World's Biggest Hacker Held

Hieronymus Howard writes "The London Evening Standard is reporting that the "worlds biggest computer hacker" has been arrested in London. Gary McKinnon, 39, was seized by the Met's extradition unit at his Wood Green home. The unemployed former computer engineer is accused of causing the U.S. government $1 billion of damage by breaking into its most secure computers at the Pentagon and NASA. He is likely to be extradited to America to face eight counts of computer crime in 14 states and could be jailed for 70 years. Apparently he broke into U.S. military computers to hunt for evidence of a UFO cover-up."

what?

[professorhojo]

$1 billion damages? honestly - how do they come up with these figures?

they'd do better hiring this guy to teach their sysadmins a thing or two.

Re:what?

[jandrese]

From what I've been able to tell over the years, the damages in these cases is almost completely made up. The FBI loves to post huge numbers on cases like these because it makes them look important. More realistic estimates based on administrator time and business lost due to the servers being unavailable tend to be far lower.

Re:what?

[Smidge204]

To be fair, the cost of finding and fixing trhe holes should not be included. After all, it was broken before he got there.

Not to mention that they should be found and fixed regardless of any intrusions.
=Smidge=

Re:what?

[the_bard17]

Not to mention trying to figure out where all those holes in security came from and patching them.

Yeah, that makes sense. Pawn the cost of fixing your security holes on the guy who found them.

If my house ever gets burglarized, I'm going to try to get the burglar to pay the contractor to fix the "hole" the burglar got in through.

Re:what?

[rokzy]

>Not to mention trying to figure out where all those holes in security came from and patching them.

that's BS. you didn't see Ford suing its customers that discovered the flaws in their cars and forced fixes did you?

counter argument: Ford's customers paid for something and were then endanged.

counter counter argument: citizens pay taxes to be protected and the government fails at this job when it uses crap systems.

Re:what?

[danheskett]

That's your complete speculation, with no basis in established fact.

Let's say you have 100,000 users, and 1300 are lost. You can't just go back to the previous backup and overwrite any of the password changes, profile changes, etc that 100,000 users may have made in the last, say, 8 hrs. It would be very, very disruptive. So you have to first find just the deleted accounts, pull those from the backup, and then restore just those. Depending on your system/platform/application, that may not be possible. So okay, you write a script to insert the users back into the system. Great. But chances are some stuff is lost: passwords, password history, etc. Now you have to hand hold 1300 users resetting passwords, etc. And maybe that links to hundreds of different systems across the network. You really have no idea.

It could be a 5 minute deal, or it could take some skilled programmers days or weeks to properly fix. It all depends on many thousands of variables.

Just saying "go back to tape!" isn't always a viable option.

Re:what?

[greg_barton]

The FBI loves to post huge numbers on cases like these because it makes them look important.

That, and it may help in budget appropriations. Your budget is likely to be cut if you don't spend all of the money in a year. If you're behind on spending, say by $100 mil, you could say "but this hacker cost us $1 billion in damages! We're only going to charge $100 mil for our trouble, though..."

World's biggest hacker

Hey, is this a world's biggest hacker story about the world's biggest hacker? How many times can you say world's biggest hacker in one headline? World's biggest hacker!

Re:Smart? Yes. A Nut? Perhaps. How about both?

[markild]

LOL..

If you're that good you're doomed to either be retarded or wacko.

This obviously proves it ;)

1 billion $ damage?

[vidarlo]

How does they measure the damage done by a single person. 1 billion sounds awful, and if it is this single person that has done so much damage, one must ask how he can do that. I have a feeling it falls back to relaxed security, lazy sysadins and such. And how does they compute how much damage he has done? I guess some corps use the chance to do changes when restoring, so they might in fact get a lot new, which might be incorporated into the costs. Also, destroying a solution that costed $1M to make does not mean it'll cost $1M to reimplement it... So my guess is that those costs is a bit bogus, at best.

Most secure?

