Reverse Hacker Awarded $4.3 Million
jcatcw writes "Shawn Carpenter was awarded a $4.3 million award — more than twice the amount he sought and money he thinks he'll never see. Carpenter worked for Sandia National Labs as an intrusion detection analyst. He anayzed. He detected. He reported. He was fired — in Janurary 2005 after sharing his results with the FBI and the U.S. Army. Computerworld asked him what he hoped to achieve in that investigation. Answer: 'In late May of 2004, one of my investigations turned up a large cache of stolen sensitive documents hidden on a server in South Korea. In addition to U.S. military information, there were hundreds of pages of detailed schematics and project information marked 'Lockheed Martin Proprietary Information — Export Controlled' that were associated with the Mars Reconnaissance Orbiter. ... It was a case of putting the interests of the corporation over those of the country.' Ira Winkler, author of Spies Among Us , said the verdict was 'incredibly justified. Frankly, I think people [at Sandia] should go to jail' for ignoring some of the security issues that Carpenter was trying to highlight with his investigation."
What he did was arguably in a gray area...on his own time, he used "hacker techniques" (not my preferred wording, sorry. Read the article.) to track down stolen data on foreign sites. That he turned his results over to the FBI is good, even if it screwed over Sandia.
Of course, the judgement against Sandia will get passed on to the US Government in a "cost plus" contract...
tasks(723) drafts(105) languages(484) examples(29106)
If it's "reverse" then he should pay $4.3 Million to hack.
Yeah, now he's laughing all the way to the bank
"I've got a plan so cunning you could put a tail on it and call it a weasel"
....the fact that a corporation was holding its own interests over that of its founding nation?
I mean, hey, great - I'm really glad this guy got the compensation very much due him. What worries me more is that the article didn't read "Corporation ignores serious national security concerns because there was no obvious profit."
I always wonder... do businesses really think they're immune to the affairs of their "mother country?" I'm quite sure any corporation that sees most of its factories razed would find their bottom line hit pretty hard.
Granted, I'm a teacher by trade, and I don't have that same mindset... but even as a human being, I'm going to tend to the security of the nation that keeps carbombs off my streets before I tend to the profits of fat-cat, tax-dodging boss.
Patriotism isn't an archaic concept; it's a survivalist one.
The ability to communicate well does not directly correspond to the ability to communicate intelligently.
Does he un-hack things? Every search result for this term only points to the same story appearing on every meme site.
Because if he's an offensive hacker -- e.g. one of "ours" to attack the enemy -- that doesn't make it "reverse" hacking.
Their contracts with the government allow them to pass court awarded punitive damages to the government? On TV doctor dramas, punitive damages are awarded if there is evidence of gross negligence. For what possible reason would the government enter such an agreement?
change. End a few careers and people will get the message.
let me give you my gut level response about what you've missed in a corporate level mindset. (bugs, bugs, they're crawling all over me now)
any end scenario that equates with annihilation/extinction of the company is not worth considering or planning for.
on a scale of 1-10, (1 being some hourly wage earner is caught taking 40$ from the till) a 5-8 embarrassment bad pr episode (security leak, court judgement, contracts broken) is a whole lot worse for the company than a 10 extinction, because at 100% corporation extinction/cessation of manufacturing, there is no one left to point fingers (other than history) in the internal squabbles.... a mid level manager would rather the company declare bankruptcy than one of his subs become a series of internal memos cc'd to legal...
every day http://en.wikipedia.org/wiki/Special:Random
It sounds like a delightful place to work, where other employees are afraid to talk to this guy now because they think their phones are wiretapped, and they would rather hide their problems than fix them. Just as well they never wanted to interview me.
You are reading a copy of my copyrighted post.
