The courtcase has been followed closely by the Danish media, especially the tech-savvy version2.dk that has had a reporter in the courtroom every day of the trial. It has caused quite a stir as all sorts of problems with CSC, the prosecutor and police investigation came to light during the hearings. Some highlights:
- CSC, that handles a large part of Danish infrastructure including social security numbers, police backend, etc. has dismal security. They don't even update their software as security patches become available. Warg had access to their mainframe for 9 months without them having a clue about it. The only reason they found out was because the Swedish police called them and told them.
- username/password pairs for CSC's server were readily available on one of their subsites(!)
- Warg turned off the logs on the CSC mainframe, and they didn't notice. It appears that logs were turned off for months. As a result CSC doesn't know whether data has been altered. We're talking about all police systems, social security systems, and more.
- The police have not had their own investigative team at CSC, and haven't looked at the technical evidence. This has been done by CSC, which is an obvious problem.
- The Danish police was contacted by Swedish police three times during 2012 because the evidence from a Swedish case turned up files from CSC, and the Danish police didn't respond as they apparently didn't find the information important. During the courtcase the Danish police's chief IT investigator was caught lying about this.
- The prosecutor and judge were clueless, bordering on the hilarious, about technical issues. For instance the prosecutor refused to acknowledge that other user accounts except Wargs existed on the computer (there were 5 accounts), tried to paint putty as a hacking tool that only criminals would use, tried to establish Jacob Applebaum and Warg as friends because Applebaum retweeted one of Wargs tweets (only friends do that!), etc. etc.
This case is all over the Danish tech media and it is very hard to judge the technical quality of the underlaying police work; though I am pretty sure that it is much better than what the "internet" gives police credit for.
The troubles the lawyers had with the tech is noted even by the lawyers themselves:
"Hacker case plagued by complex technical evidence" - all in Danish.
What is clear is that Warg's computer was used and contained the stolen records. And JT succesfully denied police access to his encrypted computer. The police were unable to prove his involvement beyond aiding.
Applebaum was an expert witness called in to testify on how a computer could be remote controlled, and the prosecutor tried to have him dismissed based on the retweet. He ended up testifying, so I guess the attempt wasn't successful.
I don't think that's a technically ignorant argument for a prosecutor to make. There's certainly a factual inference that could (but does not necessarily have to be drawn) between retweeting and being friends. Especially in the context of getting someone disqualified based on conflict of interest.
There are many people I retweet whom I have no connection to whatsoever. I like what they wrote and I think it's relevant to or interesting for my followers.
Generally, information that has absolutely no merit in a court case isn't allowed in the courtroom because (I presume) it can subconsciously alter a person's judgement of the proceedings.
Assuming a retweet is the full extent of their "friendship", this is the real-world equivalent of dismissing an expert witness because the defendant quoted them in a paper once.
Something like a tweet is context dependent. Some people tweet mostly to their friends and a lot of retweets are in fact indicative of a personal relationship. It will often be easy to estimate for a twitter user, but very hard to make objective enough to work as evidence in court.
Do they have just 12 or 12000 followers? Are they tweeting personal tidbits or politics & jokes? etc. These things can add up to an very informed guess.
In the U.S. The admissibility of evidence is based on relevance.[1] The modern formulation asks: does consideration of a piece of evidence increase or decrease the probability of some material fact being true?
A retweet is certainly relevant. The evidence makes it more likely that two people are friends than the baseline where there is no retweet.
Isn't that litany of vandalism enough to convict? He's meddled with public safety systems. No less serious than destroying traffic signs or cutting the phone lines to the fire department. Lack of security isn't any kind of defense e.g. just because phone lines are not hardened against tampering doesn't mean its OK to cut them.
Random guesses from a Dane about tomorrow where the length of the sentence is to be determined. You can come back in 24 hours and vote based on the real outcome of a couple of these points, hehe:
- Anakata will get a sentence somewhere in the upper middle. My guess is 4-5 years of which he has already served some.
- JT will get a somewhat mild sentence of nothing higher than 1 year. The case against him is pretty weak, compared to Anakata.
- The case will almost instantly be appealed by Anakata.
- JT may not want to appeal if the sentence is somewhere in the middle of the 2 years window. The reason is the extra jail time he has served will be compensated by the state and the state might be seeking a sentence in the middle to "encourage" him not to appeal. Appealing might increase the sentence and you would be paid less.
The case might go all the way to højestreret, which is the highest court in Denmark. There is also a chance the case could end up in ECHR (European Court of Human Rights), though I feel that chance is slighter. It would depend on the sentence of JT. If it ends up being a conditional sentence, then the jail time he has served is definitely going to have been unfair. As for Anakata, it is a bit more bleak I feel, since the argument of flight from the country applies, like it did in Sweden.
