Slashdot Mirror


Romanian Accused of Breaking Into NASA

alphadogg writes "Romanian authorities have arrested a 26-year-old hacker who is accused of breaking into multiple NASA servers and causing $500,000 in damages to the U.S. space agency's systems. Robert Butyka, 26, was arrested on Tuesday in Western Romania following an investigation by the Romanian Directorate for Investigating Organized Crime and Terrorism. According to local reports, the hacker used the online moniker of 'Iceman.' He does not have a higher education or an occupation, a DIICOT spokeswoman said."

36 of 169 comments

  1. Re:Pictures of his house during arrest by Rootkit · · Score: 2

    Goatse, don't click.

  2. ...not to endorse his actions by Anonymous Coward · · Score: 5, Insightful

    ...but why aren't IT admins being held accountable for the lax security on their servers? And no, I don't buy the "if I leave my door unlocked, it's not an invitation to break in", since it's a paid position. If a cop fails to prevent a crime due to negligence, the city can be sued. Most of these break-ins are due to IT negligence, not hacker genius.

    1. Re:...not to endorse his actions by bberens · · Score: 3, Interesting

      Where do you live that a cop failing to prevent a crime can lead to the city getting sued?

      --
      Check out my lame java blog at www.javachopshop.com
    2. Re:...not to endorse his actions by timeOday · · Score: 3, Insightful

      Most of these break-ins are due to IT negligence, not hacker genius.

      I think negligence would be *very* hard to establish. First, most computer bugs, including vulnerabilities, are very obvious - in retrospect. Finding the needle in the haystack is easy after somebody points it out to you. That's entirely different than integrating hundreds of software components without creating any "obvious" holes.

      Second, how many sysadmins are given all the resources they would like to do their jobs? Security is cost/benefit, like anything else, you devote enough resources to make the pain tolerable, and no more. That means most admins have far more responsibilities than they can cover 100%.

    3. Re:...not to endorse his actions by bws111 · · Score: 3

      How do you know the admin was not held responsible? He could have been fired, demoted, etc.

      If you mean why isn't the admin held responsible by the legal system, what law would allow him to be held responsible? IT admins are not sworn to duty (like police) or licensed (like professional engineers).

      Your example of the city being sued does not work here. The person suing the city would be the person who was harmed by the negligence. Who, other than NASA, would have standing to sue in this case? Who would they sue, themselves?

    4. Re:...not to endorse his actions by cusco · · Score: 2

      I rather doubt that NASA has an Information Security department, they're squeezing blood out of turnips just to keep the existing systems functioning. It doesn't help when they have lawyers and MBAs telling them "You have to build the infrastructure to send men to Mars, but we're not going to give you any money or manpower to do it with."

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  3. Damages by AdamJS · · Score: 3, Interesting

    I'm betting the damages are formulated entirely from the cost of them having to do PR (they got hacked by a NEET after all) and 'fix' the security hole (because face it, they'll probably introduce 10 more flaws when fixing one).

    1. Re:Damages by bberens · · Score: 4, Insightful

      You get a few senior level IT people in a room and a single meeting can easily cost $1k. Total time to figure out what happened, track the guy down, etc. could easily cost $500k.

      --
      Check out my lame java blog at www.javachopshop.com
    2. Re:Damages by Anonymous Coward · · Score: 2, Informative

      As someone who worked at NASA during a hacker break-in, I am frankly surprised that the damages are that small. All of the machines were taken offline for a couple of days. All of the IT people worked round the clock to restore the servers to a previous state and try and fix the exploit. All kinds of onerous policies for the users were put in place that lasted for a month. Several new onerous policies persisted longer. Work productivity was definitely lost by all of the users (scientists) of all of the computer systems. Accusing the IT folks of being lax is totally ignorant as well. Some of the finest IT people work for NASA. NASA's problem instead is the rule from the top. Administrators with basically no science or IT experience enact policies that those people need to follow which are stupid. Many of the IT people know it but they are stuck with the administrators' or even government mandates as to how these systems need to be operated. I remember several of the IT people during the incident that occurred while I was there complaining that they were not as yet allowed to move the systems into virtualization where far less damage occurs with exploits.

  4. How much? by Coisiche · · Score: 2

    I can maybe understand if a figure like that is reached via physical proximity and a sledgehammer.

    But an unauthorised intrusion?

    Even a complete restore from backup can't possibly cost that much in lost time for employees.

    1. Re:How much? by moogied · · Score: 3, Insightful

      It's not just a restore. There was an investigation, then an audit process for the proposed change, then you have the CAB meetings, the testing in dev, then in stage, then finally the push to production environment. Then you have possible hardware changes (depending on mode of access), and additionally you need to sanitize the environment to be 100% sure nothing was left behind. That's easily a few hundred man hours. 500k may be a tad high (depending on a lot of things), but it's not unreasonable.

      --
      So basically, -1 troll/offtopic is really slashdots way of saying "I hate that you thought of something before me."
  5. Re:Education by ByOhTek · · Score: 5, Insightful

    How much you make doesn't indicate how much you know.

    I have a friend who is a complete idiot in the functional aspect of doing his job, lacking the background education, but he's good with people and instead delegates most of the functional work to others (basically acting like a manager, though he isn't), and makes a huge salary.

    And I've another friend, who also lacks the background education, but is very competent, and makes a huge salary.

    i.e. Salary does not indicate competence and qualification, sadly this seems to be especially true when you get to managerial and executive level positions, which half the time simply need a warm body to fill a chair and occasionally point in a (hopefully good) direction.

    Likewise, Education (or lack thereof) does not indicate competence or qualification.

    In general there are trends towards better education meaning more competence, and more competence correlating to higher salary, but they are by no means tight or without exception.

    --
    Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
  6. No education or occupation by roman_mir · · Score: 4, Insightful

    According to local reports, the hacker used the online moniker of "Iceman." He does not have a higher education or an occupation, a DIICOT spokeswoman said.

    No education and no occupation, ha?

    So who is working for NASA then, that this 'no-education and no-occupation' individual is able to break into their systems?

    Butyka is accused of hacking into several NASA servers over a period of time that started on Dec. 12, 2010. The authorities claim that the hacker destroyed protected data and restricted access to it. The charges brought against Butyka include obtaining unauthorized access and causing severe disruptions to a computer system, modifying, damaging and restricting access to data without authorization and possession of hacking programs.

    He possesses hacking programs, that means he is a terrorist. What kind of 'severe disruptions' did he cause that cost 500,000 USD?

    Romanian authorities have arrested a 26-year-old hacker who is accused of breaking into multiple NASA servers and causing $500,000 in damages to the U.S. space agency's systems.

    - this is a bunch of nonsense.

    He cost an admin a few hours of time and maybe a reinstall and reconfigure. Even at 1000USD / hour no way somebody spent 500 hours on it (that's 20.8 24 hour days) or 12.5 40 hour weeks.

    This is more government nonsense.

    1. Re:No education or occupation by GameboyRMH · · Score: 3, Interesting

      Possession of "hacking programs" is a crime? I think all my computers except my gaming PC have "hacking programs" on them, good thing I don't travel to the states these days.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:No education or occupation by roman_mir · · Score: 4, Funny

      Well, he also owns a computer, this is almost a 100% indication that he is a pedophile-terrorist, or a pedo-rist.

      This is what government is for - making sure that the right people are always punished for their transgressions. That's why Jon Corzine is in charge normally, of some government and/or economic function somehow and disgusting people like Ron Paul are blacked out by the media because they challenge the status-quo.

      Also USA is sending troops to Australia. You know, in case pro-Chinese Kangaroos join Al-Qaeda.

    3. Re:No education or occupation by TommyGunnRX · · Score: 2

      ... good thing I don't travel to the states these days.

      Not sure what the laws are in the 'states' regarding hacking programs, but the article clearly states he was arrested in Romania... Does this mean residents of Romania are restricted from accessing BackTrack and BackBox linux distros?

    4. Re:No education or occupation by Pi1grim · · Score: 2

      Now that I think of it, the government owns quite a number of computers.

    5. Re:No education or occupation by Sarten-X · · Score: 2

      Reinstalling and reconfiguring every system the hacker may have touched is impractical, and would take far more time than NASA can spare. Calling in auditors to make sure there were no rootkits, backdoors, or other bad stuff on any other systems is expensive. Deleting the results (and backups) of the latest experiments means months or years of work has to be redone.

      $500,000 actually strikes me as a pretty reasonable estimate.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    6. Re:No education or occupation by roman_mir · · Score: 2

      That's just nonsense. A large organization can re-image large numbers of machines automatically, but more importantly, in large organizations the Internet connection is normally done through one or a few systems, not every computer has its own external IP address and ports are restricted on the exit nodes. Watching and restricting the Internet-to-internal machine traffic on ports is part of what admins are for in the first place.

      Fix the problem even if it means a reinstall of the exit nodes, patch the hole, change the passwords and keep watching the traffic, fixing whatever happens internally if it happens. But that's routine work for a network admin.

    7. Re:No education or occupation by timeOday · · Score: 3, Insightful

      So who is working for NASA then, that this 'no-education and no-occupation' individual is able to break into their systems?

      So anybody who can smash a car window and steal a stereo is smarter than the guys who design cars? That is not a logical conclusion.

    8. Re:No education or occupation by Sarten-X · · Score: 5, Informative

      I take it you've never actually worked on a high-security system. Here's what I remember of the procedure at the last high-security place I worked:

      In the event that a machine (including a gateway) is compromised, any machine it can access is considered threatened, and must be thoroughly checked. No, NAT does not help, because once someone has control over the bridge, they can send data to any machine they want, even those without an external IP address. If any router, switch, or machine shows any slightly-suspicious activity (even as benign as an unscheduled database login), that machine gets an even more thorough examination to find out whether the activity was actually related to the hack, and what resources the hacker may have gained access to. If there's any indication that the hacker had shell access or retrieved data, the machine is considered compromised. If the machine stored any sensitive data, that data is reviewed to see if it could allow access to other systems (such as challenge questions & answers for resetting passwords). This investigation, which often involves the use of outside consultants (because there may have been inside help) continues throughout the whole network until the full extent of the breach is known. Being a government agency, the breach will likely involve a several-hundred-page report covering every detail. Somebody has to write that.

      The cost is already in the hundreds of thousands of dollars, and only then can the repairs start. It's often not as simple as just restoring a backup, either. Sure, the operating system can usually be done quickly (including fixes for the responsible security holes), but if there's any indication of data being touched (which, in this case, there was), that has to be addressed, too. Backups are usually old. In an ideal world we'd be making hourly backups stored offsite in an everything-proof vault, but that's never really the case. If an admin's lucky, he has a backup that's less than a week old - or it was when the breach occurred. Somehow (best described as "magically"), the admin has to figure out what changes were intentional (like experiment results, or customer orders, or whatever) and what was the result of the breach, then piece together the data to get something reasonably complete and up-to-date. Finally, after days, weeks, or months of reconstruction (most vital systems first, of course), the system is declared clean. Until then, projects get postponed, and other employees are being paid to play solitaire until their real work can continue.

      Then there's the "let's not do this again" phase, where employees change passwords, get lectured on security practices, sit through seminars on how to properly encrypt data, and so forth, all of which costs even more money. There's probably still an ongoing investigation as to whether anyone inside the organization helped the hacker, likely being run by consultants.

      Then there's the damages caused by any delays, which may involve contractual obligations. That's more money.

      It's not as simple as just re-imaging and assuming that everything's fine. Sure, that works on workstations, but it's unlikely that a workstation was all that was damaged. Once a server gets touched, the costs rise dramatically.

      --
      You do not have a moral or legal right to do absolutely anything you want.
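
The scoping procedure described in the comment above, sketched as an added example (it is not part of the thread or any poster's code). Host names, the findings fields, the credential map and the function names are all constructed for illustration.

```python
from collections import deque

# Constructed sample data: which hosts each host can reach on the network.
ACCESS = {
    "gateway": ["web01", "db01", "ws-17"],
    "web01": ["db01"],
    "db01": ["backup01"],
    "ws-17": [], "backup01": [], "lab-archive": [], "hr01": [],
}
# Constructed examination results, recorded per host by the investigators.
FINDINGS = {
    "web01": {"suspicious": True, "shell_or_data_access": True},
    "db01": {"suspicious": True},   # e.g. an unscheduled database login
}
# Constructed: sensitive data stored on a host that would unlock other
# systems (password-reset answers, saved credentials, ...).
STORED_CREDS = {"web01": ["hr01"]}


def classify(finding):
    """Map one host's examination findings to a status."""
    if finding.get("shell_or_data_access"):
        return "compromised"
    if finding.get("suspicious"):
        return "suspicious"    # gets the more thorough examination
    return "threatened"        # reachable from a compromised host, nothing found


def scope_breach(initial, access, findings, stored_creds):
    """Expand outward from the known-compromised hosts until no new
    compromised host is found. Hosts never reached are left out."""
    status = {host: "compromised" for host in initial}
    queue = deque(initial)
    while queue:
        host = queue.popleft()
        # A compromised host exposes everything it can reach on the network
        # plus every system unlocked by data stored on it. NAT is ignored on
        # purpose: control of the bridge means internal hosts are reachable.
        exposed = list(access.get(host, [])) + list(stored_creds.get(host, []))
        for target in exposed:
            if target in status:
                continue
            status[target] = classify(findings.get(target, {}))
            if status[target] == "compromised":
                queue.append(target)   # keep expanding from this host too
    return status


if __name__ == "__main__":
    for host, state in scope_breach(["gateway"], ACCESS, FINDINGS, STORED_CREDS).items():
        print(f"{host:12} {state}")
```

In this sample, `hr01` is pulled into scope only through the credentials stored on `web01`, and `backup01` stays out of scope until the examination of `db01` turns up shell or data access.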
    9. Re:No education or occupation by DeltaVelocity · · Score: 2

      ... good thing I don't travel to the states these days.

      Uhm, hello??? He was arrested in Romania by Romanian authorities and is being charged under Romanian laws in the Romanian court system. It's not illegal to have "hacking programs" in the States.

    10. Re:No education or occupation by DriedClexler · · Score: 2

      No, but a guy who figured out how to throw a pebble in *just* the right way to allow access to a locked car (and drive it) without setting off the car alarm or giving much evidence of intrusion is smarter than the guy who designed the car's security measures.

      --
      Information theory is life. The rest is just the KL divergence.
  7. The United Federation of Planets must know! by sl4shd0rk · · Score: 2

    They are evidently no longer basing operations within the Beta Quadrant!

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  8. Re:Alien Secret Documents by sizzzzlerz · · Score: 2

    Or those classified documents of how they faked the moon landings?

  9. Re:Pictures of his house during arrest by ByOhTek · · Score: 2

    Who the hell still falls for this? I just assume any link in the comments is to goatse...

    --
    Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
  10. Re:Education by trum4n · · Score: 4, Funny

    Being smart and poor ain't something to brag about. I'd know.

  11. Re:Bill Gates by Anonymous Coward · · Score: 3, Informative

    Woz was the phone phreak, true. Jobs was the one who wanted to commercialize the device to do the phreaking. Woz was one guy making free calls. Jobs wanted to make money off of selling "free call devices" to others.

  12. Re:Bill Gates by SuricouRaven · · Score: 2

    Common, I'd imagine. A hacker has to hack - if someone of technological talent isn't directed into a productive use of their skill, they'll likely end up using it to play around just because it's fun. I know when I was a pupil in school I used to frequently hack their primitive network security, and had much fun in the dialup days port scanning and poking at whatever I found. A lot of experts today probably got started with some explorations of dubious legality.

  13. $500,000? by JustAnotherIdiot · · Score: 2

    This number bothers me, and I find it hard to believe.
    Even more so because TFA doesn't ever mention /what/ it was he did.
    Sure, he broke in, but what did he do with that access?
    Delete files? Rename them? Rearrange them? Simply just shut the servers down? Perhaps a virus or two?
    All I can think of that should be possible remotely would just cause an IT admin a headache for a few hours while he fixed the damages.
    Unless he found the "self destruct" button, and now NASA is without any equipment.

    --
    What do I know, I'm just an idiot, right?
  14. Not in DC by srussia · · Score: 5, Informative

    If a cop fails to prevent a crime due to negligence, the city can be sued.

    http://en.wikipedia.org/wiki/Warren_v._District_of_Columbia

    --
    Set your phasers on "funky"!
  15. Re:Bill Gates by ackthpt · · Score: 2

    Well that case, it even is still directly doing damage (crashing the server, downtime = lost sales/productivity). Compared to several other hackers that get in comparable trouble for literally just connecting and reading the content. Companies/government tend to want to hold the hackers liable when they connect/access, without actually causing any downtime. Time spent applying security updates for a flaw that should have been fixed before, is not downtime caused by the hacker; that is downtime caused by the security team not having done it right the first time. Unless trade secrets were sold to a competitor, or downtime/data loss was caused, there are no "damages". In the same way that trespassing is not by definition theft.

    I took over security when I started my first job as a programmer. I already had tried out code for various spoofs and what not. Never did anything nefarious with it (the worst thing I did was bring one system to its knees with a program to compute pi to some large number of places). I knew the weaknesses (those idiots in Milwaukee were only using standard passwords on DEC systems used by Field Service .. password to [1,2] was SYSTEM, password to [1,1] was DECSER or DEC[Month abbreviation]). I developed honey pots and left them around the system where people could find them. Great way to alert me what people were up to. I key scanned and logged everything of known miscreants and methods. It was fun, but too easy. Most attackers were of limited education and vision. Breaking into a system to crash it was idiotic. Breaking into a system to learn was what separated the men from the boys.

    --

    A feeling of having made the same mistake before: Deja Foobar
  16. Re:Education by 0-until-pink · · Score: 5, Insightful

    This reminds me of the Kurt Vonnegut bit in Slaughterhouse Five about Americans' attitude towards esteem and money.

    "America is the wealthiest nation on Earth, but its people are mainly poor, and poor Americans are urged to hate themselves. To quote the American humorist Kin Hubbard, “It ain’t no disgrace to be poor, but it might as well be.” It is in fact a crime for an American to be poor, even though America is a nation of poor. Every other nation has folk traditions of men who were poor but extremely wise and virtuous, and therefore more estimable than anyone with power and gold. No such tales are told by the American poor. They mock themselves and glorify their betters. The meanest eating or drinking establishment, owned by a man who is himself poor, is very likely to have a sign on its wall asking this cruel question: “if you’re so smart, why ain’t you rich?” There will also be an American flag no larger than a child’s hand – glued to a lollipop stick and flying from the cash register."

  17. Re:Education by trum4n · · Score: 2

    When I'm a full time project engineer and can't afford to move out of my mom's basement, it's pretty bad. Renting an apartment costs nearly twice what a house costs to buy, per month. And because I have student loans, my credit is so bad I can't get a mortgage, despite having perfect credit otherwise. Being poor sucks.

  18. Re:Education by trum4n · · Score: 2

    I've noticed. I'm wondering why I obey laws at all. I'm about to just file a patent for "the use of a road with wheels somehow involved" and bribe the patent office. Then I'll just sue everyone. Seems to work for Apple, IBM, Microsoft, and trolls everywhere.

  19. The real story here... by DeltaVelocity · · Score: 3, Insightful

    ...is not that a Romanian hacker got into NASA systems and caused an alleged $500k in damages/remediation expenses. The real story is that the Romanian authorities actually DID something about it.