6-Month Sentence for NASA Cracker

lunartik noted an AP story running on a 6-month sentence given to Gregory Aaron Herns for cracking into the computer system at NASA's Goddard Space Flight Center. 'Herns told federal agents he was looking for computer space to store movies he'd downloaded. It took hours for technicians to find the problem, fix it and patch the system's security holes.'"

With the direction Slashdot has been going lately,

[Chess_the_cat]

I'm surprised this wasn't posted under YRO.

I'd love to see a breakdown of the damages

[Nine+Tenths+of+The+W]

NASA are claiming it was $200k. It'd be nice to see how much of that was spent on fixing the security holes he uncovered.

Re:I'd love to see a breakdown of the damages

[mordors9]

So would I, it didn't really sound like he did any actual damage, just used some storage space. And no I am not condoning what he did. I still am amused by this blowing up of damages every time one of these cases come about. I just wonder what the sentence would have been if he broke into a local warehouse and stored some stuff there. He gets 6 months here and then the additional sentence of limited computer use for 3 years. Pretty tough sentence on a CS major.

Re:I'd love to see a breakdown of the damages

Pretty tough sentence on a CS major, but not so tough on a FUCKING CRIMINAL! You can't fuck with other people's stuff, especially when that stuff is owned by the government (i.e. collectively owned by all the U.S. citizens). This guy hacked us, we throw him in prison.

Re:I'd love to see a breakdown of the damages

[sporty]

Agreed. I'd like to see how much money was lost or required to fix damages versus the cost of fixing the security holes that should be fixed anyway.

Re:I'd love to see a breakdown of the damages

[Richard_at_work]

He said he broke in to use storage space. Are you going to take him at face value and continue using the system as is, after patching the security hole that let him in? Or are you going to forever view that system as 'dirty', with the costs associated with replacing that system and the data on it? This isnt a simple case of 'change the locks, add more CCTV', as you would with a physical wharehouse, you cant 'distrust' a physical building, there is a lot more he could do with a compromised computer system, including hiding unwanted code.

Re:I'd love to see a breakdown of the damages

[NoOneInParticular]

The more apt analogy would be a world where warehouses are used by burglers both for storing stuff and for putting poison in the stored food. When you find someone storing warez in such a house, are you still going to sell the crackers?

Re:I'd love to see a breakdown of the damages

[More+Trouble]

Are you going to take him at face value and continue using the system as is, after patching the security hole that let him in?

Am I a competent sysadmin in this scenario? If "yes," then I guess I'm probably running a tripwire of some sort. So I boot from CD, take a look at what's been changed, and fix it. If I'm really on the ball, I'm using something like radmind, in which case I still boot from CD, but I let radmind reverse any damage that had been done.

:w

Re:I'd love to see a breakdown of the damages

1. Don't fix security holes.
2. Let someone break in.
3. Sue hacker and use money to fix security holes.
4. ???
5. Profit!

Re:I'd love to see a breakdown of the damages

you must not have been paying attention to other breakins, $200k is very small compared to the millions other companies claim. I can see it costing $200k for NASA. Don't ask how, go work for a big instutition and you will immediately realize how long it takes to change processes, and write reports. This breakin definitely required some changes to their process in terms of security, and reports for management, not to add the cost of investigation, fixing and dealing with authorities, plus perhaps press activity. $200k is reasonable. .segmond

Re:I'd love to see a breakdown of the damages

[dhilvert]

More to the point, fixing security problems cannot reasonably be considered damages unless the problems were caused in some way by the unauthorized access (compromised utilities, etc.).

Re:I'd love to see a breakdown of the damages

Detection and patching of problem: $2000

Lawyers fees: $3000

Paperwork: $500

Lost productivity due to downtime: $75

Bullshit: $196,225

Claiming 5100% damages in court and winning: Priceless.

Re:I'd love to see a breakdown of the damages

"It took hours for technicians to find the problem, fix it and patch the system's security holes." Not minutes, but entire hours! $200K buys an awful lot of hours. Actually, this is probably the breakdown: fix the problem, $1k (a few hours work for a couple of people); lawyers' fees $199K.

Re:I'd love to see a breakdown of the damages

[Jozer99]

Wow! If it took them several hours to fix, I would love to be the IT guy there!

Well now, you had a port open on your firewall, and "pswrd" as as the password for root, so, it took me 1/2 hour to fix, plus 3 1/2 to get through security, so at $50,000 an hour, that will be 200k! I take personal checks...

Re:I'd love to see a breakdown of the damages

[Peden]

"Pretty tough sentence on a CS major" Why does his education have anything to do with the sentence?

Re:I'd love to see a breakdown of the damages

[Oligonicella]

And that will guarantee that you got everything right? To the point of trusting billion dollar vehicles and people? Sure.

Re:I'd love to see a breakdown of the damages

[Oligonicella]

Bullshit. It cost to investigate and fix. Simple as that. Those are damages from an economic view.

Re:I'd love to see a breakdown of the damages

[Oligonicella]

Well now AC jackass. You didn't include the time that the computer was unavailable for processing its data. Not to mention the delay in the task, which delayed the overarching tasks, which delayed the final reports. All of which accrue costs.

But, what to expect from juniors who simply think that systems are a couple of "big" programs hooked together.

Re:I'd love to see a breakdown of the damages

[Timmmm]

And that will guarantee that you got everything right? To the point of trusting billion dollar vehicles and people? Sure.

Unless he had some way of faking md5sums, sure.

Re:I'd love to see a breakdown of the damages

Yes, but NASA patches are made of carbon fiber and kevlar. Do you know how hard it is to make a software patch out of carbon fiber and kevlar?

Re:I'd love to see a breakdown of the damages

[Detritus]

It costs a substantial amount of time and money to take the system off-line, preserve the evidence, attempt to determine what was exploited, format the disk, reinstall the operating system, applications, patches, and restore user data. Then you have to write reports and try to determine if other systems were compromised. All the while, you are not doing your regular job.

Re:I'd love to see a breakdown of the damages

[Twanfox]

The safest and most reliable way to 100% be assured that you have wiped all trace of actions done is to roll back to a prior backup. While yes, Tripwire is a great program and yes, while using it myself I conceed that it does in fact trap file alterations well, I seem to recall there was a story not too long ago about generating two files of the same MD5 hash. If that is even remotely possible, then you cannot trust life and death situations and billions of dollars to a system that can still be compromised just because you didn't want to take the time to roll back the system to a known 'sane' version.

It's just a matter of principle in high value systems. What happens if he replaced the policy and key files for tripwire, masking his trail? What happens if he knew the passphrase to use the local and site keys? Even if you know he could not, it just isn't worth the risk. Either take your time to drill down and dig out the pieces, or take the same time to wipe and reinstall. For my money, I feel more secure about wiping and reinstalling.

Re:I'd love to see a breakdown of the damages

[IO+ERROR]

I get the security holes emailed to me every day and fix them on an ongoing basis. This is a normal course-of-business expense, and charging the expense to someone else is...well...just a little bit gray ethically. NASA should have been fixing their security holes rather than waiting for someone to come along and try to pass the expense off on.

I'm not at all saying the cracker was right to break into NASA's systems. What I am saying is NASA has a responsibility to keep its systems secure, and spend the required $$$ to do so, and they failed. That they failed does not give them the right to charge that expense to the next person to walk through the door.

Re:I'd love to see a breakdown of the damages

[Twanfox]

So would I, it didn't really sound like he did any actual damage, just used some storage space.

This is what he says he was seeking. What he intended to do, or what access he sold off to others may be different. I could tell you all day that I was breaking into your machine in order to fix things. However, I've already committed one illegal act. If I really wanted to make the shuttle go boom, why would I honestly tell you that and get myself into more trouble? I'd make up some story that sounded good at the time to keep myself from going to prison for 15 years, instead of 6 months. See how that works?

As for your 'actual damage' and 'blowing up of damages' statements, consider that it's not necessarily financial cost in the system that he broke into that they count. It's the Technician's time to investigate and repair the system, the cost to NASA of the system being unusable (if it was a core system, and their next launch must be delayed because of the intrusion, that is a valid consideration), and the cost of redeploying a sane image on the system to bring it back online. It's recovery cost and time in a case like this that determines the financial charges.

Re:I'd love to see a breakdown of the damages

[fatboy]

I'm not at all saying the cracker was right to break into NASA's systems. What I am saying is NASA has a responsibility to keep its systems secure, and spend the required $$$ to do so, and they failed.

I/O, This is true, but you must remember at many educational and scientific institutions there are a lot of undocumented machines that sit back in the corners and closets that are not properly patched. This is because the institution does not want to seem fashist about their "computer policies" that could hamper research.

That they failed does not give them the right to charge that expense to the next person to walk through the door.

Pass the expense of patching on to whom? I'm afraid I am not following your logic. (As you know, I am a little dense at times ;) )Can you elaborate?

Re:I'd love to see a breakdown of the damages

[codegen]

While tripwire and radmind may have some utility in protecting system files, it does little to protect data. In a research lab you may be generating large data sets and if the intruder installs a root kit, the modified libc (and other libs that are installed) may have bugs or be incompatible with large simulations that are running (many of which are multi step). Thus the intrusion may in fact compromise serious work that is being done on the machine.

Re:I'd love to see a breakdown of the damages

[Fortun+L'Escrot]

i would agree with this. but imagine if this we're a malicious kid. or some foreign government.

we've all watched CSI: they always make up theories that explain the evidence. if your prints or DNA show up at a crime scene your are implicated. they will take you in, ask you questions until their are satisfied that you were just passing by earlier and had nothing to do with the crime.

what it seems NASA did is ask the kid what he did, he told them what he did and probably how he did it. they didnt need to locate the problem because they know where it is. they just fix and patch it. and the patching is something they should have done as part of their securing-the-system policy regardless of what this kid did. im sorry but the if-it-aint-broke-dont-fix policy is for poor poor poor as in 3rd world poor IT depts.

but nasa didnt stop there: they had to ensure the system was not contaminated. this is where i can understand all those damages. but honestly: this should again have been part of the normal policy. what really scares me is that just normal maintenance seems to cost so much. this looks like an outrageous fixed cost if you ask me.

ok, while verifying your entire system might not be a foolproof method, it works well enough that you could tell if a system was contaminated or not. unless some other cracker piggy backed on this kids work, and then caused some damages nasa could not directly pin on the kid so they fatten the cost. if they had not reason to believe the system was further compromised why does it still cost so much?

i guess if you are a crime scene and even after your investigation has found the murder weapon and the murderer and you have explained all the relevant details every suspect is a suspect and they should be detained right? when your methodology makes you constantly paranoid of your own systems i think there is a problem here. i dont know how but im sure your paranoia will be your downfall.

Re:I'd love to see a breakdown of the damages

[_Sprocket_]

A few years ago, I was sitting in on a meeting for Infosec activities at a NASA Center. One of the first presentations was a rather nicely done outline of recent vulnerabilities and exploits admins should be taking action on. A look around the room saw a vast majority of glazed-over gazes. The next presentation was from our local FBI agent who discussed a recent compromise and the actions being taken to apprehend the perpetrator. The room was alive.

There was much appreciation for the progress being made on the case. Apparently, the FBI had their suspect and were busy building an air-tight case for prosecution. There was a general air of victory. But what many failed to realize was the whole exercise was a signal of defeat. The incident represented potential compromise of data. It involved considerable man hours spent on investigation and recovery of the system. It also represented loss of equipment removed from the budget-strapped lab to support forensics activities.

This represents a couple different problems with the common view of information security at NASA.

It shows a lack of understanding of infosec issues. Instead of approaching infosec as a technical problem, the issue often gets far more attention as a legal / law enforcement issue. This is attitude calls for action after the damage has been done.

It shows a inappropriate focus on funding. All IT budgets are stressed. NASA is no different, and perhapses even more thinly spread than others. That means infosec activities tend to get cut in favor of other IT activities. Yet there is no perceived issue in later spending considerable resources to prosecute each infosec incident.

It may be worth stressing that this meeting happened several years ago. And there have been changes in how NASA, and the US Government in general, now perceive information security. So my observations do not represent an all-inclusive view of infosec at NASA (and those observations are my opinion and not policy of my employers). None the less, these observations are still applicable today.

One side observation to anyone considering taking a stab at *.nasa.gov space. Historical statistics show that you'll find suitable targets and manage to compromise a system. But keep in mind, for the US Government that is just the beginning. The FBI views a case as making progress over several years of investigation and finally prosecution. So the compromise of a system that takes minutes, and the abuse of that system over a period of weeks or months may mean that years later you'll find yourself in court.

Re:I'd love to see a breakdown of the damages

[m50d]

But the fixing was necessary anyway. It's like getting burgled and then trying to claim extra damages from the burglar to buy more secure locks.

Re:I'd love to see a breakdown of the damages

[Firethorn]

If you make a sentence for say, a welder, that includes "no welding", you've just taken away his most salable job skill. This increases the odds that he'll be unemployed, and the chance that the job he will be able to get is a McJob. This should be and probably was taken into account by the judge when he did the sentencing.

I'm not saying that it's an unjust sentence, but then again, I tend to think that sentences should be harsh.

Re:I'd love to see a breakdown of the damages

[helioquake]

200K? Probably all of it. This figure of the punitive damage is drastically underestimated. While this cracking incident was on-going, there were several disruption on front-end routers and switches that goes in and out of Goddard Space Flight Center. In turn this led to disruption of work by researchers and administrators while the problem was being looked at and fixed.

That said, NASA is seeking a punitive damage that is actually payable by the defendant.

-b
ps. I was there while that hacking took place. Not involved in fixing the problem, though.

Re:I'd love to see a breakdown of the damages

[databyss]

not so much because of his education, more so of his future (post jail).

A car theif isn't banned from using cars once he's out of jail. Why? Because a car is an integral part of society (in most places), and nearly required for having a job.

It could be argued that a computer is an integral part of most jobs today. I'm not talking about the extremists claiming that he won't be able to use a watch or VCR or TV or something, but a general purpose PC.

Re:I'd love to see a breakdown of the damages

[nboscia]

$200 seems a little low. Any intrusion requires weeks, if not months, of investigation and forensic work. If the intruder connected to any other system, those need identified, users contacted, and systems "cleaned up" as well. The cost also should reflect if any system or service had to be pulled offline and if projects got delayed due to the incident. There's also the post-intrustion work which includes lessons learned -- implementing new password policies, stricter firewall rules, perhaps new hardware. I'd be more interested to see how much time was spent on this, including the work of security, system administrators, public relations, and all those fun meetings with management. I bet if they included that, it'd be more than $200k.