What is really likely to push this to ECHR however, is the inhumane isolation jail treatment and harsh conditions they've both received. It is not at all clear in any way to me why they satisfied the criterion for that at all.
In case anyone's interested: You've got it mostly right. Warg was sentenced to 3.5 years. The sentence was appealed on the spot, but they're not going to release him as they think it's likely he's going to flee the country.
JT was sentenced to 6 months, so he's entitled to compensation.
Although the details of this story are interesting and compelling, my initial read of this story left me thinking, "Six years is lengthy, eh? I don't think that's considered 'lengthy' in the USA."
I would not wish a prison sentence on my (personal) worst enemies. Locking someone up for years should be an absolute last resort. I can't really imagine a worse thing than essentially becoming a slave to some prison for years. No freedom.
This is the main issue I have with "jail the bankers!" narratives: Just take away their money, putting them in jail doesn't accomplish anything.
This seems to be a big issue with American mentality in particular though. Such a big thirst for vengeance.
If there was no jail time, then everyone would try to do that (What could be the worst scenario - just losing all your stolen money). That wouldn't work.
The worst case scenario, at least in many european countries, would actually be that you loose all your stolen money and that your future income above a state-defined 'existence minimum' is automatically seized.
Prison, on the other hand, means that society spends a lot of money to make your live worse without any obvious advantage, at least for non-violent crimes.
> The worst case scenario, at least in many european countries, would actually be that you loose all your stolen money and that your future income above a state-defined 'existence minimum' is automatically seized
Do you have studies to back up the fact that you just questioned what he said?
Seriously, this "do you have studies" BS is getting out of hand. He made an argument (which btw includes more context than what you quoted), and stated his opinion of what would happen in a hypothetical situation. And it's also obvious to everyone who has ever casually conversed that "everyone" in this context means "many people", not literally everyone.
You can disagree and say "That's not what's going to happen because ...", or even "Study such and such shows that this not necessarily happens...".
Asking for studies to back up his thinking is BS. This is not some peer reviewed journal, nor is he writing a thesis. This is a simple conversation. And even if he gave 4-5 studies there would be absolutely no guarantees that those studies aren't crap, aren't invalidated by subsequent studies, aren't only describing what works in some specific cultural context, etc.
This is sociology and human behavior, not physics or math to have some be all end all studies answering specific questions.
What's the longest anyone's actually served in custody for breaking into computers in the US, and what's the median sentence actually served? I don't have the data at my fingertips but if I had to bet, I'd bet that it's much less than 6 years.
Google: [popehat whale sushi]. One reason you're terrified is that our system (idiotically) goes out of its way to deceptively terrify people. It is in practice not as bad as it (idiotically) tries to make itself seem.
Six years is a long time for what this offense appears to be, though.
('at-fates-hands has more or less refuted this comment, though the whale sushi post is still very much worth reading.)
Up until this week it was Albert Gonzalez for got 20 years for his role in the TJX retail break in. Remember, these are federal sentencing guidelines so no time off for good behavior. You get sentenced to 20 years, you do 20 years, period.
>>> Six years is a long time for what this offense appears to be, though.
This guy is also a repeat offender. In the US, I'm pretty sure with prior offenses with computers, they'd go for a 20-30 year sentence.
The parent may have confused good behavior with parole. The federal system does not have parole, so you can expect to serve at least 90% or so of your sentence, even with good behavior.
I find it hard to believe that a guy as smart as Gottfrid would "hack" a government computer in 2012 when he's obviously extremely aware of the magnifying glass that's on him from governments and companies all over the world.
> the pair downloaded police and social security files.
What exactly are those? and what would he even want them for?
> In a separate trial in 2013, Mr Warg and accomplice were found guilty of breaking into the computer systems of computer services firm Logica, which was doing work for Sweden's tax office and a bank.
Again, why would he hack into a bank knowing so many eyes are on him?
That's a reasonable concern to have, but it's worth being aware that it's the exact same concern people had about Hans Reiser. Intelligence and judgement are orthogonal, and sometimes even in slight opposition.
If you want to consider a different perspective: I'm an example of someone who does not have a hard time understand how someone who has enjoyed the rush of getting over on the entire media industry from behind a computer screen might find it harmless or at least personally safe to hack into some dumb server on the Internet and read documents off it.
I've been a pentester for the last 10 years and in my experience, taking advantage of the knowledge of how to break into an application is an urge that takes some energy to suppress.
