White House Web Page Cracker Faces Prison

gregstoll writes "Hacker Eric Burns (alias Zyklon) faces prison, according to this New York Times article (free registration required, of course...)" Meanwhile, according to an Excite News story sent in by lots of people, the DoD is thinking about removing JavaScript and ActiveX from its sites to make them harder for crackers to penetrate.

...

[David+Ham]

this isn't meant as flamebait, but he deserves it. the stuff he was doing was illegal. it has almost no practical use, other than to show a security hole, and the best way to do that is NOT by defacing the webpage. that's like breaking into a house and trashing it to show that locking your door is a good idea. yeah, it works, but there are other ways.

Re:...

[Sun]

That depends.

If the 40000$ damages were, even if in part, a result of the White House sysadmins updating security, you can't really attribute that to his crime.

Charging me for the fixing of a security hole I exploited is rediculous. The hole is there whether I broke in or not.

Re:...

[Hard_Code]

"If the 40000$ damages were, even if in part, a result of the White House sysadmins updating security, you can't really attribute that to his crime."

Yes you can. Security holes don't exploit themselves and cause $40000 in damages.

"Charging me for the fixing of a security hole I exploited is rediculous. The hole is there whether I broke in or not."

The charge is not for the fixing of the hole, but for reparations of the damages you caused by exploiting it.

In most cases the "damages" are grossly exaggerated, but in this case, the whole country has lost face and looks stupid. Imagine going to england.uk (or whatever...) to learn about England and seeing a defaced site. The whole country looks stupid.

Re:...

[redd]

> The whole country looks stupid

as a result of one individual who was brought up in that country. It's a bit harsh for some casual grafitti.

I imagine the $40,000 accounts for a massive investigation into finding the culprit so they could save face. They probably went on to prepare their legal case on the subject before even contacting the culprit.

Rather than do what most ISPs who suffer a cracked site would do, which is to just patch the hole, get the original site from backups, send a complaint to the upstream provider it came from, possibly block that provider out for a while and compensate the owner of the site if they get arsey about it. That's 2 hours work by one techie (eg $50). These things happen and there's not much you can do about it.

But no, whitehouse.gov is petrified of the teenagers they failed to educate (where $40000 would be more useful). unwise and stupid.

Re:...

[Greg+W.]

Imagine going to england.uk (or whatever...) to learn about England and seeing a defaced site. The whole country looks stupid.

Yes -- the country basically sends the world the message "we're too stupid to stop script kiddies from defacing our web sites".

This whole thing reminds me of an old Simpsons episode: the one where Lisa steals all of the Teachers' Editions of the text books. The whole school comes to a screeching halt because none of the teachers know anything about the subjects they're teaching. In the end, she has to write "I will not expose the ignorance of the faculty" (or words to that effect) over and over.

Re:...

[um...+Lucas]

I completely agree with you here. By now we know that webservers are not the most secure of systems. We don't need it proved anymore. A simple email to the sysadmin would probably accomplish the same goal, if said goal were to notify people that their site's were insecure.

Aside from that, this is the White Houses website. It's not just Joe's Site About His Pet's.com. It's the whitehouse. The fine for spraypainting the side of a building in New York is probably much less than that for spraypainting the whitehouse. I know it's not the same, but an example needs to be made.

If someone does that, and expects that the FBI isn't going to be involved and that he's not going to be tracked down and therefore he won't face any consequences, well, this is Darwinism at it's finest.

Expected.

[Hermetic]

This is, of course, to be expected. All cracking is illegal even if nothing is broken! This guy just hit the wrong site and got caught.

You must suffer the consequences of your actions, and cracking the White House site is a bad idea...

Wow, big surprise!

If someone vandalized the white house I would imagine they would be getting jail time -- even if they just broke in and didn't do anything. I don't see why this should be any different. Anyway, who would have thought javascript lead to holes in named, apache, etc?

Re:first post, NOT

[topher1kenobe]

Heya, if we spread the rumor that removing JS and ActiveX will make sites more secure, maybe it'll just go away. Yeah, lets.

Removing javascript.....

[CodeMonky]

Is that really necessary? As far as I know all javascript exploits have to do with the creation of nasty javascript on the serverside (redirecting people to fake login pages etc). The client can really do little with javascript from their side. Of course if they are talking about Java and ACtiveX well then ummm just ignore everything stated above.

--codemonky

Re:Removing javascript.....

[CodeMonky]

Hmmm. Reread article.
I didn't realize it was a removal from ALL computers. Not just web servers. That makes much more sense.

--Codemonky

Good and bad...

[rde]

If he broke into computers, he should be punished. But I'm a bit dubious aobut this 'three years' thing. Computers are no longer a luxury; most people reading this have computers as an integral part of their life. There's also the problem of 'what is a computer'. Can he play pacman in the local retro-arcade? What about a playstation? Can he program his video to record 'buffy' when he's at a parole meeting? Can he take cash from ATMs?
I could go on. And given the slightest incentive, I probably will.

Re:Good and bad...

[dennisp]

They modified a web page which wasn't on any government controlled network. They broke into what was most likely only the userland -- which means they could only modify web pages. This is hardly worth 3 years of punishment. I blame this mostly on paranoia on the part of the prosecuters involved and the ignorance of the judges who upheld this standard. I'm willing to bet that they also did not delete any files on the system which means that they are not guilty of file tampering or intellectual property damage.

The only charge which I can see as verifiably true is:

"All told, the attacks cost the government and businesses more than $40,000, prosecutors said"

Why? Because they wasted their time tracking this child down when the provider could have easily restored the page. Making examples of people, especially when the penalty it doesn't fit the crime, is wrong.
----------

Re:Good and bad...

[dennisp]

really, just to put this in perspective. This is the equivalent of breaking into a store with a scrolling electronic sign and changing it to say ---> get your gay sex toys in here -----. It says he can be facing up to 15 months in jail as well as the extremely large fine. People who get charged with assault with a deadly weapon or attempted murder get similar sentences.

