over the long term I wonder if this will give Europe an edge in cybersecurity relative to the US?

It won't because the article is misleading wrt to the "European" approach, in that, there is no such agreed EU-wide approach. For example, this bit below:

> Bulgarian police last week released a 20-year-old security specialist accused of hacking the country’s National Revenue Agency, and accessing information about 5 million people, most of Bulgaria’s population

is actually just false. Bulgarian police released the guy on bail and then proceeded to charge him with cyber terrorism (15 years in prison). They also arrested his supervisor, issued a European Arrest Warrant for the owner of the company he works for (who is apparently abroad on unrelated business) and raided the offices of the company, taking all computers and IT equipment and essentially destroying the business. It's currently unclear on what evidence they decided to nuke the company.


The people this has been aimed at are those who pay $10 a month to boot someone's ip offline or to buy some half-assed malware program (most don't manage to even do the payment without getting caught, see link), so it's not exactly Einstein we're saving from prison time here.

https://www.cbronline.com/news/webstresser-arrests-interpol


As far as I'm aware, a lot of former black hats who are not sociopaths end up in the private sector.


It's worth pointing out that the Netherlands already had programs and the legal foundations for more lenient punishments for 12~23 year olds, which I imagine might be why this experiment started in the Netherlands (with, by the looks of it, support from some EU agency).

I hope it succeeds.


One word: Kapotgepolderd.


It seems like it would make sense to list the crimes that would fall under the "second chance" agreement to provide more information.

Like, some dingus 'hacking' into their school to change their sick days is very different than the criminal context of a 16 year old buying stolen credit cards online and using them to sell stuff on Instagram.

The type of kid that would fall into the police's 'naive-idiot' hacker criteria for this program is also probably not someone that would fare well in prison either.


More information on "Hack_Right" in Dutch: https://magazines.openbaarministerie.nl/opportuun/2018/02/ha...

Google Translate seems to do a reasonable job: https://translate.googleusercontent.com/translate_c?depth=2&...


If anyone can remind me of the name of this software used to lock down windows 98 machines I'd appreciate it. It was IBM I think. Blue background for student. Green for teacher. Red for admin.

I learned how to bypass it and discovered winpopup. I messaged every computer in the school district with my account like an idiot 9th grader. I then learned a lot about getting caught, punished, and second chances. I was lucky that the powers that be didn't overblow what I did.


That was called various names, winnuke being one of them. It was nothing but a manually crafted TCP or UDP packet causing winsock to segfault.


The concept here is crucial — respond to adventurous behaviour with clear-headed guidance.

I 'hacked' my school as a teenager and disclosed my findings — I received a 'thank you' and a free pass to skip the helpdesk and talk to the sysadmins whenever I wanted.


I wonder if someday laws will be based on a formal moral foundation instead of making things illegal just because 80% of people don't like those things.

I think hacking is one of those things that are illegal because people don't like them. Ultimately, hacking is just sending messages through a wire. Objectively speaking, it isn't much different from hitting the like button on a Youtube video. Formally speaking, all messages sent over the Internet are numbers, so "anti-hacking laws" are essentially laws that make some arbitrary and undisclosed set of numbers illegal to send.


Shooting people is just pulling a small lever. Objectively speaking, it's not much different from driving a car. Formally speaking, it's the same as making physical labor illegal.

Just because you can do something doesn't mean you should. Just because you can pick the lock on my apartment door, doesn't mean that I shouldn't have an issue with it. Just because lockpicking is technically just sticking a 'key' into a lock, and turning the bolt doesn't mean it's the same bloody thing.

Intent matters. Outcome matters. Somebody lockpicking my door, to save my cat from a fire, or to deal with a burst pipe, or to respond to an emergency call is one thing. Somebody lockpicking my door, to have a look at my stuff, can, and should fuck off straight to prison. Or, at least, a couple of hundred hours of community service.


I never said that anything we can do should be legal. I said that there should be a consistent moral framework upon which all laws should be based. And I think that laws should be defined objectively, not based in intent or outcome, but in facts.

> Shooting people is just pulling a small lever. Objectively speaking, it's not much different from driving a car.

Shooting people is more like throwing stones at them. If you own a gun, you're responsible for knowing that pulling the lever implies shooting projectiles at them.

