Sunday, 16 August 2009

Torture, Learned Helplessness, Psychological Trauma and the CIA

Brand Killer Robots reveals:
I have been researching the self-inflicted effects of torture on the human soul and I came across this article by David Dobbs, who was writing about Dr Vaughn Bell's comments relating to the psychological impact of torture and the results of "learned helplessness". My interest in his article was particularly acute when he introduced the notion that depression is really the result of a process of "learned helplessness". Having suffered years of "self-torture" where my mind constantly reminded me I was just about to die, which finally ended in a complete emotional and intellectual breakdown, I really can see the similarities between a largely self-imposed torture by the ego and the torture administered by the CIA.

Here is the article.
Amid my flu frenzy I missed Vaughn Bell's excellent consideration of CIA psychology through the declassified memos:
I've been reading the recently released CIA memos on the interrogation of 'war on terror' detainees. The memos make clear that the psychological impact of the process is the most important aim of interrogation, from the moment the detainee is captured through the various phases of interrogation.
Although disturbing, they're interesting for what they reveal about the CIA's psychologists and their approach to interrogation.
As Vaughn notes,
A couple of the memos note that the whole interrogation procedure and environment is designed "to create a state of 'learned helplessness'." This is a concept originally developed by psychologist Martin Seligman who found that dogs given inescapable electric shocks would eventually just give up trying to avoid them and remain passive while electrocuted. The theory was related to depression where people with no control over their unpleasant lives supposedly just learnt to be withdrawn and passive.
Vaughn points out that while the concept is not particularly well validated, "if it was and you were an interrogator, you'd want to avoid learned helplessness at all costs, because the detainee would see no point in co-operating."
I'd add another point: Some studies have shown "learned helplessness" to be an apt model for major depression from both a behavioral and even a neurological perspective. In a sense, then, to intentionally produce it in someone by causing them pain and distress in a situation they are powerless to change is to inflict on them a mental illness.

You can argue that depression is not a mental illness (I'd argue back). But the point here is that the prevailing medical view is that depression is a mental illness, and that it may be defined (among other ways) as a state of learned helplessness, despondency, and hopelessness. It follows that intentionally producing that state through torture is to intentionally make someone quite ill. And regardless of the ridiculous arguments over whether waterboarding and beating and hanging by the arms for days is torture, the act of intentionally making someone sick -- indeed, seeking to give them an illness known to carry a risk of death (by suicide) -- would seem rather not okay.

Wednesday, 12 August 2009

Hacker Intelligence: You have 3 Choices in Hacker Life.

Brand Killer Robots Reports:
I listened to this person explain the concept and feeling of enlightenment.

After I finished hearing it, I understood that there were three paths I could follow.

1. I could sit in a cupboard all day and do nothing. Because being enlightened is a place where there is no concept of anything. Just an awareness. So sitting doing nothing is what I'd do.

2. I could live life "IN" the "CONTENT" of life - through the imagination.

3. I could dart between Enlightenment and Content.

I chose number 3, because there is not enough action in Enlightenment.



Chuvakin wades in on 'so called' Security Experts.

Hacker Intelligence Reports:
Ok, in the spirit of disruptive naughtiness I thought I'd publish this report by Anton A. Chuvakin PhD considering the Myth of the Security Expert. Whilst I don't necessarily agree with what he says about "how security experts must be accorded authority and status by their peers or the public in order to be credible", I do agree with him that Security Experts should try to develop their careers around one particular area of specialism. I also understand the dilemma that security people face where clients expect generalist all-round know-how. My own advice being for security people to develop a broad perspective on the security and intelligence world, but concentrate more acutely down one particular line.

Anyways, here is Anton's report.

In the future, it will become clear why I am writing this... For now, please treat this as some random analysis of our profession as well as of the dreaded definition of “a security expert.” Some might say it is a rant, but I prefer to tag it as “musings.”

