
Teenage hackers are offered a second chance under European experiment - ga-vu
https://www.cyberscoop.com/teenage-hackers-police-britain-netherlands/
======
Avamander
I know kids will be just guilt-tripped admitting menial stuff like "you looked
at how your teacher peck-typed her password and changing her wallpaper", "you
found out that the school Administrator account has the password `admin`" or
"you downloaded a movie", I've seen such nasty manipulation happen. A lot of
adults are really petty when their incompetence is revealed, due to that they
probably have no proof and this "Please confess for less punishment" lie is
their only way in actually messing up kid's lives.

This only feels like a weak attempt at making gullible young people make a
mistake (from their perspective) by admitting they've done something illegal
(from the accuser's perspective). Especially given there's no legal protection
and there's condescension and prejudiced when whitehat ways are picked, that
should be fixed first. I hope this endeavor fails because it's just nasty.

~~~
yorwba
> this "Please confess for less punishment" lie is their only way in actually
> messing up kid's lives.

There's no indication that the intervention is predicated on confessing. I
think you might be looking at this from the perspective of a legal system
where plea bargains are a thing. In most of Europe, promising less punishment
for a confession doesn't work, because the prosecutor doesn't have the right
to interfere with the judge's decision, and therefore can't credibly promise
that the punishment will be less.

E.g. the Dutch article I linked in another comment mentions the following
case:

 _The police expected to roll up a large criminal organization, but eventually
ended up in a boys ' room somewhere in the Netherlands. “We noticed from cyber
crime officers that they often saw things like this, in which the young people
did not realize how serious the fact is that they were committing. The
officers did not know which intervention would be best for them. After all,
the perpetrators have done something very serious, but they are still young
and often deviate from the traditional perpetrators, "explains Van Dijk._

Dows that sound like petty adults using nasty manipulation to mess up kid's
lives?

~~~
Avamander
> There's no indication that the intervention is predicated on confessing.

The article basically says that an admission of guilt is required. Otherwise
the person would stay a suspect not a participant of the program.

> the perpetrators have done something very serious

And what is "the perpetrators have done something very serious"? By law piracy
is very serious, changing a wallpaper can be very serious (there's a nice US
case about that, but that's not incredibly relevant).

> Dows that sound like petty adults using nasty manipulation to mess up kid's
> lives?

It isn't maybe written like that, but it's going to be like that. Especially
given the concerns I raised in the original comment, for example the issue of
laws criminalizing menial things.

~~~
yorwba
> The article basically says that an admission of guilt is required.

So it does. I'm not sure where they're getting that, maybe from the
requirement to apologize to one's victims that's part of
[https://www.halt.nl/en/halt-programme/](https://www.halt.nl/en/halt-
programme/) ?

> And what is "the perpetrators have done something very serious"?

In the case they mention, it was infiltrating an ISP's network:

 _Jansen gives an example of a boy who hacked a large internet service
provider. To watch free videos, he tried out how far he could penetrate the
system. Due to an update error, he had access to the company 's routers. As a
result, he was able to lay down eighty percent of all internet and telephone
traffic in the Netherlands. He chose not to do anything with this information,
but boasted about his findings online._

~~~
milankragujevic
For what it's worth, I obtained a way to bypass any rate limiting and
quota/Fair Use systems, and basically have unlimited Internet speed and no
data cap on any SIM card of one carrier. I reported the finding to them, after
many escalations they in the end gave me an expensive phone as a gift and
fixed the issue. It was in Serbia, so I'm not sure how relevant that is to the
EU.

------
icu
I think this is a great idea, young people will always push the envelope in
terms of risky behaviour. A 'scare' with a structured process that includes
mentorship could harnesses a young hacking talent and be positive outcome for
the youngster and society in general.

Over the long term I wonder if this will give Europe an edge in cybersecurity
relative to the US?

~~~
adventured
> Over the long term I wonder if this will give Europe an edge in
> cybersecurity relative to the US?

No. The headline is misleading. This isn't "Europe" doing it (as though Europe
were uniform, rather than wildly different from Germany to Lithuania to
Bulgaria to Russia to Italy to Spain to Belarus). The article is pitching an
artificially wide premise, as a form of clickbait. It's not "European
authorities," it's police in the UK and Netherlands.

It won't make any consequential difference at a global industrial scale. $1
trillion in venture capital - leading to the creation of the largest
cybersecurity tech companies - every 10 years and paying extremely high
salaries to attract the best talent, is all that moves the needle on
cybersecurity. Everything else is a blip at best.

On what matters, Western Europe - Europe as a whole in fact, the rest of
Europe is even further behind - can't or won't compete, save for a few rare
exceptions. Only the US and China are on the field. Everybody else is watching
from the sidelines.

~~~
jplayer01
> Only the US and China are on the field

Is this really the case? Most of what I see in US news is how yet another
adolescent or teenage hacker was caught and faced stiff penalties and
consequences, far out of balance to what the hacker actually did to make an
example of him. If there's a thriving cybersecurity scene in the US, I'd say
it's largely due to the private sector and not anything the US government or
any of its institutions (on a federal or state or local level) have done to
encourage exploration into hacking. Which is unfortunate, because it's
increasingly an important topic in the modern environment.

