Slashdot Mirror


6-Month Sentence for NASA Cracker

lunartik noted an AP story running on a 6-month sentence given to Gregory Aaron Herns for cracking into the computer system at NASA's Goddard Space Flight Center. 'Herns told federal agents he was looking for computer space to store movies he'd downloaded. It took hours for technicians to find the problem, fix it and patch the system's security holes.'

53 of 329 comments

  1. With the direction Slashdot has been going lately, by Chess_the_cat · · Score: 5, Funny

    I'm surprised this wasn't posted under YRO.

    --
    Support the First Amendment. Read at -1
  2. I'd love to see a breakdown of the damages by Nine+Tenths+of+The+W · · Score: 4, Interesting

    NASA are claiming it was $200k. It'd be nice to see how much of that was spent on fixing the security holes he uncovered.

    --
    Slashdot: News for Nerds, Stuff that matters only to them
    1. Re:I'd love to see a breakdown of the damages by Richard_at_work · · Score: 4, Insightful

      He said he broke in to use storage space. Are you going to take him at face value and continue using the system as is, after patching the security hole that let him in? Or are you going to forever view that system as 'dirty', with the costs associated with replacing that system and the data on it? This isn't a simple case of 'change the locks, add more CCTV', as you would with a physical warehouse; you can't 'distrust' a physical building, but there is a lot more he could do with a compromised computer system, including hiding unwanted code.

    2. Re:I'd love to see a breakdown of the damages by NoOneInParticular · · Score: 4, Insightful

      The more apt analogy would be a world where warehouses are used by burglars both for storing stuff and for putting poison in the stored food. When you find someone storing warez in such a house, are you still going to sell the crackers?

    3. Re:I'd love to see a breakdown of the damages by More+Trouble · · Score: 3, Informative

      Are you going to take him at face value and continue using the system as is, after patching the security hole that let him in?

      Am I a competent sysadmin in this scenario? If "yes," then I guess I'm probably running a tripwire of some sort. So I boot from CD, take a look at what's been changed, and fix it. If I'm really on the ball, I'm using something like radmind, in which case I still boot from CD, but I let radmind reverse any damage that had been done.

      :w

    4. Re:I'd love to see a breakdown of the damages by Jozer99 · · Score: 2, Funny

      Wow! If it took them several hours to fix, I would love to be the IT guy there!

      Well now, you had a port open on your firewall, and "pswrd" as the password for root, so, it took me 1/2 hour to fix, plus 3 1/2 to get through security, so at $50,000 an hour, that will be 200k! I take personal checks...

    5. Re:I'd love to see a breakdown of the damages by Twanfox · · Score: 3, Informative

      The safest and most reliable way to be 100% assured that you have wiped all trace of actions done is to roll back to a prior backup. While yes, Tripwire is a great program and yes, while using it myself I concede that it does in fact trap file alterations well, I seem to recall there was a story not too long ago about generating two files with the same MD5 hash. If that is even remotely possible, then you cannot trust life and death situations and billions of dollars to a system that can still be compromised just because you didn't want to take the time to roll back the system to a known 'sane' version.

      It's just a matter of principle in high value systems. What happens if he replaced the policy and key files for tripwire, masking his trail? What happens if he knew the passphrase to use the local and site keys? Even if you know he could not, it just isn't worth the risk. Either take your time to drill down and dig out the pieces, or take the same time to wipe and reinstall. For my money, I feel more secure about wiping and reinstalling.
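The "boot from clean media and check what changed" approach in comment 3 and the MD5 caveat in comment 5, as an added example that is not part of the thread or of any poster's code: a small tripwire-style baseline/verify tool that records a SHA-256 digest plus size and permission bits for every file (so a change has to preserve several attributes, not just one hash) and classifies differences as modified, added or removed. The directory layout and the tampering in `demo()` are constructed for the example.

```python
"""Tripwire-style integrity check over a directory tree (added example)."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# A baseline maps a path relative to the root to (sha256 hex, size, mode bits).
Baseline = Dict[str, Tuple[str, int, int]]


def _fingerprint(path: str) -> Tuple[str, int, int]:
    """Return (sha256 hex digest, size in bytes, permission bits) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode)


def build_baseline(root: str) -> Baseline:
    """Walk root and fingerprint every regular file (symlinks skipped).

    In practice this is run from known-good media, and the resulting baseline
    is stored somewhere the monitored host cannot write to.
    """
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = _fingerprint(full)
    return baseline


def verify(root: str, baseline: Baseline) -> Dict[str, List[str]]:
    """Compare the current tree against baseline and classify every difference."""
    current = build_baseline(root)
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new != old:
            # Any attribute differing counts: a digest match with a different
            # size or mode is still flagged, which is why all three are kept.
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        sample = {  # constructed file contents, not real system files
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "bin/ls": b"#!/bin/sh\nexec /bin/ls \"$@\"\n",
            "etc/motd": b"Welcome\n",
        }
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Simulated post-compromise changes (constructed for the example):
        with open(os.path.join(root, "bin/ls"), "ab") as f:
            f.write(b"# extra\n")                          # content change
        os.remove(os.path.join(root, "etc/motd"))           # file removed
        os.makedirs(os.path.join(root, "var", "movies"))
        with open(os.path.join(root, "var/movies/x.avi"), "wb") as f:
            f.write(b"\x00" * 16)                            # file dropped in
        os.chmod(os.path.join(root, "etc/passwd"), 0o755)    # mode change only
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

As comment 5 notes, a check like this only tells you what changed relative to a baseline you trust; it does not replace restoring from a known-good image when the baseline itself, or the tool, may have been touched.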

    6. Re:I'd love to see a breakdown of the damages by fatboy · · Score: 2, Insightful

      I'm not at all saying the cracker was right to break into NASA's systems. What I am saying is NASA has a responsibility to keep its systems secure, and spend the required $$$ to do so, and they failed.

      I/O, This is true, but you must remember at many educational and scientific institutions there are a lot of undocumented machines that sit back in the corners and closets that are not properly patched. This is because the institution does not want to seem fascist about their "computer policies" that could hamper research.

      That they failed does not give them the right to charge that expense to the next person to walk through the door.

      Pass the expense of patching on to whom? I'm afraid I am not following your logic. (As you know, I am a little dense at times ;) ) Can you elaborate?

      --
      --fatboy
    7. Re:I'd love to see a breakdown of the damages by _Sprocket_ · · Score: 5, Insightful

      A few years ago, I was sitting in on a meeting for Infosec activities at a NASA Center. One of the first presentations was a rather nicely done outline of recent vulnerabilities and exploits admins should be taking action on. A look around the room saw a vast majority of glazed-over gazes. The next presentation was from our local FBI agent who discussed a recent compromise and the actions being taken to apprehend the perpetrator. The room was alive.

      There was much appreciation for the progress being made on the case. Apparently, the FBI had their suspect and were busy building an air-tight case for prosecution. There was a general air of victory. But what many failed to realize was the whole exercise was a signal of defeat. The incident represented potential compromise of data. It involved considerable man hours spent on investigation and recovery of the system. It also represented loss of equipment removed from the budget-strapped lab to support forensics activities.

      This represents a couple different problems with the common view of information security at NASA.

      It shows a lack of understanding of infosec issues. Instead of approaching infosec as a technical problem, the issue often gets far more attention as a legal / law enforcement issue. This attitude calls for action after the damage has been done.

      It shows an inappropriate focus on funding. All IT budgets are stressed. NASA is no different, and perhaps even more thinly spread than others. That means infosec activities tend to get cut in favor of other IT activities. Yet there is no perceived issue in later spending considerable resources to prosecute each infosec incident.

      It may be worth stressing that this meeting happened several years ago. And there have been changes in how NASA, and the US Government in general, now perceive information security. So my observations do not represent an all-inclusive view of infosec at NASA (and those observations are my opinion and not policy of my employers). Nonetheless, these observations are still applicable today.

      One side observation to anyone considering taking a stab at *.nasa.gov space. Historical statistics show that you'll find suitable targets and manage to compromise a system. But keep in mind, for the US Government that is just the beginning. The FBI views a case as making progress over several years of investigation and finally prosecution. So the compromise of a system that takes minutes, and the abuse of that system over a period of weeks or months may mean that years later you'll find yourself in court.

    8. Re:I'd love to see a breakdown of the damages by m50d · · Score: 2, Insightful

      But the fixing was necessary anyway. It's like getting burgled and then trying to claim extra damages from the burglar to buy more secure locks.

      --
      I am trolling
  3. Wow... by Flaming_cows · · Score: 4, Insightful

    6 months in prison because he was too cheap to buy a hard drive...

    1. Re:Wow... by mirko · · Score: 3, Insightful

      It should at least have been 6 months of collectivity-related work.
      If the guy was technically decent, it's a shame he'd be sent to a federal fuckodrome... :(

      --
      Trolling using another account since 2005.
    2. Re:Wow... by Detritus · · Score: 2, Interesting

      I had something similar happen to one of my systems at work. They filled it up with porn movies and used the site's large amount of bandwidth to distribute them to lusers all over the world. For months afterward, I could see unsuccessful attempts to download the files in the logs.

      --
      Mea navis aericumbens anguillis abundat
  4. Bad movies by Red+Warrior · · Score: 2, Funny

    Now if he'd just uploaded LOTR:ROTK instead of Legally Blonde....

    --
    "If, therefore, any be unhappy, let him remember that he is unhappy by reason of himself alone."
    ~Epictetus
    1. Re:Bad movies by bersl2 · · Score: 2, Funny

      Oh, so he has bad taste in addition to being a frickin' idiot?

  5. Great idea by Anonymous Coward · · Score: 5, Funny

    Let's just download some movies. Oh wait, I've run out of space.

    LET'S HACK NASA!

    Step 1: Download movies.
    Step 2: ???
    Step 3: HACK NASA!

    1. Re:Great idea by TFGeditor · · Score: 3, Funny

      But where's the Profit? There's gotta be Profit. You can't have a 3-step program without Profit. Profit makes the world go 'round. We like Profit...oh, wait...

      --
      Ignorance is curable, stupid is forever.
    2. Re:Great idea by knipknap · · Score: 5, Funny

      Who has more experience solving space problems than NASA?

  6. Mmm. No. by Ligur · · Score: 5, Funny

    "It would be like clearing a sidewalk full of spectators with a fire hose so you can walk through it," said Assistant U.S. Attorney Greg Nyhus.
    More like breaking into a bank vault to store the bicycle you just stole.

    --
    Smoke me a kipper, I'll be back for breakfast.
    1. Re:Mmm. No. by djdavetrouble · · Score: 4, Funny

      yeah, yours is better and funnier. He should step down immediately !

      ****FOR IMMEDIATE RELEASE****

      Longtime Slashdot.org member Ligur (453963) has been selected to replace Assistant U.S. Attorney Greg Nyhus. Nyhus, although promising, proved unable to form relevant analogies in meetings with the press. Ligur, although not formally trained in law (a condition known as IANAL) is highly knowledgeable in general subjects, has excellent karma, and is frequently moderated to +5 funny.

      --
      music lover since 1969
    2. Re:Mmm. No. by autocracy · · Score: 2, Interesting

      I work for a fire department. I'd kill for a day when spectators were in my way and refused to move. After all, if you park in front of a fire hydrant, policy's to run the hose THROUGH your car. In a fire lane? We'll use your car as support for the ladder truck's rigging. Don't think it hasn't happened before.

      --
      SIG: HUP
  7. crackers by Anonymous Coward · · Score: 3, Interesting

    "It took hours for technicians to find the problem, fix it and patch the system's security holes"

    That's so obviously the cracker's fault...

    1. Re:crackers by CK2004PA · · Score: 2, Funny

      Yes it is his fault. Just like the guy who finds a way to disable home or car alarms, break in and steal stuff. Are you kidding me? You side with a criminal because the lock on some window wasn't good enough to stop a crowbar forced entry? 6 months isn't enough, this caused far more damage than armed robbery and cost taxpayers more money than grand theft auto. I'd like to see what you think after someone commits a crime against you or a family member...we'll see you throw your "protect poor criminals because they're cool" argument out the window. Hackers are losers who can't get chicks. Guys that protect us against hackers and clean up their mess have chicks, that's why they need steady jobs. Moral of the story? Get a girlfriend, loser.

      --
      "I believe today that my conduct is in accordance with the will of the Almighty Creator"-Adolf Hitler or George W Bush?
    2. Re:crackers by Firethorn · · Score: 2, Interesting

      You side with a criminal because the lock on some window wasn't good enough to stop a crowbar forced entry?

      What we're objecting to is the idea that part of the "damages" this thief is being charged with would be the installation of bars in the windows afterwards.

      Sure, charge him for actual damages, such as cleanup & verification. But charging him for patching the holes?

      --
      I don't read AC A human right
  8. This is a good thing by lorcha · · Score: 5, Insightful

    He was a cracker. He cracked and abused a system. He was convicted, and was given a reasonable and appropriate punishment.

    This is how the system is supposed to work.

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
  9. Put these morons to use by Timesprout · · Score: 3, Funny

    NASA should be allowed to use these idiots in their experiments. I'm thinking 'Effects on subject A when parachutes fail to deploy on capsule dropped from 50,000 feet' or 'Impact determination of Subject A foolishly slashing open his space suit in LEO' sort of stuff.

    NASA could get valuable data, some small furry woodland creatures would be saved this fate and the world would have a few idiots less. Win all round scenario.

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  10. Re:Makes perfect sense!?! by Anita+Coney · · Score: 4, Insightful

    Could you please post your address, I'd like to show you how clever I could be at breaking into your house.

    --
    If someone says he and his monkey have nothing to hide, they almost certainly do.
  11. Policing our own by TFGeditor · · Score: 4, Insightful

    Tacit approval of this sort of thing (cracking) paints us all with the same unsavory brush. If we do not start policing our own, the "geek/nerd" stigma will deepen. We are professionals, let's act like it.

    --
    Ignorance is curable, stupid is forever.
    1. Re:Policing our own by back_pages · · Score: 2, Interesting

      Tacit approval of this sort of thing (cracking) paints us all with the same unsavory brush. If we do not start policing our own, the "geek/nerd" stigma will deepen. We are professionals, let's act like it.

      Right, but I see you have a UID in the seven hundred thousands. You're new here! You see, you are absolutely correct - if we are professionals, then we should act like professionals. Unfortunately, the parent post is more correct - with the direction Slashdot has been going lately, I'm surprised that this wasn't posted under YRO.

  12. Maybe he hadn't checked pricewatch recently by aardwolf204 · · Score: 2, Insightful

    With hard disk space nearing $0.50 / gigabyte, why on earth would you crack into NASA computers to store your movies?

    --
    Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al
    1. Re:Maybe he hadn't checked pricewatch recently by saider · · Score: 3, Informative

      Because this happened 4 years ago when a typical hard drive could only store a dozen movies or so. And a 17 year old is unlikely to be able to afford a large drive (I don't know if he was working or not).

      --
      Remember, You are unique...just like everyone else.
  13. Huh? by Pheonix5000 · · Score: 3, Funny

    "It's not like firing up your Macintosh or your Apple where you push a button and wait six minutes for the thing to boot."

    He must be talking about Windows ;)

  14. Re:Hacking Vs Cracking by MikeyVB · · Score: 5, Informative

    Oh boy, this one again!

    I disagree.

    Cracking == Breaking or "cracking" any type of computer security, whether it be software or a server.

    Hacking == Programming.

  15. Re:6 Month Sentence for NASA Cracker by Nicholas+Evans · · Score: 2, Insightful

    I do. With real world breaking and entering, you don't need to bring down a mission-critical server and reimage the drive to ensure security. You just change the locks.

  16. Re:Hacking Vs Cracking by Flaming_cows · · Score: 4, Informative

    Actually, that's not it at all. According to 'purists', hacking is a term used to denote someone who programs (e.g. hacking code is programming) whereas cracking is breaking into a system with malicious intent, although the term hacker has been demonized by the media and government (e.g. Kevin Mitnick's story).

  17. Re:Makes perfect sense!?! by La+Gris · · Score: 2, Insightful

    Let's switch the word "computer" to "lockpicking".

    Let's see...

    "Here we have a person that is very much talented towards lockpicking..."

    Does a lockpicker know much about how to build efficient locks, actually?

    Does a computer security breaker know much about how to actually build secured systems?

    Is that much different?

    --
    Léa Gris
  18. Well it's not exactly new.... by Anonymous Coward · · Score: 2, Funny

    I well remember the days of downloading pr0n off of illegitimate ftp servers set up, on you guessed it, NASA computers. This was back in the day when 3 GB was a fantastic amount of data. And why yes it was busty asian pr0n.

  19. Yes, your honor ... by dhilvert · · Score: 3, Insightful

    ... after the accused stole my $3.59 flowerpot, I had to spend hundreds of dollars putting locks on all of my doors.

  20. Re:I don't know by nkh · · Score: 2, Insightful

    We want this "friendly geek" out of prison while we demand that spammers are put behind bars? This doesn't make sense...

  21. Nice by jmcharry · · Score: 2, Insightful

    Break into one government computer, go to jail. Break into tens of thousands of personal computers, ....

  22. Restricted access to computers -- has to change by ckedge · · Score: 3, Insightful

    Herns was ordered to pay restitution for the damage he caused and will have limited access to computers for the next three years. After the judge outlined the terms of Herns' restricted computer use, Levine pointed out how hard those conditions will be for a man who does everything online, including paying his bills.

    "He's going to get to learn," Brown said. "There are other ways to live."

    The Canadian government has declared internet connectivity to be (I forget the exact term) a "necessity" or something.

    If you rob a bank, do they forbid you from walking into any type of business establishment for the entire duration of your parole? No! It would be idiotic - everyone needs a bank account or groceries in today's society, and there are already tons of other perfectly good laws to deal with the individual should they commit a crime in a bank or other "place of business" again.

    If you commit a traffic violation, do they forbid you from getting into any vehicle on any road? No! They might prevent you from driving, but they still let you get in as a passenger in other people's vehicles or take the bus.

    Judges are going to eventually have to stop throwing out blanket "computer bans" as minor parole conditions - and realize that they have to handle it differently. PCs may/can be the basis of entire home entertainment centers, your library, your photo album, your telephone, etc etc.

    What they should do (and what would be more effective) is to ban the user from say spending more than 30 minutes at a time on a PC, or making an IP connection to a class of third parties, or possessing any tools or software that could be used for illicit purposes - and then have the parole officers make unannounced audits and/or taps.

    This goes along the lines of what kind of an effect would it have on you and your life if the police seized your computer in the midst of an investigation (not even an investigation into you, say your webcam caught some images of a crime). My PC is all of the things I listed above and more. And remember, saying "make backups" doesn't cut it, they always take your backups too and withholding those could get you in even worse trouble.

    To put it another way - the police need to develop methods that don't "deny you use of your entire house just to check the window for fingerprints".

    If they want to ghost the drive and look at the inside of the system before they leave, that's fine. But taking the entire thing for an indefinite period - unacceptable. (I'm talking about when I'm not the suspected murderer or something :| )

  23. This just doesn't make sense by WidescreenFreak · · Score: 5, Insightful

    I don't buy for a second that he was doing it to find space for movies. It just makes no sense at all.

    Let's assume for a moment that all of his movies were DivX-encoded at 650 MB each, just for the sake of argument.

    * Hard drives four years ago were still relatively inexpensive. By working at McDonald's part-time for three weeks or so he could have had a new hard drive.

    * Even if he had so many movies that he required an additional hard drive, why could these movies not have been burned to CD-R instead? CD writers were available for less than $100 and CD-Rs could have been found for less than 50 cents a piece. He could have had virtually unlimited space as long as he purchased a new spindle now and then. (See aforementioned McDonald's reference.)

    * Most importantly, what did he expect to do with those movies? Unless he had a T3 or something equivalent to his house, he would have had to wait hours to both upload for storage and download to view. I've had 1.5 Mb/sec DSL for four years, so I know that it would have been feasible back then, but it still would have been far less effort to burn them to CD-R. And at least then they would have been portable, far more so than a hard drive.

    * Assuming 1.5 Mb/sec broadband, it would have taken almost an hour just to download one movie. So, he would have taken an hour to download, an hour to upload (at the VERY least since most broadband companies don't use the same upload/download speed), and another hour to download when he wants to watch it? Was he planning on installing a streaming media server as well?

    * Why NASA? Why not find some schlep on his ISP who wasn't running a firewall, had lots of space, and store the data there? A Joe-Clueless-User would have been far less able to determine who was storing data on his system than NASA.

    I'm sorry, but I just don't buy the "he was looking for computer space to store movies he'd downloaded" line. It makes absolutely no sense whatsoever. Sounds more to me like he was doing something nefarious and was hiding it or he was just looking for ego points and got nabbed in the process.

    --
    The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
    1. Re:This just doesn't make sense by Grey_14 · · Score: 3, Insightful

      Ok, let's see here....

      *Hard Drives Are Cheap* - Sure, but so are most University Students,

      *Burning to CD-R* - No, means the movies are inaccessible from anywhere else, CD-Rs rot, and you are assuming they are 650MB DivXs, what if they were not? What if, (God forbid) he wanted a little quality in his movies?

      *What to do with them?* You get a little confusing here, and are mixing points, (connection speed vs portability). What's more portable than a server online, with basically assured 24/7 uptime? As well, assuming he's still getting these movies, and they are not JUST things he has, there are warez sites/irc groups with T3s out there.

      *Why NASA? Why not Joe Schmoe?* Because Joe Schmoe is slower, and likely to get taken out by a virus any given day of the week,

      And yeah, I admit, he made a stupid choice going with NASA, he would have been better off taking on a web hosting company or something, even a university. NASA is a little too high profile, so I'd say he was going for ego points.

  24. Re:6 Month Sentence for NASA Cracker by CK2004PA · · Score: 2, Insightful

    Insightful ? Wow, do you guys know anything about security? How about him leaving behind several trojan horses for his buddies? Yes you take the drive, especially if it has sensitive information, and incinerate it. Dumbass, this is national security we're discussing, not your quicken data.

    --
    "I believe today that my conduct is in accordance with the will of the Almighty Creator"-Adolf Hitler or George W Bush?
  25. Yeah - let's give the CS student a computer ban... by CharonX · · Score: 2, Insightful

    I applaud the judge for his great insight - giving a Computer Science student a computer ban.

    And 200k of damages? Er, did he delete research papers or something? (If he did, to make room for his movies, he does deserve it, though).
    Sounds more like 200k to finally get their asses moving to fix some security holes, which were there in the first place.
    He went into my house, through the big holes in my fence, climbed through my dried-up moat, opened the door with the broken lock, and then stole my potted plant. It cost me a fortune to replace the lock, refill the moat and fix the fence.

    --
    +++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
  26. Oh cry me a river. by EvilStein · · Score: 4, Insightful

    I guess he should have thought about that before HACKING A BOX AT *NASA* for pete's sake - and to do what, use it for Divx movies?

    This guy was an idiot and got what he deserved. Sorry. Perhaps he should have thought first before compromising a piece of United States Government property.

  27. Re:In space nobody can ... by the_2nd_coming · · Score: 2, Informative

    a 6 month sentence will likely be done in a minimum security prison since it is less than 3 years.

    --
    I am the Alpha and the Omega-3
  28. Re:Yeah - let's give the CS student a computer ban by Jozer99 · · Score: 3, Funny

    They didn't have any chairs to sit on in the server room while they fixed security holes, so they made a big pile of money and sat on that, and it worked almost as well. After the whole fiasco NASA is now researching a new more expensive type of money that is more easily convertible to a sitting appliance.

  29. Re:SELinux by david+duncan+scott · · Score: 4, Insightful

    No, SELinux is NSA's baby.

    Cracking into NASA is one thing. You're up against propellor-heads and zoomies, nice people who think space is neat. Cracking into the NSA is a whole 'nother ballgame. Those folks are professional paranoids, and while they don't kill people, they certainly know people who do.

    --
    This next song is very sad. Please clap along. -- Robin Zander

  30. Re:Makes perfect sense!?! by PhoenixFlare · · Score: 2, Insightful

    Here we have a person that is very much talented towards computers, a person who knows a lot and a person who could potentially bring big innovations and discoveries to mankind.

    No, here we have a first-class idiot that felt breaking into a NASA system to illegally use their storage space (likely to set up a public FTP full of pirated movies) was preferable to something semi-sane like buying another hard drive or server.

    I guarantee you there's plenty of law-abiding people out there that vastly outclass this kid in terms of bringing "big innovations and discoveries to mankind."

    Lets all beat the hell out of him before he unfolds something that should be kept hidden... Or better yet, so he never gets to be anything the 'general' public is...

    What does breaking into a government system to store pirated movies have to do with what you're insinuating?

    Is the 'law' still protecting the public or beginning to get in the way of technological advancement?

    People manage to find, report, and fix security holes without unlawfully breaking into government computer systems. Imagine that, eh?

    Not to mention the fact that, yet again, he wasn't trying to expose security holes, he was trying to save money by storing pirated movies on someone else's space.

  31. Re:Kevin Mitnick by cdn-programmer · · Score: 2, Interesting

    Yes - I see a lot wrong with this picture.

    Kevin Mitnick hacked into Sun's systems and read some of the OS code. Before his sentence was up SUN OPEN SOURCED at least SOME of this code. Furthermore, Sun claimed millions in losses for this intrusion. Yet we can all see the sun is setting on SUN. The value is in millions of people having access to the source code so, like a language (English for instance), it can be used and improved upon and adapted to meet a wider range of needs. English for instance would have no value if it were locked up and used by a small group of priests... and this is what closed source is.

    So the whole premise of Sun's claims against Mitnick is flawed right from the get go!

    So yes, Kevin Mitnick is an even better example of punishing the messenger.

    The judges in these cases should be embarrassed by their ignorance. At least in the case of the Salem witch trials there is good evidence that their food was laced with ergot, which is hallucinogenic... so they have an excuse. I cannot see much in the way of an excuse here.

    If the judge ruled that NASA should simply fix its servers then perhaps people would wake up to the fact that when you connect a computer to the net, you need to accept responsibility to secure it. It is a fact that there are evil people in the world who will attack them and get in and perhaps create harm. Even if this kid or Mitnick was malicious, and there is ZERO evidence to support this, they should not face anything more than a small fine. They really did nothing more than what most teenage boys and some teenage girls dream of doing.

    In the case of a bank, throwing the thief in jail is a deterrent because the thief needs physical access. In the case of cracking a computer the physical access is to all people in the world and it occurs the instant it is connected to the net. There is no deterrent in punishing one person because all the would-be crackers are mostly invisible and often live in other countries... some of which are our enemies.

    Any bank would consider it rather unacceptable to leave the door off the vault and place it in the parking lot with no supervision. As a customer I would not deal with a bank that does this. Yet on a daily basis many of the professionals I use regularly expose confidential data through their incompetence and unwillingness to hire competent IT professionals.

    I stand by my original opinion. If NASA got cracked it was their own fault. They should punish themselves for their incompetence. They should not be punishing the messenger.

    Furthermore the Judge in the case should recognise this and send the correct message.

  32. when you know there is a bug... by Fortun+L'Escrot · · Score: 4, Insightful

    say a vulnerability is posted on the web and it happens to affect your systems. how much does it cost you to get your IT department to locate, fix, and patch the problem?

    let's further assume that the party that posted the vulnerability is being purposefully uncooperative. but they agreed to get the vulnerability tested independently by a third party who also happens to be uncooperative. how much does it cost your IT department?

    i haven't got a clue. but 200k seems like a lot. it would seem that keeping a network secure is a very expensive business. and i agree that this is true for physical installations, but digital? i mean seriously. unless of course you are overworking your staff who also answer all the phones for tech support in-house making it impossible to manage their time or actually do the work they were hired for in the first place. but 200k for a bug? jesus.

    i feel really bad for nasa. no matter what system you use there will be bugs, and even when that is not the case a system can be badly configured. if each of these issues costs on average 100k (just a guess) to "locate, fix, and patch", can you imagine how much money is going into IT departments right now? or how much money is going into the IT industry? it's like paying the plumber 4 times (just a guess) more than his already expensive rates (apparently there is a shortage of plumbers) and honestly believing that this is the way the world should work.

    for crying out loud people. what exactly did this kid do? "shutdown -h now"? and it takes 15 minutes to boot up? i mean sorry guys, but maybe you should be protecting your system a little better. i always tell myself: if a teenager can pull a prank like this one there are two things you should do. punish the teenager the way we punish any teenager for a prank like this (which they have sort of done). secondly, get some help securing your systems, because a foreign nation will not be looking for space to store movies. they will be out there looking to cripple your systems, and not necessarily permanently; 30 mins could be critical for a crack squad tactical unit, and if it is as easy as just shutting down a server...

    ps. to be fair, it could be that restarting the system as part of their "locate, fix, and patch" program takes a lot of time (more than 10 minutes?). there again, my friends, i would suggest a better system to reduce your costs. this has nothing to do with me believing you shouldn't punish this guy. but quit posting damages that could have been avoided if you spent a little more time designing a better system that met your needs. if google can do it i am sure you can too.
    if it takes so long to restart your system even during normal maintenance then build redundancy for your production environment. if this is really just about your personal inconvenience then remember you are a plumber and that crap clogging the pipe is your job.

  33. Give the "damages" cost to the hacker by Simonetta · · Score: 2, Insightful

    If the government is serious about fixing problems in supposedly secure and sensitive systems, then they should reward not punish people who find holes.

    Instead of going to the courts with a trumped-up case about supposed damages in hundreds of thousands of dollars, they should give hundreds of thousands of dollars to the people who document holes in the security of sensitive systems.
    And tax-free, too, if you please.
    And give this kid the job of special intern for security at a decent salary. Loyal Americans and allies of the American corporate empire should be rewarded for tracking down, finding, and documenting security problems.
    Suppose YOU found a hole in some NASA computer that allowed you to endanger a shuttle launch or mission. Suppose that if you took it to NASA there was a good chance that you would get thrown into some secret third-world hellhole prison like Guantanamo with no release or no record of your imprisonment. This might happen if you're Muslim instead of being some 18-year-old, rich, white, suburban, Computer Science community college student harmless geek.
    Suppose that you mentioned your discovery to someone at the mosque and they came back a month later with an offer of several hundred thousand dollars for all the details on how to blow up a NASA mission along with a new identity and citizenship to some quiet Muslim community in a country not monitored by the FBI.

    What would you do?

    There are holes in every major on-line computer system. It is better that we have our geeks get rewarded for finding and reporting them, rather than have our enemies find them and use them to kill our people.

    In other words, Homeland 'Security' agents, stop putting harmless hackers in jail for finding weaknesses in your chickenshit computer security systems.

    There's a good chance that they didn't tell you everything that they found out about your pathetic security systems, and they won't be 'harmless hackers' when they get out of an American prison.

    Dumb schmucks!