Extra jail time for criminals using proxies

manadren · Post by **manadren** » Thu Mar 19, 2009 9:32 pm

Sentencing commission ponders extra jail time for proxy users
http://arstechnica.com/tech-policy/news/20...proxy-users.ars

The US sentencing commission considers whether computer criminals who use proxy servers and anonymizing tools deserve stiffer sentences.
By Julian Sanchez | Last updated March 19, 2009 1:41 PM CT

I'm betting Michael DuBose, chief of the Justice Department's Computer Crime & Intellectual Propety Section, is a Steven Seagal fan. At a hearing held Tuesday by the US Sentencing Commission, Dubose warned that "cyber-criminals are increasingly using sophisticated technological tools like 'proxies' to evade detection and prosecution." Naturally, I immediately thought of Under Siege 2: Dark Territory, in which the flabbifying action hero must track down nefarious hacker Travis Dane (playwright Eric Bogosian slumming for a paycheck), who has seized control of a government satellite weapon. Just when the grim-faced folks in the government command center think they've got a lock on the hijacked bird—bang!—the screens are filled with 50 "ghost" satellites Dane has created to throw them off the trail. Proxies!

In reality, of course, proxy servers and anonymous routing are not l33t haxx0r tools, but rather a feature of modern Internet use so commonplace and banal that Web surfers in corporate or university environments routinely make use of proxied connections without even knowing it. But the Justice Department is urging the Sentencing Commission to recognize proxies as "sophisticated means" automatically meriting stiffer penalties when used in the course of a computer crime.

Pursuant to the Identity Theft Enforcement and Restitution Act of 2008 (which wound up passing in September as a component of the Former Vice President Protection Act—ah, Washington!), the Commission's recommended penalties are supposed to take into account "the level of sophistication and planning" involved in a computer crime. Someone who makes use of "special skills" or "sophisticated means" to break the law gets their offense bumped by two "levels" of severity (out of a total of 43) when it comes time for sentencing. Though a complex table determines exactly what that means in a specific case, in general an increase of two levels seems to be worth an additional four to six months in prison.

The current guidelines offer some examples of what count as "sophisticated means": attempting to confound law enforcement by setting up shell corporations, establishing offices in multiple jurisdictions, or spreading ill-gotten gains among offshore accounts. A proposed amendment to the commission's guidelines would lump in proxy servers and anonymizers with such tactics:

In a scheme involving computers, using any technology or software to conceal the identity or geographic location of the perpetrator ordinarily indicates sophisticated means.

DuBose, who repeatedly sought to equate proxies with botnets, arguing that they are "often created by infecting victim computers with malicious software that permits the cyber-criminal to use the victim computer as a proxy without the owner’s knowledge or consent." The broad language proposed—which, of course, would cover all proxies, not just clearly illicit tools like botnets—was necessary to give guidance to computer-illiterate prosecutors and judges, DuBose averred, and would "prevent any confusion by reflecting the Commission’s unambiguous intent to include such sophisticated techniques within the scope of the [sentencing] enhancement."

Several other witnesses, however, cast doubt on DuBose's characterization of anonymizing technologies. Seth Schoen, staff technologist for the Electronic Frontier Foundation, said that these tools "do not necessarily require technical sophistication or indicate unusual expertise; they do not necessarily contribute to avoiding detecting; and they do not necessarily indicate premeditation or a commitment to a course of criminal conduct." He noted that he himself had authored a manual explaining how any ordinary computer user could make use of proxies to avoid Web filtering or censorship. He also urged the commission against conflating the sophistication of a tool itself—citing the anonymous and encrypted Tor routing system as an example—with the sophistication required to use it.

Attorney Jennifer Coffin, speaking on behalf of federal public defenders, concurred that a tool's sophistication "does not mean that an individual using it has himself done anything intricate or complex," noting that "most web browsers allow a person to route Internet activity through a proxy with just a few clicks of a mouse." Precisely because the technology is in such wide use, and for a variety of legitimate purposes, Coffin urged that a blanket sentencing rule made little sense, and that judges should determine on a case-by-case basis whether a criminal had used sufficiently unusual and elaborate means to merit a harsher penalty.

More generally, she argued, the deterrent effect of more severe penalties is typically dwarfed by that of the criminal's estimate of the probability of capture and conviction—and computer criminals tend to have relatively low recidivism rates once they are captured. Increasing punishment for criminals who use proxies, therefore, would be unlikely to either discourage their use or appreciably lower crime rates by keeping convicts off the street longer.

Symantec executive Vincent Weafer, who also testified, did not explicitly take a position on the proposed amendment. He did, however, advocate "a behavioral approach that focuses on punishing bad behavior vs. regulating the technology."

That's probably sound advice, but if the Commission does decide to define all anonymizing tools as scary "sophisticated means" by default, I modestly propose that they follow their cinematic inspiration all the way, and sentence convicted hackers to be dropped from helicopters by ponytailed martial artists. If we don't stop them now, after all, the only result can be Global Thermonuclear War.

Archived topic from Anythingforums, old topic ID:3900, old post ID:68530

manadren · Post by **manadren** » Thu Mar 19, 2009 9:38 pm

Figured I'd post something today.

I hope this doesn't go through. Mind you criminals need to be punished, but this guy obviously doesn't know his stuff, proxy usage is far from uncommon, and using one is far from sophisticated hacking skill. Mind you if you proxies are compromised computers, switch every 3 seconds, and bounce your data around the world 3 times before it hits the target, maybe, but this broad language is just plain ignorant.

Archived topic from Anythingforums, old topic ID:3900, old post ID:68531

Post by **Red Squirrel** » Fri Mar 20, 2009 7:03 pm

lol wow this is why law makers should not be allowed to make laws on computers, because they know nothing.

Proxies can be used for good, such as web filtering proxies, etc.

Now, "zombie" computers should be penalized. In fact, the owner of the "Zombie" computers should be the ones held responsible. Rather then figure out how to trace the hacker, just trace to the PC that an attack comes from, prove it's that PC, procecute the owner of the building that the PC is in.

People seriously have to learn to secure their crap, and this could help. It's 2009. Securing a computer is not rocket science, and is equivalent to locking your door.

Less zombie computers = much harder for hackers to hide themselves and perform large scale attacks such as DDoSes.

Archived topic from Anythingforums, old topic ID:3900, old post ID:68535