It's widely known that internal staff are the biggest threat to IT security, but what about your computer repairman? After a hard drive was stolen from Real Living Action Realty in Pennsylvania, the company called Kevin Andrew Lutes, who had done repair work for them in the past, to fix the machine. He told them he could retrieve the files, but the owner later called the computer manufacturer and learned that it's impossible to do this... without the hard drive. Oh, and the police learned that Lutes' car -- computer repair sticker and all -- was spotted outside the office on the night of the break-in. When he returned a few days later with the stolen hard drive back inside the computer and tried to charge the company $2000 for the "repair," Lutes was arrested and charged with theft. You'd think that with potential access to the machine, he could have done something a little more subtle or sinister, but, lucky for the company, their repairman turned out to be a pretty dumb criminal. Someone should let him know that basing a business model on artificial scarcity is a bad idea...

It seems like a decade or so ago, it was pretty easy to find a friend who had a story about their car window being smashed and their stereo stolen. But the FBI says that car-stereo thefts have dropped by about 60 percent since 1994, thanks mainly to technology and economics (via Engadget). Fewer people are replacing their car stereos these days, as the quality of factory units has improved, but also as features like CD players have diffused throughout the auto population. Most thieves won't bother stealing factory stereos because their resale value is so low: they have to find a buyer who needs to replace the same model, and that's much harder than reselling a radar detector or GPS unit that will work in any car. What's more, the cost of aftermarket equipment has dropped significantly, squeezing stereo-stealers' margins even more. Usually when we talk about unintended consequences, it's in reference to something with decent intentions that delivers some negative unexpected outcome, but it's nice to see sometimes things work the other way, too.

A few years back, there were some stories about how some scammers had found online manuals for popular ATMs, which included a default password, which was rarely changed (yes, that's an amazingly stupid design). This meant that it was fairly easy to program the ATM to believe that it held different denomination bills. For example, you could program it to think that it held $5 bills when it actually held $20s -- and then if you took out "$40" you would be given 8 bills -- or $160. Not surprisingly, other hackers have replicated this scam a bunch of times -- aided in large part by ATM owners who still haven't changed the default password.

Still, if you were a scammer pulling such a scam, you might think that it would make sense not to pull it at the same store multiple times. But, that's exactly what two guys did last year, where they tried to hit a local restaurant's ATM for the fourth time. By that point, the manager had been alerted to look out for them, and called the police on them when they came in again. There was a bit of a mess after that, as the manager tried to pull a gun on the scammers, and there was some sort of scuffle, a gunshot, and then a car chase... but eventually the guys were arrested. So, once again: ATM makers: stop offering machines with default passwords. ATM owners: change the default password on your machines. Scammers: don't be so dumb as to try to rip off the same place multiple times (or, maybe that's what we want, since it makes them easier to catch... but it's still dumb).

It's been over five years ago since we pointed out how silly the world would be if we started bringing real world justice into virtual worlds. It sets up a ridiculous situation, since the way any virtual world works is based on how it's programmed. If there's a problem with an action, it should be up to whoever controls the game to fix the problem, rather than the real world police. If you start setting a precedent where the "theft" of a virtual item in a video game is considered theft, then how do you deal with online worlds where theft is a part of the game? If the game allows it, then it should be a part of the game.

Even with plenty of people warning about how ridiculous it would be for police to get involved in searching for a stolen magic sword, it seems that hasn't stopped people from going to the police. In the past, the lawsuits have usually been for other crimes besides theft, though. We had one for illegal computer access, after a woman logged into a boyfriend's account and deleted his virtual objects. In another case, someone was charged with copyright infringement for "copying" weapons.

However, now we have a case of an actual theft charge in the Netherlands. Two kids have been convicted of theft of a (I kid you not) "virtual amulet and a virtual mask" in the game Runescape. The details are pretty scarce, but apparently the two kids "coerced" another kid to hand over the items, and to the court that's as good as theft:

"These virtual goods are goods (under Dutch law), so this is theft."

I have to admit I don't know much about Runescape, but a quick look at the website mentions that it can involve "fights to the death." Does that mean we'll soon have murder charges stemming from the game? Update: Some folks in the comments have helpfully filled in some of the details that were lacking from the original article. The two kids in this case apparently beat up and threatened at knifepoint (in real life) the other kid in order to get him to give them the virtual amulet. As others in the comments point out, it sounds like they should have been charged with assault and battery, but still not theft.

