Slashdot Mirror
6-Month Sentence for NASA Cracker
lunartik noted an AP story running on a 6-month sentence given to
Gregory Aaron Herns for cracking into the computer system at NASA's Goddard Space Flight Center. 'Herns told federal agents he was looking for computer space to store movies he'd downloaded. It took hours for technicians to find the problem, fix it and patch the system's security holes.'"
I'm surprised this wasn't posted under YRO.
Support the First Amendment. Read at -1
Let's just download some movies. Oh wait, I've run out of space.
LETS HACK NASA!
Step 1: Download movies.
Step 2: ???
Step 3: HACK NASA!
"It would be like clearing a sidewalk full of spectators with a fire hose so you can walk through it," said Assistant U.S. Attorney Greg Nyhus.
More like breaking into a bank vault to store the bicycle you just stole.
Smoke me a kipper, I'll be back for breakfast.
This is how the system is supposed to work.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
Oh boy, this one again!
I disagree.
Cracking == Breaking or "cracking" any type of computer security, weather it be software or a server.
Hacking == Programing.
I don't buy for a second that he was doing it to find space for movies. It just makes no sense at all.
Let's assume for a moment that all of his movies were DivX-encoded at 650 MB each, just for the sake of argument.
* Hard drives four years ago were still relatively inexpensive. By working at McDonald's part-time for three weeks or so he could have had a new hard drive.
* Even if he had so many movies that he required an additional hard drive, why could these movies not have been burned to CD-R instead? CD writers were available for less than $100 and CD-Rs could have been found for less than 50 cents a piece. He could have had virtually unlimited space as long as he purchased a new spindle now and then. (See afformentioned McDonald's reference.)
* Most importantly, what did he expect to do with those movies? Unless he had a T3 or something equivalent to his house, he would have had to wait hours to both upload for storage and download to view. I've had 1.5 Mb/sec DSL for four years, so I know that it would have been feasible back then, but it still would have been far less effort to burn them to CD-R. And at least then they would have been portable, far more so than a hard drive.
* Assuming 1.5 Mb/sec broadband, it would have taken almost an hour just to download one movie. So, he would have taken an hour to download, an hour to upload (at the VERY least since most broadband companies don't use the same upload/download speed), and another hour to download when he wants to watch it? Was he planning on installing a streaming media server as well?
* Why NASA? Why not find some schlep on his ISP who wasn't running a firewall, had lots of space, and store the data there? A Joe-Clueless-User would have been far less able to determine who was storing data on his system than NASA.
I'm sorry, but I just dont buy the "he was looking for computer space to store movies he'd downloaded" line. It makes absolutely no sense whatsoever. Sounds more to me like he was doing something nefarious and was hiding it or he was just looking for ego points and got nabbed in the process.
The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
A few years ago, I was sitting in on a meeting for Infosec activities at a NASA Center. One of the first presentations was a rather nicely done outline of recent vulnerabilities and exploits admins should be taking action on. A look around the room saw a vast majority of glazed-over gazes. The next presentation was from our local FBI agent who discussed a recent compromise and the actions being taken to apprehend the perpetrator. The room was alive.
There was much appreciation for the progress being made on the case. Apparently, the FBI had their suspect and were busy building an air-tight case for prosecution. There was a general air of victory. But what many failed to realize was the whole exercise was a signal of defeat. The incident represented potential compromise of data. It involved considerable man hours spent on investigation and recovery of the system. It also represented loss of equipment removed from the budget-strapped lab to support forensics activities.
This represents a couple different problems with the common view of information security at NASA.
It shows a lack of understanding of infosec issues. Instead of approaching infosec as a technical problem, the issue often gets far more attention as a legal / law enforcement issue. This is attitude calls for action after the damage has been done.
It shows a inappropriate focus on funding. All IT budgets are stressed. NASA is no different, and perhapses even more thinly spread than others. That means infosec activities tend to get cut in favor of other IT activities. Yet there is no perceived issue in later spending considerable resources to prosecute each infosec incident.
It may be worth stressing that this meeting happened several years ago. And there have been changes in how NASA, and the US Government in general, now perceive information security. So my observations do not represent an all-inclusive view of infosec at NASA (and those observations are my opinion and not policy of my employers). None the less, these observations are still applicable today.
One side observation to anyone considering taking a stab at *.nasa.gov space. Historical statistics show that you'll find suitable targets and manage to compromise a system. But keep in mind, for the US Government that is just the beginning. The FBI views a case as making progress over several years of investigation and finally prosecution. So the compromise of a system that takes minutes, and the abuse of that system over a period of weeks or months may mean that years later you'll find yourself in court.