Another NASA Hacker Indicted
eldavojohn writes "Earlier this year, UK citizen & hacker of NASA Gary McKinnon was extradited to the United States (also interviewed twice). Now, another hacker has been indicted for hacking more than 150 U.S. government computers. Victor Faur, 26, of Arad, Romania claims to have led a 'white hat team' to expose flaws in U.S. government computers. It seems everyone else has been busy hacking into government systems while I've been wasting my time playing Warcraft." From the article: "The breached computers were used to collect and process data from spacecraft. Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said. Several suspected NASA hackers have been dealing with law enforcement recently."
If a system is that important, and only has a single task, such as communicating with a spacecraft, why would it be accessible from outside sources?
Why bring the monetary damage (I'd be interested to see how it was calculated in the first place) into the equation at all? These are trifling amounts of money on the scale of government spending. 100k from the Navy and US Department of Energy? Yeah I'm sure they're feeling the 'loss'. Hacking into government systems should be enough of a crime without throwing this wacky money figure into it all.
Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said.
I smell a false inflation of damages, much like Motorola in the Mitnick case.
If you ever went to the websites that this "Victor" character hosted their "hacks" on you could see what kind of geniuses they were. The "White Hat Team" as they called themselves were/are a bunch of clueless script kiddies. They would host their website (www.whitehat.ro) on hacked servers, so it would frequently go down and be reuploaded elsewhere. They flat out told you this on their ugly poorly designed webpage. On top of that they had tons of screen shots of various systems they compromised accounts on (and sometimes gained root). It was full of typos, bad commands, and just other terribly embarrassing things.
Honestly, I feel bad for this guy (and probably the rest of the team when they're indicted), not because he's been arrested, but because he is such a moron! Hackers... not at all. White hats.. nope (about as smart as the Ironic on). Morons..yes.
Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft
I can just see one of the guys standing outside NASA JSC yelling up at the sky, "How Ya'll doin up there?"
of glorifying such stunts and of the FBI refusing to even consider something for which there isn't at least $25,000 worth of damages.
Glorifying such fool pranks I would consider the same as glorifying cutting brake lines on school buses. Really quite funny when the bus driver tries to stop. How could it possibly hurt anyone because any bus driver is going to notice what is wrong long before the first child sets foot on the bus. Right. Keep thinking that way. Of course, what these folks did was just for fun and it didn't really hurt anyone, now did it?
The FBI putting a dollar floor on damages ensures that nothing is ever done when these kids do something minor. Rather than someone identifying them and giving them a warning nothing happens. When you were 16 if you were never, ever caught shoplifting would your escapades advance to other, higher-price objects? Of course. Which is exactly what is happening here.
ISPs refuse to identify or even forward communication from people complaining about attacks. So your only choices are to either wait for $25,000 in damages to bring in the FBI (who is the only possible law enforcement agency with jurisdiction) or you decide to spend lots of your own money to file suit against some 16 year olds to "teach them a lesson". Of course, you end up with the "lesson" because they will be laughing at you when you find out you can't sue a kid in Romania.
Read Bruce Sterling's "The Hacker Crackdown" for how these spurious figures are calculated. The examples are old but so is the mindset behind this. The author has put the entire book online.
I agree with hacking into US government machines. I have no plans of spending the next 10 years in a federal prison or Gitmo for that matter. But, who is then responsible for testing the security of our critical systems? Is that not our duty as programming and security professionals? Please explain to me why such machines were connected to the internet again? That's like walking outside the door in the morning without a pair of pants.
my mom posts on slashdot.
Keep in mind that these guys did 150 computers, the NASA problems were only NASA's reports of their 'hacking.' It could be that he was part of a team that was trying everything to get at government computers (pretexting/social engineering, hacking, you name it) and that this guy was the only one who actually physically went to a facility and illegally accessed data. I think if you're smart enough to hack into a NASA system, you should be smart enough to cover your tracks--so maybe this guy just waltzed in and presented real ID but just lied about who he was or representing?
So before you call NASA stupid for leaving those computers connected to the internet, I would wait until you find out what they're actually accusing this guy of--it could be another case as with Gary McKinnon where the person wasn't some stellar computer genius, he was just really good at gaining trust from people and lying his way into facilities.
My work here is dung.
That these three have been caught is almost incidental, when you consider the probability that there are possibly several orders of magnitude more people who have not. Those who have been were not doing anything significant, except insofar that it was possible to do at all. Nobody - least of all NASA - knows what those who have NOT been caught are doing. We're constantly being reminded about how dangerous the world is and how important it is to track kitty litter as it comes into the country. Assuming the claims have any merit at all, I'd be just a little more concerned with what the Government itself is openly, passively and willingly handing out to whoever asks out there in that "dangerous world". If it's so bloody dangerous, shouldn't the Government be doing at least the very basic minimum?
(If, however, the real reason is that NASA isn't doing anything mission-critical and that all information it has has no value whatsoever, then just shut the bloody thing down and put the money into education. I think NASA is worthwhile, but then I'd have kicked their security into shape within the first five minutes of having the authority to do so. They aren't, so they clearly don't.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft...