There are a bunch of news stories showing up about how some scammers apparently were skimming some money from the online bank account of French President Nicolas Sarkozy. According to the report, the scammers probably only had account numbers and login info, and they didn't even realize from whom they were stealing. That said, what's more interesting is the government's response to the theft. Rather than suggesting banks should improve their security, the secretary of state for consumer affairs notes that an investigation is under way to see how the government can improve the security of the banking system. While it does seem quite rare for a government to take responsibility for problems, in this case, it seems a bit misplaced. It's not clear what role the government had in this scam whatsoever.

Almost exactly two years ago, a story made the rounds of how easy it was to reprogram ATMs to believe it had a different denomination. Thus, if it actually had $20 bills, you could convince it that it really had $1 or $5 bills. Then when you took out money from the machine, you would get the $20 bills, making a tidy profit. The reason this hack was so easy was that many ATM owners simply left the default passwords on the machines -- and those passwords were easily found online. Last year, we noted that, despite the publicity around this easy hack, many ATM owners still had not changed the default password. Apparently, that's still the case, as two men have been arrested for using the hack to steal thousands of dollars. Still, it's worth noting that the only reason they seem to have been caught was they hit the same store multiple times (and, apparently, the owner of that store still hadn't changed the default password).

Slashdot points us to the amusing story of technology "solving" a theft of an irrigation controller on a farm, thanks to a wireless connection. The irrigation controller was stolen, which was first noticed when it sent an error message to the guy who runs them. A few weeks later, though, he was surprised to get a signal from the controller, and he was able to communicate with the device and get the company that supplied the wireless connection to triangulate and reveal the general location of the unit (the guy had the maker of the controller, who obviously contracts with the wireless provider, request this info to make sure the request was legit). From that, the guy used Google Earth to figure out where the controller must be -- and went to the local police. After investigating the person whose property it ended up on, the controller went missing again... only to turn back up in its original location a few weeks later.

While it's a neat story of technology thwarting a theft, there are a few questions raised by the story. To be honest, the full writeup so pumps up this particular brand of irrigation controller system, that it almost sounds like an apocryphal story made up to hype up how much better this controller is than competitors (look, it's theft proof!). Also, despite the "happy ending" -- the actual thieves were not apprehended, and future thieves will simply learn to disable the wireless communications ability. In the meantime, though, it's a reminder that technology is making the job of the ordinary thief somewhat more difficult these days.

It's been many, many years since we first asked the question of whether or not piggybacking on an open WiFi network was a crime. Since then, we've seen plenty of people arrested, and wide ranging discussions on the ethics of WiFi piggybacking -- with various ethicists noting that simply using an open WiFi network doesn't seem unethical, assuming you don't significantly slow down the connection by uploading or downloading large files. However, we still see people falsely referring to it as "theft".

The latest comes in a short column for Time Magazine, where the author admits that he was a WiFi "thief" for many years in his old apartment. In the article, he claims that it is against the law, noting one of the stories of someone being arrested, while quoting Title 18, Part 1, Chapter 47 of the United States Code, which deals with anybody who "intentionally accesses a computer without authorization or exceeds authorized access." Well, that sounds good, but there's a big problem with it. If the owner of the WiFi access point left it open, then they have, by default, authorized access to that device. So it can't possibly be a violation of that law.

Of course, there will be those who say that the owners didn't intend for the network to be open -- but that's really besides the point here. The only information a user has is does the network say: "you're welcome here" or not. If it's open, it sends out an invite that specifically says: this network is open, come use it. That's authorization, and using such a network is not "theft" in any sense.

Now, we all know that Rep. Howard Berman, who represents a district right next door to Hollywood is in favor of strengthening intellectual property laws. He's made absolutely no secret of that. It's quite questionable then, as to why he should be considered an impartial overseer of intellectual property laws. But, in a talk on Friday he made some very bizarre statements that make it clear he doesn't care at all what those who disagree with him think. First, he claims that there's not much controversy concerning the PRO IP bill, which is a huge understatement. However, the real kicker, is that when asked about the groups (like the EFF) opposing the bill, he brushes them off as follows:

"There are people who want to steal intellectual property. Their lobby is distributed, diffuse, but unfortunately very popular."