The local police force here has a test to see if you 'have what it takes' to be a part of their cyber security squad or whatever they call it. On a lark I took part in it (the test was pretty simple, at least, that's what I thought). After taking the test (and knowing full well I had no intention to follow through on applying for a job with them, I just can't look at puzzles without getting this itch to solve them) I realized I may have just given out some information that I had better keep to myself, which is to advertise a capability.
Having a capability and advertising it is already stupid in my book, and more the fool I am I slipped up there. But having such a capability, subsequently approaching machines that you have no permission for, repeatedly attempting to gain access, succeeding at that and then to actually retrieve data that you have no right to when you're already in a position of extreme suspicion with the authorities to me borders on the insane. I really can't understand even for one second why someone as gifted as this would act in this way, it is something I've been wondering about with a lot of these so called hackers. What drives them to do this, obviously the downsides of successfully showing off their skill end up in a head-on collision with forces they can't possibly hope to defeat.
It's all fun and games until the SWAT team arrives.
Have there been any studies on the psychology of people that are pathologically drawn to breaking in to other people's computer systems?
Easy: breaking into computers is very, very fun, and when something feels like a game, it's easy to treat it that way.
If you have a hard time believing anyone would do something like this, look at the 1990s: we got a book practically every year about one hacking group or another breaking into phone switches, credit reporting agencies, government and military networks, and financial institutions. If you can do it, and you're unlikely to get caught --- and you are very unlikely to ever get caught --- why not? Plenty of smart people did stuff like this. Plenty of them.
The most interesting stories from that era did not get written up. Kevin Mitnick didn't write the TCP sequencer. Kevin Mitnick couldn't sequence an ordered array of integers if it was #defined for him in advance.
I know, I know a couple of them. I just don't understand them. Why cross that line? Why risk jail, your career, a whole pile of hardship? The real life consequences is what I'm wondering about, it's as if there is some kind of disconnect there between action and subsequent consequences.
If it is only because it is 'unlikely that you're ever going to get caught' then that's a gamblers argument. (I don't understand gamblers either, so that might be an explanation right there.)
To some extent I think it’s ”wired in”. Individuals vary a lot when it comes to risk awareness and risk tolerance. Take drugs for example. Some people will order new synthetic drugs from shady webshops without without batting an eye. Others will never touch anything else than alcohol.
> Why cross that line? Why risk jail, your career, a whole pile of hardship?
I think part of it is age, maybe. Or rather life-experience, if you will.
I remember back in my early 20s what always stopped me was basic paranoia about getting caught. But that's just how I'm wired personally (and I was probably slightly irrational about the odds). I love breaking, bending and toying with the rules, but too chicken to pull through if it involved anything more serious than a silly prank on friends.
Nowadays (mid-30s), the first thing that stops me is a much more solid sense of what's right and wrong. I prefer it that way, because unlike fear of getting caught, it's a much more solid foundation to depend on.
I live in Phnom Penh and I know some people who were acquainted with Gottfried. Without gossiping too much about him, some stories I've heard definitely characterize his behavior as "bordering on the insane".
I am not judging him at all. He sounds like someone I would like a lot. I have had addiction problems in the past, and so some of my past behavior could have rightly been called insane too.
Could not agree more. There's always that voice in the back of your head wondering why you got a funky error message when your input contained an apostrophe; it doesn't take a lot to tip over the edge into something risky, even if you're conscious of the attention on you.
Yep. You train a lot of app pentesters and you get used to warning them: do not try this at home. You know you can just edit a URL in your browser by just a couple characters and poof be an admin. It should would be interesting to find out what it's like to be an admin on this site... oh, wait, if I do that I might end up talking to a prosecutor.
That's obviously not a normative description. I don't think it's good that the world works like that, although I probably blame different people than most of HN.
Anyways, point being: the assumption that a very smart person wouldn't dream of breaking into a government server: does not at all square with my experience. Doesn't make the assumption wrong; it's just a data point.
>> the pair downloaded police and social security files.> What exactly are those? and what would he even want them for?
The mainframe logs show that a dataset containing a copy of the Schengen SIS was downloaded from the hacked mainframe. I don't know if the file was even found on mr Svartholm's computer. The prosecutors just concluded that they couldn't tell what happened with the datat that had been copied out from the system and therefore mr Svartholm probably did something evil with it.
So what's in Schengen SIS? It's a list of personal details for more than 1 million(!!) people that are either wanted by participating states, under surveillance or people that just lost their passports or other identity documents. You can read more here:
https://en.wikipedia.org/wiki/Schengen_Information_System#Da...
The government of course would like to claim that the data managed in Schengen SIS is extremly sensitive. Meanwhile they ship this data over the internet with plaintext FTP to various entities participating in Schengen SIS on a monthly basis (updates etc).