Granted crimes like fraud carry stiff penalties as well. This is different in that they weren't dealing with material that had any much value. Seriously, it was the whitehouse web site -- not some mission critical army operations system.

It's not likely that this kid will serve that much time, but I'm still furius that they can take attempt to take 1.5 years away from someones life for manipulating a web page. If it was ebay where they would be losing thousands a second, maybe. The whitehouse web page? I seriously doubt it.
----------

Re:Good and bad...

[Zoltar]

I think your missing the point. It's not a matter of whats *fair* or whats right... The government wants to make a statement of "You hack our websites and you will get more than a little slap on the wrist" And I'm all for it.

Your analogy of changing the electric sign in a store doesn't fit here because we are not talking about him hacking some department store website, he hacked the White House website. Try making a series of obscene phone calls to Jane Doe and then do it to the WhiteHouse. Would you expect to receive a harsher penalty for the former or the latter? Lets face it, hacking the White House is not the act of a well centered, mentally balanced individual.

I think if you are stupid enough to hack the White House website then you deserve whatever you get. If you don't want to get fined and go to jail then act like a responsible human. It's really not that hard to do.

Re:Good and bad...

[fwad]

All told, the attacks cost the government and businesses more than $40,000, prosecutors said"

People are forgetting the fact that not only did they have to clean up the cracked web server (a simple task) but also ensure that he had not attacked other systems - this is the costly part of a cleanup. Reparing the actually damage is often very easy but first you have to ensure that you've found all the damage otherwise your cleanup efforted is wasted when the crackers come back next next using the security holes they created on there first visit.
--

Re:Good and bad...

[Danse]

As someone else pointed out, he didn't make the holes in their security. He just exploited them, thus letting them know that they existed. Someone would have had to fix them eventually anyway because they were security holes. They're trying to charge him for the costs of something they should have fixed themselves already. Slap him with the bill for restoring the website from backup, but not for fixing the problems that already existed.

Re:Good and bad...

[wayne]

I think your missing the point. It's not a matter of whats *fair* or whats right... The government wants to make a statement of "You murder a white girl and you will get more than a little slap on the wrist" And I'm all for it.

Your analogy of killing a nigger doesn't fit here because we are not talking about him killing some nigger, he murdered a white girl. Try making a series of obscene phone calls to Jane Doe and then do it to the WhiteHouse. Would you expect to receive a harsher penalty for the former or the latter? Lets face it, murdering a white girl is not the act of a well centered, mentally balanced individual.

I think if you are stupid enough to murder a white girl then you deserve whatever you get. If you don't want to get fined and go to jail then act like a responsible human. It's really not that hard to do.

Re:Good and bad...

uh...dude .. you are seriously twisted.

Re:Good and bad...

[Binestar]

OK, I read the above and my wheels started spinning. I was thinking what the heck is this guy talking about? White girl? Nigger? Then I re-read the post above THAT and finally understood. Good arguement, but you should have put some of your own explanation into it. I bet this gets moderated down, but I don't think it desearves it. It just needs to be better explained by the poster. I agree with the idea of this though, the Whitehouse.gov is just another site. The government isn't(Shouldn't be) better than the people it serves. But it will always happen.

Re:Good and bad...

[Magritte]

Three years is a long time isn't it. It would take a drooling idiot not to know that a person could barely be a part of society if completely cut off from computers. Especially if that person's skills lie in the realm of computers.
As much as I would prefer to think otherwise, I must recognize that the Government is not composed of drooling idiots. Backwards often, stubborn always but not complete idiots. They aren't quite smart enough to know that they're wasting too much time on this kid, but they are smart enough to realize that taking computers away from him for three years will be devastating. So, what they're are doing will ruin his life. They must be aware of that, and thus can't we assume that it's their aim?
The government, after having a major hand in the creation of computers, took up a long standing policy of hatred and fear of those who can use them. So, being the reactionary bastards they go straight for the jugular when provided the opportunity. They've got it and they did.
They're doing all they can to screw this guy, and they'll keep doing it. Can we do anything about it? Probably not, you won't find much overlap in the type of people who want to be politicians with the type of people who are pro technology.

Re:Good and bad...

[peterjm]

well, im assuming that you've never admined any sort of critical networks.
you say they "they wasted their time tracking this child down when the provider could have easily restored the page"
erm....if you have something like your front page defaced, ah...how do i put this, you're *stupid* if you don't go hunting
around the system for other things that might have been comprimised.
sure, restoring a web page would be *trivial*. but that's not all that they were doing. I can garuntee you that.
when you've been (cr|h)acked, "you can no longer really trust any file on the system b/c the data you have isn't good
enough to determine which files have been altered." (Essential System Adminstration, AElien Frisch)...when you don't know
what's good and what's bad, you're only *real* option is to re-install the system (i doubt they were running corel linux w/ it's 7 minut install time)
and prey you have some decent backups that you trust.
besides, this is more than just "some kid rooting a web server", this is cyber-terrorism. flat-out.
that's the sort of shit that will put you back for a LONG time.
breaking www.some-dumb-isp.net is a LOT different than breaking www.whitehose.gov, just
like killing a cop is a lot different than killing your nosey neighbor.


anyway, just my $.02
-Peter

Re:Good and bad...

This is just retarded. This same question was asked when Kevin Mitnick was given the same punishment of not being allowed to use a computer. Everything has a computer chip in it from watches to TV's. The court probally stated in very clear terms that he can not use "personal computers" and not "Anything with a computer chip in it." They most likely said this so that he would not use a home computer to repeat his crimes, not that he couldn't have a watch or microwave because by using those items he could break into a White House web page. Its just common sense. Why was this post given a 4? This has to be the most redundant and most useless question, unless of course you need to argue about every miniscule point and like beating dead horse's.

