Slashdot Mirror
Hacker Posts His Crime On YouTube, Lands In Jail
wiredmikey writes "A former contract security guard who admitted hacking into a hospital's computer systems (where he worked), was sentenced to 110 months in Federal prison. Why did he do it? He admits that he intended to use the bots and the compromised computers to launch DDoS attacks on the websites of rival hacker groups. The FBI says he posted video of himself hacking into the hospital computers on YouTube — While the theme of 'Mission Impossible' played, he described his hack, step by step, including the insertion of a CD containing the OphCrack program, which allowed him to bypass all security. The FBI found the CD containing the OphCrack program in McGraw's house and found the source code for the bot on his laptop."
Step 2) ????
Step 3) Jail!
excitingthingstodo.blogspot.com
Do we have a winner for the prize of "stupidest person alive"? Who, with the slightest semblance of common sense, would think that posting a video of themselves doing this was a good idea? This ranks up there with the guy who used a camera mounted to his motorbike to record himself doing 140mph+ in the UK, then posted it on YouTube with his face and licence-plate.
This is exactly why we don't counter-attack those attempting to penetrate our network. While you *might* have some slim chance of reaching the attacker, chances are equally good you will end up attacking some systems in a hospital or something equally unacceptable.
They added the stupidity multiplier. It is there so the pollution of the gene pool by really stupid criminals is reduced.
Fight Spammers!
Hospital administrators who don't properly secure and audit their computer system deserve to be shot.
The network he had access to was a hospital's LAN. He wanted to use it to DDOS which would result in saturating much of the hospital's LAN to begin with and possibly screwing with equipment in the mean time. If he hacked into a Starbucks or a McDonalds to do the same I wouldn't care as much but his stupidity overreached on this one.
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
Has "security researcher" become the code for for confidential informant? Why else would the "researcher" go out of his way to "inform" the FBI?
If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?
Why do articles even call them "security researchers"? Now if this guys job is to investigate hackers, then he should be called a "cyber crime investigator". It's disingenuous to call an a cyber crime investigator/cybercop detective a security researcher. What is with this trend?
Who cares if the person was a "security researcher" or "cybercop detective"? What's it matter?
And what is the official function of a security researcher? Are they informants? I'd think maybe not if they aren't pretending to be outlaw/blackhats, so I cannot put them in the obvious informant/snitch category that albert gonzalez is in. An informant/snitch generally is someone who is a criminal hacker or member of a crew, who betrays his or her own crew to provide information to another crew (usually the police). Albert Gonzalez fits the definition of a snitch, the worst kind.
You took the term "security researcher", substituted your own definition of "confidential informant", and then hinted that the person might be a snitch...
This question goes out to security researchers. When is it a good idea to inform the FBI of a crime? Does it depend on whether or not you are white hat, black hat, grey hat? Does it depend on whether or not you are in the same crew as the person, or know the person? And if you do, does it remain just research or does the function of the security researcher change to investigator?
I keep seeing various different job titles, security researcher, cyber crime investigator, cyber cop, cyber warrior, and I do not understand the different inherent functions of these terms. At the same time you have obvious professional betrayers like Albert Gonzalez being called "agents" and "heroes" by the feds in one sentence and then later on the feds are locking him up and he's a dirty rotten snitch greedy scoundrel.
So which security researcher, hacker, or cyber crime investigator wants to clear up exactly the different functions and roles?
Actions define people, not titles. You obviously already know this, why bother using it as an excuse to get on your soapbox? No one cares what they call themselves, except maybe them.
Eagles may soar, but weasels don't get sucked into jet engines.
The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?
And yes, the only way to enforce laws effectively is for crimes to be reported effectively. It's unfortunate that so many people think that reporting a crime is cause for immediate public execution, but the attitude will be there so long as there is no effective punishment for violently repressing anyone willing to call 911.
Why is it excessive? From TFA:
Given the fact that his actions could have breached confidentiality of medical records, or, you know, even killed someone due to the HVAC system going haywire and not controlling the temperature in a patient's room, or a storeroom containing temperature-sensitive medications, I'd say that 9 years and 2 months (probably being served in a minimum-security federal prison camp) doesn't sound all that unreasonable.
That depends on whose home it is. If it's a rich assholes home, probably not
You do realize that this means you, too, are an asshole, and that someone even lower on the moral chain than yourself will watch someone break into your house and do nothing for the same reason?
The chain of violence only stops when people like you stop demonizing based on external factors.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Are we going to imprison the people who decided to use Windows as the operating system for a critical, safety-sensitive computer? Why are we acting like the problems here end with this guy? Computers are not some magical object that dark wizards vie for control over; the fact that this guy could have endangered hospital patients because he was interacting with the HVAC computer (and ultimately, that is what he was doing: interacting with the computer) says more about the problems with the HVAC controller than about the hacker.