Not justifying, just 'splaining..
hypothetical.. a condo association decides to take snow removal from the outside company (which charges a whole lot, and comes out even when it's 1/8th of an inch, and the temp is expected to melt that off in 2 hours) to the management company, who will perform the action as needed... the management company has increased liability if someone falls on the snow-blowed sidewalk, and says the snow-blowing was insufficient/caused the accident.
the management company before agreeing to taking snow removal inhouse will likely insist on a shield from such lawsuits, and specifies 'absolute shield' as opposed to 'including gross negligence'
the problem with excluding gross negligence is- no one ever does when they are suing.. no one sues for actual damages, they always pursue gross negligence......
every day http://en.wikipedia.org/wiki/Special:Random
Sandia is government owned/contractor operated facility. The contractor is Lockheed-Martin. The relationship between defense contractors and the government is an odd one that goes back a long way in our history. Eisenhower (33rd President) bemoaned it and coined the term "military industrial complex".
You can think of it as a "closed economy" rather than a "market economy". The defense contractors operate on very low profit margins in exchange for a guarantee of income. It's not quite that simple but not far from the actuality.
"If all the American people want is security, let them live in prisons." Eisenhower
You can't consider enemy invader warplanes bombing your factories out of existence, even if through your companies actions, or inaction.
every day http://en.wikipedia.org/wiki/Special:Random
My uncle was an anayzer, you insensitive clod!
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
Well.. He should start up his own company or maybe the CIA or FBI has a decent paying job for him. Screw Sandia Labs.
This brings up the often debated question, if you find a security flaw or hole in your organization (not to mention outside it), do you report it? And if you do, how do you report it to avoid getting fired, or even worse, getting prosecuted & jail for saying that the emperor has no clothes? I think that it is getting to the point where System Administrators have a "see no evil, hear no evil, speak no evil" attitude towards security flaws to simply keep their job. It's sad that it is getting to this point, and it is what the whistleblower laws were designed to solve.
Can someone please 'splain this to me.... "This whole thing is costing them nothing," Winkler said. "Whatever legal fees they are running up is just being passed back to the U.S. government," he said. Why?! The company got pwnd....The company lost Secret info....The company does something silly to try and cover their @ss, and now we pay for it? ....Whhhhhhhhhhhy?
Hmm.. I wrote a script that logs all the brute force hack attempts to my server, I get the ip address from the attempted connection and throw it in my /etc/hosts.deny file. Then... at night I unleash my attack scripts against those ip addresses.
It's fun. Most of them are attempts from Asia. Those attempts are sent to the perps ISP. If there are any other attempts (I block anyway but I see the denied entries in my log) I will hack into their system, gather info about them, and then take that system out.
how do you think you improve on security? And the best way to get into the system is exploiting tcp.
Reverse hacker? As in rekcah? Sounds like a good tag!
Reviewing just the first hour of video games.
I personally consider this guy a Patriot for the USA. He should be awarded a medal for his efforts and offered a government job with the CIA or National Cyber Security Division of the Department of Homeland Security.
http://www.computerworld.com/action/article.do?co
It is passing strange how when salaried employees do something the corporation wants done after hours it is of course part of their work, that's why they get salary instead of hourly pay, but when they do what they should do and the company doesn't like it, well then that was not work-related.
Both may, but one must be wrong. Aren't you tired of some privileged entities in our society having everything both ways as they wish it when they wish it, and the rest of us unable to even have the laws of the nation enforced when they are favorable to our positions?
This is no longer even remotely a "nation of laws". Welcome to the banana republic. Thanks for making it possible, toadies.
This project was related to Mars and NASA? Then that money should go to the poor just like all the rest of the money we spend on the space program.
They need that money to get fat and die at the age of 43. That money could buy a lot of Ho-Hos and smokes and booze. We need to fatten up the poor with this money now! Shove those Twinkies into your mouth, homeless man.
PWN3D!
You must learn to never speak the many failings of Slashdot aloud!
That's nothing. If anyone even thinks about my IP in their browser, I hack into their mind with my leet ESP skillz and take their mind out. Then I find out where they live, and go there and kick their puppy if they have one. Then, if they ever think about my IP address again I just kill them with my arsenal of atomic warheads I bought from Saddam over TCP.