Remove Active X

[They_Call_Me_Spanky]

Browsers are too powerful anyway. They should have access to your system the way they do now.


jackchaos.com

Re:Remove Active X

K. First of all browsers have little power whatsoever. I have seen a lot of malicious code but any code written from a website is impossible to attack. Also people who crack websites use FTP or telnet. I would also like to thank the people who have written distinguishing Hack from Crack, it is an extremly misunderstood idea. Now back to the main topic. Yeah put him in for three years that is good, people like him who have no value for other peoples goods should be punished. Just because this is cyberspace doesn't mean you can get away with anything. Also the government doesn't understand that it is necessary to use a computer simply because of the fact that it is as someone said before an integral part of our life. I don't send mail anymore only email. Though at the same time people have to understand that one should have respect.



May the Force be with you

Not allowed to use a PC for three years

[wolfgang_spangler]

how can such a thing be imposed? with everywhere computers are showing up now...fridges...microwaves...toasters....3 years is a long time. Look at where they are now from three years ago! He would be unable to attend school, is THAT what the system wants?
Not defending what he did, punish him and let him go about his life. If he does it again punish him more severely.
This isn't like shooting someone and being unable to use a gun for 10 years or something...the puter industry is a little different.

?

Maybe I'm just lame but how does javascript and Active x make i easier. Or was that the point.

ActiveX? Huh?

[kzinti]

I thought the problem with ActiveX was that it was a security hazard for the browser -- the person doing the surfing -- and the browsing system. Ditto JavaScript. Can someone please explain to me how these tools are a threat to the servers and their hosting systems?

Or is this just the case of some non-tech-savvy DoD security wonk overreacting to something he's read and misunderstood about the security issues? It happened at NASA. You wouldn't believe the trouble we had getting Java code into mission control at JSC, because some misinformed security expert decided that Java == security threat. *sigh*

--JT

Re:ActiveX? Huh?

[ntsucks]

This points to one of the reasons they DoD has trouble securing there sites. They obviously do not understand the technology. FUD rules. Security threat! Security threat! shut down all the servers.

Re:ActiveX? Huh?

[Tim+Macinta]

I'm just waiting for their announcement that they are removing all HTML from their website to improve their security.

Re:ActiveX? Huh?

[Bronster]

I thought the problem with ActiveX was that it was a security hazard for the browser -- the person doing the surfing -- and the browsing system. Ditto JavaScript. Can someone please explain to me how these tools are a threat to the servers and their hosting systems?

In this case I'd say it is because of internal use. Consider Internet Explorer - most people these days use it - holy wars aside, it is the best browser for standards complience that's available now. You can set security for 4 different areas:

1. Internet
2. Local Intranet
3. Trusted Sites
4. Restricted Sites

Their servers are likely to be in either (2) or (3) for most internal users, i.e. "dangerous" stuff will be allowed to run.

This allows your average "script kiddy" hax0r to break in and change some Javascript or ActiveX code and cause more damage than if the browsers are set to not trust the servers.

It does sound a bit far fetched though, since it doesn't stop the original defacement.

There is always "server side Javascript" in the Netscape server and other server side CGI and ASP style code that can introduce security risks, but that's not what they say.

You wouldn't believe the trouble we had getting Java code into mission control at JSC, because some misinformed security expert decided that Java == security threat. *sigh*

I'm acually quite impressed with the idea of Java, designing a language which is safe enough to use in most environments. It's still open to denial of service risks for the client (and the issue of trusted providers, but that's another rant entirely).

I just wish that the authors of the security nightmares mentioned above had the same commitment to safety over creaping featuritus.

Bron "Windows is the sandbox, just store important data safely somewhere else" Gondwana.

Security??

In addition to removing JS and ActiveX from their site the DoD MAY want to consider disconnecting their critical systems from the Internet altogether. I mean, is our entire nuclear arsenal at risk here? Could the end of the would come about as result of some 12-year-old with his new Gateway rather then the more conventional Judeo-Christian four horsemen?
I know that may seem ridiculous, but take a moment and think: if you had enough weaponry to destroy the would several times over, would you connect your network to the internet?

Re:Security??

[Hard_Code]

"Could the end of the would come about as result of some 12-year-old with his new Gateway rather then the more conventional Judeo-Christian four horsemen?"

We all know the end of the world will be because of Y2K. Sheesh...get a clue ;)

Re:Security??

[nathanm]

The DOD's classified systems are NOT connected to the internet now. The systems that are getting cracked are just web servers. They also use very strong encryption on their classified networks - remember, the NSA works for them.

Little Steep?

[BradyB]

Sounds like the government is charging the same thing back to the public as it does paying for stuff. Three attacks? How in the world would that equal anywhere near $40,000 in damage. I mean come on now. Unless they are paying someone 300 bucks an hour or something to reconfigure a machine. Oh well I guess I won't be learning how to crack into websites anytime soon. Not that I wanted to do it in the first place, this was enough to discourage me.

Re:Little Steep?

[Hard_Code]

"this was enough to discourage me."

Maybe that was the point. Also, how do you quantify in monetary numbers the effect of a country losing face and looking really stupid to the whole world. What if the hacker put up something really inciteful, like slurs against other countries?

Re:Little Steep?

Well, you got to 5-6 fat guys sitting around bullshitting and drinking coffee.

Re:Little Steep?

[Stonehand]

Perhaps it cost a bit to figure out *where* the initial entry was made? Even if you bust a guy and extract a confession, it may not be complete...

...and if you have a box cracked, I'd *hope* you do more than simply reach for the tapes. There was obviously at least one way in; there may be many more, some new; and you may simply be keeping the doors unlocked while straightening up a few tilted pictures. At that point, you need to study what went wrong and how to prevent it -- and that takes time and $.

Re:Little Steep?

[sgs]

I would guess that they add up all the time the sysadmins spent fixing the problems, all the time that their managers spent yelling at them, all the time the users had to wait while the sysadmins were fixing things, all the time that the Poo-Bahs spent talking to the press, etc, and added the usual Government multiplier for "overhead" (100% - 400%, the last time I looked.)