------
contravariant
It's worth pointing out that the Netherlands already had programs and the
legal foundations for more lenient punishments for 12~23 year olds, which I
imagine might be why this experiment started in the Netherlands (with, by the
looks of it, support from some EU agency).

I hope it succeeds.

~~~
coretx
One word: Kapotgepolderd.

------
siruncledrew
It seems like it would make sense to list the crimes that would fall under the
"second chance" agreement to provide more information.

Like, some dingus 'hacking' into their school to change their sick days is
very different than the criminal context of a 16 year old buying stolen credit
cards online and using them to sell stuff on Instagram.

The type of kid that would fall into the police's 'naive-idiot' hacker
criteria for this program is also probably not someone that would fare well in
prison either.

------
yorwba
More information on "Hack_Right" in Dutch:
[https://magazines.openbaarministerie.nl/opportuun/2018/02/ha...](https://magazines.openbaarministerie.nl/opportuun/2018/02/hackright)

Google Translate seems to do a reasonable job:
[https://translate.googleusercontent.com/translate_c?depth=2&...](https://translate.googleusercontent.com/translate_c?depth=2&rurl=translate.google.com&sl=auto&sp=nmt4&tl=en&u=https://magazines.openbaarministerie.nl/opportuun/2018/02/hackright&xid=17259,15700021,15700186,15700191,15700256,15700259,15700262,15700265&usg=ALkJrhiqHh7nlScakVIZpw53RP3tNoCAvA)

------
Waterluvian
If anyone can remind me of the name of this software used to lock down windows
98 machines I'd appreciate it. It was IBM I think. Blue background for
student. Green for teacher. Red for admin.

I learned how to bypass it and discovered winpopup. I messaged every computer
in the school district with my account like an idiot 9th grader. I then
learned a lot about getting caught, punished, and second chances. I was lucky
that the powers that be didn't overblow what I did.

~~~
coretx
That was called various names, winnuke being one of them. It was nothing but a
manually crafted TCP or UDP packet causing winsock to segfault.

------
thomasfedb
The concept here is crucial — respond to adventurous behaviour with clear-
headed guidance.

I 'hacked' my school as a teenager and disclosed my findings — I received a
'thank you' and a free pass to skip the helpdesk and talk to the sysadmins
whenever I wanted.

------
lone_haxx0r
I wonder if someday laws will be based on a formal moral foundation instead of
making things illegal just because 80% of people don't like those things.

I think hacking is one of those things that are illegal because people don't
like them. Ultimately, hacking is just sending messages through a wire.
Objectively speaking, it isn't much different from hitting the like button on
a Youtube video. Formally speaking, all messages sent over the Internet are
numbers, so "anti-hacking laws" are essentially laws that make some arbitrary
and undisclosed set of numbers illegal to send.

~~~
vkou
Shooting people is just pulling a small lever. Objectively speaking, it's not
much different from driving a car. Formally speaking, it's the same as making
physical labor illegal.

Just because you can do something doesn't mean you should. Just because you
can pick the lock on my apartment door, doesn't mean that I shouldn't have an
issue with it. Just because lockpicking is technically just sticking a 'key'
into a lock, and turning the bolt doesn't mean it's the same bloody thing.

Intent matters. Outcome matters. Somebody lockpicking my door, to save my cat
from a fire, or to deal with a burst pipe, or to respond to an emergency call
is one thing. Somebody lockpicking my door, to have a look at my stuff, can,
and should fuck off straight to prison. Or, at least, a couple of hundred
hours of community service.

~~~
lone_haxx0r
I never said that anything we can do should be legal. I said that there should
be a consistent moral framework upon which all laws should be based. And I
think that laws should be defined objectively, not based in intent or outcome,
but in facts.

> Shooting people is just pulling a small lever. Objectively speaking, it's
> not much different from driving a car.

Shooting people is more like throwing stones at them. If you own a gun, you're
responsible for knowing that pulling the lever implies shooting projectiles at
them.

I think throwing projectiles at someone should be illegal (above some
reasonable threshold of momentum. e.g (5 g * 2 m/s)).

Picking someone's lock can be considered handling someone else's property
without permission. (Physically) handling someone else's property without
permission should also be illegal.

All of these things are physical actions. The state should care about the
physical actions of their citizens, but not about ideas, concepts, intent, or
arbitrary abstractions. Those abstractions are the citizen's business, and
legislating them is arbitrary and unfair.

If I have a mental breakdown every time someone says hello to me, then should
we make it illegal to say hello to me? After all, they're causing me severe
mental distress and maybe I could lose my job because of these people.

In my opinion, it would be unfair to ban "hello" because one person doesn't
like it. It's _my_ problem to have a mental breakdown because of specific
messages, not yours or the state's.

