Slashdot Mirror
6-Month Sentence for NASA Cracker
lunartik noted an AP story running on a 6-month sentence given to
Gregory Aaron Herns for cracking into the computer system at NASA's Goddard Space Flight Center. 'Herns told federal agents he was looking for computer space to store movies he'd downloaded. It took hours for technicians to find the problem, fix it and patch the system's security holes.'"
6 months in prison because he was too cheap to buy a hard drive...
This is how the system is supposed to work.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
Could you please post your address, I'd like to show you how clever I could be at breaking into your house.
If someone says he and his monkey have nothing to hide, they almost certainly do.
Tacit approval of this sort of thing (cracking) paints us all with the same unsavory brush. If we do not start policing our own, the "geek/nerd" stigma will deepen. We are professionals, let's act like it.
Ignorance is curable, stupid is forever.
With hard disk space nearing $0.50 / gigabyte why on earth would you crack into NASA computers to store you movies?
Im dreaming ofa big bndwdth, That can resist the
I do. With real world breaking and entering, you don't need to bring down a mission-critical server to reimage the driver for to ensure security. You just change the locks.
The Yasashii Syndicate ||
He said he broke in to use storage space. Are you going to take him at face value and continue using the system as is, after patching the security hole that let him in? Or are you going to forever view that system as 'dirty', with the costs associated with replacing that system and the data on it? This isnt a simple case of 'change the locks, add more CCTV', as you would with a physical wharehouse, you cant 'distrust' a physical building, there is a lot more he could do with a compromised computer system, including hiding unwanted code.
Lets switch the word "computer" to "lockpicking".
Lets see...
"Here we have a person that is very much talented towards lockpicking..."
Does a lockpicker know much how to build efficient locks actualy?
Does a computer security breaker know much how to actualy build secured systems?
Is that much different?
Léa Gris
... after the accused stole my $3.59 flowerpot, I had to spend hundreds of dollars putting locks on all of my doors.
The more apt analogy would be a world where warehouses are used by burglers both for storing stuff and for putting poison in the stored food. When you find someone storing warez in such a house, are you still going to sell the crackers?
We want this "friendly geek" out of prison while we demand that spammers are put behind bars? This doesn't make sense...
Break into one government computer, go to jail. Break into tens of thousands of personal computers, ....
.
:| )
Herns was ordered to pay restitution for the damage he caused and will have limited access to computers for the next three years. After the judge outlined the terms of Herns' restricted computer use, Levine pointed out how hard those conditions will be for a man who does everything online, including paying his bills.
"He's going to get to learn," Brown said. "There are other ways to live."
The Canadian government has declared internet connectivity to be (I forget the exact term) a "necessity" or something.
If you rob a bank, do they forbid you from walking into any type of business establishment for the entire duration of your parole? No! It would be idiotic - everyone needs a bank account or groceries in today's society, and there are already tons of other perfectly good laws to deal with the individual should they commit a crime in a bank or other "place of business" again.
If you commit a traffic violation, do they forbid you from getting into any vehicle on any road? No! They might prevent you from driving, but they still let you get in as a passenger in other people's vehicles or take the bus.
Judges are going to eventually have to stop throwing out blanket "computer bans" as minor parole conditions - and realize that they have to handle it differently. PCs may/can be the basis of entire home entertainment centers, your library, your photo album, your telephone, etc etc.
What they should do (and what would be more effective) is to ban the user from say spending more than 30 minutes at a time on a PC, or making an IP connection to a class of third parties, or posessing any tools or software that could be used for illicit purposes - and then have the parole officers make unannounced audits and/or taps.
This goes along the lines of what kind of an effect would it have on you and your life if the police seized your computer in the midst of an investigation (not even an investigation into you, say your webcam caught some images of a crime). My PC is all of the things I listed above and more. And remember, saying "make backups" doesn't cut it, they always take your backups too and withholding those could get you in even worse trouble.
To put it another way - the police need to develop methods that don't "deny you use of your entire house just to check the window for fingerprints".
If they want to ghost the drive and look at the inside of the system before they leave, that's fine. But taking the entire thing for an indefinite period - unacceptable. (I'm talking about when I'm not the suspected murder or something
"There are other ways to live", indeed. He's already had three or four years for the enormity of his crime to sink in, and now a few more of his career-making years will be pissed away flipping burgers for a lesson he probably already learned at 17. This is not to the greater good, in my opinion.
I don't buy for a second that he was doing it to find space for movies. It just makes no sense at all.
Let's assume for a moment that all of his movies were DivX-encoded at 650 MB each, just for the sake of argument.
* Hard drives four years ago were still relatively inexpensive. By working at McDonald's part-time for three weeks or so he could have had a new hard drive.
* Even if he had so many movies that he required an additional hard drive, why could these movies not have been burned to CD-R instead? CD writers were available for less than $100 and CD-Rs could have been found for less than 50 cents a piece. He could have had virtually unlimited space as long as he purchased a new spindle now and then. (See afformentioned McDonald's reference.)
