Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another NASA Hacker Indicted

Posted by kdawson on from the white-hats-provide-poor-cover dept.

eldavojohn writes "Earlier this year, UK citizen & hacker of NASA Gary KcKinnon was extradited to the United States (also interviewed twice). Now, another hacker has been indicted for hacking more than 150 U.S. government computers. Victor Faur, 26, of Arad, Romania claims to have led a 'white hat team' to expose flaws in U.S. government computers. It seems everyone else has been busy hacking into government systems while I've been wasting my time playing Warcraft." From the article: "The breached computers were used to collect and process data from spacecraft. Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said. Several suspected NASA hackers have been dealing with law enforcement recently."

25 of 164 comments (clear)

  1. Teh Interwebs by foldingstock · · Score: 5, Insightful

    If a system is that important, and only has a single task, such as communicating with a spacecraft, why would it be accessible from outside sources?

    1. Re:Teh Interwebs by The+Zon · · Score: 5, Funny

      It's NASA 2.0. They're looking for input from the community.

      --
      Some attitudes replaced or by cgi optimizes
    2. Re:Teh Interwebs by nEoN+nOoDlE · · Score: 3, Funny

      so that the people manning the system can check their Gmail in between shuttle launches.

      --
      Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
    3. Re:Teh Interwebs by cyclone96 · · Score: 4, Informative

      If a system is that important, and only has a single task, such as communicating with a spacecraft, why would it be accessible from outside sources?

      Indeed. The article is pretty thin on what was actually compromised and what "manually communicating with spacecraft" really meant. Rule number 1 with mission critical systems at NASA (I work for them, but not at the locations attacked) is that they are *completely* walled off from the outside.

      Now, there are some mission associated systems that are accessible from the internet which are storing spacecraft data. Here's one that has datasets from the acceleration system on the International Space Station:

      http://pims.grc.nasa.gov/html/ISSAccelerationArchi ve.html

      It's out there because that's the easiest way to get the data to researchers, many of whom are at universities around the world. I suppose if that server ended up hacked, it would hit the news as "Hacker brings down Space Station support system!". Sounds bad, but it's not like you can actually gain control of the spacecraft. I suspect the machines affected were used for this sort of purpose.

      --
      Worst...sig...ever!
    4. Re:Teh Interwebs by wximagery95 · · Score: 5, Interesting

      I work for Lockheed Martin on a classified contract for the USAF and our entire classified network infrastructure is not accessible from the outside (no VPN, no dial in, no nothing). It's a completely isolated AND encrypted network. It's a pain to work on/maintain, but it's the only way you can guarantee no one other than an insider can compromise the system by manually copying data to removable media and taking it with them. Leaked information at this level could causer serious harm to nation's national security.

      When I read articles like this one, it makes me wonder what classification of information was compromised. I highly doubt it's DoD Secret or greater and if it's less than that, the damage caused by this information landing in the wrong hands is probably minimal, though disconcerting.

  2. $1.3? $100k?! by elysiuan · · Score: 4, Insightful

    Why bring the monetary damage (I'd be interested to see how it was calculated in the first place) into the equation at all? These are trifling amounts of money on the scale of government spending. 100k from the Navy and US Department of Energy? Yeah I'm sure they're feeling the 'loss'. Hacking into government systems should be enough of a crime without throwing this wacky money figure into it all.

    1. Re:$1.3? $100k?! by h2g2bob · · Score: 3, Informative

      For extradition, there's often a minimum amount of damage (in $$$) that is required before someone can be extradited.

  3. Prove it by Anonymous Coward · · Score: 3, Insightful

    Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said.

    I smell a false inflation of damages, much like Motorola in the Mitnick case.

    1. Re:Prove it by loraksus · · Score: 5, Funny

      What are you talking about? NASA had to hire hundreds of people to write the communications out by hand in binary and send over 200,000 pigeons to deliver it to the spacecraft (where they had significant issues with packet loss).
      Those numbers are extremely conservative!

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  4. Not very bright and certainl not "white hat" by madsheep · · Score: 5, Interesting

    If you ever went to the websites that this "Victor" character hosted their "hacks" on you could see what kind of geniuses they were. The "White Hat Team" as they called themselves were/are a bunch of clueless script kiddies. They would host their website (www.whitehat.ro) on hacked servers, so it would frequently go down and be reuploaded elsewhere. They flat out told you this on their ugly poorly designed webpage. On top of that they had tons of screen shots of various systems they compromised accounts on (and sometimes gained root). It was fully of typos, bad commands, and just other terribly embarassing things.
    Honestly, I feel bad for this guy (and probably the rest of the team when they're indicted), not because he's been arrested, but because he is such a moron! Hackers... not at all. White hats.. nope (about as smart as the Ironic on). Morons..yes.

