The Cyber Crime Hall of Fame

DigitalDame2 writes "Not all hackers are bad guys, but a few fall prey to the dark side and use their talents for evil — not good. In compiling this list of the craziest cyber crimes, PC Mag looked for a few things: ingenuity (had it been done before?), scope (how many computers, agencies, companies, sites, etc. did it affect?), cost (how much in monetary damages did it cause?), and historical significance (did it start a new trend?). Read on about famous hackers John Draper, Robert Morris, Kevin Poulsen, and others."

Trouble compiling

In compiling this list of the craziest cyber crimes, PC Mag looked for a few things:

I'm having trouble replicating their results. I'm getting errors no matter which compiler I use. Did they use some expensive proprietary compiler?

Re:Trouble compiling

[arth1]

An AC wrote:

try turning off all the advertisements

If you turn off the ads at your end, you're just a user.
If you turn off the ads at the server end, you're a hacker.

They forgot one big hacker

Michael Bolton.

The criminal mastermind who successfully laundered (To clean... no, I mean... to channel money through a source or by an intermediary.) thousands of dollars from his employer, Initech.

Like any great hacker, he was not caught due to the fact that all physical evidence of his crime disappeared...

Re:They forgot one big hacker

[Pugwash69]

Guilty of releasing some awful albums too, if I remember correctly.

Re:They forgot one big hacker

[PitaBred]

I believe the term is "no-talent ass clown" ;)

Re:They forgot one big hacker

[PawNtheSandman]

Personally, I celebrate his entire catalog.

Must be said!

[TheRealMindChild]

FREE KEVIN!

Re:Must be said!

He is actually Free Now... The slogan have since changed to "PUT KEVIN BACK!".

Re:Must be said!

[Phoenix]

http://www.mitnicksecurity.com/

Already been done and now he's doing quite well for himself. He was wrong for doing what he did, and yes so to was the government.

However he is now doing fairly well for himself with his books and appearances on TV. I think AMW last year he was working to help profile a computer hacker.

You want him free? Done and Done.

Re:Must be said!

[TheRealMindChild]

I refuse to let the meme die! Even if it completely irrelevant. I will beat this horse until its organs stain my clothes.

Re:Must be said!

[g0dsp33d]

Please don't stop there.

Re:Must be said!

He means free as in beer!

Free (as in beer) Kevin Mitnick!

Re:Must be said!

[JoCat]

*With purchase of equal or lesser value.

Students

[TechwoIf]

Don't forget the MIT http://yro.slashdot.org/article.pl?sid=08/08/09/1812256 students. After all, its not everyday one get censored by the government. Can't have those "hackers" releasing info.

Balls

Actually, the person who created this: http://www.symantec.com/security_response/writeup.jsp?docid=2007-042705-0108-99&tabid=2 has some nerve.

Unsolved Cyber Crime

[pigphish]

I'd love to see the companion to this article. Greatest unsolved computer exploits. They never seem to get much publicity when they are not caught.

Re:Unsolved Cyber Crime

[Intron]

Was the author of this ever found? Two lines of cleverly obfuscated code. http://kerneltrap.org/node/1584

history be judge

[Tom]

I agree with them as far as the "historic significance" goes. For the more recent ones, I'm not so sure. Maybe that's because most of those who actually did it first weren't caught. But the most important trends at this time are stuff like organized crime, spam (and the connection between the two) and extortion. The singular trend behind all these is that those early guys were curious people who did things "because they can", as the article states. But they're dinosaurs today. Money is the reason these days, not curiosity. To miss that one vital trend is to miss everything that's happened in security for the past years.

Re:history be judge

[darkmeridian]

I agree. The TJX break-in that revealed the private information of hundreds of thousands of consumers was recent but also groundbreaking because it brought to the fore the importance of data security. Before TJX, IT budgets were probably being cut to make room for Sarbanne-Oxley compliance. After TJX got screwed, I'm sure IT security budgets went through the roof.