If these people realized how much effort went into fixing the damage they caused, maybe their conscience would stop them from doing so beforehand.. yeah, who am I fooling.

Re:I'd love to see a breakdown of the damages

[owlstead]

The MD5 hack only works for pre-calculated values. There is no way yet (and unlikely to be found in the near future) that calculates a collistion for a particular hash. So while using SHA-1 or newer is better, it would not make a difference in this case. So tripwire is still safe, unless you compromise it deliberately in advance.

Re:I'd love to see a breakdown of the damages

Can I see a show of hands?

How many people feel alright with idea of consuming Government Cheese?"

Re:I'd love to see a breakdown of the damages

[bckrispi]

To say nothing of the fact that he was sentenced to federal pound-me-in-the-ass prison for a property crime he committed as a juvenile.

Re:I'd love to see a breakdown of the damages

[jschottm]

That, and there's a chance he installed a keylogger and/or fed the password file into a cracker, so now you have to determine which other systems might be tainted as well and do an analysis of each one as well. Not what most IT staff want to spend their weekends doing.

Re:I'd love to see a breakdown of the damages

[Wavicle]

He said he broke in to use storage space. Are you going to take him at face value

Well said. You've got to admit, that is a ridiculous excuse. I suspect the reason his punishment was "harsh" (I personally find it light) was because the judge believed the guy was lying through his teeth.

When we compare the time, cost and risk required to store a movie (typically what? 700-1400MB for divx or 2000-3000MB for dvdr?) on another computer with the time, cost and risk required to store a movie on a $0.10 CD-R - I don't see how anybody would reasonably believe "storage" was anything approaching the truth.

CS majors breaking into government computers are giving the rest of us a really bad public image. We should lobby for harsher sentences for these *ssholes.

Re:I'd love to see a breakdown of the damages

[KUHurdler]

I suspect he wasn't storing them for himself. He was probably trying to make them publicly available on a high bandwidth server.

Wow...

[Flaming_cows]

6 months in prison because he was too cheap to buy a hard drive...

Re:Wow...

im fairly certain he was kidding

Re:Wow...

[mirko]

It should at least have been 6 months of collectivity-related work.
If the guy was technically decent, it's a shame he'd be sent to a federal fuckodrome... :(

Re:Wow...

[Trailwalker]

This isn't funny, its the truth.

"He's going to get to learn," Brown said. "There are other ways to live."

And he will find them.

Re:Wow...

But it's like an anti-virus company hiring a virus writer. How can you be sure he won't crack stuff anymore? This guy's a moron, I wouldn't trust him and I don't think the gov does either.

Re:Wow...

[mirko]

You invented the ISO9xxx certification so that whatever this guys do could be traced if he's an insider... so use it or dump it if you don't trust it.

Re:Wow...

[asdfghjklqwertyuiop]

6 months in prison because he was too cheap to buy a hard drive...

It was the bandwidth he was probably after. He was probably setting up a place to exchange with others.

Re:Wow...

[Sj0]

I was thinking something similar; He wated to keep the stuff he downloaded...so...he...

Put it on another remote server?

If you're going to download something, it seems counterproductive to store it on a remote server.

Re:Wow...

[the+grace+of+R'hllor]

Warez boards make use of 'public FTPs', or directories with write access. Sometimes this write access is acquired through use of bugs or exploits. Then you upload your crap to the public FTP, post the address for people to use, and people will snag it for as long as it lasts.

There's a self-deterioration effect, though, since if *you* can write stuff there, other people can write stuff there too, and they can delete stuff, which is a lot quicker than uploading it.

Re:Wow...

[Detritus]

I had something similar happen to one of my systems at work. They filled it up with porn movies and used the site's large amount of bandwidth to distribute them to lusers all over the world. For months afterward, I could see unsuccessful attempts to download the files in the logs.

Re:Wow...

[matt-fu]

I had that happen on a system of mine. Someone had uploaded site mirrors of ideepthroat.com and suicidegirls.com and posted the URL to a message group. My log size tripled within a week. After taking it down I put up some midget porn in it's place for a week.

Bad movies

[Red+Warrior]

Now if he'd just uploaded LOTR:ROTK instead of Legally Blonde....

Re:Bad movies

[bersl2]

Oh, so he has bad taste in addition to being a frickin' idiot?

Re:Bad movies

[JustinXB]

Chick in skirts vs hobbit: What would you pick?

Re:Bad movies

[bersl2]

If I want to see chicks on my computer, I'll get some pr0n thankyouverymuch.

Great idea

Let's just download some movies. Oh wait, I've run out of space.

LETS HACK NASA!

Step 1: Download movies.
Step 2: ???
Step 3: HACK NASA!

Re:Great idea

[djsmiley]

If you dont mod this up you have gotta be as brain dead as the guy who tried it.

I mean seriously, parent is right. If you really really needed some space that bad, record some damn CDs?

Anyway how fast he manage to upload them? Surely it would of taken a few hours and STILL nasa took how long?

If your gonna hack someone for some space, why not try on a few of these v.cheap web hosting companys, i've heard enough people who tried this and ended up helping out the company, maybe even with jobs. (yes i know its an urban ledgend, but it really happened to my mate and the fucker put MY name on the site he "owned").

Peace out and watch out the whitehouse, some kids need space for their games...

Re:Great idea

[TFGeditor]

But where's the Profit? There's gotta be Profit. You can't have a 3-step program without Profit. Profit makes the world go 'round. We like Profit...oh, wait...

Re:Great idea

[knipknap]

Who has more expierience solving space problems than the NASA?

Re:Great idea

Well, he saved $50, because he didn't have to buy a hard disk.

I haven't RTFA yet, but I bet he isn't really this stupid. Nobody that clever takes the risk to save $50. They do it because it's 133t.

Re:Great idea

Eh, not as long as you'd think.
On average(meaning, not LOTR or anything), a movie is released at about 2 cds. thats 2x700mb
thats about 1400mB, we can assume nasa has atleast a 100mbit link, and so should anyone who can hack nasa.
100mbit = 12mB/s
1400 / 12 = 116 = just under 2 minutes.
Or if those two 100mbits are too far away (which is likely, most good warez ftpsites are outside the US), lets say he fills only 5mB/s, which is about average from what i've seen.
1400 / 5 = 280 =~ 4mins. Still easily hidden.

--someone who'd know. [290d1f9bc7085f7d6948538474b88426]

Re:Great idea

[wik]

Puns aside, don't forget that the Mars Rover had serious space issues on their 32MB flash volume that caused repeated reboots.

Re:Great idea

[myke113]

Isn't this the same organization who has lost 40% of their shuttle fleet, 50% on launch, 50% on landing?

Mmm. No.

[Ligur]

"It would be like clearing a sidewalk full of spectators with a fire hose so you can walk through it," said Assistant U.S. Attorney Greg Nyhus.
More like breaking into a bank vault to store the bicycle you just stole.

Re:Mmm. No.

I would liken it to silently waltzing into a sock warehouse to secretly store your stolen socks.

Re:Mmm. No.

[djdavetrouble]

yeah, yours is better and funnier. He should step down immediately !

****FOR IMMEDIATE RELEASE****

Longtime Slashdot.org member Ligur (453963) has been selected to replace Assistant U.S. Attorneey Greg Nyhus. Nyhus, although promising, proved unable to form relevent analogies in meetings with the press. Ligur, although not formally trained in law (a condition known as IANAL) is highly knowledgeable in general subjects, has excellent karma, and is frequently moderated to +5 funny.

Re:Mmm. No.

Attorneey.

Dear friends. I promise to stop getting high and posting bizarre comments on slashdot.

Re:Mmm. No.

[autocracy]

I work for a fire department. I'd kill for a day when spectators were in my way and refused to move. After all, if you park in front of a fire hydrant, policy's to run the hose THROUGH your car. In a fire lane? We'll use your car as support for the ladder truck's rigging. Don't think it hasn't happened before.

Re:Mmm. No.

note to self. don't taunt firemen.

Re:Mmm. No.

[dhilvert]

'More like breaking into a bank vault to store the bicycle you just stole.'

... or the set of encyclopedias you just copied.

Re:Mmm. No.

[neoform]

on a side note:

"It's not like firing up your Macintosh or your Apple where you push a button and wait six minutes for the thing to boot."

who has a 6 minute load time?! takes about 30 seconds. not even my G3 takes that long to load up OSX..

Re:Mmm. No.

[drsquare]

I work for a fire department. I'd kill for a day when spectators were in my way and refused to move. After all, if you park in front of a fire hydrant, policy's to run the hose THROUGH your car.

Around here, it's policy to throw bricks at firemen.

Makes perfect sense!?!

[AcidPhish]

Lets see...

Here we have a person that is very much talented towards computers, a person who knows a lot and a person who could potentially bring big innovations and discoveries to mankind.

Lets all beat the hell out of him before he unfolds something that should be kept hidden... Or better yet, so he never gets to be anything the 'general' public is...

Is the 'law' still protecting the public or beginning to get in the way of technological advancement?

Re:Makes perfect sense!?!

[Anita+Coney]

Could you please post your address, I'd like to show you how clever I could be at breaking into your house.

Re:Makes perfect sense!?!

[Flaming_cows]

At the risk of stating the obvious; hacking into NASA is not technological advancement. Furthermore, it's 6 months in prison, and some computer restrictions, they're not exactly branding him with a giant forehead stamp that says "DANGEROUS HACKER - DO NOT ASSOCIATE WITH OR HIRE, OSTRACIZE WHEN POSSIBLE".

Re:Makes perfect sense!?!

[La+Gris]

Lets switch the word "computer" to "lockpicking".

Lets see...

"Here we have a person that is very much talented towards lockpicking..."

Does a lockpicker know much how to build efficient locks actualy?

Does a computer security breaker know much how to actualy build secured systems?

Is that much different?

Re:Makes perfect sense!?!

Bull fucking shit...

Each and every one of us has the potential to bring big innovations and discoveries to mankind.

We all make choices. He made the choice to ignore the law. He made the choice to get in the way of potential technological advancement.

While there were no human damage involved, what if you had a great scientist. He is working on AIDS research...has a theory that can only be plied upon folks by killing a few to test the theory. He does this. Should he be thrown in jail the rest of his life or should we allow him to fulfill his potential and stay out of the way of technological advancement?

Again, not comparable in terms of human suffering, but it follows the logical conclusion that if one is acceptable, the other should be as well.

All in all, life would be so much easier if we weren't constrained to follow laws, or if maybe some of us that are smarter and better than others can perchance ignore these laws because we might effect the future.

Again I say, Bull fucking shit. You sir are an idiot.

Re:Makes perfect sense!?!

That is precisely what the "Have you been convicted of one or more felonies" portion of the job application is about. The big thing he's got going for him is that he was 17 at the time and might be able to explain things away somewhat, but he won't even have the opportunity to find a job that matches his livelihood for three years -- and then his skills will be stale when he can.

"There are other ways to live", indeed. He's already had three or four years for the enormity of his crime to sink in, and now a few more of his career-making years will be pissed away flipping burgers for a lesson he probably already learned at 17. This is not to the greater good, in my opinion.

Re:Makes perfect sense!?!

20 years later, and I still agree.

Law is not just about punishment, but mercy, and reform. A society that is not gentle has already started to not exist.

There are a long line of legal principles that fully agree with what I am saying, including making the punishment fit the crime, and asking what real damages were done, and who was the victim. In this case, considering NASA isn't even a person, but an organization owned by the people, where is the victim?

Yes, I expect to see posts that will disagree. I have no sympathy anymore. Day after day, year after year, the elite in the government or media get away with crimes known to be crimes, and these same posters never say a word. A kid jaywalks, and its a life sentence. There seems to be a purpose here, somehow walking hand in hand with fascism, where the same "law and order crowd" or whatever badge they wear in whatever crowd they appear, are partial and biased, and will never go with any energy or zeal after an elite, but a grandma they will.

Let these posters go after some of our known crimes by major elite groups, such as the pedophile scandal which has been criminally covered up by the Roman Catholic church and involve thousands of priests. THEN they can start talking about lesser matters.

Re:Makes perfect sense!?!

[jacksonj04]

Generally speaking, yes and yes. You can't pick locks without knowing how they work (it's not a matter of sticking a bent paperclip in and wiggling it around - trust me).

Likewise, you can't hack a computer as easily as you can in films. "login root" doesn't work in real life, but if you know how the security works then you can find a way around it, or patch the holes.

Re:Makes perfect sense!?!

[Oligonicella]

THIS bullshit is insightful???

Perhaps thinking before committing one of those felonies would have done him some good.

Seventeen is plenty old enough to know good and goddamn well that what he thought of, planned, and executed was fucking illegal. If he didn't, then I sure's hell don't want him further educated in his abilities.

He and only he pissed away his career-making years. Tuff shit.

Re:Makes perfect sense!?!

[Oligonicella]

"yes and yes"

Bzzzt! Wrongo. What he said was...
"Does a lockpicker know much how to build efficient locks actualy?

Does a computer security breaker know much how to actualy build secured systems?

Building that effecient lock and secured system is about designing same, not about assembling components, ala Tinker Toy.

Also, you can buy books on how to pick locks and find bookoo info on exploiting security holes. Your straw just burnt up.

Re:Makes perfect sense!?!

[Oligonicella]

"Day after day, year after year, the elite in the government or media get away with crimes known to be crimes, and these same posters never say a word. "

Must be your first time on /.

Re:Makes perfect sense!?!

[PhoenixFlare]

Here we have a person that is very much talented towards computers, a person who knows a lot and a person who could potentially bring big innovations and discoveries to mankind.

No, here we have a first-class idiot that felt breaking into a NASA system to illegally use their storage space (likely to set up a public FTP full of pirated movies) was preferable to something semi-sane like buying another hard drive or server.

I guarantee you there's plenty of law-abiding people out there that vastly outclass this kid in terms of bringing "big innovations and discoveries to mankind."

Lets all beat the hell out of him before he unfolds something that should be kept hidden... Or better yet, so he never gets to be anything the 'general' public is...

