Slashdot Mirror
Another NASA Hacker Indicted
eldavojohn writes "Earlier this year, UK citizen & hacker of NASA Gary KcKinnon was extradited to the United States (also interviewed twice). Now, another hacker has been indicted for hacking more than 150 U.S. government computers. Victor Faur, 26, of Arad, Romania claims to have led a 'white hat team' to expose flaws in U.S. government computers. It seems everyone else has been busy hacking into government systems while I've been wasting my time playing Warcraft." From the article: "The breached computers were used to collect and process data from spacecraft. Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said. Several suspected NASA hackers have been dealing with law enforcement recently."
If a system is that important, and only has a single task, such as communicating with a spacecraft, why would it be accessible from outside sources?
Why bring the monetary damage (I'd be interested to see how it was calculated in the first place) into the equation at all? These are trifling amounts of money on the scale of government spending. 100k from the Navy and US Department of Energy? Yeah I'm sure they're feeling the 'loss'. Hacking into government systems should be enough of a crime without throwing this wacky money figure into it all.
If you ever went to the websites that this "Victor" character hosted their "hacks" on you could see what kind of geniuses they were. The "White Hat Team" as they called themselves were/are a bunch of clueless script kiddies. They would host their website (www.whitehat.ro) on hacked servers, so it would frequently go down and be reuploaded elsewhere. They flat out told you this on their ugly poorly designed webpage. On top of that they had tons of screen shots of various systems they compromised accounts on (and sometimes gained root). It was fully of typos, bad commands, and just other terribly embarassing things.
Honestly, I feel bad for this guy (and probably the rest of the team when they're indicted), not because he's been arrested, but because he is such a moron! Hackers... not at all. White hats.. nope (about as smart as the Ironic on). Morons..yes.
Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft
I can just see one of the guys standing outside NASA JSC yelling up at the sky, "How Ya'll doin up there?"
What are you talking about? NASA had to hire hundreds of people to write the communications out by hand in binary and send over 200,000 pigeons to deliver it to the spacecraft (where they had significant issues with packet loss).
Those numbers are extremely conservative!
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
of glorifying such stunts and of the FBI refusing to even consider something for which there isn't at least $25,000 worth of damages.
Glorifying such fool pranks I would consider the same as glorifying cutting brake lines on school buses. Really quite funny when the bus driver tries to stop. How could it possibly hurt anyone because any bus driver is going to notice what is wrong long before the first child sets foot on the bus. Right. Keep thinking that way. Of course, what these folks did was just for fun and it didn't really hurt anyone, now did it?
The FBI putting a dollar floor on damages ensures that nothing is ever done when these kids do something minor. Rather than someone identifying them and giving them a warning nothing happens. When you were 16 if you were never, ever caught shoplifting would your escapades advance to other, higher-price objects? Of course. Which is exactly what is happening here.
ISPs refuse to identify or even forward communication from people complaining about attacks. So your only choices are to either wait for $25,000 in damages to bring in the FBI (who is the only possible law enforcement agency with jursidiction) or you decide to spend lots of your own money to file suit against some 16 year olds to "teach them a lesson". Of course, you end up with the "lesson" because they will be laughing at you when you find out you can't sue a kid in Romainia.
Read Bruce Sterling's "The Hacker Crackdown" for how these spurious figures are calculated. The examples are old but so is the mindset behind this. The author has put the entire book online.
I agree with hacking into US goverment machines. I have no plans of spending the next 10 years in a federal prison or Gitmo for that matter. But, who is then responsible for testing the security of our critical systems? Is that no our duty as programming and security professionals? Please explain to me why such machines were connected to the internet again? That's like walking outside the door in the morning without a pair of pants.
my mom posts on slashdot.
Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft...
.sig here"
Did they use an a hitchhiker style Sub-Etha Sens-O-Matic electronic thumb or just a towel?
Dequeue
"Insert witty
...if you can't do the time, don't do the crime. And "if you can't pay the fine, don't do the crime" works too.
Most people seem to be bringing up the lack of security on NASA systems or the inflated monetary loss estimates. Totally irrelevant. If I secure my house with a 100 year old skeleton key lock and also place a big sign in front of the house that says "Door key under welcome mat, $100,000 US in freezer behind ground beef", I may be stupid but that still does not give you the right to enter my house without my permission.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
I was there too. I worked as a contractor at JPL for a little over 3 years, on various projects, building what I'll call "mission support software" in the interest of brevity.
What I learned after being there long enough (and it took me a long time) is that one of the main reasons computer security at NASA sucks is funding; or really a lack of it. Bear with me as I explain...
The IT security people (and really, IT people in general) are considered about the lowest form of life at places like JPL, because we are ancillary to the mission. We are overhead. Our work, while helpful, is not viewed as "critical" to mission success. This is an unfortunate and incorrect perception. Try launching anything remotely complex without a computer or a network to support the mission and see what happens.
Most of the science people at NASA just want to get their work done, get the mission to fly, get their science data back, and do their analyses. The problem is that they don't value network/computer security like IT people do. They just have their narrow view of their narrow area of responsibility. This tunnel vision prevents them from caring about security until Something Bad happens and they lose mission data. Then get ready to hear the screaming. IT people get fired. Heads roll. Memos are written. Policies changed.
And then everything goes back to exactly how it was, again.
Underlying all of this is the fact that IT, because of how it is perceived, is poorly funded and therefore understaffed. Without enough staff, they can't respond to all the incoming requests for IT work.
Remember those science people? They will not accept anything getting in their way, least of all some sorry excuses from the IT department about how they can't get to your server today.
Consider this conversation:
IT: "I'm sorry, we're backlogged right now and I won't be able to do that for you today."
ScienceGuy: "No, you'll fix my server today or the lab director (basically the president of JPL) will hear about it and you'll lose your job because I won't be able to talk to the Mars rover today."
IT: "Uh, ok. You're the 5th person to threaten my job today. Looks like I'm getting fired. What would you like me to do?"
ScienceGuy: "Just give me the root password and I'll do it myself. I use a Mac with OS X, so I am a Unix Genius."
IT: "Sure thing. The password is p198*#&$S(s. Have a great day!"
ScienceGuy: "Thanks for being a team player! I'll make sure to write a memo to your boss about how you helped us."
And so, in order to "stay out of the way" of the science people, the IT people have to give away a lot of system administration duties. For this they are rewarded.
Now, remember that those science people don't care about security? And they don't let anything get in their way? Think they'll do goofy things to make their server or data more easily accessible? You bet they will, regardless of the policies. And you know what? That is why places like JPL are so successful. The science people are dedicated, and will generally stop at nothing to make their missions successful. Most of them are what I would call True Believers. They really are there because they believe in what they do. Unfortunately, they often work within very limited budgets, and within the institutional limitations like limited funding for IT staff.
http://www.gutenberg.org/etext/101