Did they use a hitchhiker style Sub-Etha Sens-O-Matic electronic thumb or just a towel?
Dequeue
"Insert witty .sig here"
Instead of tossing out a "guess-timate", they should not give a quote without all the facts present.
If the government claims $1.36M + $100k in damage done, they have to submit evidence to the court as to why and how they came up with those numbers. Much of the reason cases involving economic damage take so long is that the discovery phase of the trial, when all of this information gets unearthed and shared among plaintiff and defendant, takes a lot of depositions, requests for information, requests for further information, and so on. You'd better believe that *if* the US successfully gets him extradited to the United States, his attorney will be issuing subpoenas for proof of those numbers. If the government can't substantiate them, it won't fly with the judge.
Read the EFF's Fair Use FAQ
I just hacked my way into the Bank of America, just to test its security. The fact that I managed to download millions of user account files with sensitive personal information I could sell to unscrupulous characters is *totally* beside the point of my wholly beneficial White Hat Crusade.
Next week, I'll be mounting a White Hat Mission to test the security of Apple's online ordering system. If a few dozen dual core machines find their way to my house, it's a sacrifice I must make for the greater good!
Read the EFF's Fair Use FAQ
...if you can't do the time, don't do the crime. And "if you can't pay the fine, don't do the crime" works too.
Most people seem to be bringing up the lack of security on NASA systems or the inflated monetary loss estimates. Totally irrelevant. If I secure my house with a 100 year old skeleton key lock and also place a big sign in front of the house that says "Door key under welcome mat, $100,000 US in freezer behind ground beef", I may be stupid but that still does not give you the right to enter my house without my permission.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
Your Honor:
This kid broke into my house and stole a six pack of beer, but now I don't feel safe in my house anymore, so for actual damages I am including the cost of a house in a lower crime area with private security guards. The kid's dad originally bought the beer so I didn't include the cost of the beer in the total.
http://www.gutenberg.org/etext/101
The Romanian kid is obviously a script kiddie and obviously he deserves some kind of punishment.
Another crime is committed here though, which is denying this kid a fair trial.
The previous case with the UK script kiddie was indication enough that things are terribly wrong. The FBI is banking on the general public's unawareness on computers. That Gary guy accessed some US govt. server with a default Windows password or something like that, was it? Yeah fitting punishment of life in prison NOT. The FBI throws around ridiculous numbers as to justify the harsher penalties, but the truth is, the guy is responsible for very little damage, even though the system had to be reinstalled etc, BECAUSE the system was so insecure in the first place that it should have been replaced in the first place! The vast majority of the costs are due to their own stupidity. The equivalent case would be a car crashing into a skyscraper and the skyscraper collapsing. Yeah, sure the driver is at fault for driving badly, but he's no way responsible for the collapse of the skyscraper in any sense except direct physical!
The amount of damages is seriously overinflated as well, others have pointed to Bruce Schneier about it. You can't claim millions of dollars of damages when "you" (the FBI) went around and handled the whole thing the wrong way! Yeah, I might expect a citizen not to have a clue about computers and buy these stories, but the FBI has a responsibility not to talk out of its ass.
Similarly, in this new case, damages are overinflated and, yeah the kid broke into the system, but the one who caused the damages which caused problems at NASA is the idiotic MORON who designed the system in the first place. These stupid hacker stories are designer/maintainer problems and the FBI should damn well recognize this, because they have the technical expertise in order to do so.
But they are not doing this. In light of this I'm a pretty serious proponent in urging the non-US countries of the world of suspending ALL extradition treaties (which should have happened right after Guantanamo rights abuses went public) with the USA until we can be sure that justice is served, not some scaremongering directed at the domestic public of the USA.
It has to be mentioned that I'm pretty pissed about it, since it sort of hits home. Arad, where the guy is from is a historical Hungarian town which now belongs to Romania. There is a good possibility that this guy has Hungarian origins and as a Hungarian I'm
a.) scared about the bullying the USA comes up with
b.) even if the guy extradited is an obvious moron. I would think he'd deserve something in the amount of 2 years probation judging by the cases I'm familiar with, not extradition to a foreign country and dumped in a pound-my-ass prison for life. The USA prison conditions are despicable, but that's another story.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
I've worked both private and public research before, the reason that you can keep your network private, is because most privateers can simply buy government sponsored research that suits them, have it paid for by the government, and later have the results they bought "classified" as "top secret" or "of national security interest".
I've been there, I've seen that, done that, got T-shirt and beer mug... They're just crucifying kids, because inquisitive minds, for better or worse, when coupled with direct action (they didn't wait for 20 years for anyone's approval) scare the crap out of the dictatorial regimes of the world, our dear old US included.
"In a democracy, you vote first, and take orders later, in a dictatorship, they spare you the trouble of choosing your tyrants and the wasted energy used up voting." ~unknown
" What luck for rulers that men do not think" - Adolf Hitler
It's simple -- you just don't hack government computers. Way too much trouble when you get caught for that. Everybody knows that.
At least everybody *should* take note of that.