What does breaking into a government system to store pirated movies have to do with what you're insinuating?

Is the 'law' still protecting the public or beginning to get in the way of technological advancement?

People manage to find, report, and fix security holes without unlawfully breaking into government computer systems. Imagine that, eh?

Not to mention the fact that, yet again, he wasn't trying to expose security holes, he was trying to save money by storing pirated movies on someone else's space.

Re:Makes perfect sense!?!

Here we have a person that is very much talented towards computers, a person who knows a lot and a person who could potentially bring big innovations and discoveries to mankind.

Here we also have a person with no judgement skills at all. Only on Slashdot do people seem to believe that shear brains and/or computer skills are the be all and the end all. To bring important discoveries to mankind, you need some kind of long term vision, or at least appreciation for the consequences of your invention. The same appreciation that would presumably tell you breaking into NASA to store your pirated movies is a horrible idea.

If this guy can't even see that pulling these stunts is very likely to result in prison time, do you really think there's any hope of him seeing that a b or c would have great benefits for mankind?

Re:Makes perfect sense!?!

Your post makes absolutely no sense at all. Seriously.

Re:Makes perfect sense!?!

[jfonseca]

Bits and bites are replaceable. Your front door isn't. In this type of situation it is NASA that should be punished, and this kid given community service for showing NASA that Al Qaida could have been using this for who knows how long unnoticed. You can't use real-world reasoning for digital crimes. Digitally robbing something does not take it away from the owner, it is a copyright and intellectual property issue, not a regular crime. I posted below : if this kid got porno into these NASA servers just imagine what Al Qaida could have been doing....

Re:Makes perfect sense!?!

[Caiwyn]

"Here we have a person that is very much talented towards computers, a person who knows a lot and a person who could potentially bring big innovations and discoveries to mankind."

Yeah. And someone who wasted that talent on downloading movies and breaking into NASA computer systems.

Do you have any sense of proportion, at all?

Re:Makes perfect sense!?!

You could also take a person who is very talented with chemicals, and who could also potentially bring big innovations to mankind.

He steals chemicals and made a small bomb to blow up a car in a parking lot.

Less people would fend for Mr Chemical genius

Re:Makes perfect sense!?!

[westlake]

Digitally robbing something does not take it away from the owner, it is a copyright and intellectual property issue, not a regular crime.

If the laws defines you actions as a felony or misdemeanor, you do the time, just as you would for any other crime.

Re:Makes perfect sense!?!

[devnull17]

That's retarded. Does it look bad for NASA? Definitely. But does that absolve the kid of what he did? Absolutely not. You can't even make the case that he was just trying to expose a vulnerability, because he didn't try to contact them about it. It was for personal gain, plain and simple.

I consider myself to be pretty skilled with computers, and I don't doubt that I could probably break into systems like this if I tried. Of course, I could also probably successfully conduct a bank robbery if I tried. The point is that I don't do either, because it's illegal and I'm aware that there are serious consequences.

Also, the line that some people tend to draw between the real world and the digital world is not as thick or as clear-cut as you seem to think. The technician that had to clean up the mess was being paid with--guess--that's right, real tax money. My money, and probably yours, too. Not to mention the fact that every time NASA launches a shuttle, peoples' lives are at stake. And if you think that innocuous, seemingly unrelated incidents can't cause serious system-wide problems, then you obviously haven't done much debugging.

What the kid did was wrong. You know it. I know it. And in this case, I think that the punishment is quite adequate. In six months, he can get out and get on with his life. In the meantime, perhaps it will deter someone equally foolish from making the same mistake.

Re:Makes perfect sense!?!

[lowe0]

Or perhaps we could send a message to other bright, talented individuals that the rest of the world's computers are not their own personal scratch disks.

Besides, just because the guy can exploit a few security holes doesn't make him Albert Fucking Einstein. He's not a genius or a hero; he's just a guy who doesn't understand the idea that you don't just help yourself to others' property because you don't want to pay for it yourself. I mean, he stole storage, for God's sake - yeah, not like you can't get that off the shelf at any fucking CompUSA in the country.

Re:Makes perfect sense!?!

[Gopal.V]

IANALP (*cough*) , but I guess a lock pick expert would know what other lock pickers can easily pick ?.

I am a part-time sysadmin at office and I'm pretty much the best cracker around as well. I therfore know how another cracker would go about breaking in and can take pre-emptive measures. I also know how vulnerable/unsafe these things are , so I take special steps for physical security and access to the box.

It takes a computer security breaker to "ensure" that the system is unbreakable to his talents. He's a unit test case ..

Re:Makes perfect sense!?!

[SurgeonGeneral]

This is not to the greater good, in my opinion.

Contrary to what people might think, lawyers have long ago decided that the purpose of law is not for the greater good. That is properly the realm of politics. The head counters in office create the laws, and lawyers interpret and apply them.

It falls to the legal community to maintain the rights of all and determine when conduct falls outside the sphere of protected liberty and causes harm to someone else. The boy committed an offense, and to give him any less of a punishment than any other person in a similar case recieved would not only be an offence to all those people, but would fly in the face of the fundemental principles of liberal democracy, namely EQUALITY BEFORE THE LAW.

crackers

"It took hours for technicians to find the problem, fix it and patch the system's security holes'"

That's so obviously the cracker's fault...

Re:crackers

[CK2004PA]

Yes it is his fault. Just like the guy who finds a way to disable home or car alarms, break in and steal stuff. Are you kidding me? You side with a criminal because the lock on some window wasn't good enough to stop a crowbar forced entry ? 6 monthes isn't enough, this caused far more damage than armed robbery and cost taxpayers more money than grand theft auto. I'd like to see what you think after someone commits a crime against you or a family member...we'll see you throw your "protect poor criminals because their cool" argument out the window. Hackers are losers who can't get chicks. Guys that protect us against hackers and clean up their mess, have chicks, thats why they need steady jobs. Moral of the story ? Get a girlfriend, loser.

Re:crackers

Honsetly is that is the most stupid thing I have ever heard. Wtf does having a gf have to do with anything? I really hope you do not post often.

Re:crackers

[Firethorn]

You side with a criminal because the lock on some window wasn't good enough to stop a crowbar forced entry?

What we're objecting to is the idea that part of the "damages" this thief is being charged with would be the installation of bars in the windows afterwords.

Sure, charge him for actual damages, such as cleanup & verification. But charging him for patching the holes?

Re:crackers

[CK2004PA]

No their charging him for re-formatting the drive and restoring from backup. This task is a must after a break-in on a government computer with possible national security data on it. So yes it is "clean up".

This is a good thing

[lorcha]

He was a cracker. He cracked and abused a system. He was convicted, and was given a reasonable and appropriate punishment.

This is how the system is supposed to work.

Re:This is a good thing

[bagel2ooo]

Can we find something more appropriate? The whole thing of having to come up with new labels for things just because they are online is silly and pointless. Is there not something like a vandal or other thing that is a stronger definitive that we can use for people who do this?

Re:This is a good thing

I thought the "system" was suppose to be by, for, and of the people. Isn't he people?

Re:This is a good thing

Yes, it would be a misdemenor tresspassing charge, with the curious additional charge that it occured on public property.

Re:This is a good thing

You think getting f**ked in the a** is reasonable punishment for hacking an insecure system? Whats the worst thing you ever did?

Re:This is a good thing

[downbad]

How is hacking a "secure" system any worse (or better)? This guy knew what he was getting himself into as soon as began to nmap NASA's IP range.

Re:This is a good thing

[jfonseca]

Yeah, you're right. Maybe he should have sold the secret to Bin Laden for 1 million bucks instead of showing NASA the secret.

Shame on NASA, they're the only ones to blame here. You know the US gov has a big problem admitting its own mistakes in the past 4.x years.....

Re:This is a good thing

[Frogbert]

A prison sentence? Why? He didn't pose any physical risk to society. Its not like people would likely be hurt should he remain on the streets with a hefty fine.

How was it exploited?

[Arkaic]

I'm curious about what kind of system he broke into and what the security hole was..... Dear God - Please tell me it wasn't a MS Windows system.

Hacking Vs Cracking

[Archon-X]

The age old terminology debate.
Cracking == bypassing software protection
Hacking == Bypassing server protection

Re:Hacking Vs Cracking

[MikeyVB]

Oh boy, this one again!

I disagree.

Cracking == Breaking or "cracking" any type of computer security, weather it be software or a server.

Hacking == Programing.

Re:Hacking Vs Cracking

[Flaming_cows]

Actually, that's not it at all. According to 'purists', hacking is a term used to denote someone who programs (e.g. hacking code is programming) whereas cracking is breaking into a system with malicious intent, although the term hacker has been demonized by the media and government (e.g. Kevin Mitnick's story).

Re:Hacking Vs Cracking

Cracking == Breaking or "cracking" any type of computer security, weather it be software or a server. Hacking == Programing. The double equals is a boolean operator, not a sign of equivalence.

Re:Hacking Vs Cracking

[The+Only+Druid]

That's nice, but as my last post (in a diff thread) mentioned, the REST of the world besides slashdot just says "hacker" means "computer criminal". Everyone needs to accept that only a tiny fraction of a percent of the world-wide population of english-speakers acknowledges any distinction between hacker/cracker. Its a dead distinction.

Re:Hacking Vs Cracking

[Archon-X]

Sure, but that's kinda archaeic.
If you're looking at the current 'scene', cracking is software, and hacking is online.

Some people love to use these terms in their original definition, and I'd say that they're quite welcome to - have a gay time!

Re:Hacking Vs Cracking

http://www.google.com/search?q=define%3Ahacker Whether you like it or not, the definition is what counts.

Re:Hacking Vs Cracking

[nkh]

But I don't care about the rest of the world. Even my teachers say "let's hack something to show you how this algorithm works". I don't need the rest of the world to spoon-feed me (remember this same rest of the world uses words like lol or a/s/l or even weather instead of whether, do you want to be like them?)

Re:Hacking Vs Cracking

[Archon-X]

Sure, I agree.
If you read those definitions, there are as many supporting ones as there are opposing ones. I guess it's more a case of the context, then.

Re:Hacking Vs Cracking

[The+Only+Druid]

Uh, no, the same world doesn't make those mistakes. I'm talking about the 99.9% of the english SPEAKING population of the world. I'm not even talking about their spelling skills, or anything they're doing online. I'm talking about their english lexicon: almost no one on the planet makes the distinction, which means its just a bit of jargon relative at best to one technical field. People in that field shouldn't expect the broad english-speaking world to use all their jargon. No other field has that same expectation.

Re:Hacking Vs Cracking

The double equals is a boolean operator, not a sign of equivalence.

Depends what language you're talking about. Single equals is an assignment operator, double equals is a comparison in some. Languages like Visual Basic just overload a single equals sign to do both.

Re:Hacking Vs Cracking

[WhatAmIDoingHere]

One guy around here, I don't remember his name, calls himself a "White Hat Code Wizard" to get around the Hack/Crack thing.

Re:Hacking Vs Cracking

[the_2nd_coming]

languages like VB are bastards and people who think they are programmers because they can use VB are idiots.

Re:Hacking Vs Cracking

And pasty white geeks such as yourself are still virgins even though you've polished the bishop to Jessica Simpson latest poster.

Re:Hacking Vs Cracking

Thank you. That is the age old terminology.

The hacker/cracker distinction championed by slashbots is a neology from the mid to late nineties.

Re:Hacking Vs Cracking

The age old response from the wider public, who simply don't care:

Hacker==person who fiddles with computers
Cracker==thing eaten with dip

Re:Hacking Vs Cracking

[RobinH]

languages like VB are bastards and people who think they are programmers because they can use VB are idiots.

...and companies who write quick user interfaces in C because it's 1337 usually don't stay in business past year 1. Use the right tool for the job.

If the customer wants a program that collects a couple choices from the user on his desktop machine, writes it to a file and FTPs it off to some central server, I use VB. If they want a server program that processes 3000 100k files every hour, and might process more in the future, I use C.

If I want to do some offline batch processing of files to sort out some useable information, I use Perl.

If I'm programming a machine, I use ladder logic for manual mode operations and alarming, or flowcharts for sequence, or function block diagrams for data flow. Then I drop into structured text to parse the data at the string level.

Don't be the guy who only has a hammer and thinks all problems are a nail.

Re:Hacking Vs Cracking

[dustinc20]

I'm going to agree, hacking does not mean anything close to just a programmer. Programmer = programmer. Hacking and cracking are two different things, but hacking is NOT programming.

"I'm not a nerd! I'm a HACKER!"
"No, you're a programmer. Nerd."

Re:Hacking Vs Cracking

[the_2nd_coming]

just because I do not soil my self by using VB does not mean I only have one tool in my belt.

there are other RAD tools that you can use for UIs. why not use them?

Re:Hacking Vs Cracking

clueless????

cracking == gaining access....

hacking = creating or modifying software and hardware.

script-kiddie = all these idiots that get cought, Kevin Mitnick for example.

ankle-biter = people like you , trying to look cool to others by talking about things that they really have no knowlege about.

please go rent your favorite movie "hackers" and leave the rest of us big buys alone.

Re:Hacking Vs Cracking

[ScrewMaster]

"Wrenches made out of anything but vanadium alloy are bastards, and people that think they're mechanics because they use wrenches made out of steel are idiots."

Do you use C#? Welcome to the world of VB, you pompous ass. Languages are tools, no more and no less, and part of being a good tool-using ex-primate is to know how to select the right tool for the job. I've seen C++ jocks spend a couple of weeks writing a GUI that could have been done in an hour in Visual BASIC, loudly proclaiming that VB "isn't really a programming language" and in complete denial all the way ... and yet you call all VB programmers "idiots". Amazing.

True programmers grow up and get past language bigotry early on. Something you'll learn eventually, after you get canned for inefficiency trying to pound that round peg into that square hole a few too many times.

Re:Hacking Vs Cracking

Where does hacking hardware fit in your alternate universe? (Kids, can't teach 'em nothing. All you can do is give 'em pre-cooked scripts.)

Re:Hacking Vs Cracking

+1

Re:Hacking Vs Cracking

[nondeterminism]

I was always told cracking was "criminal hacking"... kinda rolls off the tongue even if it isn't true.