Gary McKinnon

[stewbee]

FTFA

Never underestimate the power of curiosity. In 2001 and 2002, British hacker Gary McKinnon gained access to Air Force, Army, Navy, NASA, Pentagon, and Department of Defense computers--97 in total--in a quest for evidence of flying saucers.

Why do I find this so funny!

Oooh! Oooh! I know!

[$RANDOMLUSER]

PC Mag looked for a few things: ... scope (how many computers, agencies, companies, sites, etc. did it affect?), cost (how much in monetary damages did it cause?), and historical significance...

Windows 98?

Anyone see something WRONG here?

[L4t3r4lu5]

"Vladimir Levin transferred a sum of $10.7 million to accounts in the U.S., Finland, the Netherlands, Israel, and Germany... sentenced to three years in jail, and ordered to pay $240,015 in restitution to CitiBank."

"In 1999, David Smith released the Melissa worm... All told, the worm hit over 300 companies worldwide, including Microsoft, Intel, and Lucent Technologies, forcing them to shut down their e-mail gateways due to mass overcrowding and causing estimated damages nearing $80 million... After pleading guilty, Smith's prison sentence was reduced to 20 months..."

"Jonathan James found out just how much the source code documents for the NASA's International Space Station are worth: $1.7 million... James received six months in prison and probation until he turned 18."

"In February 2000, Calce launched a denial-of-service attack that struck 11 major Web companies... analyst estimates range as high as $1.7 billion Canadian (that's currently about $1.6 billion U.S)... handed a sentence of eight months "open custody," limited Internet use, a small fine, and one year of probation."

" In 2001 and 2002, British hacker Gary McKinnon gained access to Air Force, Army, Navy, NASA, Pentagon, and Department of Defense computersâ"97 in totalâ"in a quest for evidence of flying saucers... Officials claim damages from his entry range close to $700,000... McKinnon is currently facing extradition to the U.S., which could mean up to 70 years in prison."

Anybody spot a GLARING, COMPLETELY LUDICROUS issue here?
Don't talk to me about Govt or National Security; He caused NO significant financial loss and caused NO national security issues past what was already there through inept administration.

Re:Anyone see something WRONG here?

[FreeUser]

He's a terrorist.

[Best Republican Redneck Drawl]
Man's gettin' what he deserves! He should thank his lucky UFOs he's going to Federal Pound-me-in-the-ass Prison for 70 years, and not gitmo for life.
[end Best Republican Redneck Drawl]

Seriously, if there was ever a time to question the lack of proportionality in our post-9/11 Bushite anti-terror legislation, this is it. Unfortunately, the fact that the man in not from the US, and doesn't have a very powerful lobbying base in the US, probably means this particular injustice will have to run its course, along with many others, before anyone in America wakes up, smells the coffee, and starts to reclaim the country.

If it isn't already too late.

Re:Anyone see something WRONG here?

[Madball]

What I see is a comparison of several actual sentences and a theoretical maximum sentence. The two, at least in the US, tend to differ widely.

Re:Anyone see something WRONG here?

[morgan_greywolf]

They want to make an example of McKinnon. Mess with the government and you'll spend the rest of your life in prison. Screwing with banks? Cause financial damage? Yeah, we'll give you hell for it. But screw with the government. Oh, you are SO going down. Nevermind that it's already been established that security on U.S. government systems is horribly inept to the point of being almost ridiculous.

Re:Anyone see something WRONG here?

Sometimes the attempt is punished even though there's no actual damage. Or do you think attempted murder should be a misdemeanor?

There was no attempt. He fully succeeded in accessing the systems. The claim is that punishment doesn't reflect the severity (or lack there of) of the crime.

Do you believe in capital punishment for streaking?

Re:Anyone see something WRONG here?

[Cassius+Corodes]

Not really, the point of that is so that the judge can have some leeway in deciding the seriousness of the offence, and sentence accordingly. The real problem is when laws call for mandatory sentencing and you get people in jail for years for stealing a pizza.

I know it's a pet peeve

[krgallagher]

Here is the quote:

"Everyone wants to be the first at something and claim their spot in history; though being the first hacker tried for releasing a virus isn't exactly the sort of "first" Mom's going to brag about. In 1999, David Smith released the Melissa worm from a computer in New Jersey through a stolen AOL account."