Lately I’ve run into too many people who [claim to] “know security” or are [claim to be] “security experts.” Now, as some of you recall, I used to do theoretical particle physics before I came to information security. In my physics days, I’d be pretty shocked if I were to meet a colleague in the hallways of the C.N. Yang Institute for Theoretical Physics who would self-identify as “a scientist” or, for that matter, even as “a physicist.” It is overwhelmingly more likely that he would say “quantum chromodynamics” or “lepton number violation in electroweak gauge theories” or “self-ionization of the vacuum” or some such fun thing :-) However, as we all know, some folks in our industry have no shame introducing themselves to a colleague as “security experts.”

So, you are “a security expert.” Awesome, happy to hear it! Please let me know whether you are Case A or Case B.

Case A: you know more than an average person on the street about every single area (or many, many areas) of information security: from ISO27001 to secure coding in Ruby?

or

Case B: you know more than your peers in security about one particular area (or a few areas) of information security: log management, Java security code review, penetration testing, NIDS/NIPS rule creation, firewall management, wireless scanning, etc?

Let’s see which one is consistent with how people in other professions define “expertise.” The obvious start is Wikipedia. As of today, http://en.wikipedia.org/wiki/Expert entry says:

“An expert is someone widely recognized as a reliable source of technique or skill whose faculty for judging or deciding rightly, justly, or wisely is accorded authority and status by their peers or the public in a specific well distinguished domain. An expert, more generally, is a person with extensive knowledge or ability in a particular area of study.”

Other sources (such as Google “define:expert”) present similar results; expert can only be an expert in a specific narrow area.

Now, notice that the farther you are from a certain area, the more it seems like a narrow one (example: “science” to an average janitor is a narrow area). On the contrary, the deeper you are inside a particular area, the more it seems like a wide area (example: “brain tumor surgery” to a neurosurgeon is a broad area or “quantum gravity” to a physicist).

Despite such relativism, other professions somehow managed to converge on their definitions of “an expert.” After all, you don’t get to “enjoy” a neurosurgery from somebody who “knows more about medicine than an average layperson.” However, as we all know, many organizations “enjoy” having their NIDS tuned by a just-hired CISSP (aka proof of being “a light-year wide and a nanometer deep” in security :-)). What’s up with that?

I think this has a lot to do with the fact that the area of security is too new and too fuzzy. However, my point here is that a little common sense goes a long way even at this stage of our industry development. In light of this, next time you meet “a security expert,” ask him what is his area of expertise. If the answer is “security”, run! :-)

Finally, career advice for those new to information security: don’t be a generalist. If you have to be a security generalist, be a “generalist specialist;” namely, know a bit about everything PLUS know a lot about something OR know a lot about “several somethings.” If you ONLY know “a bit about everything,” you’d probably die hungry...

http://chuvakin.blogspot.com/2009/08/myth-of-expert-generalist.html

http://www.chuvakin.org/



Tuesday, 11 August 2009

White Hat Report: “Scareware” netting $34 Million Per Month?

Hacker Intelligence Reports:
Here is a report from zanasser on the enormous money mountain, derived from what some are calling "scareware".

I received a very nice phone call a couple of weeks back from a very kindly gentleman in India who seemed concerned that one of my computers was calling him up and apparently screaming help, help, help down the phone line.

He said my PC was reporting a fault and numerous infections and that he, as the head of the Internet Cybercrime Department, would take care of it so long as I sent him $29.99 to cover the work. Suffice to say that since I had half an hour to kill I let him explain to me (in roundabout terms) just how this scam was supposed to work.

Anyway, I thought this report would give some background to this new line in crackery.

According to a study by Panda Security, fraudsters are making approximately $34 million per month through what is being called “scareware attacks”. These are scams designed to trick surfers into purchasing rogue security packages supposedly needed to deal with threats which don’t really exist. Also termed as “rogueware”, distributors of such software are successfully infecting 35 million machines a month.

Utilizing the concept of social engineering, whereby information on such fake security software is marketed through social networking sites and tools, users are tricked into visiting sites hosting scareware software, downloading it and telling a friend.

