How M.I.T. Ensnared a Hacker, Bucking a Freewheeling Culture (nytimes.com)
114 points by bensw on Jan 21, 2013 | 27 comments



In order to understand why this incident was even more shocking than usual, one just needs to read this snippet

    The arrest shocked friends of Mr. Swartz, as well as 
    M.I.T. alumni. Brewster Kahle, an M.I.T. graduate and 
    founder of the digital library Internet Archive, where 
    Mr. Swartz gave programming assistance, wrote: “When I 
    was at M.I.T., if someone went to hack the system, say 
    by downloading databases to play with them, might be 
    called a hero, get a degree, and start a company. But 
    they called the cops on him. Cops.”
I find the change of perspective - from hero to criminal - from MIT quite astonishing. I wonder if this incident makes current students wary about the change in MIT ethos.


I wonder if this incident makes current students wary about the change in MIT ethos.

As an alum, I don't see a change in ethos. During my time there ('91 to '95) things were open, but if you were doing something that the institute considered improper they asked you to stop. If you persisted in the behavior, they escalated the response. In my four years there, I witnessed this philosophy applied to drinking, trespassing in forbidden places (roofs for example), harassing behavior and yes, behavior on the network.

Students often "explored" the network (myself included) but it was possible to go too far.

(no, I don't think Swartz's transgressions warranted multiple years in prison and the whole situation is a tragedy)


I don't think this is only MIT. It's just a new ecosystem growing up. I remember when spoofing a superior's email was fun. I remember when accessing other people's emails via misconfiguration, etc. was 'fun'. I remember when very few places had any kind of firewall.

None of these things are true any longer. As things mature, they take on a new importance and are treated as such.

When the first aeroplanes were around, did one need to get a pilot's license (no), could you buzz buildings (yes)? When the first autos came about, were there any traffic regulations? Nope. They were both freewheeling till they took on importance.


There does seem to have been a change in the culture at MIT though. I can't find the article now, but I recall reading years ago about the student body being vocally opposed to one administrator in particular who didn't seem to grok the culture there.

I did find an article from 2007 about a case that raised questions about how the university handled hacking (http://tech.mit.edu/V127/N4/hackers.html), and a follow-up from 2008 titled, "Hacking tradition under fire?" (http://tech.mit.edu/V127/N66/hacking.html)

So clearly there's been some discussion of a sea change in the culture at MIT. If true -- if it is even perceived to be true -- that will really be a problem for the school, as its status among technical universities owes a lot to its cultural respect for all forms of hacking.


Brewster Kahle was at MIT in 1982. I get the impression that MIT was gradually locked down. For example, prof Jerry Lettvin said, "Up to about 1950's there was a kind of freedom in the scientific world — certainly at MIT — that allowed you to play games of all sorts. As two or three decades went by MIT was taken over by managers." (http://www.tengerresearch.com/learn/interviews/jeromelettvin...)

And as the internet became important to business interests, it's not that surprising that these crimes became more harshly punished. (Though there's the argument that these punishments should be relaxed in some cases because elite CEOs and technologists have been guilty of them as part of their educations. Like Steve Jobs, Tufte, etc. Not unlike presidents getting away with drug use. And there's a conflict between businesses about intellectual property; Google probably would be happy if they could open up books.)


"At 9:44 a.m. the M.I.T. police were called in; by 10:30 a.m., the Cambridge police were en route, and by 11 a.m., Michael Pickett, a Secret Service agent and expert on computer crime, was on the scene."

Less than 1.5 hours from campus cops to Secret Service on scene.


The Secret Service office in Boston is a 2 mile drive from MIT. Once you decide to bring in the police, it makes sense that they'll contact specialist law enforcement that focus on computer crimes, especially since the Secret Service is so close.


Per his own LinkedIn [1], Michael Pickett, the Secret Service agent, is a member of the New England Electronic Crimes Task Force Forensic Laboratory. Their website [2] has a long role for the lab, but it a) supports local law enforcement (like Cambridge PD), and b) includes seven area universities (Harvard, Dartmouth, and Babson are the three mentioned; MIT was not, but doesn't necessarily exclude them).

My guess is it wasn't so much the Secret Service getting involved, but this DHS agency mandated by the USA PATRIOT act [3] made themselves available to major local organizations. Wouldn't be surprised if ECTF spent its first couple of years just meeting individual orgs one at a time for meets/greets.

"Have a computer crime that isn't just your usual Craigslist scam? Give Mike over at the Boston ECTF a call, and he can help you out."

[1] http://www.linkedin.com/pub/michael-pickett/15/722/660

[2] http://www.secretservice.gov/ectf_newengland.shtml

[3] http://www.secretservice.gov/ectf.shtml


The surprise isn't that they got there easily from their nearby office. It's that they so quickly decided to leave their office.


If I were a USSS officer specializing in computer crime and MIT called me after discovering a laptop that was used in an ongoing crime, I'd run like hell because I wouldn't want decisions to be made by the local Cambridge cops since they don't know anything about computer crimes. I mean, if you think the laptop represents a crime scene, you really don't want non-specialists handling it, right?


If MIT does research related to military/defense technology, the possibility that such information was involved is probably enough to get the Feds interested, especially in the beginning.


"'M.I.T. had to identify the hacker and assist with his apprehension in order to prevent further abuse,' the government argued in court."

Or they could have just tried talking to him and giving him a verbal warning.