He was awarded somewhere around $350.000. $4 mil was punitive damage (http://en.wikipedia.org/wiki/Punitive_damages)
Sandia Labs is part of the US Department of Energy. It is run for the DOE by Lockheed-Martin just like the Jet Propulsion Lab is run for NASA by Cal.Tech. This sort of shit may lead to Lockheed losing its contract much the same way as the contract to run Los Alamos was lost by that other California University. That is probably why they tried to cover it up. This is millions per year and a conduit to Lockheed being involved in related government contracts.
I remember there was quite a large article in Time magazine about Carpenter, two years ago. http://www.time.com/time/printout/0,8816,1098961,00.html
Burn Karma, Burn
Actually no, we didn't. Obeying the law is not a requirement for any corporation as the "fines" levied from breaking any laws is simply the cost of doing business. If the profit gained by an action outweighs the consequences of legal action, then any legal punishment in the form of fines is the cost of doing business and "good for the shareholders".
Bingo. I don't know why people get their panties in so much of a bunch over what corporations do. They're almost always utterly predictable. The only times when they aren't predictable, is when they're dominated by a particular personality, and then they tend to take on the irrationalisms (for better or worse) of the controlling person.
But most major corporations, run by boards of directors and their appointees, will do whatever is profitable based on the information and best-guess assessments that they have available. They will do this without regard to Law or really to Ethics, except insofar as those feed into the risk/benefit decisions.
I have no doubt that if the enforcement of laws against organ harvesting was lax enough, to the point where a person could expect to get away with it, corporations would probably get into that business, too. It's a straightforward calculation: what is the risk of getting caught, times the consequences of getting caught, and is that greater or less than the chances of succeeding, times the possible payout. If the latter exceeds the former, and it's greater than the opportunity cost, then the corporation does it. (And if they don't, someone else will. There's no such thing as universal ethics; you can always find somebody who'll "go there" regardless of how repugnant the opportunity for profit might be.)
You can look at an illegal act in the same way that an insurance company might approach a significant new risk: what are the odds of the insured-against action happening, and what would we have to pay out if that happened, so what should we charge in premiums? Except in the acting-illegally case, the "premiums" are what you'd need to expect you'd be able to get out of doing the illegal act, in order to make it, on average, worth doing.
So when you see a corporation dumping toxic waste, don't bother being surprised. Somebody, somewhere, did a calculation (either literally or figuratively), and decided that the potential gain of the dumping, even when the risk of getting caught was factored into it, was profitable.
As corporations get bigger and bigger, this is only going to become more apparent. If a major multinational corporation breaks some laws, it's probably not going to end the company. In the future, it could get to a point where they're so much bigger than governments, that no amount of illegal action would ever be 'fatal,' and thus they would follow the risk/benefit calculations even more closely, because they'd be able to more easily afford getting caught every once in a while (in the same way that a larger insurance company can sometimes offer lower premiums, because they're bigger and can absorb more risk).
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
"Janurary" 2005? Someone needs a spellchecker...
How do you "prove" an assertion about what "ought" to happen?
Take the statement:
You can only prove that if you start with a system of more basic beliefs about the way things ought to be - and if those starting points can lead logically to the desired conclusion.
"Might makes right" and "you should 'love your neighbour as yourself'" are not propositions which can be proved - they are assumptions about how we ought to behave.
Similarly, kmweber's twin assertions that the USA is all about individualism and that people should oppose any acts that counter such "individualism" are just that - axioms chosen to justify a desired conclusion. You could equally well assume that the USA is about a balance of individual freedom and respect for other citizens' rights. Or that one is quite justified in opposing what the USA (or any state) is "about", if it is "wrong" or "harmful to the people" or "bad for the environment" or whatever. It's a matter of belief.
Of course, some belief systems make for happier societies, or more fair societies, or societies in which individuals have more chances to achieve their particular goals, or... You get to decide which you think are the important goals (or you pick a religion or philosophy that tells you).
Just don't pretend it's about logic or proof!