Other tactics to find users include manipulating the search engine rank of pages hosting scareware.
Panda Security believes that there are over 200 different families of rogueware, with more new variants coming on stream all the time. The technical director at Panda Labs explains that "Rogueware is so popular among cyber-criminals primarily because they do not need to steal users' personal information like passwords or account numbers in order to profit from their victims.

By taking advantage of the fear of malware attacks, they prey upon willing buyers of their fake anti-virus software, and are finding more and more ways to get to their victims, especially as popular social networking sites and tools like Facebook and Twitter have become mainstream."
And the figures support the concern that this trend is growing. In the second quarter of 2009, four times more new strains were created than in the whole of 2008, primarily to avoid signature-based detection by proper security packages. Another technique, behavior-based detection, is an approach that works well with Trojans and worms, but is limited when applied against scareware packages.

The real issue now emerging is how scareware is emerging as an organized crime. There are dedicated software creators and distributors of scareware. They go through a set of procedures: writing the rogue applications, establishing distribution platforms, payment gateways, and any other back office services.

There are also affiliates (distributors) tasked with the job of distributing scareware to as many victims as possible in the fastest possible time.
Stay out of this cycle. Don’t be ‘scared’ into downloading anything. Only obtain well-known industry standard security software. Forget about small, unknown vendors. Just applying common sense is the best protection against scareware, rogueware or any kind of new ‘threatware’.

http://zeidnasser.blogspot.com/2009/08/scareware-is-big-business.html
Zeid Nasser's Tech Blog

Monday, 10 August 2009

Defense Department eyes hacker Defcon for more Gary McKinnons

Hacker Intelligence Reports:
We thought this report by IDG News was very ironic in more ways than one. The US Air Force are recruiting hackers at the same time as attempting to extradite Gary McKinnon for acts of a similar nature. Perhaps the intelligence agencies have finally realised that a lot of these guys do want to help and that guys like Gary McKinnon are better off being listened to rather than abused.

Here is the report.

The Air Force recruited 60 at last year's hacker conference; this year it's back for more.

The U.S. Air Force has found an unlikely source of new recruits: The yearly Defcon hacking conference, which runs Thursday through Sunday in Las Vegas.

Col. Michael Convertino came to Defcon for the first time last year, and after finding about 60 good candidates for both enlisted and civilian positions decided to come back again.

"The principal reason that I'm here is to recruit," said Convertino, commander of the U.S. Air Force's 318th Information Operations Group, speaking Thursday during a panel discussion at Defcon's sister conference, Black Hat. "We have many empty jobs, empty slots that we can't fill."

Federal agencies have only recently begun embracing the hacker crowd. When U.S. Department of Defense (DoD) director of futures exploration Jim Christy hosted his first Defcon "Meet the Fed" panel in 1999, he was one of two people onstage. At this week's Defcon, there may be several thousand federal employees in attendance, he said.

Federal government employees first started coming to Defcon to get information and build relationships from the hacker community, Christy said during an interview, but now it is becoming more acceptable to find new recruits at the show, despite its reputation as a subversive hacking conference. "The character of Defcon has changed over the years," he said in an interview. "Ninety-five percent of the people here are good guys."

And federal agencies have changed too, particularly since the terrorist attacks of Sept. 11, 2001, said Linton Wells II, the former CIO of the U.S. Department of Defense (DoD), now a research professor with the National Defense University in Washington D.C. "The federal government has engaged with a lot of people they wouldn't have even talked to before 9/11," he said.

Christy expects that a couple of hundred of this year's attendees will be recruited by federal agencies, but no one is recruiting more aggressively than the Air Force. "The Air Force has always been the leader in this area," he said.

Convertino's efforts reflect a government-wide effort to step up cyber-security recruiting. On Monday, the DoD co-sponsored an effort to recruit 10,000 young computer through a series of cyber-contests, known as the U.S. Cyber Challenge.

In an interview, Convertino said that by next year many of his recruits will have completed the hiring process and will be able to attend the conference and encourage others to enlist.