Question -- what the bleep do sysadmins do for a living? Seems to me that keeping crackers out of the Web pages would be featured prominently in the job description. As far as I'm concerned, the sysadmins screwed up by letting him in and then they had to work overtime to clean up the mess. Big deal. Far as I can see, it's part of the job.

The crackers that "deface" Web pages are *not* the ones you worry about. Think what you could do by changing some subtle bits of information ....

In any case, Zyklon seems to be utterly clueless. He needs to learn that he's a big boy now, and his actions can have real consequences. In particular, twisting the tails of the Powers the Be can get you into Real Trouble (tm). It's their laws, their cops, and their courts.

The sentance is, IMHO, 'way too severe, but not at all surprising.

Re:Little Steep?

[Danse]

At that point, you need to study what went wrong and how to prevent it -- and that takes time and $.

Money that should have been spent securing the site anyway since it obviously wasn't very secure. Just because he pointed out that the holes existed doesn't mean he should have to pay to have them fixed. Make him pay for restoring the site from backup, but not for fixing what should have been fixed in the first place.

Re:Little Steep?

I'll agree that zyklon seems to be utterly clueless, but mostly because the idiot confessed. Had he invoked his right to remain silent and his right to an attorney, he could have gotten a plea bargain for no jail time. (The right to remain silent and the right to an attorney are features of US law and should not be invoked by residents of most European countries. At least, not with a straight face.)

Banning Client Side Code Helps Servers ??

[ntsucks]

How will banning the use of Javascript and ActiveX from DoD sites prevent people from hacking DoD servers? Also, how does this help client machines, do they not trust their own servers? The problem with Javascript and ActiveX, is when DoD people use DoD computers (PCs) to surf untrusted sites on the Web. Then Javascript and ActiveX, especially ActiveX, become a security risk. Mobile code is a problem when users go get it from an untrusted site, DoD users should not be doing that.

Re:Banning Client Side Code Helps Servers ??

[orabidoo]

my thoughts exactly: how is banning client-side things like JavaScript and ActiveX going to make their servers any safer? not that I'd object if they cleaned their pages from any JS or A-X, but that has nothing to do with server safety. or maybe are they programming their server-side dynamic pages with javascript? some Netscape servers can do that, but AFAIK it's not a particularily popular option.

anyway, if the gist of the idea is to make most of their pages entirely static, I'd say it's a good idea. government agencies aren't in the business of building online communities with forums and stuff like that. in order to present themselves and their information to the public, static pages should be more than enough.

while we're at it: how to build a secure static server in a few minutes: set up a Linux box with only httpd and sshd running, and sshd firewalled at the internet-connecting router. install thttpd for the web server, chrooted to its document root, running under an uid that can't write to any of the files or directories inside of the chroot. then you have exactly two attacks to worry about: 1) kernel networking bugs (nothing much you can do about these except trust that they are rare, and that fixes are available very quickly), and buffer overflows in the webserver (which crash the process, but don't let the attacker actually do anything with the system, like write anywhere or run any programs).

Response & responsibility

[deefer]

A few things came up from reading this - the guy seems to think "the punishment is harsh for what he did".
I don't agree with this punishment for computer intruders, but the law is the law until it is changed by your elected representatives. And if you got caught, then tough tittie. You knew the risks. HNN has an excellent article about it.
Basically, this type of activity is like trespass & vandalism. In the UK, that's more like a slap on the wrist community service type punishment. I'm not going to go on about ethics or morals; that's been done to death and everybody has a different standpoint.
What would ultimately benefit society more - imprisoning this kid for a year, or making him teach (under supervision) underpriveleged kids how to use computers?

Re:Response & responsibility

Should have got same penalty as for using a can of spray paint on a fence (a warning I think). On the 40K, I suspect $300 was for turning off the options in question. Should not have to wear the cost of $39,000 for a security review, and fixing a flawed design and implementation - as they obviously installed MS software - knowing the risks, and against decent technical advice. If you want security - #1 is no networking, #2 Mainframe, #3 AS400, #4 unix #5 read only site If they still have MS, and someone else does something bad - how culpable are they? If someone breaks my doorlock, I dont replace it with the same - I buy a better , stronger type. You would be a fool to believe in the packaging.....

reaching DOD "high security systems" from the web?

[turg]

The Excite article is a little fuzzy on whether the DOD is considering banning (a) code on their own pages or (b) browsers within their network from accessing such code from the open web (at first it seems to be talking about one, then the other). Either way, they say it is not suitable for "high security systems"

In the case of "(a)", I'd hope that no "high security systems" are accessible from the web. Surely the web servers are not on a network with access to sensitive data?

In the case of "(b)" the same thing applies. Would they really have a machine with access to both the WWW and sensitive defense info?

When the DOD talks about "high security" I assume this means as high as it gets anywhere. High security buildings have only one door. This makes it sound like they built a
"building" (so to speak) with thousands of doors and now they're lamenting the fact that they can't keep their eyes on all of them at once.
-
<SIG>
"I am not trying to prove that I am right... I am only trying to find out whether." -Bertolt Brecht

Go to prison for harmless fun?

In the Netherlands crackers get caught too, but they only get a warning to stop being a naughty boy/girl. Killers will get in prison, not people who just had a little harmless fun! I used a major Dutch company's ports to send a lot of fake mail and used their servers to get even on this nazi pig I know and when they caught me, all they (the company) did was mail me back to say that they don't appreciate that stuff and ask me to please not do it again (and ended with friendly greets).

With the government and police it's more serious. The major crackerclubs here got caught now and then and the worst punishment they got was that their computers were taken from them (to analyse) and tey had to pay for the damage they did.

There's not really a big mafia here, we just get along and don't make a big fuss about nothing.

So much for the American freedom...

ActiveX/Java/JavaScript

[Erich]

Interesting that they remove it from their web pages...