A worm is not a virus. Neither is a trojan. It drives me nuts when the media uses these words interchangeably. I usually forgive the likes of ABC, but you would think PC Magazine would get it right.

Re:I know it's a pet peeve

[SPQR_Julian]

Only on Slashdot would a post explaining the technical differences between viruses, trojans, and worms be modded offtopic. Naturally, my mod points expired yesterday.

TFA is wrong

"Though charged and convicted in the U.K., McKinnon is currently facing extradition to the U.S., which could mean up to 70 years in prison."

McKinnon was never convicted in the UK. IIRC the Computer Misuse act hadn't been passed then. See here: http://www.theregister.co.uk/2008/08/28/mckinnon_european_appeal_rejected/

He's currently being extradited under the disgraceful one sided treaty where we (i.e. British) hand over anyone the USA asks for without the need to demonstrate a primae facia case.

That'll be the special relationship where we bend over and USA screws us.

Re:TFA is wrong

[theverylastperson]

For the record we here in the USA equally screw all nations, usually with the help of the puppet governments we install.

To imply that we only screw the UK is an insult, we've spent the last 8 years trying to prove to the world that we'll screw anybody for any reason possible.

I insist that when discussing how the US screws other countries you please remember that we would never limit this activiy to just the UK. We're just like a 16 year old boy, we'll screw anybody. To imply otherwise is simply barbaric and an insult to our leaders and everything they send others to die in their place for.

Robert Morris' Worm

[martyb]

<GrayBeardMode> I was working at PR1ME when the Morris Worm hit. Nobody really new what was going on at first. Then word was getting out that there was something running rampant over the internet and our feed was taken down. Later it was learned that our systems had the wrong architecture and we were safe from the attack, but the impact on the net was so great that everything was glacially slow. </GrayBeardMode>

There's a great write-up by Don Seeley, Department of Computer Science, University of Utah that (as posted by Francis Litterio). (I used to work with Fran - Hi there!) Anyway, the link to it from wikipedia (Morris Worm) is broken, but I found a copy in Google's cache at "A Tour of the Worm". There are other links available (e.g. to a pdf) if you search Google for this title, but I don't want to unnecessarily bog down someone's server. Highly recommended!!

MafiaBoy

[SirLestat]

From the article: "then teenage super hacker". I'm sorry but downloading a script from the internet and being stupid enough to run it does not make you a super hacker.

Pengo?

[gambit3]

I was hoping to see Pengo, the East German hacker, but it seems history has forgotten about him.

They missed Jeffery Ward, the first one

[Animats]

They missed Jeffery Ward, the first person to do jail time for computer crime.

This was the stone age of computer crime. Ward was convicted of grand theft for stealing a proprietary plotting program from ISD for the benefit of his employer, UCC. One of UCC's customers. Shell, was also an ISD customer, and they had a remote terminal, a UNIVAC 1004, with a card reader, printer, (optional) card punch, and 2400 baud synchronous modem. The customer used the same terminal ID (wired into a plugboard; there weren't really passwords then) to use both UCC and ISD. Ward used a similar terminal at UCC to impersonate the customer's terminal and connect to ISD. Then he submitted a job (on punched cards!) to request that the binary for the plotting program be sent to his terminal and punched on the card punch.

And that's his plan started looking like "America's Dumbest Criminals". The customer terminal he was impersonating didn't have a card punch. So the ISD computer instead punched the desired card deck on a punch in ISD's computer room, and printed a message for the operator indicating who wanted the card deck. The card deck was then packaged up by ISD staff and mailed to Shell.

The package was received at Shell. Since they hadn't ordered it, they sent it back to ISD with a request for a refund. The ISD staff took a look at the card deck, and after some puzzlement, someone realized what it was.

It took a while to figure out what was going on, but the Alameda County DA's office and the Oakland police were brought in, and the first search warrant ever for the search of a computer was issued, to be served on UCC. Nobody was really sure how to do this, but an outside consultant with UNIVAC experience was brought in for the search.

