
Three months in jail?
I think 12 months of dial-up would be more suitable.
A US judge this week sentenced website hacker Billy Anderson to three months behind bars, refusing his lawyer's request not to put him in jail, in order to "send a message" to others. Anderson, 42, of Torrance, California, targeted thousands of websites under the hacker name AlfabetoVirtual, and boasted about his efforts on a …
Three months is just long enough to cost someone their job. Twelve months would likely cost them their house and family, and render them effectively unable to find employment. A troublesome hacker goes in, and an angry hacker with a grudge against the government, a new set of criminal connections and nothing left to lose comes out. Sometimes long prison terms can be counterproductive.
If the hacks were just web defacements, exploiting known old* bugs, then a minor slap on the wrist is fine (also IMHO "hacker" should not be charged for "costs" of patching etc - any hack that works due to an old* vulnerability is a sign of bad patch management / security of that web site, those patches should have been applied. A bit like my insurance will not repay me for burglary losses if burglary happens because I went out and left the house unoccupied with the door open.)
A bit of defacement using old* vulns is, in many ways, a helpful wake-up call to the site owner to get their act together. Irritating but no data lost / stolen, just a bit of lost pride.
Someone using zero-day exploits is a different matter, as there is not much that can be done to stop them, and so I would regard that as far more malicious.
*old - more than a couple of weeks - be generous, exclude anything ultra recent, as it is legit to have a bit of a patch deploy lag as you do need to test if patch breaks anything as they sometimes do.
"test if patch breaks anything as they sometimes do."
Sometimes?
Don't forget, the patch usually comes from the same people / company who created the thing that needed patching; I wouldn't have high expectations. Then expect the patch to fix the patch.
The new rolling software model where everything is in a constant state of beta, we do get a helpful feedback button, but no bandage for the injured head after banging it against the desk or financial recompense for lost productivity.
Anderson was ordered to pay a total of $12,804 to cover the costs of getting the two government websites patched and back online.
Er, isn't half the problem that their sysadmins should have been doing that patching anyhow and that's part of the reason they had a problem in the first place!!
Doesn't this send the wrong message to lazy companies that they can still bill for doing a rubbish job in the first place?
Actually two messages... if you're a "hacker"* you get off light. If you're a company, someone else will pay for patching. In reality, the company should be fined for failing to do due diligence. As an example, I doubt a jewelry store could get compensation from the theft of jewelry because the lock on the door was broken.
*I use the term "hacker" here very loosely as the term implies certain skill sets beyond a script kiddie.