>> In a separate trial in 2013, Mr Warg and accomplice were found guilty of breaking into the computer systems of computer services firm Logica, which was doing work for Sweden's tax office and a bank.> Again, why would he hack into a bank knowing so many eyes are on him?
He was completely acquitted of the charges involving Nordea Bank in the Court of Appeals (Hovratten).
Prior to the trial against The Pirate Bay, when the police raided the ISP he was running with some partners, he was online and complained about it on a Swedish forum for web masters. Basically bragging about how they would never find any dirt on him, how the prosecutor was stupid, police were stupid and that "torrent linking site" just happened to be colocated on his servers.
I could link to it, but it's in Swedish and pseudonyms were used so you probably wouldn't get so much out of it.
My point is that complaining about your equipment being seized on an internet forum is not a smart thing to do.
Actually, it's not hard to believe as Gottfrid is Anakata aka early '90s swedish scene / old school #hackse@efnet. This background along with his anti-government/privacy/free speech philosophies ultimately lead to founding of the swedish bulletproof ISP - PeRiQuito AB - ie. The Pirate Bay, Sunshine Press (WikiLeaks) and the North American Man/Boy Love Association.
Wow.. so in Sweden he first got 2 years, reduced to one. Imagine that being in the united states. What, 25 to life? Just saying, it's interesting how this concept of "justice" is treated so subjectively depending on where on this planet you are located. Nothing new under the sun, but still.
North Korea have a network of internment camps where regime opponents are imprisoned - nobody really knows what the imprisonment rate is, but estimates[0] are 250,000-300,000 people.
On a per capita rate, they would be about even with the United States (around 700 per 100k[1]) at the top end of estimates - which is worrying considering North Korea also practice a policy of "three generations of punishment" where entire families are collectively punished and you have children being born in camps.
The land of the free and the most totalitarian state in the world with a horrible history of human rights abuses - it really shouldn't even be a contest as to who is worse, but unfortunately it is.
[1] Doesn't include territories, juveniles, military prison or immigration detention. Including those on parole or probation it increases to 3.2% of the population.
Though I don't see anything definite on prison rates. Hard to get precise info out of N Korea. This absolute dismal circumstances the prisoners suffer is clear though.
You don't think that does it justice? I don't know the details of the case, but imagine being locked up for two years yourself, regardless of the crime. I'm 21 and I know I would feel like it's forever. I'd do anything to better my life after that. At least that's what I tell myself now, never having been imprisoned.
Now the person being tried here is not 21 anymore and he is actually guilty of something and should be punished... but 25 years, really?
To put this in context, for a violent crime you would probably not get more than 2 years in Sweden either as a first time offender, which makes his sentence extremely harsh actually.
This is the part where I make a long statement urging apolitical youth to give a shit. Facts first.
CSC is a core part of the military industrial complex. They make mass surveillance databases and military systems and are active globally.
Gottfrid pissed off the both the MPAA and the US military/government. Look what they did to kimdotcom in total violation of law ... the NZ PM had to apologise personally. Gottfrid was illegally extradited from Cambodia. We're yet to see any evidence to the contrary, despite claims his visa was up apparently it wasn't, and this sort of put-on-plane-back-home treatment is not normal.. also, a fat Swedish aid package to Cambodia went through just after his extradition.
Gottfrid's mother is an academic and has documented the strange behaviour of her own (Swedish) government around his arrest and treatment.
Denmark is a place where it's almost impossible to use cash, where the ex-king kept a harem (it's now a bakery/hotel: I stayed in it), and where the authorities don't need a warrant to track your phone's location over the last year.
The accusation is that, sitting in Cambodia, Gottfrid broke in to some computers for no apparent reason causing zero harm. The reality is that he was mistreated against any notion of personal rights, dragged halfway around the world and locked up in solitary confinement which is generally considered torture under UN definitions. He has been passed from state to state being mistreated. There is still no proof he did anything wrong or harmed anyone. However, there seems to be evidence he helped Assange decrypt the embarassing US military video 'collateral damage'.
The only thing I conclude from this ruling is that the west in general is only a downward spiral in to totalitarianism, and that there is now an inter-state, overt attempt to suppress resistance (Assange, Dotcom, Anakata, etc.) with extreme media coverage to try to influence the rest of us.
Where are we to go? How are we to resist? There is the west and its fall-in-line economic treadmill, or the hinterlands and their available extra-judicial means of extradition (ala Anakata) or oppression. Assange's warning about a transnational dystopia seems ever-more pertinent. You know what I think after having met him? Anakata was trying to understand what's going on in Europe and the world at large, and his heart was in the right place. It fits with his character. After all, his mother is an academic, he was raised to ask questions.