So the big day came. Oakland cops, an assistant DA, and the UNIVAC expert show up at the front door of UCC in Oakland. It's not clear that a search would have found anything; most data back then was on magnetic tape, and the UCC data center had thousands of reels of tape. However, Ward was in the building at the time, and he decided to grab all the incriminating material and duck out the back door.

Big mistake for Ward. Cops know about covering the back door. Ward was quickly arrested, and since he had all the incriminating data, the search was unnecessary and Ward was carted off to jail.

There was a later civil settlement between UCC and ISD. ISD got four tape drives and a "CTMC", a 32-line async port controller. (This was a truckload of 1970s technology.) I worked for ISD when that gear arrived, and it was not in good shape, but we got it working.

Re:They missed Jeffery Ward, the first one

[Animats]

Interesting that he had to pay $305,000 for a plotting program in 1971.

One of ISD's competitive advantages in the early 1970s is that they offered remote plotting, using CALCOMP pen plotters, when almost nobody else did. Engineering companies liked this. The remote plotting was implemented by emulating a UNIVAC 1004 on a very small minicomputer, then hooking up a plotter which was fed from the "output card punch" stream. Since the printer/plotter message protocol had checking and retransmit, this could produce clean plots, unlike competing systems that used async modems of the period, which had no checking.

All this stuff was much harder back then. The mainframes were 1.2 MIPS machines; the remote minicomputers were something like 0.1 MIPS with 8K of memory.

An amusing bit of trivia about Mitnick

One of Mitnick's first arrests (as an adult) resulted from his breaking into The Santa Cruz Operation. Yes, that S.C.O..

The reason he got caught was because SCO thought it was their competition who was breaking in.

It took an extremely motivated effort to track him down, due to the way the Telco's worked at the time, and Mitnick knew it. What he didn't know was that SCO was very determined (for the wrong reason).

Note that, contrary to all the published nonsense out there, Mitnick was NEVER prosecuted for breaking into SCO. They were afraid of pressing charges. He was nailed because SCO's competition wasn't afraid to press charges.

Could be a better article

[adona1]

They missed out the #1 hacker of all time, Matthew Broderick. And Eugene "The Plague" Belford...a very bad man.

The dollar value of a human life?

[SanityInAnarchy]

I don't see one fatality because of these "idiots" -- quoted because obviously some amount of intelligence is needed to pull off what they did.

I don't think terrorism should be blown out of proportion, the way it often is in the US, but terrorists actually kill people.

Are you saying that ten million dollars in damage is comparable to killing several thousand people? In other words, that the value of a human life not only can be measured, but that you consider it to be less than a thousand dollars?

My favorite Cybercrime

was when Phil Zimmerman exported munitions to teh terrists!

Explanation of MafiaBoy

[nickswitzer]

MafiaBoy At the time of his hack, Mike Calce could only be referred to as MafiaBoy since Canadian laws prevented news outlets from releasing the name of the then teenage super hacker. In February 2000, Calce launched a denial-of-service attack that struck 11 major Web companiesâ"including Amazon, eBay, E*TRADE, and Dellâ"via 75 computers on 52 networks. While there's no hard data to quantify how much monetary damage was done, analyst estimates range as high as $1.7 billion Canadian (that's currently about $1.6 billion U.S). When tried in 2001, Calce was handed a sentence of eight months "open custody," limited Internet use, a small fine, and one year of probation. Ranks For: Scope, Cost

He basically found out how to do a DDOS, which was the first of it's kind. Before that, the main exploits ranged from SMURF.c to PEPSI.c to SLICE3.c (for some reason they were a lot of soft drink names). MafiaBoy went into an irc channel (I am omitting the name) bragging about how he could "down" anything. A few suggestions were made for what at the time were the biggest sites on the web. Once he packeted one, the spectators were unsure that it was really him until he made large website after large website a "404". The rest is history.

I'm Unimpressed

[Psion]

Not a single mention of that nefarious hacker, Rick Astley, who has managed to hijack so many hyperlinks to relevant videos in so many online discussions?