I worked for a company that had military contracts, and our corporate web pages had javascript -- but our firewall stripped out ActiveX/Java/JavaScript from external web sources. With ActiveX/Java/JavaScript the problem isn't usually the server, it's usually the client, right?

In any case, does anyone remember the _Far_Side_ that has the mother and son dog... the son is in Jail and the mother is visiting, saying ``You should't have chased the _president's_ car'' or something like that...

Justice, what else?

[h2so4]

I admit to not knowing that much about this case, and don't have time to register for the NYT; but what that cracker did was illegal - so surely he should be punished?

I'm all for looking around interesting boxes on the net, but surely he must have known that whitehouse.gov is another matter, and he must have known beforehand that the consequences would be very severe.

IMHO, in a more general sense, if you are choose to compromise a computer, that's one thing, but when you change the HTML, that is just plain stupid. It's the electronic equivalent of putting graffiti on a wall: if your real information (name, address etc) becomes linked to your handle, you are in the shit. The electronic sense is even more stupid though, there are logs.

It also seems that an example is being made here. If you tread on the toes of any .gov or .mil, it is highly likely that one day, you will be caught, especially if you are in the US.

Security has two sides: learning it, and becoming extremely knowledgable to the point where you are hightly employable, and the more sinister side of defacing web pages. I'll let you figure out which one to choose.

To me, this seems like justice.

Aieeee, the time.

Re:Justice, what else?

[Greg+W.]

but what that cracker did was illegal - so surely he should be punished?

No! You've got it completely backwards. Laws aren't the word of God. They're just a bunch of letters and numbers on a piece of paper.

Just because something is illegal does not mean it's wrong or that someone "should" be punished for doing it. The government is supposed to create laws to help protect the rights of the people. But lately the whole thing has just fallen apart. Everything's upside-down; instead of protecting and serving us, the government is abusing and harassing us.

It also seems that an example is being made here. If you tread on the toes of any .gov or .mil, it is highly likely that one day, you will be caught, especially if you are in the US.

Do you think it's right that the government should be allowed to "make an example" of us? The government is supposed to have fewer rights than the average citizen does, not more.

Where I come from, someone who takes advantage of weaker people is called a "bully". But apparently, if you're in D.C., bullying is not only tolerated, but encouraged.

Someone who defaces a government web site should get a small fine to cover the costs of restoring the web site. No jail time, and no forfeiture of other civil rights should be imposed.

To me, this seems like justice.

To me, this seems like a police state.

Re:Justice, what else?

[randombit]

but what that cracker did was illegal - so surely he should be punished?

But the punishment should fit the crime. 1.5 years in jail for defacing a web page is like executing someone for having cigarettes underage (OK, those are necessarily equivalent, but you get my drift). This isn't even a money-making organization... if it were someone like ebay or e*trade I could understand that there were monetary damages, etc. and it would seem at least a little reasonable (but not really). There is no reason for the govt to be doing this except that he made them look like idiots, and they don't like it, though I don't see why they don't just get used to it, seeing how often it happens. :)

That said, breaking into the White House's web page is pretty fscking stupid. If he was smart, he would have posted the vulnerability to Bugtraq (along with a working 'sploit), got a lot of publicity, and someone else could get busted for actually using it. Oh, well...

Re:Justice, what else?

[h2so4]

Do you think it's right that the government should be allowed to "make an example" of us?

If "us" refers to crackers, then yes.
I stand by my view that if you break into a system, then change the HTML, you really must have an urge to experience the justice system.

Just look at the Attrition (or any other) mirror. Do these pages, complete with their 31337 talk demonstrate any sort of desirable qualities?

Someone who defaces a government web site should get a small fine to cover the costs of restoring the web site. No jail time, and no forfeiture of other civil rights should be imposed.

I'm pretty sure anybody who hosts a web page, and has been the victim of these attacks will disagree with you. You don't have to break in, do you? No matter how "cool" it may look to your fellow 3133 h4x0r friends.

No! You've got it completely backwards.
Nah, I'm pretty sure that's the right way round. You break the law, you get punished. Maybe 15 months is harsh for changing a website, but come on...nobody is forcing you to.

Justice, what else?

[h2so4]

I admit to not knowing that much about this case, and don't have time to register for the NYT; but what that cracker did was illegal - so surely he should be punished?

I'm all for looking around interesting boxes on the net, but surely he must have known that whitehouse.gov is another matter, and he must have known beforehand that the consequences would be very severe.

IMHO, in a more general sense, if you are choose to compromise a computer, that's one thing, but when you change the HTML, that is just plain stupid. It's the electronic equivalent of putting graffiti on a wall: if your real information (name, address etc) becomes linked to your handle, you are in the shit. The electronic sense is even more stupid though, there are logs.

It also seems that an example is being made here. If you tread on the toes of any .gov or .mil, it is highly likely that one day, you will be caught, especially if you are in the US.

Security has two sides: learning it, and becoming extremely knowledgable to the point where you are hightly employable, and the more sinister, less knowlegable side of defacing web pages. I'll let you figure out which one to choose.

To me, this seems like justice.

Aieeee, the time.

newbie

[jyak]

After reading the article, its states that JavaScript poses a security risk. I was wondering if anyone could explain to me how does JS poses a threat on web pages.

Re:newbie

[DeadSea]

A lot of people have posted that they don't know how javascript can pose a security risk to the server side, and I agree with them. However, on the client side, it is an entirely different matter.

A friend pointed me to a web site that had at least 30 pages each with a different evil javascript on it. Most of them were slightly annoying, but at the time, one of them could read files from your hard drive and display them in your browser window.

If you have ever gotten stuck in a porn site that you can't get out of you know what I mean. They have java script set to open a new browser window (or two of them) whenever you close one. This one is fairly easy to fix by disabling java script and then closing the window.