Re:Hacking Vs Cracking

Totally. In fact, mnenomic languages like assembly and high-level languages like C and C++ are also bastards and people who think they are programmers because they can use an assembler or a compiler are idiots.

Programming isn't about using high-level tools to ease the repetition. It's about memorizing two hundred hex opcodes and being able to convert decimal to binary in your head.

Re:Hacking Vs Cracking

[RobinH]

Because the customer's standard is .Net, and C# is an abomination.

Put these morons to use

[Timesprout]

NASA should be allowed use these idiots in their experiments. I'm thinking 'Effects on subject A when parachutes fail to deploy on capsule dropped from 50,000 feet' or 'Impact determination of Subject A foolishly slashing open his space suit in LEO" sort of stuff.

NASA could get valuable data, some small furry woonland creatures would be saved this fate and the world would have a few idiots less. Win all round scenario.

Re:Put these morons to use

We could just make him President.... Naw, better to wait until after the head trauma.

Did you ever think you'd see the day where the conservative icon that played second fiddle to a monkey would like the intellectual?

Policing our own

[TFGeditor]

Tacit approval of this sort of thing (cracking) paints us all with the same unsavory brush. If we do not start policing our own, the "geek/nerd" stigma will deepen. We are professionals, let's act like it.

Re:Policing our own

Slashdot, Professional?

LOL!

Re:Policing our own

[Grey_14]

Stigma? I dont know about you, but I'm proud to be labelled a geek or nerd, and to take all that comes with that title.

Re:Policing our own

[back_pages]

Tacit approval of this sort of thing (cracking) paints us all with the same unsavory brush. If we do not start policing our own, the "geek/nerd" stigma will deepen. We are professionals, let's act like it.

Right, but I see you have a UID in the seven hundred thousands. You're new here! You see, you are absolutely correct - if we are professionals, then we should act like professionals. Unfortunately, the parent post is more correct - with the direction Slashdot has been going lately, I'm surprised that this wasn't posted under YRO.

Re:Policing our own

[Simonetta]

This young naïve fool should have just stood up and told the judge that he was working on a special secret project for national security and that he couldn't say any more about it.

Since the prosecuter wouldn't be able to prove him wrong, he would have gotten off and had the case dismissed.

Should this happen to you, I suggest that you try it. You have nothing to lose and every reason to believe that you can get away with it.

Re:Policing our own

[westlake]

You have nothing to lose and every reason to believe that you can get away with it.

Not a chance. The burden on the prosecution is proof beyond a reasonable doubt, you do not escape conviction by going into court with a defense that is laughably implausible.

Re:Policing our own

[SurgeonGeneral]

Actually, the judge directs the jury as to the posible defences that one might have with regard to the charge. A defence might be consent - NASA consented to the intrusion. There is the defense of lawful authority, however unfortunately for the original poster, the legal system DOES require proof. If you presented this as the only reason for your actions without proof, the jury would be instructed to ignore it and you would be left with no defense at all. An automatic finding of "guilty" would ensue.

Re:Policing our own

[Ahman_Ra]

isn't this purgery? And something funny to me, only 16 months for breaking into NASA? We have someone here in st. louis area that just got 9 years for getting into Lowes. Lowes the new home for undercover government issues now?

Maybe he hadnt checked pricewatch recently

[aardwolf204]

With hard disk space nearing $0.50 / gigabyte why on earth would you crack into NASA computers to store you movies?

Re:Maybe he hadnt checked pricewatch recently

Maybe because you don't want to have to download the X gigs of movies over your slow pipe, so you need some place with a fat pipe to store them online?

Re:Maybe he hadnt checked pricewatch recently

[saider]

Because this happened 4 years ago when a typical hard drive could only store a dozen movies or so. And a 17 year old is unlikely to be able to afford a large drive (I don't know if he was working or not).

Re:Maybe he hadnt checked pricewatch recently

What is a slow pipe to you? Nowadays with an average DSL connection, I can download a DivX movie in real time! You can almost watch it while you pump it, why would you need it faster?

Re:Maybe he hadnt checked pricewatch recently

Fast to me (and i'm not the original poster) is 100mbit. Acceptable is 45mbit. Slow is 10mbit.
You don't store them to watch them, you store them to trade them. You have to upload to get download credits, and if you can only upload at a whimpy .3mbit residential, you'll get about half a file before everyone else joins the race and finishes the rest.

Also, disk space isnt that cheap. Figure about $500 for a good raid card, * 5 250gig disks at $150 each.. I doubt that 17 year old has $1250 to blow on hardware he'd lose in a bust anyways. I know I don't.

Re:Maybe he hadnt checked pricewatch recently

[the_2nd_coming]

awww.pooor 17 year old kid......

please. the kid was not looking for hard drive space.

Re:Maybe he hadnt checked pricewatch recently

[BlainTheTrain]

Not that I condone his actions, but he did this 4 years ago when he was 17 years old. I bet he could not afford an extra drive - I know when I was 17, I couldn't afford a drive big enough to play all the games I wanted to. Just my .02.

Re:With the direction Slashdot has been going late

[kngthdn]

That's not offtopic, that's just funny...

Tip to future crackers...

[Anita+Coney]

...who need hard drive space. Hard drives are VERY cheap nowadays! My god. How many movies did this guy have?!

Re:Tip to future crackers...

Tip to future Anita Coney posters:

RTFA. This happened in 2001. NewEgg's pricing may have been different then.

Hacking NASA as simple as downloading a movie onli

[after]

..ne

I just think it's kind of wierd that NASA was hacked, in a way that makes it seem so simple to do. Like this is what happends when hackers need computer space -- they hack a government server.

I just think it makes "Hacking NASA" the thing that's "In" for hackers.

Just my .$95

How about...

"More like breaking into the observatory to store the bicycle you just stole."

Huh?

[Pheonix5000]

"It's not like firing up your Macintosh or your Apple where you push a button and wait six minutes for the thing to boot."

He must be talking about Windows ;)

Re:Huh?

[ejohnsty]

Yeah, I really loved that one...

Re:6 Month Sentence for NASA Cracker

[Nicholas+Evans]

I do. With real world breaking and entering, you don't need to bring down a mission-critical server to reimage the driver for to ensure security. You just change the locks.

This isn't the place for this.

[Lord+Kano]

What does this have to do with nerds? Nothing. It doesn't belong here.

LK

Re:This isn't the place for this.

How does your post meet that qualification? It does not. That makes you a hypocrite.

I don't know

[ElMiguel]

A prison sentence seems a bit excessive for what he did.

Re:I don't know

[nkh]

We want this "friendly geek" out of prison while we demand that spammers are put behind bars? This doesn't make sense...

Re:I don't know

[m50d]

Spammers cause me a lot more unhappiness than losing a bit, or even all of, my hard drive space would.

Well it's not exactly new....

I well remember the days of downloading pr0n off of illegitimate ftp servers setup, on you guessed it, NASA computers. This was back in the day when 3 GB was a fantastic amount of data. And why yes it was busty asian pr0n.

Re:Well it's not exactly new....

[Lord+Kano]

And why yes it was busty asian pr0n.

Like pennies from heaven.

LK

In space nobody can ...

.. hear you take it up the arse in prison.

Oh the irony, he runs out of "SPACE" and therefore has to hack NASA. oh dear.

NASA sure has "SPACE"

What a loon.

Re:In space nobody can ...

[the_2nd_coming]

a 6 month sentence will likely be done in a minimum security prison since it is less than 3 years.

Re:In space nobody can ...

[downbad]

not to mention that it'll be a federal prison, which is a walk in the park.

Re:In space nobody can ...

[the_2nd_coming]

umm... federal prisons are better maintained, but they are hardly walks in the park. go visit one and tell me that you would love to be locked up in one of those places.

Re:6 Month Sentence for NASA Cracker

[Vellmont]

Yah, that's probbably pretty accurate. His sentence seems to be within the federal sentencing guidelines for criminal trespass. Check it out here
The sentence seems a bit much considering the intent of the crime (stupid attempt at finding DL/UL site), but not really unduly harsh.

Yes, your honor ...

[dhilvert]

... after the accused stole my $3.59 flowerpot, I had to spend hundreds of dollars putting locks on all of my doors.

Re:Yes, your honor ...

No. Your honor, what really happened was the criminal broke down my door walked around. went through my undie drawer, left a floater in my bathroom and ate my snackie smores in the fridge.

Nice

[jmcharry]

Break into one government computer, go to jail. Break into tens of thousands of personal computers, ....

Re:Nice

Break into tens of thousands of personal computers and start botnets to terrorize non-profit irc networks... but that's a personal beef, being an IRC Admin myself.

Re:Nice

He broke into NASA. Its not like he broke into some other governmental department. Nasa does really cool things like satelites and rovers on Mars. If he had broken into the president's computer he probably would have helped by running a spell checker while he was at it, but NASA IS COOL for us geeks and nerds.

That is why he should be punished. ;)

Re:Nice

[theTerribleRobbo]

... run successful spyware company.

Restricted access to computers -- has to change

[ckedge]

.
Herns was ordered to pay restitution for the damage he caused and will have limited access to computers for the next three years. After the judge outlined the terms of Herns' restricted computer use, Levine pointed out how hard those conditions will be for a man who does everything online, including paying his bills.

"He's going to get to learn," Brown said. "There are other ways to live."

The Canadian government has declared internet connectivity to be (I forget the exact term) a "necessity" or something.

If you rob a bank, do they forbid you from walking into any type of business establishment for the entire duration of your parole? No! It would be idiotic - everyone needs a bank account or groceries in today's society, and there are already tons of other perfectly good laws to deal with the individual should they commit a crime in a bank or other "place of business" again.

If you commit a traffic violation, do they forbid you from getting into any vehicle on any road? No! They might prevent you from driving, but they still let you get in as a passenger in other people's vehicles or take the bus.

Judges are going to eventually have to stop throwing out blanket "computer bans" as minor parole conditions - and realize that they have to handle it differently. PCs may/can be the basis of entire home entertainment centers, your library, your photo album, your telephone, etc etc.

What they should do (and what would be more effective) is to ban the user from say spending more than 30 minutes at a time on a PC, or making an IP connection to a class of third parties, or posessing any tools or software that could be used for illicit purposes - and then have the parole officers make unannounced audits and/or taps.

This goes along the lines of what kind of an effect would it have on you and your life if the police seized your computer in the midst of an investigation (not even an investigation into you, say your webcam caught some images of a crime). My PC is all of the things I listed above and more. And remember, saying "make backups" doesn't cut it, they always take your backups too and withholding those could get you in even worse trouble.

To put it another way - the police need to develop methods that don't "deny you use of your entire house just to check the window for fingerprints".

If they want to ghost the drive and look at the inside of the system before they leave, that's fine. But taking the entire thing for an indefinite period - unacceptable. (I'm talking about when I'm not the suspected murder or something :| )

Re:Restricted access to computers -- has to change

[codegen]

If you commit a traffic violation, do they forbid you from getting into any vehicle on any road? No! They might prevent you from driving, but they still let you get in as a passenger in other people's vehicles or take the bus.

Your analogy about cars is not even close. The ban does not stop someone else from using a computer on his behalf. He can go to the bank to pay his bills, and the bank teller will use a computer to pay the bills. Or he can use phone banking. You don't need a computer to live a full and active life. My mother and father do just fine thank you.

Judges are going to eventually have to stop throwing out blanket "computer bans" as minor parole conditions - and realize that they have to handle it differently. PCs may/can be the basis of entire home entertainment centers, your library, your photo album, your telephone, etc etc.

I think it is entirely appropriate. When you break the systems for others, the system should be broken for you. The punishment is much better than jail time and makes the point much better. Having been on the other side a breakin, it is not a lot of fun. Instead you often have no idea what is compromised. How much has to be reinstalled? Are any of the data files compromised? Compare them against backups? Have any of the files that have changed since the last backup been compromised? What happens if the system was compromised just before the last backup? Did that backup overwrite a previous backup and as a result you have no backup of the compromised data files? Has the system been used to break into another system? Is this the only one broken into, or are other system compromised?

Personally, I would be tempted to lock him up and throw away the key. But 3 years without significant computer access may be more effective and not as expensive as incarceration in a federal pen. Particularly since the lame excuse is that he was looking for storage for movies he had downloaded. Which means he would have to download them again from Goddard. Wouldn't it be more effective to download them again from the same place he got them in the first place? Or burn them to a DVD-R?

Re:Restricted access to computers -- has to change

[Lawrence_Bird]

IANAL, but if you do an armed robbery, you are unlikely to
be allowed to get a gun permit;

As you said, you might lose driving privledges under certain
circumstances. analogus to losing computer use. Unlike
your example of riding a bus, there is no practical way to
have somebody else do your driving on the PC for you.

A lot of damage can be done in 10 minutes, let alone 30.

What judges must determine is the intent. Was the hacker
intending to be malicious or intending to use a system not
his own for the commission of a crime? The case of
accidental 'breakage' should be treated differently, but
not given a get out of jail free card.

Personally I think the best 'sentence' for these type of
offenders is to be assigned to a domestic, non-combat job
for one of the military agencies. Restricted to base with
room and board provided but at least the tax payer gets
something of benefit out of it and maybe the offender will
learn some responsibility.

Re:Restricted access to computers -- has to change

[JustinXB]

The Canadian government has declared internet connectivity to be (I forget the exact term) a "necessity" or something.

The thing about that is no one cares about Canada, you damn hippie.

Re:Restricted access to computers -- has to change

[ChrisMaple]

or posessing any tools or software that could be used for illicit purposes

Such as a compiler?

Re:Restricted access to computers -- has to change

Hacking is a federal crime. It's not judged by the same juducial entity. There are federal prisons and civil ones.

Driving under the influence will get you a civil offense, and you can lose your right to drive. Stealing a bank is a federal offense but you can't be restricted from using one.

The fact that the hackers have restricted computer access just shows that skilled hackers are hard to stop, the easiest way is to take away their tools, the hard way would be to make secure gateways.

All in all, it's pretty obvious that this guy is lying on the reason of his crime. My guess is that he just did it to see if he could.

Re:Restricted access to computers -- has to change

Take away his computers and force him to use a webtv type setup through AOL. Use a .net/java setup with everything on the government server and the only thing needed by the unit is the ability to dial a phone, and connect to a specified system with it's OS in PROM. Nothing is stored on the local system and there isn't a possibility of storing stuff unless you use a USB memory stick.