Same principle applies to software. If your website has a breakdown every time
I send specific IP packets, that's your problem, not mine or the state's.

~~~
vkou
> If you own a gun, you're responsible for knowing that pulling the lever
> implies shooting projectiles at them.

If you own a computer with the ability to send packets over TCP/IP, you're
responsible for knowing what sending particular kinds of packets implies.

Hacking a server you don't own is handling someone's property without
permission. When I host a web service, I grant the public permission for very
particular kinds of access to it. I do not grant the public permission to try
to break into it.

> All of these things are physical actions. The state should care about the
> physical actions of their citizens, but not about ideas, concepts, intent,
> or arbitrary abstractions. Those abstractions are the citizen's business,
> and legislating them is arbitrary and unfair.

Your understanding of the world is incompatible with centuries of civil,
criminal code, as well as millenia of common sense.

Intent absolutely matters. Consider why mens rea is a thing. Consider why
fraud is a thing. Consider the difference between accident, ignorance, and
malice.

> If I have a mental breakdown every time someone says hello to me,

Are you seriously drawing an equivalence between breaking into a webserver
with 'having a mental breakdown every time someone says hello'?

> Same principle applies to software. If your website has a breakdown every
> time I send specific IP packets, that's your problem, not mine or the
> state's.

Yes, you are. Good lord.

I take it you also don't take issue with people stealing the contents of
vending machines, either? After all, there's no possible way to infer what the
implied contract of a vending machine is! Sure, everyone with the intellectual
maturity of a five year old understands that you're supposed to put money in,
in exchange for its contents... But it's the owner's fault that if I happen to
tilt it over a certain way, stuff comes out of it - without me putting any
money in! I'm just manipulating it in a creative way!

~~~
lone_haxx0r
> If you own a computer with the ability to send packets over TCP/IP, you're
> responsible for knowing what sending particular kinds of packets implies.

Yes.

>Hacking a server you don't own is handling someone's property without
permission.

I meant handling in the most literal sense: manipulating something with your
hands/body. Sending a message to someone/something isn't handling them/it in
that sense.

> When I host a web service, I grant the public permission for very particular
> kinds of access to it. I do not grant the public permission to try to break
> into it.

Morally speaking, I do not require your permission to do something that
doesn't physically involve you or your property. The only relevant physical
involvements here are between you and your ISP, and me and my ISP. Anything
else is abstraction.

Under your permissions idea, I can go out and say "I grant the public
permission to look at my face but not to say hello to me."

> Your understanding of the world is incompatible with centuries of civil,
> criminal code, as well as millenia of common sense.

Your understanding of the world is incompatible with freedom and justice.

> Intent absolutely matters. Consider why mens rea is a thing.

Something being a thing doesn't justify it morally. Slavery is a thing, you
know? Murder is a thing, etc.

> I take it you also don't take issue with people stealing the contents of
> vending machines, either? After all, there's no possible way to infer what
> the implied contract of a vending machine is! Sure, everyone with the
> intellectual maturity of a five year old understands that you're supposed to
> put money in, in exchange for its contents... But it's the owner's fault
> that if I happen to tilt it over a certain way, stuff comes out of it -
> without me putting any money in! I'm just manipulating it in a creative way!

In a world with laws that make sense, it would be necessary to explicitly
define the contract, because otherwise everyone would be handling someone
else's property without permission. Simply state in the contract that people
have to pay $x in order to take out their goods.

If the contract says "use this machine at will and take its contents". Then
yes, you can tilt it all you want, who would have thought?

~~~
httpsterio
Manipulating something with your hands is a very arbitrary line to cross. What
if you have gloves? What if you have prosthetic arms? What if you're remote
controlling a robot to physically manipulate something on your behalf? Or is
it the bare skin-to-material contact you'd make illegal? What if the person
has a skin graft transplant on their hands?

Like the guy above said, intent matters. That is why stuff like attempted
murder is illegal. You might not physically touch the victim but if you intend
on killing someone, but happen to fail, you are clearly in the wrong imo.

------
o_p
Wageslaving is better than prison, I guess.

~~~
Avamander
The program doesn't even guarantee that, the Dutch article has a sentence like
"With Hack_Right, other punishments, such as imprisonment, are not excluded."
There's a chance Google Translate got the sentence wrong but I doubt it.

------
bkohlmann
All for this - and if it’s successful, I wonder if cybercrime will increase in
this region as folks with few prospects take a shot at getting a good job via
“non traditional” means

------
solotronics
If the US wanted to take the cyber battlefield seriously they would recruit
all these kids and put their skills to work.

~~~
pvaldes
This is just fearshopping. Why to pay, when can scare them, coarce and make
them fix their stuff for free or a candy? Laws are not the same for a minor.

------
throwaway3627
Wasn't there a similar program long-ago in the US where the FBI/DOJ/USDC
diverted first-time offenders into working with US-CERT instead of Aaron
Swartzing them?

------
faissaloo
'Hack_Right', really? That's the best they could come up with?

------
dawhizkid
I wonder if the US will ever release Ross Ulbricht...no way it will happen
under Trump but possibly at the end of an 8-year term for a Democrat...