    1. Re:Not very bright and certainl not "white hat" by Anonymous Coward · · Score: 5, Funny

      > It was fully of typos, bad commands, and just other terribly embarassing things.

      Sounds like he has a bright future right here, on slashdot.

  5. Manually Communicate? by houstonbofh · · Score: 4, Funny

    Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft
    I can just see one of the guys standing outside NASA JSC yelling up at the sky, "How Ya'll doin up there?"

  6. This is the result by cdrguru · · Score: 4, Insightful

    of glorifying such stunts and of the FBI refusing to even consider something for which there isn't at least $25,000 worth of damages.

    Glorifying such fool pranks I would consider the same as glorifying cutting brake lines on school buses. Really quite funny when the bus driver tries to stop. How could it possibly hurt anyone because any bus driver is going to notice what is wrong long before the first child sets foot on the bus. Right. Keep thinking that way. Of course, what these folks did was just for fun and it didn't really hurt anyone, now did it?

    The FBI putting a dollar floor on damages ensures that nothing is ever done when these kids do something minor. Rather than someone identifying them and giving them a warning nothing happens. When you were 16 if you were never, ever caught shoplifting would your escapades advance to other, higher-price objects? Of course. Which is exactly what is happening here.

    ISPs refuse to identify or even forward communication from people complaining about attacks. So your only choices are to either wait for $25,000 in damages to bring in the FBI (who is the only possible law enforcement agency with jursidiction) or you decide to spend lots of your own money to file suit against some 16 year olds to "teach them a lesson". Of course, you end up with the "lesson" because they will be laughing at you when you find out you can't sue a kid in Romainia.

  7. Hacker Crackdown by dbIII · · Score: 4, Informative

    Read Bruce Sterling's "The Hacker Crackdown" for how these spurious figures are calculated. The examples are old but so is the mindset behind this. The author has put the entire book online.

  8. I'm not sayin'... by lazycam · · Score: 5, Interesting

    I agree with hacking into US goverment machines. I have no plans of spending the next 10 years in a federal prison or Gitmo for that matter. But, who is then responsible for testing the security of our critical systems? Is that no our duty as programming and security professionals? Please explain to me why such machines were connected to the internet again? That's like walking outside the door in the morning without a pair of pants.

    --
    my mom posts on slashdot.
  9. When I was there... by jd · · Score: 3, Insightful
    ...it was standard practice to put .rhosts files on all of the servers and desktops, so that nobody needed to log in more than once and so that shell scripts on remote sites could transfer data. Frankly, I'm less surprised that people have broken into mission-critical systems than in the fact that only three (the two mentioned and a file swapper) have ever been caught. I witnessed truly godawful ignorance on security issues, not least from those in charge of IT security. From the annual reviews of security, it would seem that things have improved and are now merely very sickeningly bad, but I cannot find any reason to excuse ANY weakness in a computer network (a) run by very bright people, and (b) containing a mix of extremely sensitive and/or utterly unique data.


    That these three have been caught is almost incidental, when you consider the probability that there are possibly several orders of magnitude more people who have not. Those who have been were not doing anything significant, except insofar that it was possible to do at all. Nobody - least of all NASA - knows what those who have NOT been caught are doing. We're constantly being reminded about how dangerous the world is and how important it is to track kitty litter as it comes into the country. Assuming the claims have any merit at all, I'd be just a little more concerned with what the Government itself is openly, passively and willingly handing out to whoever asks out there in that "dangerous world". If it's so bloody dangerous, shouldn't the Government be doing at least the very basic minimum?


    (If, however, the real reason is that NASA isn't doing anything mission-critical and that all information it has has no value whatsoever, then just shut the bloody thing down and put the money into education. I think NASA is worthwhile, but then I'd have kicked their security into shape within the first five minutes of having the authority to do so. They aren't, so they clearly don't.)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:When I was there... by dgm3574 · · Score: 5, Interesting

      I was there too. I worked as a contractor at JPL for a little over 3 years, on various projects, building what I'll call "mission support software" in the interest of brevity.

      What I learned after being there long enough (and it took me a long time) is that one of the main reasons computer security at NASA sucks is funding; or really a lack of it. Bear with me as I explain...