Hell AOL would love to have such a government contract to provide the dialup connectivity for this setup because they'd then be able to expand on their offerings. How about it AOL?

Viewing the movies

OK, so you upload movies to NASA. Now what do you do when you want to view them? You're not going to stream a high-quality video over the Internet. You need to spend several hours downloading each one. Why not just download it from the first place you got it from?

Re:confirmed: I just shat myself

Damn man, you're working on a Sunday?

This just doesn't make sense

[WidescreenFreak]

I don't buy for a second that he was doing it to find space for movies. It just makes no sense at all.

Let's assume for a moment that all of his movies were DivX-encoded at 650 MB each, just for the sake of argument.

* Hard drives four years ago were still relatively inexpensive. By working at McDonald's part-time for three weeks or so he could have had a new hard drive.

* Even if he had so many movies that he required an additional hard drive, why could these movies not have been burned to CD-R instead? CD writers were available for less than $100 and CD-Rs could have been found for less than 50 cents a piece. He could have had virtually unlimited space as long as he purchased a new spindle now and then. (See afformentioned McDonald's reference.)

* Most importantly, what did he expect to do with those movies? Unless he had a T3 or something equivalent to his house, he would have had to wait hours to both upload for storage and download to view. I've had 1.5 Mb/sec DSL for four years, so I know that it would have been feasible back then, but it still would have been far less effort to burn them to CD-R. And at least then they would have been portable, far more so than a hard drive.

* Assuming 1.5 Mb/sec broadband, it would have taken almost an hour just to download one movie. So, he would have taken an hour to download, an hour to upload (at the VERY least since most broadband companies don't use the same upload/download speed), and another hour to download when he wants to watch it? Was he planning on installing a streaming media server as well?

* Why NASA? Why not find some schlep on his ISP who wasn't running a firewall, had lots of space, and store the data there? A Joe-Clueless-User would have been far less able to determine who was storing data on his system than NASA.

I'm sorry, but I just dont buy the "he was looking for computer space to store movies he'd downloaded" line. It makes absolutely no sense whatsoever. Sounds more to me like he was doing something nefarious and was hiding it or he was just looking for ego points and got nabbed in the process.

Re:This just doesn't make sense

[Grey_14]

Ok, Lesse here....

*Hard Drives Are Cheap* - Sure, but so are most University Students,

*Burning to CD-R* - No, Means the movies are inaccessable from anywhere else, CD-R's rot, and you are assuming they are 650MB DivX's, what if they were not? What if, (God forbid) he wanted a little quality in his movies?

*What to do with them?* You get a little confusing here, and are mixing points, (Connection speed vs portability), Whats more portable than a server online? with basically assured 24/7 uptime?, As well, assuming he's getting these movies still, and they are not JUST things he has, there are warez sites/irc groups with T3's out there.

*Why Nasa? Why not Joe Schmoe?* Because Joe Schmoe is slower, and likely to get taken out by a virus any given day of the week,

And yeah, I admit, He made a stupid choice going with nasa, he would have been better to take on a web hosting company or something, even a university, NASA is a little too high profile, so I'd say he was going for ego points.

Re:This just doesn't make sense

He made a stupid choice going with nasa, he would have been better to take on a web hosting company or something, even a university, NASA is a little too high profile, so I'd say he was going for ego points.

WTF, are you actually suggesting that he's a fool for choosing the wrong target as opposed to breaking into a third party's systems and causing untold damage?
He's a fool for breaking the law, pure and simple, whether it's NASA or not. The fact that it's NASA only makes him reckless as well as foolish

Re:This just doesn't make sense

[ZorbaTHut]

No, it makes sense.

What he was doing wasn't just storing movies. It was storing movies in a place where others could download them. Having movies gives you points, but having movies on a really big internet connection and letting lots of other people download them gives you major points. Especially if you set it up as a trade system, so you *get* lots of movies and such at the same time.

NASA (like most companies) has lots of space on a big internet connection. There ya go.

Re:This just doesn't make sense

Oh boy, ./ not just for nerds anymore.

He was probably a 'scanner' for some IRC channel. You scan an IP-range for known exploits and if you find a vulnerable host set up an fserve to serve files in the channel. That's a widely auomated process with scripts.

And he did all this to get priviledged access to other fservs or maybe some group ftp.

Re:This just doesn't make sense

[Linker3000]

"CD writers were available for less than $100 "

No sh*t - I've just bought an NEC OEM 16x dual layer DVD+/- CD-R/RW burner for £36.00 ($70) from an online store. Hate to think what the profit margin was for all concerned.

Re:This just doesn't make sense

[khallow]

And the fact that it was NASA probably added to the alure.

Re:This just doesn't make sense

[gnovos]

Why NASA? Why not find some schlep on his ISP who wasn't running a firewall, had lots of space, and store the data there? A Joe-Clueless-User would have been far less able to determine who was storing data on his system than NASA.

You just have absolutely NO concept of what kind of wide-open whores the servers are at NASA. It's really quite shocking. It's difficult to even port-scan them without accedentally taking over thier entire network.

Re:This just doesn't make sense

It's obvious. He's a terrorist! Planting a software bomb on the next shuttle!
Lock him away!!

Re:This just doesn't make sense

* Most importantly, what did he expect to do with those movies? Unless he had a T3 or something equivalent to his house, he would have had to wait hours to both upload for storage and download to view. I've had 1.5 Mb/sec DSL for four years, so I know that it would have been feasible back then, but it still would have been far less effort to burn them to CD-R. And at least then they would have been portable, far more so than a hard drive.


We had T1/T3 at work, about 6 of them........ he's not as stupid as some of ya'll think. LoL it's funny to know him, and then see all these stupid responses from people who haven't a clue.

SELinux

And since SELinux is NASA's baby, can we trust it in light of this?

Re:SELinux

[david+duncan+scott]

No, SELinux is NSA's baby.

Cracking into NASA is one thing. You're up against propellor-heads and zoomies, nice people who think space is neat. Cracking into the NSA is a whole 'nother ballgame. Those folks are professional paranoids, and while they don't kill people, they certainly know people who do.

He was obviously incompetent.

[poopdeville]

The article mentioned that NASA technicians had to spend several restoring the system from backup. What did this kid do? He's either lying about his intentions -- he really wanted to cause damage -- or was just incompetent. Secretly keeping a few gigabytes on a big machine really isn't so hard. poopdeville

Really?

[lorcha]

Well, what do you feel would have been the appropriate punishment for breaking into a US Government computer system and using it to store illegally-downloaded movies?

It's not like it was 6 years or something.

Re:6 Month Sentence for NASA Cracker

[CK2004PA]

Insightful ? Wow, do you guys know anything about security? How about him leaving behind several trojan horses for his buddies? Yes you take the drive, especially if it has sensitive information, and incinerate it. Dumbass, this is national security we're discussing, not your quicken data.

Re:confirmed: I just shat myself

According to your posting history, you seem to be shitting your pants everyday! Now that's a problem...

Re:6 Month Sentence for NASA Cracker

[dosius]

What is cruel and unusual may vary depending on who you ask. For one, I would probably use monitoring to keep him off computers for several years. Some people would think that disappearing him is not cruel and unusual.

Moll.

Yeah - let's give the CS student a computer ban...

[CharonX]

I applaud the judge for his great insight - giving a Computer Science student a computer ban.

And 200k of damages? Er, did he delete research papers or something? (If he did, to make room for his movies, he does deserve it, though).
Sounds more like 200k to finally get their asses moving to fix some security holes, which were there in the first place.
He went into my house, through the big holes in my fence, climed through my dried-up moat, opened the door with the broken lock, and then stole my potted plant. It cost me a fortune to replace the lock, refill the moat and fix the fence.

Oh cry me a river.

[EvilStein]

I guess he should have thought about that before HACKING A BOX AT *NASA* for pete's sake - and to do what, use it for Divx movies?

This guy was an idiot and got what he deserved. Sorry. Perhaps he should have though first before compromising a piece of United States Government property.

Re:Oh cry me a river.

[lachlan76]

He is going to jail remember? FFS, isn't spending 6 months in a cage getting ass-raped on a regular basis enough punishment for uncovering security holes and embarrasing NASA, which is what this is all about?

Re:Oh cry me a river.

[Oligonicella]

"...for uncovering security holes and embarrasing NASA, which is what this is all about?"

Uh, no. Perhaps you aren't aware that breaking into government systems is illegal. Also, loading illegal movies onto them is illegal. It's about his being a criminal.

Re:Oh cry me a river.

[lachlan76]

If he broke into my computer, or some little workstation somewhere, he wouldn't be getting a punishment this stiff.

Re:Oh cry me a river.

[Class+Act+Dynamo]

You know what's ironic about the whole thing. He was breaking in to NASA computers because he did not have enough room to store illegal movies. Now some inmate is going to break into his prison cell because he needs to use this guy's butt to store a few things. I guess the punishment fits the crime.

Re:Oh cry me a river.

Well, you're not a government agency, are you? The "damages" he could have caused by breaking into Joe Shmoe's computer are a just a teensy bit little less than those caused by breaking into a large organization/government agency's, don't you think?

Re:Oh cry me a river.

[m50d]

So anyone who commits any kind of crime at all deserves a prison sentence?

Re:Oh cry me a river.

I guess he should have thought about that before HACKING A BOX AT *NASA* for pete's sake - and to do what, use it for Divx movies?

If he robbed a store and subsequently got banned from buying things, would you say the same thing? In a civilised society, just because you break the law, it doesn't mean the judge can make you do whatever he wants. A lot of peoples jobs depend on Internet access. Taking away the job he is most qualified to do is only going to increase the likelihood of him committing further offences once he is freed. Putting him in jail for the extra three years would have been a better option, as he wouldn't have to support himself in prison. If he can hack NASA for storage space, he can hack NASA for money.

This isn't about letting him off lightly, it's about recognising that some forms of punishment are a bad idea.

Re:Oh cry me a river.

[Jardine]

Well, you're not a government agency, are you? The "damages" he could have caused by breaking into Joe Shmoe's computer are a just a teensy bit little less than those caused by breaking into a large organization/government agency's, don't you think?

That's exactly the problem in computer crime cases. People are always being punished based on what they could have done.

"Your honor, upon searching the house of the accused, we found a substance that could have been C4 plastic explosive. Upon later analysis, it turned out not to be, but the fact that it could have been shows that the defendant is a danger to society."

Re:Oh cry me a river.

[zallus]

"Mr. President, upon searching the country of the accused, we found a substance that could have been WMDs. Upon later analysis, it turned out not to be, but the fact that it could have shows that the defendant is a danger to national security."

Re:Oh cry me a river.

[shwouchk]

although I totally agree he was very stupid, stupid people are also people, and are also protected by the same laws as everybody else...

Re:Oh cry me a river.

What sort of idiot are you? The twit broke into a computer owned by the US Government. That's illegal. They don't care why you did it, or how you did it, or if it embarrassed anybody. You break in, you get caught, you go to jail. It's made pretty damned clear if you're not supposed to be somewhere - if you don't have a password, they don't want you there.

He did the crime, now he's going to jail for it. Fair's fair.

Remember - if you don't like the laws, it's your choice to live there. You can live anywhere that'll have you.

Re:Oh cry me a river.

I fail to see the relevance of this comment with respect to the parent.

Re:Oh cry me a river.

[m50d]

What sort of idiot are you? The twit broke into a computer owned by the US Government. That's illegal. They don't care why you did it, or how you did it, or if it embarrassed anybody. You break in, you get caught, you go to jail.

Well, in this case it does look like they care if you embarrassed anyway. Because I'm pretty sure they wouldn't be giving a jail term if he hadn't. Yes, what he did was illegal. But should you go to jail if you're breaking the speed limit? Just because it's illegal doesn't mean he deserves jail time for it.

Remember - if you don't like the laws, it's your choice to live there. You can live anywhere that'll have you.

That's so ridiculous it's not even worth arguing with.

In other news

"It took hours for technicians to find the problem, fix it and patch the system's security holes" Technicians were quoted as saying "WAAAHHH We have to do our jobs and patch the holes in the system. WAAAHH"

Harsh

[My+Iron+Lung]

This seems a little harsh to me, this computer science student not only has to spend 6 months in prison, but has limited use of computers for the next three years. This really stunts his growth professionally, but also puts a very black mark on his record when being considered by future employers. NASA should be ashamed of themselves for not discovering these holes themselves, as it is a strong likelihood that this 17 year old high school student didn't -really- know what he was doing (storing movies on NASA's servers? what?). And if he really did know what he was doing, it seems to me NASA probably should have hired the boy to hack them constantly and reveal more security holes that should be mended. Instead of ruining the kid's future. Just my two cents.

Re:Harsh

[the_2nd_coming]

dude... he broke the law!!!!!

what do you think happens when some one does that? he is lucky he was not put away like mitnic.

Re:Harsh

[Renraku]

Less competition for the rest of us computer guys that haven't been caught yet!

Re:Harsh

[JustinXB]

What the hell? He broke the law! And you want to give him an award, some money, a party, and a job? No, no, no. He did the crime, he can do the time! Criminals shall not be rewarded.

Re:Harsh

[xjerky]

"This really stunts his growth professionally, but also puts a very black mark on his record when being considered by future employers."

Um....that's the point.

Re:Harsh

[My+Iron+Lung]

All I'm saying is that NASA is weak. It pretends not to be, but it is. He was just a kid, and he was probably just playing around. None of us really know the full details here, so only assumptions can be made. I'm not talking about rewarding him, but it is definitely something that has happened before, companies actually going as far as hiring hackers to exploit their weaknesses. The punishment in place is strict. Where I come from, they wouldn't even try a 17 year old for that kind of bologna. True, it is NASA and a government institution.. but shouldn't places like this simply be more secure? In my opinion, it could have been a lot worse for them.

Re:Harsh

[Trapperdan]

All I'm saying is that NASA is weak, then by that rational we should not punish those that exploit the elderly with phone scams, because they are weak. I think they are trying to send a message with this judgement, and that is DO NOT mess with fed. I'm suprised the judgement wasn't harsher considering they could have made it worse under the blanket of national security/terrorism in light of the Patriot Act.

Re:Harsh

[flosofl]

NASA probably should have...(blah blah blah)... Instead of ruining the kid's future.