One of the evilest hacks on the this site was one that made your window jump around. Java script allows the webpage to some location. Somebody got the bright idea of calling moveWindow(currentX + random, currentY + random) where random was between like -5 and 5. This made the window jump around like nothing else. You couldn't close the window because it was just about impossible to click on the x in the corner, nor could you access the menus for the same reason. The only thing to do was to end the browser process (which took a while because the computer was busy moving the damn window around).

Too bad more sites don't use it, or everybody would disable javascript.

Banning Javascript is a GOOD thing!

[Gurlia]

I've never liked Javascript ever since it became too popular. Personally my Netscape has Javascript disabled, simply because too many sites pop up lame consoles without my permission and it annoys me to no end.

I view websites as repositories of information, not entertainment theatres. If you want "interactive" entertainment, you can always download Quake :-) or go to the arcade. But when I search for useful information on the Web, the absolute last thing I want to see is a site that takes forever to load, pops up endless consoles with irrelevent ads/notices/whatnot, cluttered with useless animations and "interactive" crap. Give me a break, just deliver your goods! (If you have anything other than those useless crap, that is.) When I'm looking for something, sites with Javascript, ActiveX and what-not just don't fit the bill.

I realize that many people browse the web just for fun, so these things serve more like curiosities than annoyances. But to me, there are cleaner ways to do this than with JavaScript, or ActiveX (with all its security flaws). But technicalities aside, I still think it's utterly rude for an unsolicited, irrelevent console to pop up every time I load something from a particular site.

Also, the article seems to be making the claim that HTML forms will not work if they ban Javascript?!?!?! Come on, people, CGI is NOT "mobile code", which is the question at hand! Banning Javascript is a good thing. Your CGI scripts can still work (or use Java servlets instead, if you're paranoid about security. Not that that is much more secure, though). Just cut that useless Javascript crap from your pages, the net (IMNSHO) will fare better without it.

Re:Banning Javascript is a GOOD thing!

The biggest Javascrap crime I see being committed these days is the insistance of certain webmasters to use Javascrap instead of A HREF tags for hyperlinks. There is NO GOOD REASON to use Javascript instead of A HREF.

Javascrap was a bad concept from day one. What's with the 'Java' in the name, anyways? It has NOTHING to do with 'real' Java. It has been abused by everyone from Geocities to pornmeisters. But hey, I guess this is just another Netscape 'innovation', right?

Re:Banning Javascript is a GOOD thing!

You have my complete agreement. I turn it off and leave it off.

Re:Banning Javascript is a GOOD thing!

[Stain]

Too bad you also loose the style sheets feature in Netscape. Excellent programming... doh..

Computer Crime Sentencing

[fizik]

15 months for breaking into a computer. Whats the going rate for assault and battery, probably close to the same. I'm sure that people have gotten 15 months plus/minus for manslaughter. Lets look at the damage that was done here, someone posted 'j00 h4v3 b33n 0wn3d' with a list of names at the website. And now White House officials are screaming and yelling that he caused two days of downtime to their internal and external networks. I'm not a sysadmin but I know enough to be able to say that a hacked webserver should not affect a well built network to that extent. Plus, this kid is 19 years old. In our current day and age, lets be happy that he was messing around in front of his computer rather then planning to bomb his school. What will 15 months in jail teach this kid, do you really think he will come out with some positive reinforcement.

Re:Computer Crime Sentencing

[crivens]

Exactly my friend. I could be cynical and say "Only in america" (hopefully I'm quoting from the Simpsons correctly as I intend), but I'd rather say "What is this world coming to?". If he gets 15 months for this, I wonder what this would scale a prison sentence for murder up to? 50 years? Something more realistic and reasonable. Despite all the advertising in the UK, crime does pay, so why the hell am I being a good, honest citizen?? This makes the concepts of justice and judicial systems a farce IMHO.

Re:Computer Crime Sentencing

[Fastolfe]

I'm not a sysadmin but I know enough to be able to say that a hacked webserver should not affect a well built network to that extent.

When something like this happens, the admins don't just go "ho-hum, let me just fix the web page.." The system likely had been root compromised. This automatically means the system in question needs its OS rebuilt from scratch. As this guy had root-level access to this system for a time, and his intentions were obviously less-than-honorable, it's also quite likely other systems on this network were compromised in a similar fashion.

Intrusions like this cost people money. They have to shut down their network connectivity (to prevent access to other potentially compromised systems), rebuild the operating systems on the affected machines, restore the content, and then restore connectivity. This is not cheap.

Now, I'm not going to argue about the differences between prison sentences with other crimes. Instead of comparing it with violent crimes as you seem to want to do, compare it with real-life charges similar in scope. Specifically, compare it with breaking into a U.S. government building and damaging/destroying property. I believe you'll find a similarity in sentencing.

It always boggles me that there are so many people on Slashdot that go out of their way to defend kids like this when they clearly did a premeditated intrusion into a private system/network with the intent to cause damages/harm. He should be punished, just like all of the other l33t packet kiddies out there who do the same thing on a daily basis.

Re:Computer Crime Sentencing

[rotor]

Intrusions like this cost people money. They have to shut down their network connectivity (to prevent access to other potentially compromised systems), rebuild the operating systems on the affected machines, restore the content, and then restore connectivity. This is not cheap.

It's not cheap to fix a network after a crack, but should this kid have to pay for the hole to be fixed? he didn't put the hole there, he jsut exploited it. Sooner or later someone else would have or the hole would have been caught. Either way, the work would have had to have been done. He didn't do any real damage to anyone. He just replaced a web page. There should be a penalty for that, but 15 months and $36,000? What's the penalty for breaking and entering? I'd say that's what he did. And you could argue for some restitution for the time lost on the web page. Unless his message was left up for a LONG time, that doesn't make $36,000... I understand that they're charging him for the man-hours of work to close the hole, but like I said, he just pointed out that the hole was there. Charge him for the man-hour or so to re-create the page from the backup, sure, but this is too much (and for the record, I'm all for penalizing crackers, just make the punishment fit the crime).