Paul "Say no to feeping creaturism"
So someone finds out that another government has stolen actual secrets from the US, reports it, gets fired, then wins a lawsuit and this is obscure news. But an advertising company puts up some signs in Boston and it is all over the news. Let's see, stolen government secrets vs. publicity stunt gone bad. Damn that mainstream media and their liberal bias!
http://www.popularculturegaming.com -- my blog about the culture of videogame players
Corporations limit investor's liability to financial loss (you can't lose more than you put in - investors don't inherit a bankrupt company's debts) -- but corporations do not and cannot limit managers' and employees' criminal liability.
If a company started harvesting organs illegally, the individuals would be liable to prosecution.
The problem is sometimes that laws are weak, and the authorities fail to punish the individuals. But the risk is there, and it has to be part of the equation.
Also, however much the corporate environment encourages "sociopathic" personalities, not all directors and managers are evil (or "amoral", if you feel better about that label). That might be one of those "irrationalities" another poster mentioned - but I prefer to think of it as people doing the right thing.
Finally, some people and companies take a more enlightened view of self-interest, and a longer-term view of benefit. That can lead to better behaviour all round. The "iterated prisoner's dilemma" in game theory illustrates this idea.
So it's not necessarily all doom and gloom.
Paul "Say no to feeping creaturism"
That Sandia would want to cover this up is not surprising. Remember the Cox Report? According to that Congressional study, U.S. aerospace defense contractors have been the subject of "decades of intelligence operations... conducted by the Ministry of State Security" of the Peoples' Republic and that the PRC successfully stole U.S. nuclear technology. It was a big scandal ten years ago. Though at the time a lot of finger-pointing and security legislation prevailed, the long term effects seem to be negligible: "After Carpenter's termination, the investigations into the Titan Rain group appear to have gone nowhere, said Winkler, a former National Security Agency analyst." Sounds like this trade is of benefit to people with enough juice to make long-term threats to their enterprise disappear...
It's called an externality, meaning that they suffer a very disproportionately small amount for the good they reap. It's what pollution is, it's what turning the news into entertainment is, etc, etc. So no, they could care less. Oh ye commons, thy death is so tragic.
Relax I just want some peanuts.
To me, it looks like it was only putting the interests of a corporation against the interests of another corporation. But the guy was smart and chose the bigger one.
However, if my job was to get disinformation out to people, I would call it secret, pay millions for security, but let it get stolen anyway.
Ya just gotta be paranoid to survive in this world.
It seems that the Carpenter debacle is only the latest of a string of management failures at the facility. A bit of Googling turned up a cache of PDFs posted to a Los Alamos related web site (LANL, The Real Story). The site is no longer maintained, but available. The letters are PDFs of actual correspondence from Senator Grassley to the Secretary of Energy, the Department of Energy Inspector General, and other high-ranking officials regarding security problems and retaliation issues at Sandia. Sandia has a separate Corporate Investigations division, and in 2003 and 2004 they turned up some interesting items in their investigations. From the correspondence, however, it seems that Sandia management wasn't too pleased when they got the bad news from the investigators, who were simply trying to do their jobs.
The investigators were threatened, transferred to rodent-infested trailers, and were written up. According to two of the letters, Senator Grassley's office saved their jobs by intervening on their behalf, issuing several strong warnings to Sandia about retaliating against whistleblowers.
Here's some highlights: After investigating an incident in Sandia's SCIF (Sensitive Compartmented Information Facility) that involved alleged sexual liaisons between highly cleared staff members, the Sandia Vice President in charge at the time -- David Nokes -- ordered a subordinate to destroy a hard drive that was assigned as evidence to the investigation. The subordinate complied by "smashing the hard drive with a sledge hammer." The SCIF employee in question was also found to have been hacking into Sandia Intranet computers. It became impossible to find out exactly what the employee was doing after the drive was destroyed. The drive was presumably destroyed because the VP wanted to "avoid embarrassment" to the organization.
After being "forced" to resign, C. Paul Robinson and Mr. Nokes publicly sparred in the press. While this public display was going on, Dr. Robinson was quietly reinstating Mr. Nokes' security clearances and hiring him back as a "security consultant". Now that seems odd, given the circumstances of his departure. It was only until an unknown Sandia employee anonymously faxed Mr. Nokes' clearance reinstatement paperwork to Senator Grassley's office did the good Senator become aware of what was going on.