The federal government has long had a hard time attracting and keeping top computer security talent, even at the very top.

Although the Obama administration created a new high level cyber security advisor position earlier this year, it remains unfilled. According to a Forbes Magazine report, the job has already been turned down by several qualified candidates.

Cyber-security is becoming a hot-button issue, which means more congressional interference, and for people in the field more time spent responding to political pressures instead of real security threats.

The recruitment process is long and tedious -- obtaining a security clearance can take 18 months -- and the pay is generally lower than in the private sector.

But the challenges are unique and at Defcon this week the DoD's chief security officer made a recruiting pitch to attendees, describing it as a place where geeks could develop world-class cyber security skills. "I have never seen in my entire career a more concerted effort.... to focus on this area of education, training and awareness," CSO Robert Lentz told conference attendees. "Any one of you in this room who want to seek positions in the government…. the opportunities are there; the resources are there."

There might be one other reason why a government job could appeal to Defcon attendees.

The feds like to talk about developing cyber-security capabilities to protect the nation's infrastructure, but they may also be spending time at Defcon looking for people who know how to attack systems as well, said Mikko Hypponen, chief research officer with security vendor F-Secure. "If you want people who know how to attack, this is the place."

The IDG News Service is a Network World affiliate.

http://www.networkworld.com/news/2009/080109-defense-deparment-eyes-hacker-con.html

South Korean Local police stations to get cyber crime experts

Hacker Intelligence Reports:
The police are bracing themselves for online security breaches, particularly intentional cyber attacks like those that occurred recently.

The National Police Agency will allocate professional cyber investigation agents in individual police stations to collect, analyze and report the use or leakage of illicit intelligence information on the internet, according to officials yesterday.

So far, as such agents were only available in the NPA and regional police agencies, police stations required assistance from central organizations in investigating complex cyber crimes.

The NPA's plans followed the DDoS cyber attacks that brought down several major online networks last month.

As an attempt to secure the cyber investigation workforce in each station, the NPA also added a clause in the regulations preventing cyber security agents from being transferred to other departments.

The NPA will set up inspection committees in order to thoroughly select qualified experts in online security and cyber crimes, said officials.

The NPA will also invest in educating the selected agents into veteran cyber troops, said officials.

"We have come up with a reinforced cyber police intelligence system to guard ourselves against the North's cyber attacks and any other online crimes," said an NPA official.

The police suspect that North Korea, possibly in coordination with other groups, initiated the DDoS attacks to put pressure on the South.

(tellme@heraldm.com)

By Bae Hyun-jung

http://www.koreaherald.co.kr

Friday, 7 August 2009

Government Recruits Geeks to Blunt Cybersecurity Threats

Hacker Intelligence report:
We thought you might like this report from USNews.com discussing what we have been talking about for years.

That of the value of hackers in securing our nation(s) from cyberthreats. It is time that governments realised that they can no longer rely on corporate suits to defend the nation state. It's time to start trusting the creative mind.

The U.S. Cyber Challenge aims to identify 10,000 patriotic geeks and make them experts

The potential threats against the United States from malicious foreign hackers are as poorly understood as they are scary. China's military has trained more than 60,000 "information troops," and its official doctrine calls for pre-emptive strikes on networks of nations it sees as a threat. Russian hackers—probably with Kremlin support—have attacked Internet sites in pro-Western Estonia and Georgia. And a mysterious "worm," Conficker, infects an estimated 5 million computers around the world. Authorities don't know who controls it; cyberintelligence expert Jeffrey Carr calls it "the equivalent of a nuclear bomb" that could shut down the entire Internet.

It's the kind of shadowy, nonstate threat that the U.S. defense and intelligence bureaucracies are traditionally ill equipped to fight, but a new initiative announced last week aims to try. A consortium of government agencies and private organizations has set up a series of competitions, called the U.S. Cyber Challenge, to identify up to 10,000 patriotic geeks and then nurture them to become "top guns," as the Cyber Challenge organizers call them, at the Pentagon, the National Security Agency, and elsewhere.