I think throwing projectiles at someone should be illegal (above some reasonable threshold of momentum. e.g (5 g * 2 m/s)).

Picking someone's lock can be considered handling someone else's property without permission. (Physically) handling someone else's property without permission should also be illegal.

All of these things are physical actions. The state should care about the physical actions of their citizens, but not about ideas, concepts, intent, or arbitrary abstractions. Those abstractions are the citizen's business, and legislating them is arbitrary and unfair.

If I have a mental breakdown every time someone says hello to me, then should we make it illegal to say hello to me? After all, they're causing me severe mental distress and maybe I could lose my job because of these people.

In my opinion, it would be unfair to ban "hello" because one person doesn't like it. It's my problem to have a mental breakdown because of specific messages, not yours or the state's.

Same principle applies to software. If your website has a breakdown every time I send specific IP packets, that's your problem, not mine or the state's.


> If you own a gun, you're responsible for knowing that pulling the lever implies shooting projectiles at them.

If you own a computer with the ability to send packets over TCP/IP, you're responsible for knowing what sending particular kinds of packets implies.

Hacking a server you don't own is handling someone's property without permission. When I host a web service, I grant the public permission for very particular kinds of access to it. I do not grant the public permission to try to break into it.

> All of these things are physical actions. The state should care about the physical actions of their citizens, but not about ideas, concepts, intent, or arbitrary abstractions. Those abstractions are the citizen's business, and legislating them is arbitrary and unfair.

Your understanding of the world is incompatible with centuries of civil, criminal code, as well as millennia of common sense.

Intent absolutely matters. Consider why mens rea is a thing. Consider why fraud is a thing. Consider the difference between accident, ignorance, and malice.

> If I have a mental breakdown every time someone says hello to me,

Are you seriously drawing an equivalence between breaking into a webserver with 'having a mental breakdown every time someone says hello'?

> Same principle applies to software. If your website has a breakdown every time I send specific IP packets, that's your problem, not mine or the state's.

Yes, you are. Good lord.

I take it you also don't take issue with people stealing the contents of vending machines, either? After all, there's no possible way to infer what the implied contract of a vending machine is! Sure, everyone with the intellectual maturity of a five year old understands that you're supposed to put money in, in exchange for its contents... But it's the owner's fault that if I happen to tilt it over a certain way, stuff comes out of it - without me putting any money in! I'm just manipulating it in a creative way!


You both have good arguments, but I would tend to agree with lone_haxx0r, even if his idea is maybe not practical.

He is comparing sending IP messages to freedom of speech. The debate is: are you for full freedom of speech or not?

In many countries with a high level of freedom of speech, you can still be sued for just saying things: wrongly accusing someone, sending death threats, disclosing under NDA, etc.

The logic of lone_haxx0r is noting that physically killing someone is already illegal and punished, so why is sending death threats also illegal?

We all know that it's for peace of mind of people, and also probably based on statistical evidence that some jokes may have turned bad.

Anyway, this pseudo freedom of speech is beneficial for rich people and big corporations as you can just throw more money to defend yourself with more words, and attack anyone who has a valuable piece of knowledge to your organization.

Snowden and Assange are good examples of why we should further liberate freedom of speech. Their intent was to inform people of a danger, but what they did (hacking) is so far considered illegal.

So, yes, we can charge people based on their intents, but in practice (for example if someone isn't able to express their intents, or in case of a government secret agency) it doesn't respect freedom of people.


lone_haxx0r is not making an argument about free speech. He is just demonstrating his utter lack of knowledge about law, philosophy, society, and politics.

Where does this distinction between physical and "digital" actions come from? Breaking into a server is an action, it's not speech. There's a big difference between sending a chat message (x no. of TCP packages) and sending C&C commands (also x no. of TCP packages). Just because you're technically only sending "information", doesn't demolish the action-speech distinction. Heck, there are theories in physics basically stating that our whole physical world is best understood as only a bunch of information. But that doesn't make the action-speech distinction moot.

There are already various theories of the (moral) foundations of law (see philosophy of law, jurisprudence). Talking about an "objective" foundation (whatever that means) that somehow needs to specify the speed of projectiles seems utterly impractical. We can just check whether harm has been done and what the intention of the perpetrator was (mens rea): Don't you think there should be a big legal difference between someone accidentally ramming a car and someone trying to murder the driver by ramming?