      The IT security people (and really, IT people in general) are considered about the lowest form of life at places like JPL, because we are ancillary to the mission. We are overhead. Our work, while helpful, is not viewed as "critical" to mission success. This is an unfortunate and incorrect perception. Try launching anything remotely complex without a computer or a network to support the mission and see what happens.

      Most of the science people at NASA just want to get their work done, get the mission to fly, get their science data back, and do their analyses. The problem is that they don't value network/computer security like IT people do. They just have their narrow view of their narrow area of responsibility. This tunnel vision prevents them from caring about security until Something Bad happens and they lose mission data. Then get ready to hear the screaming. IT people get fired. Heads roll. Memos are written. Policies changed.

      And then everything goes back to exactly how it was, again.

      Underlying all of this is the fact that IT, because of how it is perceived, is poorly funded and therefore understaffed. Without enough staff, they can't respond to all the incoming requests for IT work.

      Remember those science people? They will not accept anything getting in their way, least of all some sorry excuses from the IT department about how they can't get to your server today.

      Consider this conversation:

      IT: "I'm sorry, we're backlogged right now and I won't be able to do that for you today."

      ScienceGuy: "No, you'll fix my server today or the lab director (basically the president of JPL) will hear about it and you'll lose your job because I won't be able to talk to the Mars rover today."

      IT: "Uh, ok. You're the 5th person to threaten my job today. Looks like I'm getting fired. What would you like me to do?"

      ScienceGuy: "Just give me the root password and I'll do it myself. I use a Mac with OS X, so I am a Unix Genius."

      IT: "Sure thing. The password is p198*#&$S(s. Have a great day!"

      ScienceGuy: "Thanks for being a team player! I'll make sure to write a memo to your boss about how you helped us."

      And so, in order to "stay out of the way" of the science people, the IT people have to give away a lot of system administration duties. For this they are rewarded.

      Now, remember that those science people don't care about security? And they don't let anything get in their way? Think they'll do goofy things to make their server or data more easily accessible? You bet they will, regardless of the policies. And you know what? That is why places like JPL are so successful. The science people are dedicated, and will generally stop at nothing to make their missions successful. Most of them are what I would call True Believers. They really are there because they believe in what they do. Unfortunately, they often work within very limited budgets, and within the institutional limitations like limited funding for IT staff.

  10. They can manually communicate with a spacecraft? by DeQueue · · Score: 4, Funny

    Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft...

    Did they use an a hitchhiker style Sub-Etha Sens-O-Matic electronic thumb or just a towel?
    Dequeue
    "Insert witty .sig here"

  11. Where did you get "guesstimate" ? by Infonaut · · Score: 3, Insightful

    Instead of tossing out a "guess-timate", they should not give a quote without all the facts present.

    If the government claims $1.36M + $100k in damage done, they have to submit evidence to the court as to why and how they came up with those numbers. Much of the reason cases involving economic damage take so long is that the discovery phase of the trial, when all of this information gets unearthed and shared among plaintiff and defendant, takes a lot of depositions, requests for information, requests for further information, and so on. You'd better believe that *if* the US successfully gets him extradited to the United States, his attorney will be issuing subpoenas for proof of those numbers. If the government can't substantiate them, it won't fly with the judge.

    --
    Read the EFF's Fair Use FAQ
  12. I'm a "White Hat" hacker too by Infonaut · · Score: 3, Funny

    I just hacked my way into the Bank of America, just to test its security. The fact that I managed to dowload millions of user account files with sensitive personal information I could sell to unscrupulous characters is *totally* beside the point of my wholly beneficial White Hat Crusade.

    Next week, I'll be mounting a White Hat Mission to test the security of Apple's online ordering system. If a few dozen dual core machines find their way to my house, it's a sacrifice I must make for the greater good!

    --
    Read the EFF's Fair Use FAQ
  13. Say it with me again folks... by davmoo · · Score: 4, Insightful

    ...if you can't do the time, don't do the crime. And "if you can't pay the fine, don't do the crime" works too.

    Most people seem to be bringing up the lack of security on NASA systems or the inflated monetary loss estimates. Totally irrelevant. If I secure my house with a 100 year old skeleton key lock and also place a big sign in front of the house that says "Door key under welcome mat, $100,000 US in freezer behind ground beef", I may be stupid but that still does not give you the right to enter my house without my permission.