The Department of Defense trains only about 80 cybersecurity experts a year, far fewer than what are most likely needed. "People in the Pentagon know that the guy who looks good in a flight suit and can do 100 push-ups isn't necessarily the guy who will be the world's best hacker," says Noah Shachtman, editor of Wired magazine's Danger Room blog, who has briefed Pentagon officials on cyberwarfare. "So they know they have to reach out beyond traditional military recruiting models to find the top people. They're not sure exactly how to do it, though, and this is one attempt."

President Obama's announcement in May of a new cybersecurity initiative, including a cybersecurity coordinator who will report directly to the president, showed that the administration recognizes the threat from foreign hackers. "In today's world, acts of terror can come not only from a few extremists in suicide vests but from a few keystrokes on a computer—a weapon of mass disruption," Obama said in announcing the program. But two months on, the coordinator has yet to be named, and there is no information about the budget the office will have. "There are still huge questions about what it's going to do," Shachtman says.

And the Cyber Challenge only highlights a huge handicap Washington faces in its fight against cyberattacks: The hacking culture is antiestablishment, and the United States is the establishment, the Microsoft of geopolitics. That's a boon to Russian and Chinese government efforts to recruit hackers to their side, but it will hurt the United States, Carr says. A hacker wants "to align with the underdog against the big, bad U.S., and it's going to be hard to reverse that," he says. And there are signs the United States doesn't quite get it yet. The Cyber Challenge Web pages are laden with the kind of massive PowerPoint presentations that plague the Pentagon, "the most conventional, staid way to try to recruit innovative people," Shachtman says. Clearly, Washington is likely to face an uphill battle.

Joshua Kucera (08/06/2009)
http://www.usnews.com/articles/news/national/2009/08/06/government-recruits-geeks-to-blunt-cybersecurity-threats.html

Twitter taken down by denial-of-service attack

Hacker Intelligence Report:

The popular micro-blogging site was unavailable as the company defended itself against the attack.

The Twitter micro-blogging and social networking service was hit with a denial-of-service attack overnight that rendered the site unavailable for users.

Twitter reported the attack in a post on its blog at about 3am local time and is continuing to deal with the problem.

"We are defending against this attack now and will continue to update our status blog as we continue to defend and later investigate," the company said in a blog posting by Twitter cofounder Biz Stone.

In a status report about an hour following its acknowledgement of the attack, Twitter reported that the site was back up, but users still were having trouble reaching it. The site itself was down for about two hours before it resumed service, although Twitter remained under attack and warned users in another status update that as it recovered, users would experience "some longer load times and slowness," as well as network timeouts.

A DoS attack is an attempt to make a website or service unavailable to intended users by flooding the service or site with incoming data requests, such as emails. Motives for DoS attacks vary, but perpetrators mostly target companies with high-profile, highly trafficked websites, and usually there is some kind of financial motivation for the attack.

Graham Cluley, a senior technology consultant with security software vendor Sophos, said it's unlikely money is the motive here, since Twitter does not have much of its own to part with because the business is not yet profitable.

DoS attacks also can be politically motivated, he said, and while some countries' governments don't like Twitter -- notably, Iran -- he doubts the attack is politically motivated. "It's most likely to be a teenager in a back bedroom somewhere showing off," Cluley said.

When a site is hit with a DoS attack, administrators will try to distinguish between valid requests to access the site and malicious ones, and redirect the malicious ones to another domain if possible, he said. As Twitter's site was up and running a couple of hours after the attack, it's likely the company was able to do this, or the hacker may have simply ended the DoS attack, Cluley said.

Twitter had not yet provided an update on where it thought the attack was coming from or how it was handling the attack as of Friday morning. The company's public relations team did not immediately respond to a request for comment Friday.

In just three years, Twitter has become an enormously popular internet service with about 30 million unique users and counting. In addition to being a social tool for people to share constant status updates about their activities, it also has become a tool for journalists, public relations specialists, businesses and public figures to share information with millions of users.