* Most importantly, what did he expect to do with those movies? Unless he had a T3 or something equivalent to his house, he would have had to wait hours to both upload for storage and download to view. I've had 1.5 Mb/sec DSL for four years, so I know that it would have been feasible back then, but it still would have been far less effort to burn them to CD-R. And at least then they would have been portable, far more so than a hard drive.
* Assuming 1.5 Mb/sec broadband, it would have taken almost an hour just to download one movie. So, he would have taken an hour to download, an hour to upload (at the VERY least since most broadband companies don't use the same upload/download speed), and another hour to download when he wants to watch it? Was he planning on installing a streaming media server as well?
* Why NASA? Why not find some schlep on his ISP who wasn't running a firewall, had lots of space, and store the data there? A Joe-Clueless-User would have been far less able to determine who was storing data on his system than NASA.
I'm sorry, but I just dont buy the "he was looking for computer space to store movies he'd downloaded" line. It makes absolutely no sense whatsoever. Sounds more to me like he was doing something nefarious and was hiding it or he was just looking for ego points and got nabbed in the process.
The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
Insightful ? Wow, do you guys know anything about security? How about him leaving behind several trojan horses for his buddies? Yes you take the drive, especially if it has sensitive information, and incinerate it. Dumbass, this is national security we're discussing, not your quicken data.
"I believe today that my conduct is in accordance with the will of the Almighty Creator"-Adolf Hitler or George W Bush?
I applaud the judge for his great insight - giving a Computer Science student a computer ban.
And 200k of damages? Er, did he delete research papers or something? (If he did, to make room for his movies, he does deserve it, though).
Sounds more like 200k to finally get their asses moving to fix some security holes, which were there in the first place.
He went into my house, through the big holes in my fence, climed through my dried-up moat, opened the door with the broken lock, and then stole my potted plant. It cost me a fortune to replace the lock, refill the moat and fix the fence.
+++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
I guess he should have thought about that before HACKING A BOX AT *NASA* for pete's sake - and to do what, use it for Divx movies?
This guy was an idiot and got what he deserved. Sorry. Perhaps he should have though first before compromising a piece of United States Government property.
Detection and patching of problem: $2000
Lawyers fees: $3000
Paperwork: $500
Lost productivity due to downtime: $75
Bullshit: $196,225
Claiming 5100% damages in court and winning: Priceless.
Cracking into NASA is one thing. You're up against propellor-heads and zoomies, nice people who think space is neat. Cracking into the NSA is a whole 'nother ballgame. Those folks are professional paranoids, and while they don't kill people, they certainly know people who do.
This next song is very sad. Please clap along. -- Robin Zander
Here we have a person that is very much talented towards computers, a person who knows a lot and a person who could potentially bring big innovations and discoveries to mankind.
No, here we have a first-class idiot that felt breaking into a NASA system to illegally use their storage space (likely to set up a public FTP full of pirated movies) was preferable to something semi-sane like buying another hard drive or server.
I guarantee you there's plenty of law-abiding people out there that vastly outclass this kid in terms of bringing "big innovations and discoveries to mankind."
Lets all beat the hell out of him before he unfolds something that should be kept hidden... Or better yet, so he never gets to be anything the 'general' public is...
What does breaking into a government system to store pirated movies have to do with what you're insinuating?
Is the 'law' still protecting the public or beginning to get in the way of technological advancement?
People manage to find, report, and fix security holes without unlawfully breaking into government computer systems. Imagine that, eh?
Not to mention the fact that, yet again, he wasn't trying to expose security holes, he was trying to save money by storing pirated movies on someone else's space.
I'm not at all saying the cracker was right to break into NASA's systems. What I am saying is NASA has a responsibility to keep its systems secure, and spend the required $$$ to do so, and they failed.
;) )Can you elaborate?
I/O, This is true, but you must remember at many educational and scientific institutions there are a lot of undocumented machines that sit back in the corners and closets that are not properly patched. This is because the institution does not want to seem fashist about their "computer policies" that could hamper research.
That they failed does not give them the right to charge that expense to the next person to walk through the door.
Pass the expense of patching on to whom? I'm afraid I am not following your logic. (As you know, I am a little dense at times
--fatboy
say a vulnerability is posted on the web and it happens to affect your systems. how much does it cost you to get your IT department to locate, fix, and patch the problem?
let's further assume that the party that posted the vulnerability is being purposefully uncooperative. but they agreed to get the vulnerability tested independently by a third party who also happens to be uncooperative. how much does it cost your IT department?
i havent got a clue. but 200k seems like a lot. it would seem that keeping a network secure is very expensive business. and i agree that this is true for physical installations, but digital? i mean seriously. unless of course you are over working your staff who also answer all the phones for tech support in-house making it impossible to manage their time or actually do the work they were hired for in the first place. but 200k for a bug? jesus.
i feel really bad for nasa. no matter what system you use there will be bugs and even when that is not the case a system can be badly configured. if each of these issues costs on average 100k (just a guess) to "locate, fix, and patch" can you imagine how much money is going into IT departments right now? or how much money is going into the IT industry? its like paying the plumber 4 times (just a guess) more than his already expensive rates (apparently there is a shortage of plumbers) and honestly believing that this is the way the world should work.
