Romanian Accused of Breaking Into NASA
alphadogg writes "Romanian authorities have arrested a 26-year-old hacker who is accused of breaking into multiple NASA servers and causing $500,000 in damages to the U.S. space agency's systems. Robert Butyka, 26, was arrested on Tuesday in Western Romania following an investigation by the Romanian Directorate for Investigating Organized Crime and Terrorism. According to local reports, the hacker used the online moniker of 'Iceman.' He does not have a higher education or an occupation, a DIICOT spokeswoman said."
...but why aren't IT admins being held accountable for the lax security on their servers? And no, I don't buy the "if I leave my door unlocked, it's not an invitation to break in", since it's a paid position. If a cop fails to prevent a crime due to negligence, the city can be sued. Most of these break-ins are due to IT negligence, not hacker genius.
How much you make doesn't indicate how much you know.
I have a friend who is a complete idiot in the functional aspect of doing his job, lacking the background education, but he's good with people and instead delegates most of the functional work to others (basically acting like a manager, though he isn't), and makes a huge salary.
And I've another friend, who also lacks the background education, but is very competent, and makes a huge salary.
I.e., salary does not indicate competence and qualification; sadly, this seems to be especially true when you get to managerial and executive level positions, which half the time simply need a warm body to fill a chair and occasionally point in a (hopefully good) direction.
Likewise, Education (or lack thereof) does not indicate competence or qualification.
In general there are trends towards better education meaning more competence, and more competence correlating to higher salary, but they are by no means tight or without exception.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
If a cop fails to prevent a crime due to negligence, the city can be sued.
http://en.wikipedia.org/wiki/Warren_v._District_of_Columbia
Set your phasers on "funky"!
This reminds me of the Kurt Vonnegut bit in Slaughterhouse Five about Americans' attitude towards esteem and money.
"America is the wealthiest nation on Earth, but its people are mainly poor, and poor Americans are urged to hate themselves. To quote the American humorist Kin Hubbard, “It ain’t no disgrace to be poor, but it might as well be.” It is in fact a crime for an American to be poor, even though America is a nation of poor. Every other nation has folk traditions of men who were poor but extremely wise and virtuous, and therefore more estimable than anyone with power and gold. No such tales are told by the American poor. They mock themselves and glorify their betters. The meanest eating or drinking establishment, owned by a man who is himself poor, is very likely to have a sign on its wall asking this cruel question: “if you’re so smart, why ain’t you rich?” There will also be an American flag no larger than a child’s hand – glued to a lollipop stick and flying from the cash register."
I take it you've never actually worked on a high-security system. Here's what I remember of the procedure at the last high-security place I worked:
In the event that a machine (including a gateway) is compromised, any machine it can access is considered threatened, and must be thoroughly checked. No, NAT does not help, because once someone has control over the bridge, they can send data to any machine they want, even those without an external IP address. If any router, switch, or machine shows any slightly-suspicious activity (even as benign as an unscheduled database login), that machine gets an even more thorough examination to find out whether the activity was actually related to the hack, and what resources the hacker may have gained access to. If there's any indication that the hacker had shell access or retrieved data, the machine is considered compromised. If the machine stored any sensitive data, that data is reviewed to see if it could allow access to other systems (such as challenge questions & answers for resetting passwords). This investigation, which often involves the use of outside consultants (because there may have been inside help) continues throughout the whole network until the full extent of the breach is known. Being a government agency, the breach will likely involve a several-hundred-page report covering every detail. Somebody has to write that.
The cost is already in the hundreds of thousands of dollars, and only then can the repairs start. It's often not as simple as just restoring a backup, either. Sure, the operating system can usually be done quickly (including fixes for the responsible security holes), but if there's any indication of data being touched (which, in this case, there was), that has to be addressed, too. Backups are usually old. In an ideal world we'd be making hourly backups stored offsite in an everything-proof vault, but that's never really the case. If an admin's lucky, he has a backup that's less than a week old - or it was when the breach occurred. Somehow (best described as "magically"), the admin has to figure out what changes were intentional (like experiment results, or customer orders, or whatever) and what was the result of the breach, then piece together the data to get something reasonably complete and up-to-date. Finally, after days, weeks, or months of reconstruction (most vital systems first, of course), the system is declared clean. Until then, projects get postponed, and other employees are being paid to play solitaire until their real work can continue.
Then there's the "let's not do this again" phase, where employees change passwords, get lectured on security practices, sit through seminars on how to properly encrypt data, and so forth, all of which costs even more money. There's probably still an ongoing investigation as to whether anyone inside the organization helped the hacker, likely being run by consultants.
Then there are the damages caused by any delays, which may involve contractual obligations. That's more money.
It's not as simple as just re-imaging and assuming that everything's fine. Sure, that works on workstations, but it's unlikely that a workstation was all that was damaged. Once a server gets touched, the costs rise dramatically.
You do not have a moral or legal right to do absolutely anything you want.
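
The scoping rule in the comment above (everything a compromised machine can access is threatened; signs of shell access or data retrieval make a machine compromised; stored secrets extend the review to the systems they unlock) can be sketched as a worklist over an access graph. This is an added example, not part of the original comment; the host names, finding labels and the choice that only compromised hosts propagate further are assumptions made for illustration.

```python
from collections import deque

# Constructed sample network: host -> hosts it can open connections to.
ACCESS = {
    "gateway": ["web01", "db01"],
    "web01": ["db01"],
    "db01": ["backup01"],
    "backup01": [],
    "hr01": ["db01"],
    "lab01": [],
}
# Constructed examination findings per host (labels are hypothetical).
FINDINGS = {
    "web01": {"unscheduled_login"},
    "db01": {"unscheduled_login", "data_retrieved"},
}
# Constructed: secrets stored on a host (e.g. reset answers) that unlock other systems.
STORED_SECRETS = {"db01": ["lab01"]}

# Findings that move a host from "threatened" to "compromised".
COMPROMISE_INDICATORS = {"shell_access", "data_retrieved"}

def scope_breach(entry, access, findings, stored_secrets):
    """Return {host: 'compromised' | 'threatened'} for every host in scope."""
    status = {entry: "compromised"}
    queue = deque([entry])
    while queue:
        host = queue.popleft()
        # In scope: whatever this host can reach, plus whatever its secrets unlock.
        exposed = list(access.get(host, [])) + list(stored_secrets.get(host, []))
        for peer in exposed:
            if status.get(peer) == "compromised":
                continue
            if findings.get(peer, set()) & COMPROMISE_INDICATORS:
                status[peer] = "compromised"
                queue.append(peer)  # its own reach must now be checked too
            else:
                status[peer] = "threatened"
    return status

def needs_deeper_exam(status, findings):
    """Threatened hosts with any suspicious finding, however benign it looks."""
    return sorted(h for h, s in status.items()
                  if s == "threatened" and findings.get(h))
```

Hosts absent from the result (here `hr01`) were never reachable from a compromised machine under these assumptions.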