After the smoke cleared from Sandia executive management's "sham internal review" of what happened (the Senator's words, not mine), Sandia quietly handed out huge bonuses to the employees that toed the company line -- including the hard drive smasher (who was in charge of security at the SCIF). None of this became public until they were posted on the LANL site by -- you guessed it -- an anonymous person. The Albuquerque Journal ran a story about the huge bonuses and pay raises awarded to every employee that was disciplined in the matter in the fall of 2006. While disciplined publicly, they all received huge cash awards ($20,000 non-base award to the drive smasher) and unheard of pay raises. That seems like sort of a red flag to me, especially since the American tax payer is doling out the cash for this nonsense.
BTW, Sandia Corporation is a subsidiary of Lockheed Martin Corporation. It was set up as an at-will employer, so staff can be fired for any reason and at any time. A Government Accountability Office (GAO) report on the Department of Energy reimbursement of contractor litigation expenses can be found here: http://www.gao.gov/new.items/d04148r.pdf
The GAO found that almost all claims are summarily reimbursed by the DOE, even in cases of malfeasance, fraudulent conduct, etc ($330 million between 1998 and 2003). DOE contractors only picked up a paltry $12 million of the tab.
There's all kinds of goodies in the PDFs, so I won't ruin the suspense for those of you that are interested.
The Sandia National Laboratories / Senator Grassley docume
There seems to be an opinion among Sandia Laboratories management that they can interpret "just focusing on our job" as meaning "we are entitled to ignore evidence of penetration of defense contractors and/or government systems and sit on it". In my opinion every last one of those managers should be fired. et ... why not close down Sandia Laboratories in its entirety to prevent this sort of mentality from spreading? If this is the way those clowns view their job of protection of US interests who needs them?
And to top it all off ... they see fit to pile psychological pressure on a loyal, responsible employee, and (the height of unprofessionalism) they try to blackmail him with his wife's job.
Has everyone grasped that Sandia management _actively_ tried to prevent this employee from cooperating with the FBI and Army Intelligence because it might (from the article) "bring unwanted attention to Sandia"? Am I alone in thinking that such conduct belongs in Soviet Russia of 30 years ago and not the US today?
Anybody who's ever been involved in a business ethics issue knows that the ultimate bottom line is whatever you can get away with.
We see this in all walks of life. From business to politics (where it is all but mandated that you act this way), to private and personal lives. A business is not a sentient entity. It is comprised of people, and it is the people that do these things. By blaming "the company" or companies, you provide an easy escape goat for the behavior. By accepting and perpetuating this scapegoat the underlying problem can never be solved.
This is the abuse of classifying corporations as "people". It removes actual personal responsibility and accountability from people who can be punished to fines for a collective organization, an entity which does not possess sentient thought. People over time learn, a collective entity such as a corporation has a "memory" only so long as those who were impacted by the consequences allow it.
So people - media, pundits, politicians - continue to blame the collective instead of the perpetrators. And the problem continues.
My Suburban burns less gasoline than your Prius.
It's been a while since my export control training, but can't Lockheed lose its contractor privileges for something like this? Or does Sandia protect them from liability as a child company?
(Q.E.D).
"The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
ppl out there! It's time to become a hackerzzz!!!
As you should been aware, Febuary is language deteriation month. Especially when your talking about nucular subsiderarys. Saying "Janurary' in Febuary makes sense in that regards.
My other car is a 1984 Nark Avenger.
... isn't that a corporation ignored potential national security concerns.
What alarms me, is that apparently Lockheed-Martin did.
I mean, if the single SCMM level 5 company could get their shit stolen, then either something is seriously fishy in them not having infosec to match their coding practices, or someone actually told them security isn't an important parameter for this assignment.