Palm trees and 8
Exactly. As Cullen Hightower said: "There's always somebody who is paid too much, and taxed too little - and it's always somebody else."
I always ask people, at what magical number does 'theft' become 'economic justice'?
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
That's not that bad. People could get much worse for having the police catch them with crack in their home!
That sentence is the least of his problems. Wait until the MPAA & RIAA find out he used the theme from 'Mission Impossible' in his YouTube posting without paying the appropriate licensing fees.
Yeah, if "interacting with the computer" involves breaking into a locked room, removing security controls on a computer with a sensitive function, and then planning to use it to launch DDoS attacks against other "rival groups." This isn't like, "What, I was just at the mall, using a touchscreen kiosk to find directions to the Urban Outfitters store!"
Considering he apparently needed both physical access (in a locked room) to the computers, and he had to disable security controls on the computer, I'd suggest that this indicates pretty a fairly decent attempt to secure the system and prevent it from being exploited.
ObCarAnalogy:
Would it be okay for me to break into your locked garage, replace all the software on your car's sensors & control units, and then claim I was "just interacting with a computer," when your brakes failed due to the changes I'd made?
Accidentally hitting someone with a car and accidentally hitting someone with a car after you've swilled half a bottle of Gold Schlager would be treated differently. Accidents happen. Deliberately fucking with hospital systems in a way that you KNOW could cause damages and even get someone killed is not an accident.
Don't be too hard on them. Any HVAC system can be circumvented using windows.
Give me Classic Slashdot or give me death!
Not all research is academic. I with a large number of research scientists, very few of them are doing anything academic. This particular security researcher is someone who makes his living by providing his skills to companies and other organizations in return for money. He researches security risks and ways to compromise computer systems and develops tools to combat them (my interpretation of the information on his business website). The overlap between what he does as a security researcher and what a cyber investigator would do is significant. Additionally, the link you posted mentions that he works at a university, suggesting that he may indeed do quite a bit of academic research. There is no evidence in any of the articles that have been brought forward so far that he is in any way employed by a law enforcement agency.
The simplest explanation of the facts as we know them is that he really is a security researcher who in the course of his research came across a video of someone hacking into a hospital computer system and reported it to the FBI. I am not sure why the idea that a private citizen might feel it is their public duty to report crimes they come across is so difficult for you to get your head around.
The truth is that all men having power ought to be mistrusted. James Madison
This is the worst kind of thinking. 'The poor don't get justice so I'll make sure the rich don't get it either! Then we'll all be equal!' Equally fucked. Such an great thing to which to aspire. Equality is not the sacred thing you seem to think it is. To paraphrase Margaret Thatcher, it is better to have a higher standard of living for the majority in a society with a high disparity than it is to have a lower standard of living for the majority in a society of greater equality.
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
Baed on your attitude, I'm surprised that anyone cares about you...even your mother.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
I'm assuming he wasn't part of 'Anonymous' then? ;-)
"The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?"
/. then assume you're simply an informant instead of being the private detective that the article correctly identified you as being?
But... he is a security researcher, here's his security websites and his LinkedIn says he has a PhD in Computer Science and works at the Mississippi State University Center for Computer Security Research (CCSR).
I'd say he's qualified. I don't understand why parent automatically assumed he was just an informant. If you're a private detective and with PhD in Criminal Forensics and you see a felony take place wouldn't you call the police? Would
my karma will be here long after I'm gone
I'm not paid too much, but I am taxed too little. I would gladly raise my own tax rates by 5% if it applied to everyone making as much as I am or more (esp. if it applied to Warren Buffet, etc. who currently have their salaries as investment income.)
That stupid rhetorical device has been done to death. At what level does a full head of hair become bald? At what level does the sand grains I collect one at a time in a location become a heap?
Obviously, if one person owned everything, it would be justified (if only so that people he did not like could eat), and if everyone was equally wealthy it would not be justified. The presence of a grey area may lend itself to long arguments about the optimum points to put tax rate changes, but it cannot be used to dismiss the concepts out of hand.
Your ad here. Ask me how!
I install HVAC control systems for a living. Almost all of them rely on Windows at some point along the way anymore, either for setup software or the user interface software (if it doesn't use a web interface).
However, most do NOT require the Windows computer in order to function properly. The systems either have a dedicated embedded-style building controller, or use a peer-to-peer arrangement with each device handling its own schedules and talking to each other directly to integrate. It's entirely possible that the most he could actually do from that computer is look at a few temperatures.