Like Facebook and Google, Twitter also has become an integral part of popular culture, with the slang word for posting something on Twitter, "tweet," becoming part of English vernacular.

Twitter is no stranger to outage problems, although it had been starting to improve its availability level in the past year. According to a report by Pingdom released in February, Twitter recorded 84 hours of downtime in 2008, but 84% of that was in the first half of the year. The site finished 2008 with uptime of 99.04%, which still lagged behind other popular social-networking sites like Facebook and MySpace.

By Elizabeth Montalbano / Friday, August 07 2009
http://pcworld.co.nz/pcworld/pcw.nsf/feature/43D8B62B614BC3BDCC25760A007516F7

Free Web Application Security Testing Tool

Hacker Intelligence Report:
Automated Web Application Security Testing tools are at the core of modern penetration testing practices. You cannot rely 100% on the results they produce, without considering seriously their limitations. However, because these tools are so good at picking the low-hanging fruit by employing force and repetition, they still have a place in our arsenal of penetration testing equipment.

These tools are not unfamiliar to modern day penetration testers. In fact, there are plenty of them to choose from, ranging from low-grade command line utilities to high-end frameworks. There are plenty of commercial tools as well, some of which are a lot better, in terms of features and false-positives rate, when compared to open source alternatives. People often choose what they are more familiar with. I prefer to use tools that are right for the job without discriminating a particular operating system, platform, and style.

Without further ado, I would like to introduce you to yet another tool to compete in the market of automated web application security scanners (not only), released as part of our own Websecurify initiative. The tool is called Websecurify (big surprise) and it is written on top of common web technologies, which provide significant benefit over other technologies used in open source and commercial alternative products.

Here are some of the key features of Websecurify:

  1. It is 100% open source, GPL, CC product, ready to benefit the open source movement
  2. The engine employs technologies, such as Web Workers, from the latest HTML5 specs
  3. Most of the code is written in JavaScript but many parts can be rewritten or extended with Python, Java and C
  4. The core engine can be taken out from the binary bundles and used as part of self-defending web applications. I will talk about this soon.
  5. The testing and reporting mechanisms are asynchronous. This means that the report is cooking while the test is performed. It also means that decisions are taken immediately, i.e. they are not scheduled.
  6. The tool is cross-platform thanks to xulrunner
  7. Everything is written with extensibility in mind
  8. It can be extended in pretty much the same way you can extend Firefox and Thunderbird

There are many other features, which I am going to talk about soon.

At the moment the tool is only available as a MacOS DMG package and source code. The Windows and Linux versions will be released soon. In the future we are planning to release all platform specific packages at the same time. Now is just an exception as we are mostly interested to get early feedback. I am sure that there will be a lot of bugs to fix and features to add/improve before we reach version 1.0.

Download Version 0.2 from http://code.google.com/p/websecurify/

Published by GnuCitizen on 7th August 2009
http://www.gnucitizen.org/blog/free-web-application-security-testing-tool

Monday, 3 August 2009

Boris Johnson in the Telegraph on Gary McKinnon

Brand Killer Robots reveals:
Boris Johnson writes in the Telegraph
http://www.telegraph.co.uk/comment/columnists/borisjohnson/5963698/Stop-passing-the-buck-on-Gary-McKinnon-and-let-British-common-sense-prevail.html

Since it is now obvious that the British state is about to commit one of the most protoplasmic acts of self-abasement since Suez, and since the clock is now ticking to the moment when Gary McKinnon, 43, will be taken from his home in north London and put – if necessary by force – on a plane to America, it is time to pose the question everyone seems to have ignored. Leave aside, for a moment, the morality of exporting the Asperger’s sufferer for trial in America. Can I ask, what is the point of having a trial at all? I simply do not understand what proposition is to be so expensively tested in this American courtroom. Gary McKinnon is accused of hacking into American military computers.