This, ladies and gentleman, is the guy who's in charge of determining our intellectual property laws. He simply assumes that anyone who disagrees with him "wants to steal intellectual property" (which, of course, isn't possible -- you can infringe, but not steal it). But, even more to the point, the folks he's talking about are most certainly not even defending the infringement of copyrights. They're talking about trying to bring the laws more in line with what's reasonable. To paint them all with the brush of defending "stealing" isn't just wrong, it's rather obnoxious.

Jon Healy, whose writing for the LA Times I admire quite a bit, has written up a very balanced discussion concerning whether or not file sharing equals theft. He links to some of my writings on the subject, as well as pointing to the views of two Nobel Prize winning economists, F.A. Hayek and Milton Friedman, who both point out that copyright is not property, and treating it as such causes problems. He then presents the entertainment industry's view, which (of course) is that copyright is no different than traditional property. Then he brings in legal scholar Mark Lemley (of whose work I'm also a fan) who tries to bridge the gap by noting that copyright isn't property, but that infringing it "is wrong, and should be punished." However, Lemley also points out that most people recognize copyright isn't traditional property, and the entertainment industry's insistence that they're the same works against the industry, as most people recognize immediately that this argument is false, taking away credibility.

Healy comes out on the balanced side himself, suggesting that infringement is close enough to theft. He does so by comparing it to "theft of service" for cable companies, and noting that "you're still acquiring something of value without paying for it, and you're doing it without the seller's permission." This is a commonly used argument, and seems reasonable at a first pass, but I'd like to address why it's incorrect. Just because you acquire something of value for free (and without the original seller's permission) it doesn't automatically make it "theft." Let's run through some examples:

• I go to the pizza shop and they offer me a free soda with two slices. The soda has value, but I just got it for free, and did so without Coca-Cola granting permission. I don't think anyone would claim this is stealing or even wrong or immoral.
• My friend lets me borrow a book, which I read. The book has value. I got it for free, without the permission of the book author or publisher.
• I get on a train and pick up the newspaper that a passenger left behind. The newspaper has value. I got it for free, without the newspaper company granting permission. I don't think anyone would claim that's stealing.
• I go to the beach. The people sitting next to me are playing music on their stereo, that I can hear. The music has value, but I just got it for free, without the permission of the record label.
• I go see "Shakespeare in the Park." I get to see something of great value for free, without permission of William Shakespeare.
• Verizon sees that Sprint is going to announce an "all you can eat plan" and decides to introduce its own similar plan. Verizon got that idea for a bundle from Sprint for "free" and certainly without Sprint's permission. Yet, we call that competition, not stealing.

You can come up with your own examples. Now I'm sure people will start picking apart each of these examples. They'll say things like in the pizza/soda example, the pizza shop has implicit permission to resell the soda at any price they deem reasonable, since they paid for it in the first place. But, if that's the case, then we have another problem for those who claim that copyright is real property -- because the same thing isn't true with copyrighted material. Those who insist that copyright is the same as real property break their own rule by also insisting that they retain perpetual rights to the good, even after it's been sold. If copyright were like real property, after the creator sold it, the buyer could do whatever they want with it, including giving it out for free. Yet, it clearly is not like that. Coca-Cola sold soda to the pizza shop and the pizza shop can do whatever they want with it, including giving it out for free. So, if the entertainment industry wants to keep insisting that copyright is just like real property, and therefore infringement is theft, then they should also agree to let anyone who has bought their works do whatever they want with them, including give them away for free.

In fact, each "but, this is different because" explanation for the examples above can easily be turned around to prove the point that copyright is different than real property -- because it applies the same rules differently and deals with fundamentally different types of goods or services. What it really comes down to, yet again, is that this is a business model problem. For years, an industry that relied on artificial scarcity is discovering that it's hard to keep that artificial barrier in place. It can't pretend something is scarce when it's really infinite -- and trying to limit it will only backfire in the long run. What you need to do, instead, is figure out new business models that embrace the infinite nature of the goods, and focus on selling additional scarce goods, preferably additional scarce goods that are made even more valuable by freeing up the infinite good.