Re:Computer Crime Sentencing

[Fastolfe]

He just replaced a web page.

Not quite. The victims of the intrusion MUST work under the assumption that the system has been backdoored ten different ways. The only thing they can do is wipe the system and rebuild it from scratch. The costs incurred by this are significantly more than the costs of applying a patch to fix a vulnerability.

It really bothers me when people try to put the blame on the victim because they failed to keep up to date with patches and fixes. Exploits are frequently released before patches/fixes are available, and for organizations that have a lot of systems to keep track of or are understaffed in this respect, upgrades can take a while to be propogated to affected systems. Just because the vulnerability was made known does NOT in any way mean the attack was OK.

Web hax0ring kids like this aren't doing it because they want to show the company that they're vulnerable to attack. If this were the case a simple e-mail would have sufficed (though it wouldn't have made the intrusion any more legal). They're doing it because they want to look 'l33t' in front of their haX0rZ 1RK friends, which is why they deface the web page (can you think of any more public way?).

I'm not going to pretend like I know precisely how the damages were assessed (though it's certainly possible that information has been made public), but it isn't as simple as just charging him for the man-hours. For every hour a worker spends rebuilding systems after an intrusion, that's an hour he can't spend working on the stuff he normally works on. Projects fall behind, work gets put on hold. Costs add up.

What *I* really don't understand is this: People are being convicted of these types of things all the time, and every time it happens we hear shouts of protest about how the penalty is much too harsh, etc. (mostly from Slashdot kiddies). Why, then, do people STILL DO IT? Do they think they're making a statement?

The kid deserves what he gets. He knew what he was doing was illegal, and he was no doubt aware of the penalties he'd bring down upon himself when he was caught. But, like most idiot adolescent packet kiddies, his head was too big for him to acknowledge the fact that he might be discovered. There's always a trail. Don't fuck with the people that have the resources to follow it.

Re:Computer Crime Sentencing

the site has been hosted on psi.net for as long as I can remember. I remember doing a traceroute to it at least a year ago and seeing this. It has never been on government owned networks.

Re:Computer Crime Sentencing

[Myddrin]

People are being convicted of these types of things all the time, and every time it happens we hear shouts of protest about how the penalty is much too harsh, etc. (mostly from Slashdot kiddies).

A) I am not a "kiddie." I'm 27 and trying to decide if I want to attend my 10 year re-union.
Why is it that the average slashdotter assumes that if you disagree with him/her you are either stupid or a kid? Geesh people this is the real world, people disagree with one an other and it's ok.

B) Gee, maybe the penalty is a little too harsh. Let's think about it... hmmmm, on the radio today there was a story about a man who was sentenced to probhation after killing someone at a off-campus UNC party. And this kid gets jail time. Are you really going to sit there and tell me that taking someone's life is less of a crime than costing the government or a corporation money?!?!?!??!?!?!?!?!?!?!?

The kid deserves what he gets. He knew what he was doing was illegal, and he was no doubt aware of the penalties he'd bring down upon himself when he was caught
And if he'd spary painted a wall would he deserve the same? What if he'd keyed someone's car?

Yes, hacking is wrong. But to say that the punishment fits the crime here is ridiculous. Yeah, it costs money to set the system back up... so garnish the kids wages for life, or make him/her do community service...that would be more in keeping with the kind of damage done.

Re:Computer Crime Sentencing

Ok, so it costs money (and time) to rebuild a system after it's more than likely been rooted. If the guy got into the system, though, it aparently had some holes big enough for him to do so. Instead of wasting prison space on a guy who defaced a webpage, why not tighten security on the system(s) that was hacked? There'd be less chance of the same thing happening again, and therefore less chance of more money being lost.

Re:Computer Crime Sentencing

[Fastolfe]

Geesh people this is the real world, people disagree with one an other and it's ok.

Who said I was specifically talking about you? All I meant is that there is a tendency for packet kiddies to hop on Slashdot and defend their packet kiddie friends after they're caught/imprisoned. Don't take my comments so personally.

Are you really going to sit there and tell me that taking someone's life is less of a crime than costing the government or a corporation money?!?!?!??!?!?!?!?!?!?!?

As I'm quite sure you're aware, as you seem to be an educated fellow, laws like this aren't black and white. The judges in question took lots of facts into account when pronouncing sentences. In a black and white world, no I don't think it would be fair for an intrusion like this to warrant more prison time than a murderer, but there's more to this "killing" case than you're letting on, isn't there? The judges usually have reasons for pronouncing the sentences they do.

But to say that the punishment fits the crime here is ridiculous.

I guess that's where your opinion differs from mine, and I'm not going to pretend as though I can change your mind in this respect.

Remember that by attacking a government-owned system, he committed a FELONY, not just a silly hack against some no-name company. He compromised a network run by the United States government.

If you think the laws in this respect don't spell out penalties more to your liking, try writing your congressmen. Posting on Slashdot won't get anything done.

Re:Computer Crime Sentencing

[Quack1701]

I would be so bold as to suggest that maybe the it's not the computer sentencing that is too strict, but rather the violent crime that is too lax? I agree something is out of wack. I think his punishment is too great. However, if that is going to be the punishment, we should push (and I already do) push for greater punishment for most other crimes.

Quack

Re:Computer Crime Sentencing

[Myddrin]

Who said I was specifically talking about you?
Sorry this week has been really bad for "As every intelligent person knows.." posts. You obviously aren't doing that.


..., but there's more to this "killing" case than you're letting on, isn't there?

You know, I was going to let this go, I wasn't going to respond but this part really bothered me... I just can't let this go without finding out... are you implying that I am hiding something here? I'm sure that you are an educated person and could ,if you wanted, go to the Raliegh News & Observer and findout for yourself. It was in yesterday's news.

Remember that by attacking a government-owned system, he committed a FELONY, not just a silly hack against some no-name company. He compromised a network run by the United States government.