> If you own a computer with the ability to send packets over TCP/IP, you're responsible for knowing what sending particular kinds of packets implies.

Yes.

> Hacking a server you don't own is handling someone's property without permission.

I meant handling in the most literal sense: manipulating something with your hands/body. Sending a message to someone/something isn't handling them/it in that sense.

> When I host a web service, I grant the public permission for very particular kinds of access to it. I do not grant the public permission to try to break into it.

Morally speaking, I do not require your permission to do something that doesn't physically involve you or your property. The only relevant physical involvements here are between you and your ISP, and me and my ISP. Anything else is abstraction.

Under your permissions idea, I can go out and say "I grant the public permission to look at my face but not to say hello to me."

> Your understanding of the world is incompatible with centuries of civil, criminal code, as well as millennia of common sense.

Your understanding of the world is incompatible with freedom and justice.

> Intent absolutely matters. Consider why mens rea is a thing.

Something being a thing doesn't justify it morally. Slavery is a thing, you know? Murder is a thing, etc.

> I take it you also don't take issue with people stealing the contents of vending machines, either? After all, there's no possible way to infer what the implied contract of a vending machine is! Sure, everyone with the intellectual maturity of a five year old understands that you're supposed to put money in, in exchange for its contents... But it's the owner's fault that if I happen to tilt it over a certain way, stuff comes out of it - without me putting any money in! I'm just manipulating it in a creative way!

In a world with laws that make sense, it would be necessary to explicitly define the contract, because otherwise everyone would be handling someone else's property without permission. Simply state in the contract that people have to pay $x in order to take out their goods.

If the contract says "use this machine at will and take its contents". Then yes, you can tilt it all you want, who would have thought?


Manipulating something with your hands is a very arbitrary line to cross. What if you have gloves? What if you have prosthetic arms? What if you're remote controlling a robot to physically manipulate something on your behalf? Or is it the bare skin-to-material contact you'd make illegal? What if the person has a skin graft transplant on their hands?

Like the guy above said, intent matters. That is why stuff like attempted murder is illegal. You might not physically touch the victim but if you intend on killing someone, but happen to fail, you are clearly in the wrong imo.


Where does this arbitrary distinction between the physical and nonphysical realm come from? Who says that it would only be immoral to handle sth physically you don't have permission for? On what basis does this moral theory exclude the digital/nonphysical/nondirect way? Is someone remote operating a drone that kills a bunch of civilians not responsible?

> Something being a thing doesn't justify it morally. Slavery is a thing, you know? Murder is a thing, etc.

Instead of taking the contrarian route and coming up with wild theories, how about you first engage with any material from centuries of philosophy of law and jurisprudence? With any existing understandings? Your argument is extremely far out there and just demonstrates an utter lack of knowledge. It's not very respectful to then put the burden of "proof"/argument on all your discussion partners.


> The only relevant physical involvements here are between you and your ISP, and me and my ISP.

Forgive me, I may be wildly misunderstanding here, but are you saying that the hosted web service is fair game to you because you have no direct physical involvement with it? Because there's a middleman (your ISP talking to their ISP)?


Wageslaving is better than prison, I guess.


The program doesn't even guarantee that, the Dutch article has a sentence like "With Hack_Right, other punishments, such as imprisonment, are not excluded." There's a chance Google Translate got the sentence wrong but I doubt it.


In many countries a 12-year-old is not eligible for prison. All minors do silly things. It is expected. If they tell the child that they can put him/her in prison, they are lying, and the parents must talk with a lawyer ASAP.


All for this - and if it’s successful, I wonder if cybercrime will increase in this region as folks with few prospects take a shot at getting a good job via “non traditional” means


If the US wanted to take the cyber battlefield seriously they would recruit all these kids and put their skills to work.


This is just fearshopping. Why pay, when they can scare them, coerce them and make them fix their stuff for free or a candy? Laws are not the same for a minor.


Wasn't there a similar program long-ago in the US where the FBI/DOJ/USDC diverted first-time offenders into working with US-CERT instead of Aaron Swartzing them?


'Hack_Right', really? That's the best they could come up with?


I wonder if the US will ever release Ross Ulbricht...no way it will happen under Trump but possibly at the end of an 8-year term for a Democrat...