I hate to shine the harsh light of reality on your post, but NASA didn't ruin this kid's future. He ruined it all by himself.

Re:Harsh

Yeah, I think you're right. He was just playing around. It was an accident. He wasn't looking, thought he ran his browser, and instead of typing "www.hotmail.com" he accidentally cracked a NASA server and uploaded a crapload of movies there.

No, really. I'm sure that's what happened. He should be let go, and NASA should thank him that they've had an exploit revealed to them by a thorough investigation by the FBI. The boy should be grateful, too - NASA pointed out his mistake, that when he thought he was sending mail to someone, he was actually uploading gigs of movies.

Get a grip, man!! You're arguing that, because some server wasn't as secure as it could have been, it's alright to crack it! Is it OK to shoot someone, even if it's just a flesh wound, because they weren't wearing a kevlar vest?

The kid broke the law. It's that simple. He broke the law, he got caught, and now he's getting punished. The law is quite clear. Cracking a server isn't something you just accidentally do, any more than accidentally shooting someone from 150 feet away, at night, with a rifle, while looking through the telescopic sight.

Now, get the hell over it and stop feeling sympathy for a punk who committed a crime. There are plenty of others out there who deserve your sympathy.

Responsibility

[MichaelKaiserProScri]

Clearly he's responsible for any damage he did. But why is he responsible for fixing the security holes. He didn't cause them, but rather revealed them. Looks more like NASA owes him a consulting fee...

Re:Responsibility

[cdn-programmer]

I agree with you 100%. This is another case of shooting the messenger.

Re:Responsibility

[qw(name)]

I don't see how you can say that since his purpose was to illegally make use of someone else's assets. As someone else has pointed out, this is no different than having substandard locks on one's house. Just because someone can easily break into your house doesn't make the actions of the robber justified.

Saying that the robber broke in to store his couch in the basement just so he can point out the substandard locks is just stupid.

Re:Responsibility

[Eric604]

But he send the message unintentionly. There is a difference between (1) someone entering your house and telling you that your front door lock is broken and (2) someone that sneaks in and while secretly putting stuff in your basement wakes you up. Still I wouldn't trust the first person, why would anyone test front door locks?

Re:Responsibility

[m50d]

But if the robber breaks in and stores his couch in the basement, you can't charge him for the cost of new locks.

Re:Responsibility

[qw(name)]

That would depend on how good your lawyer is! ;-)

Re:Responsibility

But you can charge him for new locks if he breaks your old ones, the cost of the locksmith who installs them, and the carpenter who repairs your doors and windows, all broken by the robber on his way into your house.

Re:Responsibility

[m50d]

Indeed. But this guy didn't break anything. Let's say they were using an old vulnerable version of (for example) ssh. If he had uninstalled this then they'd be entitled to charge him for replacing it. But is he's just taken advantage of a hole in it (as I suspect is the case) there's no way they should be able to charge him for upgrading it, as he hasn't made them any worse off in regard to the version of ssh installed, just aware that they've got a hole.

Wow, the word 'hacker' wasnt abused, for once

[nurb432]

Nice to see term not used improperly for a change.

Sure its just a pet peeve of mine, the mis-use of the term 'hacker', but it doesn't lessen the annoyance factor for me.

Re:6 Month Sentence for NASA Cracker

[Darkn3ss]

Seems to me like he was a smart guy who just had to come up with an excuse to justify what he was doing. I doubt he was really looking to upload movies to a NASA computer, it doesn't make any sense. If your internet connection is fast enough to get a movie from NASA in a few seconds, then chances are you have enough money to buy a few large harddrives. That kind of bandwidth isn't cheap!

Re:Yeah - let's give the CS student a computer ban

[the_2nd_coming]

umm, why not? the kid fucked up and broke the law using a computer.

it is the kid's fault that he thought NASA was a good place to store his movies.

Who is "we"?

[ElMiguel]

I don't demand that spammers are jailed, even though they do a lot more damage than this guy.

My letter to NASA

[cdn-programmer]

After doing such a fantastic job with the Mars missions it is quite an about face to find that NASA cannot even secure its own servers and finds it just find to take a 17 year old prankster to court!

Please read this story:

http://it.slashdot.org/article.pl?sid=04/12/19/1 33 5243&tid=172&tid=123

NASA should appologise and request the court to eliminate the sentance. My gawd - but 6 months for basically nothing? This is clearly an issue of killing the messenger.

There are about 6 billion people on this planet and some of them are our enemies. This kid is not one of them. When you put a server on the net it is the same as attaching every keyboard in the world to your computer. This means you better know what you are doing.

Clearly NASA does not and seeks to hide behind the skirts of legal threats. Well folks - these threats do not work in countries like Iraq and Korea. Perhaps NASA is lucky that most of our enemies are not sophisticated enough to hack their systems. This will change. The future is a long time.

That young man did you a favour Sirs! If your techs are too incompetant to patch your servers then they are the ones who should be dealt with and not the pranksters that find the holes.

BTW. The main www.NASA.gov website is totally broken and does not even load in Mozilla. Is this another example of incompetance?

Thankyou.

Re:My letter to NASA

[JustinXB]

What kind of moron are you? He committed a crime! He broke the law! You just want to let him off the hook? Great idea, then I'll hack NASA just for the hell of it and get off to! Great idea, dumbass.

Re:My letter to NASA

[cdn-programmer]

You are the moron. What if the hacker was in Korea. Would you vote to attack the country in order to have him face a judge?

Re:My letter to NASA

www.nasa.gov loads just fine in firefox here...

Re:My letter to NASA

No, it's quite clearly you who are the moron.

So what if the cracker were in Korea? Would that make it any more legal? No, the crime would still have been commited. What if the cracker were English, or Australian? He would be extradited, and prosecuted.

The facts of the matter are that someone commited a crime, was then prosecuted for it, and next, he goes to jail.

So what if NASA's servers aren't as secure as they could be? America wasn't as secure as it could be when the terrorists crashed those planes into the World Trade Center, does this mean that you should thank them and their families for pointing out how insecure the American system really is.

Here's a quote from another message you wrote:

"They should not be punishing the messenger."

The messenger isn't the guy who cracked the system. The messenger could be the FBI, who tracked the guy down, or the messenger could be the guys who found the system had been exploited, and secured it.

The guy who caused the dispatch the messenger is the bad guy, and in this case, it's some dumb 17 year old who committed a crime and is now going to jail for it.

Seriously, just get over it. Or better yet, you hack NASA, then provide those arguments in court. Just let me know in advance, I want to be there to hear the laughter, and watch the other lawyers ridicule you with a line of questioning that'll let you make a fool of yourself.

Re:Yeah - let's give the CS student a computer ban

[Jozer99]

They didn't have any chairs to sit on in the server room while they fixed security holes, so they made a big pile of money and sat on that, and it worked almost as well. After the whole fiasco NASA is now researching a new more expensive type of money that is more easily convertable to a sitting appliance.

Re:6 Month Sentence for NASA Cracker

Is everyone here high? He was storing movies to share . i.e. Setting up a FTP server. That's how it works: You scan around the internet, hack into something that is open, upload your shit (from another FTP server) and then send out the logins to the new server to your peeps (i.e. IRC). Now you have an "asset" that can be used in barter. That's how it has worked for a long time now. Sometimes the hacked computer will figure it out, sometimes you can go for years on a box. He happened to pick the wrong one. It is even possible that someone in his position didn't even know it was a .gov box he was getting into.

Is there anyone here who isn't a 14 year old poser?

Re:6 Month Sentence for NASA Cracker

[lachlan76]

If the admin has any idea what he's doing he'll be running tripwire anyway.

Nice of you to ask

[ElMiguel]

Well, what do you feel would have been the appropriate punishment for breaking into a US Government computer system and using it to store illegally-downloaded movies?

A fine. After all he only caused economic damage, and not a lot, either. The criminals in Enron caused incomparably more damage and I don't think many (or any?) of them will be put behind bars anyway.

Re:Nice of you to ask

[lorcha]

A fine? You think a college student is in a position to pay a $240,000 fine to make NASA whole? I don't think so.

And that stuff you said about Enron, I'll do you the favor of ignoring. You don't even know the first thing about Enron, what the damage was, and who (if anyone) went to jail as a result. How is that an argument?

Just to give you an idea, first realize that the executives at Enron are hiding behind a corporate veil and a metric fuckload of high-powred attorneys. Then realize that Enron is not over with yet. Also realize that DOJ is offering bargains right and left in exchange for testimony against Lay. Even with all that advantage, last I checked, there have been 2 convictions for 5 and 10 years apiece and Justice is by no means finished. Lay will probably die in prison.

Your little college student buddy got 6 months, and that's fair. If he broke into your house and used your kitchen to store his smelly rodent collection, what do you think his punishment should be? 6 months?

Details, please

I'd love to hear the specifics of his entry into the system. Given his defense and the fact that he would, indeed, have been in high school in 2001, it sounds to me as though he just scanned a range of addresses and NASA was open, and was putting the movie(s) up there for an IRC fileserver or possibly a higher-ranking ftp dump. So to the people saying this makes no sense given HDD prices etc., consider he was probably trying to spread his 'moviez'.

Now, I can say that there are lists of ranges NEVER to scan that circulate in the relevant circles. Clearly this kid was too inexperienced to have gotten a hold of one yet, which means he probably did this all with automated tools. This, of course, leads one to laugh at NASA's security at the time - one can only hope they've learned since then.

Fire Hose Justice

[handy_vandal]

"It would be like clearing a sidewalk full of spectators with a fire hose so you can walk through it," said Assistant U.S. Attorney Greg Nyhus.

Which is fine, as long as Uncle Sam is holding the fire hose, and rioting citizens are taking the splash -- and not the other way around.

-kgj

Kevin Mitnick

So Kevin Mitnick hacks into a few phone systems, and has some fun like that... goes to jail for years, and years of computer bans.

This idiot hacks into a federal military computer network, to store movies and only gets 6 months?

Can you see anything wrong with this picture

Re:Kevin Mitnick

[cdn-programmer]

Yes - I see a lot wrong with this picture.

Kevin Mitnic hacked into Sun's systems and read some of the OS code. Before his sentance was up SUN OPEN SOURCED at least SOME of this code. Furthermore, Sun claimed millions in loses for this intrusion. Yet we can all see the sun is setting on SUN. The value is in millions of people having access to the source code so like a languge (english for instance) it can be used and improved apon and adapted to meet a wider range of needs. English for instance would have no value if it were locked up and used by a small group of preists... and this is what closed source is.

So the whole premise of Sun's claims against Mitnic are flawed right from the get go!

So yes, Kevin Mitnic is even a better example of punishing the messanger.

The judges in these cases should be embarrased with their ignorance. At least in the case of the Salem witch trials there is good evidence that their food was laced with Ergot, which is hallucenogenic... so they have an excuse. I cannot see much in the way of an excuse here.

If the judge ruled that NASA should simply fix its servers then perhaps people would wake up to the fact that when you connect a computer to the net, you need to accept responsibility to secure it. It is a fact that there are evil people in the world who will attack them and get in and perhaps create harm. Even if this kid or Mitnic was malicious, and there is ZERO evidence to support this, they should not face anything more than a small fine. They really did nothing more than what most teenage boys and some teenage girls dream of doing.

In the case of a bank, throwing the thief in jail is a deterant because the thief needs physical access. In the case of cracking a computer the physical access is to all people in the world and it occurs the instant it is connected to the net. There is no deterant in punishing one person because all the would be crackers are mostly invisible and often live in other countries... some of which are our enemies.

Any bank would consider it rather unacceptable to leave the door off the vault and place it in the parking lot with no supervision. As a customer I would not deal with a bank that does this. Yet on a daily basis many of the professionals I use regularly expose confidential data through their incompatence and unwillingness to hire competant IT professionals.

I stand by my original opinion. If NASA got cracked it was their own fault. They should punish themselves for their incompetance. They should not be punishing the messenger.

Furthermore the Judge in the case should recognise this and send the correct message.

Re:Kevin Mitnick

Yeah, and if Mr. Herns is subsequently A$$ Raped in Prison by some Big Hairy Pervert, then it will be Mr. Hern's fault for getting himself A$$ Raped for we shouldn't be blaming the messenger, huh?

Nice world you got, boy.

Now bend over, and take it like a little man!

Re:Kevin Mitnick

There is a difference between being able to do something (having the capability), and having the resposibility/respect/self control not to do it. This kid, I'm sorry to say, get's off alot easier than I would expect. It's not in the best interests of our country to go breaking into systems for ANY reason, save securing your own systems, and as both indirect and direct results, not in your own best interest to do it on others (esp. the gov't). It creates and perpetuates the distrust and stereotyping that I see us writing about every day, and yeah, while NASA being cracked is their own fault, that doesn't mean that this kid should be indemnified, or even made out to be some kind of martyr (referring to your "messenger" comment).

Re:Yeah - let's give the CS student a computer ban

True, but how poor was the security at NASA (a government agency that holds information of interest to any passing $EVIL_FOREIGNER) that allowed this nimrod access?
The judgement was so harsh purely because he made NASA, the DoD and, ultimately, the US government appear to be lying about 'protecting the security of our country', or at least to be utterly inept. Heads will roll over this at NASA, I imagine.
I'd expect a similar response here in the UK should Blair be similarly belittled.

'Find the problem'

[dhilvert]

'Herns told federal agents he was looking for computer space to store movies he'd downloaded. It took hours for technicians to find the problem, fix it and patch the system's security holes, officials said.'

What 'problem' is being referred to in this sentence? Does the reporter not have the backbone to take the most tentative steps toward investigating why unauthorized access had been allowed?

If a physical media copyright infringer had been habitually storing his wares in restricted areas of the Library of Congress, would the AP reporter have written, "It took LoC staff hours to find the problem, fix it and patch the library's security holes"?

Re:Forward trading is safer

Forward traders who made side money of order 500K$
on client information got fines of order 50K$
and no sentence at all. This was in wall st
journal last week.

Forward trading - the broker will trade for
himself the same stock, before trading those
stocks for a large client, thereby benefitting
from a few minutes of advanced knowlegde. This
is quite common and acceptable.

Grow up.

6 minutes to boot an apple?

[Eric604]

That's seems awfully long.

Re:6 minutes to boot an apple?