[Mille+Mots]

...The unemployed former computer engineer is accused of causing the US government $1billion of damage by breaking into its most secure computers at the Pentagon and Nasa...

Maybe it's just me, but any device connected to any other device is no longer to be considered as secure.

I would have guessed that the gubbermint's "most secure computers" would be airgapped, but apparently that is not the case. Or, perhaps, the author of TFA is being just a bit sensational and overdramatic. ;)

Odd facts in this case

[FunWithHeadlines]

What an incredibly odd story. Look at these quotes from the article:

"Most of the alleged hacking took place in 2001 and 2002. At one stage the US thought it was the work of the al Qaeda terror network. "

OK, so this must have been some serious stuff going down for them to think that he was al Qaeda. Or was it?

"Friends said that he broke into the networks from his home computer to try to prove his theory that the US was covering up the existence of UFOs. "

Uh oh, we're talking mentally off here.

"He is accused of a series of hacking offences including deleting "critical" files from military computers. The US authorities said the cost of tracking him down and correcting the alleged problems was more than £570,000. The offences could also see him fined up to £950,000 if found guilty on all charges. "

Here it comes, the big bill for this mentally off "al Qaeda" operative. "Lesse, captain, I spent my lunch hour running a scan." "Aha! We'll bill that time as worth £50,000!"

"Prosecutor Paul McNulty alleged that McKinnon, known online as "Solo," had perpetrated "the biggest hack of military computers ever". He was named as the chief suspect after a series of electronic break-ins occurred over 12 months at 92 separate US military and Nasa networks.

Ah, it gets better. This guy must have been hot stuff! They think he's some kind of master criminal or something. Or al Qaeda maybe.

"It is alleged that he used software available on the internet to scan tens of thousands of computers on US military networks from his home PC, looking for machines that might be exposed due to flaws in the Windows operating system.

Many of the computers he broke into were protected by easy-to-guess passwords, investigators said. In some cases, McKinnon allegedly shut down the computer systems he invaded. "

WHAT?! He's just a script kiddie??! All this fuss over some guy port scanning Windows boxes??

"The charge sheet alleges that he hacked into an army computer at Fort Myer, Virginia, where he obtained codes, information and commands before deleting about 1,300 user accounts.

Other systems he hacked into included the Pentagon's network and US army, navy and air force computers. "

So let me get this straight. Some nutcase into UFOs uses script kiddie technology to port scan Windows boxes and somehow manages to get into the Pentagon and the military? Are you kidding me? Either they are running Windows boxes with easy to guess passwords and insecure networks, or else they should have charged him with a lot worse stuff than standard port scanning. Or maybe the reporter has no clue what he did, but this doesn't add up.

The only thing that does make sense is the U.S. military thinking a script kiddie UFO chaser was a master criminal at work...

"Most secure computers" - I doubt it

[Lemming+Mark]

Unless the Pentagon and NASA have VERY VERY silly systems, their *really* important computers are simply *not* accessible to hackers. I really can't believe that truly ensitive systems wouldn't just be air-gapped from the world.

Sure, it's possible to hack intelligence agencies but it I'd put money on it failing to get you the really juicy stuff!

A Darwin Award nomination, say I!

[Dystopian+Rebel]

The guy is smart enough to cobble together scripts and guess passwords so he can get into computers run by US Military Intelligence ("The World's Biggest Oxymoron", by the way)...

And what does he look for? UFO information! Now he's facing 70 years in prison.

Come on, that must be the equivalent of tipping a Coca-Cola machine onto yourself.

Re:Smart? Yes. A Nut? Perhaps. How about both?

[kpansky]

Sorry. But snooping around a house, checking the door, finding it unlocked and entering without homeowner permission is still illegal.

One Beeelion Dollars!!!

[mojoNYC]

while i only stfa, the sum total of monetary damages seems to me to be RIAA-esque... meanwhile, why don't we hear about how much something like this costs?

3.9 Million Citigroup Customers' Data Lost

the corporate mentality never ceases to disillusion me--where's the class action lawsuit?