He is charged with roaming around the cyberspace of the Pentagon, and leaving such insulting spoor as “your security is cr-p”. He is accused of guessing passwords, and trying to view secret photos of unidentified flying objects in Nasa databanks. All this will be put to him in court by some brace-twanging prosecution counsel, as though it were the crux of the matter.
And yet Mr McKinnon has never denied it. He has always said that he hacked into American military computers, and that is because he earnestly believes that there is a conspiracy between Uncle Sam and Big Oil to cover up the interception of alien craft that are running on some kind of renewable energy.

For all I know he may be right.
It might just be that the Vulcans have discovered some way of making cucumbers from moonbeams, and then boiling those cucumbers up into bioethanol. It may be that he is right in thinking that alien life forms did land at Roswell. It may be that the securocrats of the Pentagon have for decades been concealing the fact that Elvis is alive and well, and living on Mars. If the trial were to get to the bottom of that or any other big UFO mystery, then it might be worth the admission. But, of course, the trial turns on no such question. The only point to be proven is whether or not Gary McKinnon did the hacking, and on that there is no doubt. He says he did. He says it freely. So the only questions remaining are: whether his actions constitute a crime that deserves the seven-year torture of the extradition process, whether he deserves the possibility of a 60-year jail sentence, and whether the British authorities are right to be engaged in this dog-like grovelling to America. To all those questions the answer must be an emphatic no. I do not believe for a moment that the Pentagon and Nasa sustained half a million pounds’ worth of damage to their systems, as they bleatingly allege.

But even if it were true, Gary McKinnon has performed a service that must be rated cheap at the price. He may be a crank, but then he is certainly no terrorist.
He may believe in little green men, but he was not operating as a fifth columnist on behalf of these Venusians. He was not trying to cripple American defences in preparation for an assault from outer space. He was simply following up a weird intuition that UFOs exist, with all the compulsiveness that he has exhibited since he was a child. In so doing, he has generously helped America to prepare against attack from a more sinister foe. If it was so ludicrously easy to penetrate these encryptions, then what could al-Qaeda have done? Just imagine if America’s defence establishment had commissioned IT consultants to probe their systems as exhaustively as Gary McKinnon.

The contract would have been worth far more than £500,000.
McKinnon did it without charge, sitting up all the night, hardly eating, smoking heavily and spending so long tap-tapping in his dressing gown that his girlfriend gave up on him. The Americans shouldn’t be threatening him with jail. They should be offering him consultancy. Even if you still believe – and I don’t – that there was some element of malice in his actions, that does not make him a fit person to be sent for trial and incarceration in America. The diagnosis of Asperger’s has been confirmed by the world’s leading expert in the field, Simon Baron-Cohen. He says that if this dreamer were to find himself in prison, there is a risk that he would take his own life. This 2003 extradition treaty – supposedly aimed at al-Qaeda – has caught the wrong man in its gin. My objection is not that the treaty is lopsided, though of course it is.

The crucial point is that Gary McKinnon is not some smooth-talking banker accused of fraud, nor is he a terrorist. He is a classic British nutjob, who passionately believes something that is irrational but cannot be easily controverted, and he is a prime candidate for the protection of the Government.


In a tortuous apologia for his decision to extradite, the Home Secretary yesterday wrote – as if it were a good thing – that “one of the most important features of the 2003 Act was the deliberate removal of any discretion the Home Secretary may have in relation to extradition”. On this account, we may wonder why we have elected politicians at all.
On this account, the treaty is like a kind of computer-assisted catapult that pings people across the Atlantic whenever the Americans require. In reality, the Home Office has no such excuse. It could easily have decided, on humanitarian grounds, that the extradition should not go ahead. The High Court has merely confirmed that its decision to ignore common sense and decency was not, in itself, illegal. It was just immoral.

I can identify at least one mysterious flying object over the skies of London, and that is the buck being passed, at high speed, by the Home Secretary.
Not since the waters retired from the face of the earth has there been such a display of blob-like invertebracy in Whitehall. Let us hope that a British court will have the courage in the next few days to stop this madness, shame the Government, and prevent the martyrdom of a harmless eccentric.