I strongly believe that hacking is an unethical behavior since it is invading somebody's property as well as privacy. Sure, it was the right thing for Carpenter to do what he did to help out on the investigation, and he knew what he was doing could cost him his job, but he still took that risk and it paid. Good for him. But still, what Carpenter did shows a strong security concern. And I don't think he should have been awarded that much of an amount. He might have done it with a good intention, but others could also claim the same thing when hacking, even if they have bad intentions. No bad person would ever say that he is bad. Also, his actions could influence others (amateur) to hack around as they please with reason to look for "something that could help the FBI" hoping they too, could receive such award. It's almost like an encouragement.
Dude that was classic. Funniest /. comment in a while.
Before the dim wits have their employees sign a waiver stating they won't be sued because of their bosses' bad behavior.
Maybe employees need to make it clear to them by making their new bosses sign a waiver in regards to how they will handle illegal activities by their bosses?
*weebit cites dimwit for top secret internet files theft, citing article 8467-C of Internet International Law, AND Article -6- of the Ten Commandments: " Thou shalt not STEAL." please sign here: X_________________________ press hard... eight copies.*
This afternoon, Sandia President Tom Hunter sent the email below to all Sandia employees concerning the Shawn Carpenter trial. It is the second such email that has been sent out concerning the Carpenter trial.
The Albuquerque Journal provided extensive (daily) stories of the trial proceedings, and these internal emails fail to acknowledge even an iota of failings of Sandia management in this case. As a longtime Sandia employee, I find the disparity between the Albuquerque Journal reporting and what is being communicated to employees extremely disconcerting. In fact, I would go as far as describing this most recent email as corporate propaganda that insults the intelligence of the hard working, patriotic and dedicated employees I work with every day.
The most recent Sandia Lab News, an internal publication, did not contain one line of print about the Carpenter case. Staff in my office were both amazed and suspicious that management did not make an effort to address this. Platitudes about "we are disappointed with the verdict" and "putting the nation first" do nothing whatsoever to reassure employees that they will not be subjected to treatment similar to that apparently received by this former employee.
If a senior Sandia manager used terms such as "decapitate" and "bloody" in an interview with an employee, it is unconscionable that he is not held to the same standards that are preached in these emails. From my perspective, it is obvious that Sandia handled the termination of this employee unfairly. It seems ludicrous that Carpenter would currently hold a top secret security clearance at the State Dept. and be the lawbreaking criminal that management keeps implying in these communications to employees. Sandia employees are not ignorant, and do read publications other than those produced within Sandia.
It is apparent that the Sandia leadership did not learn anything from the events several years ago that led to the Bay Report. Despite the fact that Sandia has a huge influence on the local community, a jury of local citizens found Sandia liable, and doubled the punitive damages in their verdict to send a message. These very public situations are tough for current employees to deal with. To be frank, it is embarrassing when the topic comes up in conversations with non-Sandians.
Good leaders take responsibility for their shortcomings, acknowledge them, and then move forward to implement solutions to improve the organization. Sandia leadership continues to erode employee confidence with their meaningless emails and state of denial. Dr. Hunter needs to step up to the plate to regain his credibility within the Sandia community - preferably before employee confidence is totally gone.
Here is the text of the email that all Sandians received this afternoon:
----------------
From: Hunter, Tom
Sent: Wednesday, February 28, 2007 5:43 PM
To: SNL-ALL-SITES
Subject: Recent Media Attention
Dear Sandians,
As many of you are aware, a New Mexico state court jury awarded former Sandian Shawn Carpenter more than $4 million on February 13, 2007. The outcome of the trial was a great disappointment to me personally, but I am most concerned about any perception that the laboratory may not have acted in the best interest of the nation.
It is essential in all cases that Sandians adhere to the principle of putting the nation first. I firmly believe Sandia must always conduct its work lawfully, with appropriate authorizations, and when people step beyond clear boundaries we must act responsibly. In fact, living and acting upon our values are of the utmost importance to our continuing to have the opportunity to provide exceptional service to the nation. I and the management team are committed to these values in all we do and every decision we make.
In my career at Sandia, I have come to know Sandia as a place of exemplary character and values, earned through the exceptional conduct of its employees and the significant contribut
He probably loves to sing songs like "Somewhere over the RAMbow", "Let's Get Digital" and "We all live in a yellow subroutine" when finishing or repairing structures.
hehe