If you're running OS X under X-postfacto on a 1995 vintage 66MHz PPC 601 with 16MB of RAM, booting might stretch out to nearly six minutes...

Re:6 minutes to boot an apple?

Not very realistic

This cracker's biggest enemy = the KGB

[jfonseca]

Hey, if this kid got pr0n into these servers then foreign spies must have been using them for ages right under NASA's nose. Right now the KGB's of the world are insanely mad at this kid for showing NASA why they should patch a gaping security canyon.

6 months in jail and you make this kid an ex-con. He won't get a job anywhere decent, no credit, his chances in life even with a CS degree are 50%. The US has created another socially excluded propellerhead.

That's how inverted things are nowadays, and some here say this was fair punishment....NASA should be red-ashamed of allowing this kind of security hole open.

Makes you wonder if all the explanations we got for Challenger and Columbia aren't a pile of PR bullshit in the first place.

North Korea, Iran, anyone could have sabotaged these servers and all we get is the White House CNN pile of crap.

Gimme a break, free this kid, give him community service cleaning up spyware from gov computers and pay him the 200k for protecting americans against Al Qaida.

This judge obviously misunderstands the challenges of the 21st century. Ah, but so does the highest office of the US...

Re:This cracker's biggest enemy = the KGB

"He won't get a job anywhere decent, no credit, his chances in life even with a CS degree are 50%. The US has created another socially excluded propellerhead."

No, he turned himself into another socially excluded propellorhead. Breaking the law is not a mandatory part of CS courses...

"NASA should be red-ashamed of allowing this kind of security hole open."

Perhaps they are. That doesn't excuse what this kid did; its not as though he was white-hatting, he was exploiting a security hole and using resources that did not belong to him.

"Makes you wonder if all the explanations we got for Challenger and Columbia aren't a pile of PR bullshit in the first place."

They were. So? NASA deceives the public, that justifies someone gaining unauthorised access to a secure machines to store pirated movies? Three wrongs make a right, I see...

"[Mandatory mention of axis-of-evil omitted for brevity]"

You mean to say that North Korea, et al, could do more damage to the space program than three decades of mismangament has already done, considering that no mission critical hardware is connected to the web?

"...give him community service cleaning up spyware from gov computers..."

He's already demonstrated that he can't be trusted, amplified by the fact he's a CS student who really should know better (as if there's anyone studying CS who hasn't heard of Mitnik). Who the hell in their right mind would give someone who has already displayed criminal arrogance access to government servers? That's exactly the kind of person I DON'T want given access to my social security number or tax and medical records, thank you very much.

"This judge obviously misunderstands the challenges of the 21st century."

Perhaps, but judges aren't technical experts. Their expertise lies in determining such things as motive and intent, and clearly this kid's intent was to illegally use a server to store pirated material, motivated by sheer 1337 coolness (no, I don't buy the argument that hard drives are too expensive). He didn't report the hole, he exploited it, and that's criminal intent. Why should criminal intent be excusable simply on the grounds of nationality?

Re:This cracker's biggest enemy = the KGB

His sentence should in fact help others, specifically by spreading the "wear and tear" suffered by new inmates to an additional recipient. :)
Yes Prison Rape is funny.
Don't like it?
Stay out of jail.

Re:This cracker's biggest enemy = the KGB

[jfonseca]

You do make some good points. But we're not talking about a criminal here. He broke into a gun store and hid some porn from his parents behind the balcony, he didn't grab one of the guns and went out shooting.....

Re:This cracker's biggest enemy = the KGB

[Jim_Callahan]

Uh... actually, we are talking about a criminal here... It's quite illegal to compromise government property in this fashion, I'd think.

It's not like NASA hired this kid to test their security. He enterd illegally. Had he done this with a physical building, and been shot by a resident, it would have been written off as a case of self-defense. There is not a whole lot of legal protection in place for trespassers.

Also, given your analogy, I'd say that expensive checks to ensure that none of the guns had been sabotaged are entirely in order, and making the criminal pay for them is pretty much appropriate.

when you know there is a bug...

[Fortun+L'Escrot]

say a vulnerability is posted on the web and it happens to affect your systems. how much does it cost you to get your IT department to locate, fix, and patch the problem?

let's further assume that the party that posted the vulnerability is being purposefully uncooperative. but they agreed to get the vulnerability tested independently by a third party who also happens to be uncooperative. how much does it cost your IT department?

i havent got a clue. but 200k seems like a lot. it would seem that keeping a network secure is very expensive business. and i agree that this is true for physical installations, but digital? i mean seriously. unless of course you are over working your staff who also answer all the phones for tech support in-house making it impossible to manage their time or actually do the work they were hired for in the first place. but 200k for a bug? jesus.

i feel really bad for nasa. no matter what system you use there will be bugs and even when that is not the case a system can be badly configured. if each of these issues costs on average 100k (just a guess) to "locate, fix, and patch" can you imagine how much money is going into IT departments right now? or how much money is going into the IT industry? its like paying the plumber 4 times (just a guess) more than his already expensive rates (apparently there is a shortage of plumbers) and honestly believing that this is the way the world should work.

for crying out loud people. what exactly did this kid do? "shutdown -h now"? and it takes 15minutes to boot up? i mean sorry guys, but maybe you should be protecting your system a little better. i always tell myself. if a teenager can pull a prank like this one there are two things you should do. punish the teenager the way we punish any teenager for a prank like this (which they have sort of done). secondly, get some help securing your systems because a foreign nation will not be looking for space to store movies. they will be out there looking to cripple your systems and not necessarily permanently, 30mins could be critical for a crack squad tectical unit and if it is as easy as just shutting down a server......

ps. to be fair, it could be that restarting the system as part of their "locate, fix, and patch" program takes a lot of time (more than 10 minutes?). there again my friends i would suggest a better system to reduce your costs. this has nothing to do with me believing you shouldnt punish this guy. but quit posting damages that could have been avoided if you spent a little more time designing a better system that met your needs. if google can do it i am sure you can too.
if it takes so long to restart your system even during normal maintenance then build redudancy for your production environment. if this is really just about your personal inconvience then remember you are a plumber and that crap cloggin the pipe is your job.

how 'bout we drop "cracking" alltogether?

And just use "hack" with correct prepositions, objects and/or context? The whole "cracker" thing was just a response to the mainstreaming of the word. I'm just fine with:

Nice hack.

I hacked into NASA.

Let's hack up a demo.

I hacked together a neat little solution.

I hacked DeCSS yesterday.

I hacked Valve's copyright protection scheme yesterday.

And leave "crack" for "you're on crack." Which you are.

Re:how 'bout we drop "cracking" alltogether?

[Archon-X]

Forgive my crack-induced haze, but what about the scores of groups of crackers, who call themselves crackers, and who crack software protection.

Oh, and the websites distributing these cracks.

And the fact that it's commonly accepted, by anyone who isn't
a) a pedantic /. troll
b) anyone who knows a grain about cracking

Delude yourself, fine, but accept that some of us work in the real world.

Kevin Mitnick-Crimminal Celebrities.

"I stand by my original opinion. If NASA got cracked it was their own fault. They should punish themselves for their incompetance. They should not be punishing the messenger."

Hehe. What a world we've morphed into, when crimminals are considered canaries (messengers).

If someone murders another, what message are they alerting the world too?

If someone rapes a woman, what message are they alerting the world to?

If someone loots the corporate treasury, what message are they alerting the world to?

Wow, what a world we've morphed into? Politicall correct all the way. Crimminals are "just misunderstood". There is no room for "punishment" in the brave new world, of the "messenger". It's all your parents fault for not raising you right. It's all societies fault for not stopping you from acceding to your nature.

What a truely fucked up world we've become, were the crimminals have more rights than the victims. Let's show what's important in our worldview, by admiring the crimminal for a "good hack".

What a truely fucked up world, our descendents will inherit. Were crimminals are the new celebrities. Were as long as you can do your crime "with style" then all will be forgiven, and maybe a line of T-shirts will be made.

I hope we all remember this time with fondness, for it's downhill from here, and there will be no more victims, but merely "those that deserved it", and "those that delivered".

Wow

[Nimey]

I'm impressed that some rising-star prosecutor didn't get him sentenced to eight years of hard time. Maybe the system still works here and there.

Rational thought from a teenage mail?

[skoda]

You expect a teenage male in high school to use such a rational thought process?

Are you from a different planet?

Community Service??

[sciop101]

Community service would have been more appropriate, but is probably not an option in a federal crime.

This guy will be in good company. Every person in prison is innocent.

Re:6 Month Sentence for NASA Cracker

[aurispector]

What's the difference if you destroy my property by coming into my house and wrecking something versus doing so electronically? You argument seems to be that it's nasa's fault for not having perfect security. A lock or a firewall is only as good as the guy who's trying to defeat it. Is it my fault if someone robs my house because I "only" use a deadbolt and not a jimmy proof steel door? If the INTENT is to illegally enter someplace they don't belong, then it's no different from someone using your garage to sell pirated DVD's. Server space and bandwidth isn't free.

I'm a bit surprised my original post got rated flamebait but then again I'm not really in favor of flogging. It's not severe enough of a punishment.

Re:Yeah - let's give the CS student a computer ban

[WoBIX]

So by your reasoning, if someone can get into your house and clean it out, then it's your fault.

What's your address?

Merry Xmas.

...or NASA is being cautious?

"He's either lying about his intentions -- he really wanted to cause damage -- or was just incompetent."

Probably neither. Most likely NASA didn't want to run the risk of re-using a compromised machine, just in case there were backdoors installed they couldn't detect.

Essentially, you can prove that there IS malicious code running, but you can't prove that there ISN'T, merely that you can't detect any. In this circumstance restoring from a known good backup is the best option, considering the security imperative.

Re:...or NASA is being cautious?

[poopdeville]

Perhaps. Frankly, I don't see why NASA would make such a big deal out of a minor intrusion like this unless it was obviously malicious. NASA rarely handles classified aerospace projects anymore (and wouldn't be networking a machine with access to classified information) and in fact rents out time on their supercomputers. Considering the cost of storage -- even then -- stealing a few gigabytes amounts to petty shoplifting.

Re:...or NASA is being cautious?

What do you know about the NASA system that was compromised?

What do you know about the systems connected to it?

What do you know about the data that it contained? What about the passwords file - was it copied?

What was done on that machine? What other machines were probed and was the network mapped out?

The fact of the matter is, without actually having any knowledge of this computer, you really shouldn't say anything, because you'd have to be making it up.

Sorry officer...

[eMartin]

...I only broke into this back yard to bury these dead bodies.

Strange

wouldn't someone clever enough to break into nasa not do something stupid like put pirated movies in?

he islucky to get away with a 6 month sentence.He broke the law.

he didn't "help" anyone by exposing security flaws, he helped himself to server space

any dissection of the actual attack? :D

I think this says something about NASA

If the kid was stupid enough to want to store movies on a server, but he was still able to crack Nasa, I think we should be a lot more concerned about our nations computer security.

He was obviously in an FXP Group..

[J-B0nd]

Some of the comments here refer to why he would hack into a system to store his movies when disk space is so cheap. The answer is speed. NASA most likely has a fast connection to the internet. This guy was part of a FXP group, so what happened was that when a new movie was released, he would FXP the movie from a distro server to this NASA ftp, and then give other people in his group the login to the NASA ftp. Other s would do the same for him, so they all got new movies without all of them leeching off the original distro servers.

Give the "damages' cost to the hacker

[Simonetta]

If the government is serious about fixing problems in supposedly secure and sensitive systems, then they should reward not punish people who find holes.

Instead of going to the courts with a trumped up case about supposed damages in hundreds of thousands of dollars, they should give hundreds of thousands of dollars to the people who document holes in the security of sensitive systems.
And tax-free, too, if you please.
And give this kid the job of special intern for security at a decent salary. Loyal Americans and allies of the American corporate empire should be rewarded for tracking down, finding, and documenting security problems.
Suppose YOU found a hole in some NASA computer that allowed you to endanger a shuttle launch or mission. Suppose that if you took it to NASA there was a good chance that you would get thrown into some secret third-world hellhole prison like Guantanamo with no release or no record of your imprisonment. This might happen if you're Muslim instead of being some 18-year-old, rich, white, suburban, Computer Science community college student harmless geek.
Suppose that you mentioned your discovery to someone at the mosque and they came back a month later with an offer of several hundred thousand dollars for all the details on how to blow up a NASA mission along with a new identity and citizenship to some quiet Muslim community in a country not monitored by the FBI.

What would you do?

There are holes in every major on-line computer system. It is better that we have our geeks get rewarded for finding and reporting them, rather than have our enemies find them and use them to kill our people.

In other words, Homeland 'Security' agents, stop putting harmless hackers in jail for finding weaknesses in your chickenshit computer security systems.

There's a good chance that they didn't tell you everything that they found out about your pathetic security systems, and they won't be 'harmless hackers' when they get out of an American prison.

Dumb schmucks!

Re:Give the "damages' cost to the hacker

[_Sprocket_]

Instead of going to the courts with a trumped up case about supposed damages in hundreds of thousands of dollars, they should give hundreds of thousands of dollars to the people who document holes in the security of sensitive systems.

Perhapse you should go back and re-read my post. Especially pay attention to this part:

It shows a inappropriate focus on funding. All IT budgets are stressed. NASA is no different, and perhapses even more thinly spread than others. That means infosec activities tend to get cut in favor of other IT activities. Yet there is no perceived issue in later spending considerable resources to prosecute each infosec incident.

The money isn't there. It's not like NASA doesn't know what it needs to do, nor has any access to individuals that can provide that information. Its simply an issue of having the funds with which to pay people to do the work.

The only caveat to that is one of policy. Some centers are more infosec aware than others. As such, anyone who tracks this kind of thing will notice a difference in the frequency of compromises from Center to Center. So even if the proper funding existed, it wouldn't be the silver bullet solution in all cases.

There are holes in every major on-line computer system. It is better that we have our geeks get rewarded for finding and reporting them, rather than have our enemies find them and use them to kill our people.

Taking that one step further - it is even better to tighten up those systems in advance that it takes a considerable adversary to take advantage of those holes instead of the random budding geek kid. The current system that prosecutes some kid for what is a technically somphorish act years after the fact does little to remediate the situation, bennefit the future of the kid, nor does it help society in general.