What would a verbal warning have been useful for? He already knew his behavior was unwanted, and that's what verbal warnings are for. He wasn't stupid, so the verbal warnings wouldn't have been the first time that he learned that there were actual laws against unauthorized network access.

Besides, what's there to warn him about, he's 100% right in what he was doing, wasn't he? To hear it from the hacktivists, he did nothing wrong (and so there's nothing to warn him about). If he did do something to warrant a warning then he was already past the point of needing one.


First, by talking to him, MIT would have revealed that they knew who he was. That alone might have dissuaded him, as he was clearly acting under the assumption that he had successfully hidden his identity (or otherwise he would not have bothered to hide his face from the camera).

Second, they might have learned his motives and either found another way for him to achieve his objective (perhaps through some sort of compromise) or persuaded him to stop.

Third, they could have made clear to him what the penalties the government was ready to use against him in this case were, and that they had enough evidence to take him to court if he persisted.

Any of these might have been enough to lead to a less tragic outcome than what wound up happening when they immediately threw the book at him.


That's definitely not true. Everybody knows that speeding is a crime. But cops give warnings all the time if you didn't harm anybody and they think you're a reasonable person who will listen to them.


I wonder what "activity from China" was.

Also, looks like this went all the way up to the Chancellor, so it's not as if it was just the libraries or someone pushing for this.


"Counsel for the government understands that a number of external connections were made and/or attempted to the Acer laptop between January 4, 2011 and January 6, 2011, including from a Linux server at MIT and from China."

("Attempted" means his laptop probably had a public ip address assigned through dhcp and someone was knocking on ports from China. This "attempt" happens constantly 24/7 and is nothing to write home about.)

"7. Exculpatory Evidence. In paragraph H of the government's letter, the government described but refused to provide almost all of certain exculpatory evidence, including evidence that, during the period covered by the indictment, persons other than Mr. Swartz at Harvard, MIT and China accessed the Acer laptop that was seized by the government, and persons other than Mr. Swartz at MIT and elsewhere were engaging in "journal spidering" of JSTOR data using a "virtual computer" that can be hosted by anyone at MIT. The government has no basis for withholding the electronic evidence described as exculpatory in its letter."

http://diyhpl.us/~bryan/irc/aaronsw-lost-pirate-treasure.txt


Why did MIT call in the secret service right away?

The answer must lie with a certain Charles M. Vest who, in 1990, became president of MIT and served in that position until December 2004. He is now MIT professor and president emeritus.

He also happens to be a key member of the board of trustees of Ithaka, the owners of JSTOR.

I would not hold out my breath for MIT investigation criticising its own President Emeritus.


I think it's a bigger change than with JSTOR specifically, so I'm skeptical that connection is the root cause. Another example, completely unrelated to IP, is that MIT used to quasi-tolerate tunnel/roof exploration, and in any case certainly didn't report students to the cops for it. But now they charge students with felonies for doing it: http://tech.mit.edu/V127/N4/hackers.html


When the email intrusion was investigated for that top military general, was not the Secret Service called in conjunction with the FBI? Although I think Secret Service and FBI overlap in covering domestic computer break-ins.


So, is there anything in this story that we didn't know from the indictment? Or any bits of the indictment that have been confirmed by NYT reporters talking to sources who were there? If the NYT is just summarizing the indictment, this doesn't seem very helpful at all.


I think one of the keys of this incident resides in the article posted by thaumaturgy (http://tech.mit.edu/V127/N66/hacking.html):

"At the meeting, Chancellor Phillip L. Clay PhD ’75 told the faculty that administrators were working with the district attorney’s office to move the felony trials out of the Cambridge court system to an internal Committee on Discipline process. The charges against the students were dropped on Feb. 28, when the prosecution filed nolle prosequi orders for the three students, indicating that they would not move forward on the charges."

My personal opinion is that following identification by MIT and clarification of his intent, this should have been dealt with internally. While it was totally within the power of the prosecution to persist and press charges, the article shows an example where top MIT management did the right thing and insisted upon dealing with this internally (again: my opinion).

As an MIT student, it worries me that a measured response was not achieved by MIT management in this case. Whether that means MIT should not have called the police and allowed uncontrollable escalation or should have done a better job in convincing the prosecution to not press on, I cannot be sure. It is of course also possible that what happened is just a reflection of the prosecution's resolve to treat this with the full force of the law and whatever MIT management may have said fell on deaf ears.

I am unsure what weight each of those has in this sad case and I deeply appreciate President Reif's initiative to carry an internal investigation into MIT's response.

However, two other things bother me with regard to this case. First, it strikes me that the Computer Fraud and Abuse Act is inadequately broad and allows for dangerous interpretations. Second, it is very scary to think that individuals in the prosecution are incentivized to press for the maximum amount of charges, with little to no regard for proportionality. I can only hope for a system in which sentences are not used as a metric for a prosecutor's competence.

It seems to me that the concept of proportionality -as it is applied in armed conflict- is an essential one when talking about this whole issue. I fear that it is the root failing in this affair both in MIT's inability to treat this internally and later, in the prosecution's attitude towards the case.


I wish these stupid universities would soon stop mattering and go into oblivion.


So not only did Aaron try to hide his crime, he ran away when police tried to talk to him about it? Why are we defending him again?


People run all the time. When you get caught it's a fight or flight response. It doesn't have to be entirely rational. Usually it isn't (few people actually out-run the cops).

This has been known for a while. It was reported (and discussed on HN) when he was first arrested.


Are you really asking why he shouldn't go to jail for 35 years?


You created an account solely to post this dumb comment?



