A Poorly Locked Door Is Still Locked

Finding weak security may expose institutional failure, but it does not turn breaking in into legitimate research.


Introduction

One of the most persistent myths surrounding the Gary McKinnon case is that discovering weak security somehow transformed unauthorised access into a form of public service. Because McKinnon and many of his supporters pointed to poorly protected military and NASA systems, the debate often drifted from “Was the access authorised?” to “Should those systems have been so easy to enter?” Those are different questions.

Within the broader dispute over UFO motives versus cybercrime consequences, weak passwords became part of the public narrative because they suggested institutional failure. Yet poor security does not create permission. A badly protected system may reveal negligence by its owner, but it does not convert an outsider into an authorised researcher. The distinction matters because modern cybersecurity relies on clear boundaries between discovering vulnerabilities, reporting them responsibly, and exploiting them without consent. [Department of Justice]

How Weak Systems Shaped the Public Narrative

A striking feature of the McKinnon story was how unsophisticated some of the alleged access methods appeared. Contemporary reporting described systems that were vulnerable because administrators had failed to follow basic security practices, including leaving default passwords unchanged. McKinnon himself described finding systems with blank or weak administrator credentials and using readily available remote-access tools. [The Guardian; Wikipedia]

This created a powerful public impression. Many observers expected military and space-agency networks to be protected by sophisticated defences. When reports emerged that some systems could allegedly be reached through weak passwords or poorly configured software, attention shifted toward the organisations that had failed to secure them. [The Guardian]

Supporters sometimes argued that the ease of access proved something important:

  • The institutions had neglected basic cybersecurity.
  • The intrusions exposed weaknesses that needed fixing.
  • Someone with malicious intent could have done far worse.

Those arguments contain a partial truth. Weak passwords and default credentials are genuine security failures. Cybersecurity professionals routinely treat them as serious risks because they can allow attackers to move through networks with little effort. [The Guardian]

However, recognising a security failure and authorising an outsider to exploit it are separate matters. The fact that a door is poorly locked may reveal bad security management, but it does not grant a stranger the right to enter.

The central misconception is that vulnerability equals permission.

In law, authorisation comes from the system owner or a recognised legal framework, not from the quality of the security controls. A network can be protected by advanced authentication, a weak password, or even a careless configuration. The question remains the same: was the user permitted to access it?

This distinction appears repeatedly in debates about McKinnon. Some supporters argued that he effectively demonstrated security flaws that governments should have addressed. Yet prosecutors did not base their case on whether the security was good or bad. Their allegation was that systems were accessed and damaged without authorisation. [Department of Justice]

The analogy often used by security experts is physical trespass. An unlocked building is still private property. Entering it without permission may be easier than forcing a locked door, but the lack of a lock does not create an invitation. Similar arguments surfaced in public discussions of the McKinnon case, where commentators debated whether access through blank passwords should count as “real hacking”. The legal issue, however, remained unauthorised entry rather than technical sophistication. [xiphias.livejournal.com]

The distinction becomes even clearer when considering consequences. Once an unknown person enters a sensitive network, administrators cannot reliably determine the intruder’s intentions. A person claiming to search for UFO evidence may be indistinguishable, at the technical level, from someone gathering intelligence, planting malware or preparing future attacks. From the defender’s perspective, the risk is created by the intrusion itself.

The Problem With the “I Was Helping” Defence

Another recurring claim in cybercrime cases is that the intruder was helping by exposing weaknesses.

This argument can be attractive because it reframes the intruder as a whistleblower, researcher or accidental auditor. In the McKinnon debate, some political supporters even suggested that his actions benefited the United States by revealing vulnerabilities that otherwise might have remained undiscovered. [Hansard]

The difficulty is that such claims are usually made after access has already occurred.

If a person enters a system without permission and later argues that the objective was educational or beneficial, several problems arise:

  • The system owner never agreed to the test.
  • The scope of the activity was not defined in advance.
  • The intruder decides unilaterally what level of risk is acceptable.
  • Any resulting disruption, investigation costs or remediation burden falls on the victim.

This is why cybersecurity distinguishes between authorised testing and unauthorised intrusion. Good intentions do not eliminate the operational consequences of a breach.

The McKinnon case illustrates this tension particularly well. His supporters often emphasised motive and curiosity, while prosecutors focused on access, passwords, software installation, network compromise and alleged damage. Those are fundamentally different ways of evaluating the same events. [Department of Justice; UK Parliament]

What Responsible Disclosure Would Require

The modern cybersecurity community has developed practices specifically designed to avoid the confusion between research and intrusion.

Responsible vulnerability research generally involves one or more of the following:

  • Explicit permission through employment, contract or a bug-bounty programme.
  • Testing systems that the researcher owns or is authorised to examine.
  • Limiting activity to agreed technical boundaries.
  • Reporting vulnerabilities to the affected organisation.
  • Avoiding unnecessary access to data, systems or operational resources.