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
    1. Re:Say it with me again folks... by _Sprocket_ · · Score: 3, Informative

      Various US Government Agencies have been slow to pick up information security. With few notable exceptions, the US Government just doesn't get infosec. But what the US Government does understand is law. Law is a relatively slow process compared to the hack. Some of these cases take years before the Feds are knocking on doors. If you're a script kiddie who's keen on a *.gov address for your IRC bot, keep that in mind. In the short term you may be successful. But you have no idea if the US Government actually did notice and are taking the long, drawn out process to bring you down via whatever Law allows it.

      I once attended an infosec meeting at a NASA center several years ago. The initial presentation was an analysis of an incident involving some Oganization's lab systems. It was well done and full of very handy technical information, lessons learned, and advice to other Orgs on how to avoid a simular incident. I looked around the room. Most eyes were well glazed over. Obviously the information was lost on an audience who should be taking notes. The next presentation came from our FBI representative. The rep. basically talked about the lab equipment that was confiscated... what was happening to the HDs during analysis... and the process of "getting the bad guys." The crowd lit up. Everyone was rather excited. They were going to get the bad guys. Few there seemed to realize that this was not "good news". Rather, it was a failure as the lab systems compromised represented lossess to already-tight budgets.

      Things have changed since that time. Infosec is changing... at least at NASA. There are new attitudes, new requirements, new regulations. I've still got my own concerns and criticisms of the state of things. It's far from perfect, to say the least. But there is change. We'll see how well it holds.

  14. Project Gutenberg by Anonymous Coward · · Score: 5, Informative

    http://www.gutenberg.org/etext/101

  15. There has been crime commited on both sides. by A+beautiful+mind · · Score: 3, Interesting

    The romanian kid is obviously a script kiddie and obviously he deserves some kind of punishment.

    Another crime is commited here though, which is denying this kid a fair trial.

    The previous case with the UK script kiddie was indication enough that things are terribly wrong. The FBI is banking on the general public's unawareness on computers. That Gary guy accessed some US govt. server with a default windows password or something like that, was it? Yeah fitting punishment of life in prison NOT. The FBI throws around ridicioulus numbers as to justify the harsher penalties, but the truth is, the guy is responsible for very little damage, even though the system had to be reinstalled etc, BECAUSE the system was so insecure in the first place that it should have been replaced in the first place! The wast majority of the costs are the due to their own stupidity. The equivalent case would be a car crashing into a skyscraper and the skyscraper collapsing. Yeah, sure the driver is at fault for driving badly, but he's no way responsible for the collapse of the skyscraper in any sense except direct physical!

    The amount of damages is seriously overinflated aswell, others have pointed to Bruce Schneier about it. You can't claim millions of dollars of damages when "you" (the FBI) went around and handled the whole thing the wrong way! Yeah, I might expect a citizen not to have a clue about computers and buy these stories, but the FBI has a responsibility not to talk out of its ass.

    Similarly, in this new case, damages are overinflated and, yeah the kid broke into the system, but the one who caused the damages which caused problems at NASA is the idiotic MORON who designed the system in the first place. These stupid hacker stories are designer/maintainer problems and the FBI should damn well recognize this, because they have the technical expertise in order to do so.

    But they are not doing this. In light of this I'm a pretty serious proponent in urging the non-US countries of the world of suspending ALL extradiction treaties (which should have happened right after Guantanamo rights abuses went public) with the USA until we can be sure that justice is served, not some scaremongering directed at the domestic public of the USA.

    It has to be mentioned that I'm pretty pissed about it, since it sort of hits home. Arad, where the guy is from is a historical hungarian town which now belongs to Romania. There is a good possibility that this guy has hungarian origins and as a hungarian I'm
    a.) scared about the bullying the USA comes up with
    b.) even if the guy extradited is an obvious moron. I would think he'd deserve something in the amount of 2 years probation judging by the cases I'm familiar with, not extradition to a foreign country and dumped in a pound-my-ass prison for life. The USA prison conditions are despicable, but that's another story.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  16. Chuckle, chuckle... by DaedalusHKX · · Score: 3, Funny

    I've worked both private and public research before, the reason that you can keep your network private, is because most privateers can simply buy government sponsored research that suits them, have it paid for by the government, and later have the results they bought "classified" as "top secret" or "of national security interest".

    I've been there, i've seen that, done that, got tshirt and beer mug... They're just crucifying kids, because inquisitive minds, for better or worse, when coupled with direct action (they didn't wait for 20 years for anyone's approval) scare the crap out of the dictatorial regimes of the world, our dear old US included.

    "In a democracy, you vote first, and take orders later, in a dictatorship, they spare you the trouble of choosing your tyrants and th wasted energy used up voting." ~unknown

    --
    " What luck for rulers that men do not think" - Adolf Hitler