Re:Give the "damages' cost to the hacker

[krbvroc1]

If the government is serious about fixing problems in supposedly secure and sensitive systems, then they should reward not punish people who find holes.

So according to your logic, the 19 hijackers on 9/11/2001 should be rewarded, not punished? If the governemnt and airline industry was serious about fixing problems in in a supposedly secure and sensitive transportation system, then they should reward not punish people who find holes.

Part of the problem with your logic is that you somehow possess a 'crystal ball' that lets you devine a 'harmless hacker' from an intrusion designed to damage. You all you know the 'I'm just trying to get storage for my movies' is a cover story for an espionage assignment. In any case, I don't recall someone approaching NASA and advising them of the hole--he was caught after the fact. In fact there was no altruistic motive here, he was trying to store his warez / pirated movies.

Re:Give the "damages' cost to the hacker

[Infonaut]

Suppose YOU found a hole in some NASA computer that allowed you to endanger a shuttle launch or mission.

This presupposes that rummaging around inside a NASA system is somehow a virtuous activity. You don't accidentally find security holes when you're downloading pictures from the most recent Mars Rover mission. I don't buy the notion that somehow if while you are probing the defenses of a US government computer system for your own reasons (curiosity, sense of achievement, whatever) and you find a vulnerability, that makes you a stand-up citizen.

It's extremely easy to see NASA and other government agencies as being filled with incompetents, but most people who have never worked in government don't understand the competing pressures operating in such an environment. Time is tight, money is tight, politics is involved, and in government you can't just use money as you please. It makes for a torturous decision making process and an environment in which change comes slowly and only after great effort.

Now imagine that you operate in such an environment, and on top of all that you have people constantly trying to crack your systems. If you're an IT person at NASA, you don't care what the motivation of these people is, because it is making your already difficult job just that much more painful. You don't have a crystal ball, you can't read into someone's mind to find out if they have the intention of exposing these holes for the good of NASA, or they are just trying to get free hard drive space or perhaps some information they can sell to someone.

Not all geeks believe that snooping around in government systems is ethical, let alone useful for the government agencies affected by such behavior. If someone came up to your house at night with infrared goggles, snooped in all the windows, tried all the locks, tried wiggling the bricks in your chimney and watched your front door to find out when you'd left, would you be so sanguine?

Prison Rape

[lorcha]

Prison rape is not a laughing matter. It is a serious problem that needs immediate attention.

A 6 month timeout to think about what he did is very appropriate. The Circuit City credit card crackers got like 10 years! That is way out of whack. But 6 months seems fair to me.

As far as the worst thing I ever did? I stole a bunch of shit from a house that was under construction. It was insecure, as you say (no doors or windows yet). I felt bad about it and give the shit back a week or so later. Kids do dumb things. That's the worst thing I can think of at the moment.

"looking for computer space to store movies"

[motherjoe]

The IT staff will probably be enjoying Mr. Herns, "Donations", for quite some time.

Readable version

http://shit.slashdot.org/article.pl?sid=04/12/19/1 335243

Makes perfect sense!?!-Harm-less.

"No, here we have a first-class idiot that felt breaking into a NASA system to illegally use their storage space (likely to set up a public FTP full of pirated movies) was preferable to something semi-sane like buying another hard drive or server."

Hmmmm...I wonder what this does to the piracy hurts no one argument?

Re:With the direction Slashdot has been going late

[theM_xl]

But it IS posted under YRO. Well, it shows up there at least. That's where I came from.

Dilbert Theory...

[lxt]

...you never know - these idiots might follow the Dilbert theory, and get promoted up to the top of the NASA chain of command...they might move on to government next, and who knows what might happen.

Oh, wait.

Polly want a...

When i first read this, i thought they arrested a saltine. Wouldn't he be a hacker?

This is ridiculous

[i41Overlord]

If I really wanted to make the shuttle go boom, why would I honestly tell you that and get myself into more trouble?

How the hell is he going to blow up the Shuttle by hacking one of their systems? Statements like the one you just made are absolutely ridiculous. If NASA somehow set up their launch system so that you could blow up their rockets from the Internet, that would be ultra stupid and border on criminal negligence.

It seems that everyone wants to be the first to make doom and gloom "the sky is falling" type statements.

Also, if you've ever followed lawsuits, and I'm sure you have, you'd know that over-inflating damage estimates is the norm.

Re:This is ridiculous

[Twanfox]

It is called an example of the extremes. Basically, in terms that you would be more comfortable with:

If I went into NASA's systems to commit a crime that would land me in jail for decades, why would I tell you that and not something that would only put me away for 6 months?

Does that sound better to you?

Frankly, I have no clue as to what is possible in NASA's computer systems. Suppose that he had hacked into a ground guidance system while a mission was going on (if that's even possible)? It should be obvious at this point that the shuttle can be destroyed on reentry by something as stupid and simple as ice-encrusted foam that damages just a few tiles. What would happen if the angle was too steep into the atmosphere and the reentry velocity was too fast? How about if they were off on landing by just a few degrees? That thing handles like a falling brick with wings and if it doesn't come down just right, it may not come down in one piece. I would just hope that NASA's critical systems are on an isolated network not connected to the internet in any way. Whether that is the case or not...

In this case, I do not feel that 'damage estimates' that are putting him in jail for 6 months and restricting him from Computers for 3 years necessarily over-inflating. He broke into a someone else's computer system. If he was honestly that stupid to be looking for storage space for movies when DVD burners are cheaply available, than he needs to learn a reason why that is bad. This punishment seems as good as any.

Now, that is just dumb...

if it wasn't so true. An IT guy costs in giant government operations include his real salary, the hyper inflated cost of what he is charged out to others for, his boss'es secretaries salary (he doesn't get one), the cost of his boss to supervise him, the cost of his chair, ad infinitum...

The sad part is that the IT guy HAD NO say on how/what gets patched or priority, as it is strictly a budgetary issue made by a beureaucrat, and they have no influence on the IT budget!

He was 17 people!!!

[syousef]

Did anyone RTFA and realize this guy was 17 at the time? Yes he committed a crime and a crime is a crime but this isn't murder we're talking about people. This is a 17 year old nerd who did something stupid and is going to end up in jail for it 4 years later..

Yes at 21 he'll be going to be going to a federal prison where he can learn to be a real criminal. He's also being restricted in his use of computers for 3 years so he'll have to find employment in something else and cope with his computer addiction no doubt. He's bound to become bitter about it after 6 months of prison life and is going to be very likely to break the terms of his 3 year ban.

This is shear madness IMHO.

Re:He was 17 people!!!

[RzUpAnmsCwrds]

" Yes he committed a crime and a crime is a crime but this isn't murder we're talking about people. "

And he's not going to prison for 40+ years, either.

Re:He was 17 people!!!

[syousef]

And he's not going to prison for 40+ years, either.

You're right. 6 months is just long enough to be buggered blue, and gain enough exposure to the criminal element to become a criminal for life. Then once we've done that let's unleash him on society, just for fun.

Re:He was 17 people!!!

[SI285]

At 17 your old enough to know better...

Re:He was 17 people!!!

[syousef]

At 17 your old enough to know better...

I suppose at 17 you never did anything stupid and your judgement was perfect huh? You're either a very uncharitable person or you're doing this to stir. Either way end of conversation.

Re:He was 17 people!!!

[SI285]

No, I made plenty of mistakes but I was taught to respect other people and their property, consequently I only caused problems for myself because I was held accountable for my actions, and I learned from it.

Suppose his actions caused financial harm to You? Would you be so willing to let him off easy?

Not holding people accountable for their actions sends the wrong message. I hope his sentence deters other from trying the same thing.

Re:He was 17 people!!!

[syousef]

Suppose his actions caused financial harm to You? Would you be so willing to let him off easy?

I'd want him punished but I wouldn't want him raped nor would I want him to associate with criminals and become a hardened criminal. How the hell does this make things better for those who were harmed financially? This is NOT the way to punish him. Society is cutting off its nose despite its face.

Re:He was 17 people!!!

[SI285]

The fact is;
Breaking into something whether it's a house or a computer system is a CRIME!!! He was convicted of that crime. That makes him a CRIMINAL... He committed this crime to store illegally reproduced copyrighted material! Another CRIME!!!

I don't buy your assertion he will be raped, do you think everyone who goes to prison is raped? What do you base this statement on? If he is that much of a babe in the woods he'll get protective custody and spend time with other first time offenders and not the hardened criminals you speak of.

People must be held accountable for their actions as a detterent to the next person contemplating the same behavior. Seeing this they just might say "it's not worth it if I get caught".

Re:He was 17 people!!!

[syousef]

You're very naive if you think the authorities are going to place someone in protective custody with other first offenders when they go to prison. Prison systems world wide are rife with crime and corruption.

Also you'd be surprised how many crimes you commit every day.

Re:He was 17 people!!!

[SI285]

Plese tell me what makes you an expert on the US prison system!!!

We are not talking about prison systems world wide, we are talking about the Portland Oregon prison system. Again I ask you, What makes you an expert on the Oregon Prison system? Did you research the subject? If so post your results so I can understand... You make these statements of rape and abuse and offer nothing to back them up. Is the US prison system perfect? NO, But it's seems to be the safest/cleanest place to be jailed when compared to other countries.

He has a family doesn't he? Don't you think they will make sure he is treated correctly? If I were them I would, and if I saw abuse I would notify the authorities and then go to the media if it was not corrected.

Yes I do break the law, I drive too fast. The reason I drive fast is because the penalty is a small fine and a slap on the wrist. If the penalty was an overnight stay in jail I would not speed anymore...

While I don't agree with your opinion I do respect it, really.

Re:He was 17 people!!!

[syousef]

I am not an expert on any prison system. Nor am I naive enough to think its a fair just system where your family can make sure you're treated well.

Re:He was 17 people!!!

[SI285]

Don't you be so naive... You want a perfect system of justice and punishment. Well I got news for you...it's not going to happen. Not when one group (the guards) can exert so much control over another(the inmates).

The best anyone can ask for is for an "adequate" system of checks and balances which includes the family and media so the police don't end up policing themselves.

It's far from perfect but I'll bet it's a heck of a lot more than what people in other countries may have.

If you're so down on the justice system then why don't you do something to improve it instead of sitting on your butt arguing with me? Are you involved with any advocacy or watchdog groups?

If you feel that strongly do something instead of complaining...

I'm with you

[DesScorp]

I think they should peel his flesh, baste it in a nice barbeque sauce, and make him eat it.

Btw, I love your sig

Re:Yeah - let's give the CS student a computer ban

[burns210]

The kids hacked into a federal agency. That alone needs to have a significant bitch-slap associated, it doesn't matter to what end he took it, there needs to be a minimum ass kicking when you hack into the federal government.

If the kid was smart enough to hack into a server(s?), he is smart enough not to do it with federal equipment, as their are thousands of just as vulnerable and lower-profile systems out there.

The kid is an idiot for doing this, he deserves a good punishment. He brought it on himself.

sarcasm?

saying that you broke into nasa to store movies is like saying you broke into a vault to store some dvds. he had to have been being sarcastic.

oh, and of course:
imagine a beowolf cluster of nasa hard drives
In Soviet Russia, nasa hack YOU

I suppose I shouldn't find this funny...

but I DO. I suppose this reveals dark and unsavory facets of my character. . . Oh well.

What??

[vwjeff]

If he broke into my computer, or some little workstation somewhere, he wouldn't be getting a punishment this stiff.

How can you even make this comparision? This guy broke his way into a government production system. I don't think your workstation or mine has millions of dollars worth of data that took years to obtain. Since this was a government system we all pay for his dumbass actions. He should go to prison for 6 months and pay $200,000 in damages.

(In prison he should be cell mates with Bubba.)

Re:What??

[lachlan76]

millions of dollars worth of data that took years to obtain

Well, if they have millions of dollars worth of data on a system, and didn't back it up, then they're getting what they deserve.

Re:What??

Well, if you break into a protected governmental computer system, you don't have the skills to hide your intrusion, so you get jail time for it, then you're getting just what you deserve.

Most of us would argue that you'd deserve the time even if you didn't get caught, too.

Re:What??

[lachlan76]

For all you know, he might have turned himself in.

Completely fuzzy terms

[RedLaggedTeut]

It took hours for technicians to find the problem, fix it and patch the system's security holes. - now what does that mean? Did it take them 2 hours? 180 man-hours? 0.05 hours?

Re:Yeah - let's give the CS student a computer ban

True but what? There are no buts. Some brat willfully broke into a system, knowing that it was illegal, and then got caught. Now he has to suffer the consequences. You can't get any more fair than that.

You've heard the cliches many times - if you can't stand the heat, stay out of the kitchen. If you can't do the time, don't do the crime. Blah blah blah.

He got what he deserved. If you really think NASA is that insecure, then go on, crack them. I'll point and laugh when you're arrested.

MOD PARENT UP

[iammrjvo]

Thanks for putting it so well.

OMFG

[militiaMan]

FMLA = no jail time for stealing from single people

House Mortgage Dedutions = no jail time for >3k per year in theft from non-homeowners

Child Tax Credits = no jail time for 1k per year per child

Affirmative Action = no jail time for stealing someones lifetime earnings and intellectual enjoyment

Many many more examples...

Yet steal a few gigs (
YOU FUCKING NAZI BASTARDS GET WHAT YOU DESERVE FROM THESE PEOPLE AFTER THEY GET OUT OF YOU NAZI BRAINWASHING CAMPS. FREEDOM OR DEATH.

Correct me if im wrong

[g0bshiTe]

But the article said the crimes happened in 2001. It's now 2004. Why did it take this long to either A) find out who did it? or B) prosecute him? Also at the time he was 17 which means he was a minor and subject to punishment as a minor. Seems a slap on the wrist 6 months and resitution, compared to Mitnik.

Some Background (This was not his first "mistake")

The reason he was in the alternative school was the the first time the same federal agents arrested him. He was using stolen credit cards to get stuff delivered to vacant houses.

Since the feds do not prosecute minors normally, he was handled by the state/local system.

The second time around they are not so nice (actually I thought he was over 18 at the time of the second arrest).

Getting caught does not make you super-bright! He might or might not have had any real talent for cracking, but he sure has the mindset for committing crimes.

His prior(s) are not reported in the AP article, and the judge might not have been allowed to consider them, but the investigators knew him personally, so the prosecutor would have been more motivated.