Those who question are unjustly treated... the system is the problem. We can use the internet to create change. Don't let cryptocurrency abort as a foetus: it's being regulator-challenged to death. Don't let nominal democracy convince you to be placid. Ask your own questions, force some coverage for your discoveries, and change the world. Do it for Gottfrid.
> Defence lawyers said although the hack attacks were carried out using a computer owned by Mr Warg, he was not the person that used it to steal the files. Instead, they said, an unnamed hacker took over this machine and used it to carry out the attacks.
Given the circumstances, this claim seems obviously true. People who break into computers usually use broken-into computers as proxies.
Are you familiar with the evidence the court considered? Is it instead the case that you'd have a hard time convicting anyone of hacking-related crimes under any circumstances because of the possibility that someone else might have been pulling the strings?
Often when cases like this are reported, the evidentiary details don't make it into the story. It's easy to understand why someone would have a problem with a conviction when all the information they have is the BBC's 10,000ft summary.
What's worse is, that 10,000ft summary can bias you by framing the whole story in your mind. You're skeptical right off the bat. That's probably always healthy! But it's good to know how your mind is being primed to digest new information, too.
Obviously, sometimes you get the details and the case doesn't get less murky. The Aurenheimer case is an example; I don't have a clue what to think about it, and would like to think that whatever my prejudices are, I'd have been a not-guilty vote in a jury based on that doubt.
I've taken a look at the evidence, but the primary sources are in a foreign language so there's certainly a possibility I've missed something major.
There are kinds of evidence that I would find convincing. Testimony from police that he had certain things open on the screen at the moment of arrest (as in the Silk Road case). Or hidden-camera video of him at a terminal, doing something bad. Or an audio recording of a voice call in which he tries to do social engineering.
I haven't found anything like that. If someone posts a link, I'll certainly change my mind. But for know, all the evidence I know of is of a sort that one person could've forged.
> Is it instead the case that you'd have a hard time convicting anyone of hacking-related crimes under any circumstances because of the possibility that someone else might have been pulling the strings?
That is kind of a serious problem. It's like the "open WiFi" defense. It's completely plausible that someone else actually used your WiFi or compromised your computer, but at the same time some people have this visceral reaction to allowing it as a defense because it's so hard to disprove and can be used by anyone.
This comment should somehow be auto-posted into every HN thread about popular news accounts of criminal computer use. Maybe added to the HN guidelines. Or both.
> People who break into computers usually use broken-into computers as proxies.
That's possibly [1] true, but aren't those broken-into computers almost always the computers of ordinary users? How often do the people breaking into computers use broken-into computers belonging to a computer security expert who knows how to protect their systems from such break-ins?
How often do the people breaking into computers use broken-into computers belonging to a computer security expert who knows how to protect their systems from such break-ins?
I know it's counterintuitive, but all the time. Until only a few years ago, it was almost as if every security expert was being publicly owned constantly. Hackers hack each other.
The dirty secret that explains why they would hack those who can protect their systems: nobody knows how to protect their systems. The best firewall is not pissing off hackers.
In the 20+ year history of computer crime prosecution, outside of this disputed case, what is the next most likely case where a hacker effectively framed another hacker who was then successfully prosecuted for the offense?
- CSC, that handles a large part of Danish infrastructure including social security numbers, police backend, etc. has dismal security. They don't even update their software as security patches become available. Warg had access to their mainframe for 9 months without them having a clue about it. The only reason they found out was because the Swedish police called them and told them.
- username/password pairs for CSC's server were readily available on one of their subsites(!)
- Warg turned off the logs on the CSC mainframe, and they didn't notice. It appears that logs were turned off for months. As a result CSC doesn't know whether data has been altered. We're talking about all police systems, social security systems, and more.
- The police have not had their own investigative team at CSC, and haven't looked at the technical evidence. This has been done by CSC, which is an obvious problem.
- The Danish police was contacted by Swedish police three times during 2012 because the evidence from a Swedish case turned up files from CSC, and the Danish police didn't respond as they apparently didn't find the information important. During the courtcase the Danish police's chief IT investigator was caught lying about this.
- The prosecutor and judge were clueless, bordering on the hilarious, about technical issues. For instance the prosecutor refused to acknowledge that other user accounts except Wargs existed on the computer (there were 5 accounts), tried to paint putty as a hacking tool that only criminals would use, tried to establish Jacob Applebaum and Warg as friends because Applebaum retweeted one of Wargs tweets (only friends do that!), etc. etc.
These are just the highlights...