Re:It MOST CERTAINLY is not!

[jellomizer]

Well diffence between hacking and breaking and entering are somewhat simular. The only diffence is no physical damage to system, and potentially no logical damage as well. But that is where the difference stops.

If I owned a shop and I closed the door and forgot to lock it and turn on the security system. But put the closed sign up at the end of the day and a guy walked in and robbed me blind. And the next day we found the theif he would still be arrested for stealing or if he read my books he would still be guilty of corprate esponage.

Or say I have a convirtible and I locked the door but left the top open. And he just reached around and unlocked my doors and hotwired my car (Or even if I left the keys in). He stole my car. If cought he would be tried for grand theft auto. Even if he returned the car at the end of the day he will still be arested for steeling my car.

Just because your victim is stupid it doesn't make comitting a crime right.

Re:Smart? Yes. A Nut? Perhaps. How about both?

He's a fucking idiot...let's stop puffing up this ilk of human with the "hacker" badge of honor.

Get a fucking job, loser.

Re:Smart? Yes. A Nut? Perhaps. How about both?

[jacem]

The sad thing that I see all the time is the easier it is to break the security system the harser the penalty.

This guy broke the military network for three days. Shouldn't it have been more secure.

I'm not saying what he did was right. What I'm asking is how much was spent on security before he took his tour. Shouldn't the people (companies whatever) that where responcible for security have some culpability?


JACEM

Re:UFO cover-up

[said_captain_said_wo]

There are cases of a secrets being kept:
Manhattan project
H bomb
B-2 Stealth bomber

If we could follow the money, we'd see how much goes into projects for which there is no public exposure.

Even if there is no UFO coverup, there are black projects being funded with many millions of dollars. Who decided where this money goes? Where is this money going? Is this a good use of our tax dollars?

Re:MOD PARENT UP

[Doc+Grimm]

Except that if it ISN'T a crime where I did the action is it still a crime? IE if I crack a US CD in the UK am I inviolation of the DMCA? What if that CD was in a drive on a PC in the USA? The question comes down to at which computer did the crime take place? The one he used, or the one he broke into? If the argument is the doing what he did at his computer is a crime, then UK should have jurisdiction with all the leagal-ese the comes with it. If, on the other hand, the crime takes place at the site of the infiltrated computer, how do you know what the laws are of a computer your using when you don't know physically where that computer is, and so can't really do anything with it, etc.

Re:Smart? Yes. A Nut? Perhaps. How about both?

[Lemmy+Caution]

Yep. It's still illegal. But while it's illegal for a burglar to enter your unlocked house, you're no less of an idiot for leaving it unlocked. And exaggerating the scope of the break-in ("he diabolically circumvented the integrity of the house by adjusting the rotational position of the entry affordance!") has as more to do with CYA (in the case of the homeowner, perhaps to collect insurance) than it has to do with the guilt of the burglar.

And remember:

[idonthack]

We have always been at war with Eastasia.

Good!

[Cervantes]

The little bastard deserves everything he gets. No defense coming from me here.

It's bastards like this that screw things up for grey-hats everywhere. Ok, you were curious, you wanted information, and the information wanted to be free... good enough. But you don't go deleting files and user accounts! How fraggin dumb can you be? "Hmm, I just hacked NASA and no-one knows.... I think I'll fuck things up!".

If he'd just gone looking for the information and gotten busted, I would have had sympathy for him. But he just went to wreck shit up. "Looking for UFOs" is just AOL-Speak for "Shit, I got caught being a dick and I need an excuse, quick!"

And my reply, if I were an editor would be

[Sycraft-fu]

Dear Person,

As it turns out, that is not correct. According to the Merriam-Webster Unabridged Dictionary, the American Heritage Dictionary, and the Oxford English Dictionary the word hacker has two meaning in relating to computers. One of them is a person who is an expert with computer and/or someone who peruses computer knowledge for its own sake, the other is a person who uses their skill with computers to gain unauthorized access to systems.