These principles exist because genuine security research depends on consent. Researchers are not expected to prove that a system is vulnerable by taking control of it indefinitely or exploring unrelated information inside it.

The contrast with the popular image of the McKinnon case is important. If the goal had been solely to demonstrate weak passwords, responsible disclosure would have required notifying the organisations involved rather than continuing to access networks and systems. The difference is not merely procedural; it is what separates authorised security work from unauthorised access. [Department of Justice]

A Poorly Locked Door Is Still Locked

The lasting lesson from this aspect of the McKinnon story is not that government systems were perfectly secure. Evidence from the period suggests that at least some systems suffered from weak security practices and default or poorly managed credentials. [The Guardian; LinkedIn]

But exposing weakness and possessing authority are not the same thing.

The UFO dimension of the case often encouraged a romantic narrative of a curious outsider uncovering hidden truths inside carelessly protected networks. Yet the existence of weak passwords does not create a licence to investigate. Poor security may explain how access occurred; it does not transform unauthorised access into authorised research. That distinction remains one of the clearest lessons to emerge from the debate surrounding Gary McKinnon and the wider question of motive versus consequence in cybercrime. [Department of Justice; The Guardian]

Endnotes

  1. Source: justice.gov
    Link: https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict.htm
    Source snippet

    Department of JusticeLondon, England Hacker Indicted Under Computer Fraud...Gary McKinnon, of London, England, was indicted in Alexandri...

  2. Source: Wikipedia
    Title: Gary McKinnon
    Link: https://it.wikipedia.org/wiki/Gary_McKinnon

  3. Source: linkedin.com
    Title: LinkedIn Hacker: Gary McKinnon
    Link: https://www.linkedin.com/pulse/hacker-gary-mckinnon-searching-little-green-men-andrew-cardwell-wvqne
    Source snippet

    Hacker: Gary McKinnon - Searching for Little Green MenDefault admin/administrator account passwords unchanged from factory settings over...

  4. Source: Wikipedia
    Title: Password strength
    Link: https://en.wikipedia.org/wiki/Password_strength

  5. Source: justice.gov
    Title: Department of Justice British National Charged with Hacking Into N.J
    Link: https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict2.htm
    Source snippet

    addition, the Indictment charges that on Sept. 23, 2001, McKinnon again broke into the NWS Earle computer network by accessin...

  6. Source: xiphias.livejournal.com
    Title: So – Gary McKinnon
    Link: https://xiphias.livejournal.com/316036.html
    Source snippet

    So -- Gary McKinnon - xiphias - LiveJournal10 May 2006 — Frankly, I've got to ask -- if you're running Windows, and you don't actually se...

    Published: May 2006

  7. Source: hansard.parliament.uk
    Title: Hansard Gary McKinnon (Extradition)
    Link: https://hansard.parliament.uk/commons/2009-12-01/debates/09120144000002/GaryMckinnon%28Extradition%29
    Source snippet

    Gary McKinnon (Extradition) - Hansard - UK Parliament1 Dec 2009 — Had he not masterfully broken through their security systems, th...

  8. Source: publications.parliament.uk
    Title: mckinn 1
    Link: https://publications.parliament.uk/pa/ld200708/ldjudgmt/jd080730/mckinn-1.htm
    Source snippet

    UK ParliamentMckinnon V Government of The United States of America...30 Jul 2008 — It damaged computers by impairing their integrity, av...

  9. Source: Wikipedia
    Title: Gary McKinnon
    Link: https://en.wikipedia.org/wiki/Gary_McKinnon
    Source snippet

    Gary McKinnonGary McKinnon (born February 1966) is a Scottish systems administrator and hacker who was accused by a US prosecutor in 2...

  10. Source: justice.gov
    Title: edva mckinnon indictment
    Link: https://www.justice.gov/archive/usao/nj/Press/files/pdffiles/Older/edva_mckinnon_indictment.pdf
    Source snippet

    IndictmentFrom in or about September 2001, through on or about March 19, 2002, within the Eastern District of Virginia, and elsewhere, th...

    Published: March 19, 2002

  11. Source: theguardian.com
    Link: https://www.theguardian.com/uk/2007/apr/03/politics.usa
    Source snippet

    The GuardianHacker's progress: how McKinnon pierced Pentagon security3 Apr 2007 — The biggest loopholes had been created by users who fai...

  12. Source: theguardian.com
    Title: hacker gary mckinnon supreme court extradition
    Link: https://www.theguardian.com/world/2009/oct/09/hacker-gary-mckinnon-supreme-court-extradition
    Source snippet

    Computer hacker Gary McKinnon loses fight to stand trial in...9 Oct 2009 — McKinnon's lawyers and supporters argue his hacking was aimed...

  13. Source: theguardian.com
    Link: https://www.theguardian.com/technology/2005/jul/27/hacking.internetcrime
    Source snippet

    Hacker 'left note on US army computer' | Hacking27 Jul 2005 — Mr McKinnon was initially indicted in 2002 by a federal grand jury on eight...