for crying out loud people. what exactly did this kid do? "shutdown -h now"? and it takes 15minutes to boot up? i mean sorry guys, but maybe you should be protecting your system a little better. i always tell myself. if a teenager can pull a prank like this one there are two things you should do. punish the teenager the way we punish any teenager for a prank like this (which they have sort of done). secondly, get some help securing your systems because a foreign nation will not be looking for space to store movies. they will be out there looking to cripple your systems and not necessarily permanently, 30mins could be critical for a crack squad tectical unit and if it is as easy as just shutting down a server......
ps. to be fair, it could be that restarting the system as part of their "locate, fix, and patch" program takes a lot of time (more than 10 minutes?). there again my friends i would suggest a better system to reduce your costs. this has nothing to do with me believing you shouldnt punish this guy. but quit posting damages that could have been avoided if you spent a little more time designing a better system that met your needs. if google can do it i am sure you can too.
if it takes so long to restart your system even during normal maintenance then build redudancy for your production environment. if this is really just about your personal inconvience then remember you are a plumber and that crap cloggin the pipe is your job.
A few years ago, I was sitting in on a meeting for Infosec activities at a NASA Center. One of the first presentations was a rather nicely done outline of recent vulnerabilities and exploits admins should be taking action on. A look around the room saw a vast majority of glazed-over gazes. The next presentation was from our local FBI agent who discussed a recent compromise and the actions being taken to apprehend the perpetrator. The room was alive.
There was much appreciation for the progress being made on the case. Apparently, the FBI had their suspect and were busy building an air-tight case for prosecution. There was a general air of victory. But what many failed to realize was the whole exercise was a signal of defeat. The incident represented potential compromise of data. It involved considerable man hours spent on investigation and recovery of the system. It also represented loss of equipment removed from the budget-strapped lab to support forensics activities.
This represents a couple different problems with the common view of information security at NASA.
It shows a lack of understanding of infosec issues. Instead of approaching infosec as a technical problem, the issue often gets far more attention as a legal / law enforcement issue. This is attitude calls for action after the damage has been done.
It shows a inappropriate focus on funding. All IT budgets are stressed. NASA is no different, and perhapses even more thinly spread than others. That means infosec activities tend to get cut in favor of other IT activities. Yet there is no perceived issue in later spending considerable resources to prosecute each infosec incident.
It may be worth stressing that this meeting happened several years ago. And there have been changes in how NASA, and the US Government in general, now perceive information security. So my observations do not represent an all-inclusive view of infosec at NASA (and those observations are my opinion and not policy of my employers). None the less, these observations are still applicable today.
One side observation to anyone considering taking a stab at *.nasa.gov space. Historical statistics show that you'll find suitable targets and manage to compromise a system. But keep in mind, for the US Government that is just the beginning. The FBI views a case as making progress over several years of investigation and finally prosecution. So the compromise of a system that takes minutes, and the abuse of that system over a period of weeks or months may mean that years later you'll find yourself in court.
But the fixing was necessary anyway. It's like getting burgled and then trying to claim extra damages from the burglar to buy more secure locks.
I am trolling
If the government is serious about fixing problems in supposedly secure and sensitive systems, then they should reward not punish people who find holes.
Instead of going to the courts with a trumped up case about supposed damages in hundreds of thousands of dollars, they should give hundreds of thousands of dollars to the people who document holes in the security of sensitive systems.
And tax-free, too, if you please.
And give this kid the job of special intern for security at a decent salary. Loyal Americans and allies of the American corporate empire should be rewarded for tracking down, finding, and documenting security problems.
Suppose YOU found a hole in some NASA computer that allowed you to endanger a shuttle launch or mission. Suppose that if you took it to NASA there was a good chance that you would get thrown into some secret third-world hellhole prison like Guantanamo with no release or no record of your imprisonment. This might happen if you're Muslim instead of being some 18-year-old, rich, white, suburban, Computer Science community college student harmless geek.
Suppose that you mentioned your discovery to someone at the mosque and they came back a month later with an offer of several hundred thousand dollars for all the details on how to blow up a NASA mission along with a new identity and citizenship to some quiet Muslim community in a country not monitored by the FBI.
What would you do?
There are holes in every major on-line computer system. It is better that we have our geeks get rewarded for finding and reporting them, rather than have our enemies find them and use them to kill our people.
In other words, Homeland 'Security' agents, stop putting harmless hackers in jail for finding weaknesses in your chickenshit computer security systems.
There's a good chance that they didn't tell you everything that they found out about your pathetic security systems, and they won't be 'harmless hackers' when they get out of an American prison.
Dumb schmucks!
The reason he was in the alternative school was the the first time the same federal agents arrested him. He was using stolen credit cards to get stuff delivered to vacant houses.
Since the feds do not prosecute minors normally, he was handled by the state/local system.
The second time around they are not so nice (actually I thought he was over 18 at the time of the second arrest).
Getting caught does not make you super-bright! He might or might not have had any real talent for cracking, but he sure has the mindset for committing crimes.
His prior(s) are not reported in the AP article, and the judge might not have been allowed to consider them, but the investigators knew him personally, so the prosecutor would have been more motivated.