This is not an uncommon situation in English, for a word to have two related connotations, one positive and one negative: For example the word exploit. When used as a verb it can be used to mean a full positive use of something, such as to exploit one's talents means to make full use of your talents in a good way to achieve a goal. It can also be used in a negative way, such as to exploit illegal immigrant financial gain means to take unfair advantage of someone's position to your own selfish benefit. Both uses are not only accepted, but common. It is the context that dictates the meaning of the word.

The same is true with the word hacker. Your special interest sites like Slashdot do not set the stage for the English language, nor are they the authority on its correct usage. Thus in our article using hacker to describe someone who uses computer skill to gain illegal entry to systems is in every way as correct and accurate and a skilled programmer calling themselves a hacker. Thus we will not be issuing a correction, as there is nothing to correct.

In the future if you believe a word is being used incorrectly, I suggest you make a quick check with a dictionary to ensure that you are not confused. There are several online websites including www.dictionary.com, www.oed.com, and www.webster.com that will allow you to look up the definitions of words with ease.

Sincerely,

Editor-in-Chief person.

Re:And my reply, if I were an editor would be

[guitaristx]

Good thing you're not an editor. First, www.dictionary.com shows that the malicious definition of 'hacker' is deprecated. Next, www.webster.com shows both meanings, as you say, but (as with most lexicons) the more common or more proper definitions are listed first. Notice that the malicious definition is listed last. Furthermore, in the context of the offending article, the term 'hacker' is jargon, and is therefore subject to definition by the particular field to which the jargon term belongs: computer technology. Therefore, Webster, OED, and any other general-knowledge dictionaries' definitions of said term are superseded by the generally-understood meaning within the field of computer technology.

A respectful computer expert (that is, a computer expert that respects the skills, opinions, and decisions of other computer experts) would understand the distinction between the usual news article's use of the term 'hacker' and the more correct term as I have described it. However, the average lay-person will not understand the distinction, and will be left with a negative connotation whenever encountering the word 'hacker'. Therefore, as a hacker (in the non-malicious sense), it is my duty to defend myself, and others like me, by communicating to insensitive publications the inherent offensiveness of careless use of the term 'hacker'. If a publication receives a request like mine (see GP), and chooses to respond to it as you have, it is an indication of the publication's insensitivity and intentional alienation of a significant non-malicious worldwide subculture. Therefore, if I do receive a response from either of the publications I've contacted today, and it's similar to yours, I will do whatever is in my power to spread the word about their discriminatory practices. Not that I want to do that - I hope that my letters will incite changes in the treatment of the term 'hacker'. In any case, I'm doing my part to ensure that 'hacker' loses its negative connotation, since the correct definition of it describes me, and others like me, much better than 'computer expert', 'computer enthusiast', 'geek', 'nerd', 'programmer' (et. al.). If ethnic groups can be defensive about what they wish to be called, then subcultures should have the same right.

Re:Don't they mean cracker?

[RobotRunAmok]

The media will never start using "hacker" and "cracker" the way we'd like them to

"We?" What's all this "we" stuff? The adoption of "cracker" by the script-kiddies to mean something else in addition to saltine and Southern racist and illicit-vault-opener remains among the dopey-est linguistic forays of the past twenty years. For many of "us," "cracker" can't cease having any IT-related meaning fast enough.

Of course, if "war-driving" enters the popular lexicon of national newsrooms with any meaning beyond a description of what soldiers do in their Hummers, than "cracker" will finally be out-dopey-ified, but we've got our fingers crossed...

Unbalanced legal system

It was recently reported that Mark Hacking, who shot his wife in the head while she slept and dumped her body into a garbage bin, will receive 6 years for his crime.

McKinnon, on the other hand, who committed a nonviolent crime, could be jailed for 70 years. That's more than 10 times a murderer's sentence.

Apparently it's not such a big deal if you kill one of the common peasants, but they'll come down on you like a ton of bricks if you vandalize something belonging to the most high and holy government.