Not that I expect that's reality. Unfortunately, we're typically talking about people with very little computer / networking skills, and security is dead last on anyone's mind when setting these systems up. They wouldn't even talk to IT at all if they didn't need an IP or LAN drop somewhere. I try to caution people about the need for at least rudimentary security, but all too often ease-of-use wins the day. Some even have their HVAC systems exposed directly to the net so they can more easily use their smartphones or check on things from home. Combine with braindead username/password selection and I'm surprised many haven't been hacked.
One way I try to prevent total disaster is by careful programming - make it so the user front-end doesn't allow them to do stupid stuff, and sanity-check user input. But there's a limit to what can be done with most of these systems, and in the end if the customer says he wants to be able to do something stupid - well, it's his building. Just don't expect me to cover it under warranty!
Being in the medical IT field I can tell you that almost all medical software is written for Windows. And last I checked I don't think you can arrest anyone for developing for the windows platform. Just because the system is on Windows doesn't automatically make it insecure. There are a number of things that could have been done to mitigate this such as ... super-gluing the USB ports, securing door access, group policy to lock down what can be run. If best practice security was followed this guy would have hard a hard time doing it. If you leave a system wide open for attack it will be ... whether it be Unix, Mac, or Windows.
But if you are just a researcher then your interest is purely academic, so what would you have to gain by reporting every crime you see?
As a scientist, you have an ethical obligation to report particularly dangerous crimes. Sounds like this guy was boasting about coopting his hospital's systems and using them to fight other bot nets. That has a potential for killing people that compromised computers normally don't have.
You could go with Rawls (paraphrased): Inequalities are acceptable if they makes the worst off in the new system better off than the worst off without those inequalities.
Your ad here. Ask me how!
If anyone sees a crime, they should report it. This has nothing to do with hackers or not, or the fictitious color of their hats. It is always a good idea to report it unless you have concerns about your own safety. Face it these guys are not boy scouts and they know they are committing serious crimes. Looking the other way is a serious breach of morality. Who cares about the roles. Their role as a public citizen should be enough to compel them to report a crime.
Security researchers are not priests sitting in a confidential confessional booth, and they're not psychiatrists or lawyers with ethical obligations to protect the secrets of their clients.
Society is something I tolerate. I did not ask to be born into this society. I do not have any emotional attachment to this society. It's not all good.
There are good people who matter to me. I care about those people. The social contract isn't real and does not exist. People pretend it exists just as they pretend human rights exist and just as they adopt American exceptionalism.
You think the world owes you all it's natural resources because you are an American? You think lives in foreign countries don't matter?
Are you willing to risk your life to stop the American empire from expanding? Are you willing to get locked up in Gitmo to protect human rights? Are you willing to be tortured?
Well that rich guy across the street from you isn't, else there might be human rights already. So yes I have a right to be as selfish as necessary to survive, and why expect everyone who doesn't have to be the selfless but expect the people who actually have something to give, like bankers and CEO's, for them greed is good?
Be consistent. Greed is good for everybody, or for nobody.
Have you gotten your meals out of dumpsters and supplemented them by shoplifting?
Have you gone days and days without a shower because you had no place to take one? Slept in parks and alleyways?
I'm guessing the answer is "no."
Well, I have. And you know what? I survived by doing what I had to do and through the kindness of people who had nothing to gain by helping me. Without those people I would be dead and we wouldn't be having this pleasant conversation.
I learned that nobody owes me anything. I get what I get because I work hard for it. As it should be.
What is more, I try to help people. Why? Because it's the right and ethical thing to do. I don't judge people by what they have or how they live or paint whole societies with a broad brush. I go by what people do and what they say.
We live in an unequal world. It's not right and it breaks my heart to know that many people have short, harsh, brutal lives. But I can't make everything better.
I can't stop the oil companies from raping the Earth, or bankrupt the corrupt corporate executives who happily endorse screwing the most vulnerable among us to pad their own pockets, or jail the scumbags who commit atrocities in the name of my home. I can, however, treat my fellow humans with respect and kindness. I can lead by example.
What do you do? You hate on others. Usually, that's a sign that you hate yourself.. Do you feel inadequate in some way? Didn't your mommy love you enough? Did some sociopath scumbag abuse you as a child?
As my late sister used to say, "hurt people hurt people," and she was (and is) right.
I care a great deal about people wherever they are. Because people are (which is the whole point you're missing) on the whole, decent, and if given the chance, kind, caring, and willing to do the right thing. As such, they are worthy of the same.
You say that Americans think the world owes them something. I'm sure some (but not most) of us do. And those are the people who wouldn't call the police if they saw someone's house being broken into. Sound familiar?
The problems we have come from people like you. With your "Fuck you Jack! I'm alright." attitude. We have a word for people like you: sociopaths.
Whether you're a poor sociopath or a rich sociopath, it really doesn't matter.
The saddest part is that you don't realize that you and the people like you *are* the problem.
No, no, you're not thinking; you're just being logical. --Niels Bohr