I don't see why this makes a difference... all of the gov's classified stuff is not connected to the internet. You're not going to argue that the gov. has more rights than a private company/citizen are you? That it's somehow more wrong to deface the property of a governemnt by the people than the property of a person?


If you think the laws in this respect don't spell out penalties more to your liking, try writing your congressmen.

I do. Often. I also give to orgs. like the EFF which try to bring a little sanity to hacking discussions. (For example, Mitch's comments in "The Hacker Crackdown" by Bruce Sterling)


Posting on Slashdot won't get anything done.

You mean discussing the issue with other people is pointless? Debating the issue is a fruitless endevor? Hmmm... who knew. I though that by debating such issues people on both sides honed their arguements and brought there message to a larger audience.

He did *not* deface Whitehouse.

[Silicon_Knight]

Just a quick correction:

He did not deface the Whitehouse webpage. He denied it, he knows who's responsible but refused to name them. (read Hackernews, www.hackernews.com) as an example.

I don't like the idea of limiting him to "3 years without a computer". I think that the laws are very vague on the definiton of what a computer is. Can he use an ATM machine? Work at McDonalds? Or operate any Point-Of-Sale system for that matter? Prison is supposed to reform prisoners, but denying someone computer access (not internet access) is like denying someone a way to make a living, and a lot of good that does to help them fit back into society again.

-=- SiKnight

a time and a place...

[BiLlCaT]

there once was a time and place for system hacking/cracking, but it is no more... if you're interested in security, play with your own machines, or do something useful with their skills. of course, there is one resource available to these snot-nosed script kiddies that wasn't available before. that is the ability to crack systems with little or no knowledge of the inner workings of the system. it's kinda frustrating to look back and think about the time put into a problem in the "old days" and to see these kids using windows and "xploits" or whatever to crack remote computers in a matter of minutes.

out.

--bc
------------------------------------------
the amazing bc
latin/funk flugelhorn & trumpet
webnaut, music junkie, sysadmin from hell

Re:a time and a place...

personally i have just a few things to say.. i get more and more sad each day when i see how the h/c/p/a (hacking, cracking, phreaking, anarchy) scene dies.. i applause the good old days where you phreaked your way to some underground bbs's to download the latest txt's and 'warez' the days where the gatherings was about sharing information, writing demos and tracking music and not play a shitty game called quake with a bunch of 10yr old kids using their dad's latest PIII machine even i am dying, i haven't blasted anything to pieces in more than 2 years time using some home made mixture atleast some ppl is trying to keep the scene alive.. may it be what you call 'script kiddies'

Re:a time and a place...

Oh come on, I can't believe that you could possibly believe that, "there once was a time and place for system hacking/cracking, but it is no more... " Just because cracking has become mass-market, available to script kiddies running widows doesn't change the act. There is no difference between breaking into a VAX and defacing a website. If these script kiddies had been born 10 years earlier they probably would have been old-school hackers. Don't try to justify your activities in the "old days" just because it took time to plan out an attack. A hack is a hack regardless of the method used.

Re:a time and a place...

[BiLlCaT]

in the climate of today, there is no place for system hacking/cracking. sysadmins look at it as a hostile act whereis in the "old days" a sysadmin was more likely to buy you a beer for pointing out a hole in his system. high-profile malicious hacking/cracking and popular culture has lead to this my friends. i'm just saying that there is no place for it anymore. the scene needs to die anyway. it's like everything else in life, there is no place for irresponsibility. computers are more than the playgrounds and accounting systems of the past. in some cases, people's lives are at stake. but script kiddies and people like yourselves don't give a shit.

and there is a difference. there is an art to it. downloading a crack from a website and using it to exploit a website takes a hell of a lot less effort than growing your own custom packet-sniffing/logging software and dropping it on a box in the broom closet of the local university, filtering for login name password combos, logging into the VAX or unix box, then finding the hole(s). all i have to say is, piss off!

out.

--bc
------------------------------------------
the amazing bc
latin/funk flugelhorn & trumpet
webnaut, music junkie, sysadmin from hell

stupid stupid stupid

[renegade187]

Unless he wanted to go to jail...

Who in their right mind would try to do that? Isnt it basically akin to walking up and spray painting the white house?

I know what would be worse than jail for this guy, make him watch some "educational" videos on how hacking is "bad".

Or let Clinton boot him like the aussies tried to do on the simpsons...

Re:Graffiti

[radja]

and when was the last time someone got 15 months for spraying graffiti, and be banned from using any kind of paint for 3 years?

//rdj

Hackers, crackers, what is what?

[Lost+Carrier]

I dont know why, but lately people dont know how to differentiate these two words.

Hacking originally was smart solutions for problems. (for example the coke-machine trick)

Hacking and entering is when a hacker enters a system, reads and changes data. Ie you hack a website, you dont crack it.

Cracking has always been to crack copy protection. Cracking has nothing to do with hacking.

Lost Carrier

Re:Hackers, crackers, what is what?

[Caspuh]

As far as I could tell from thier interview on Slashdot not too long ago, this was the Cult of the Dead Cow's view also. If anyone should know, it's them.

What a profoundly anti-democratic sentiment!

[Paul+Crowley]

Questioning the decisions that Government makes, and the laws they pass, is supposed to be a central element of a functioning democracy. Yet if we're supposed to remain silent when it seems that those laws have led to bad or inappropriate consequences, the whole exercise is futile.
--

Re:What a profoundly anti-democratic sentiment!

[deefer]

"Questioning the decisions that Government makes, and the laws they pass, is supposed to be a central element of a functioning democracy."

*sigh*.
I was actually trying to imply this; I didn't think /. readers needed me to type a few extra paragraphs on the basic process of democracy and lawmaking - you have proved me wrong. But at the end of the day, it is the "elected representatives." (my words from original post) who will effect the change in the law, not you or I. Unless you're a judge! :) Although I'd like to think the legislative changes are at our behest.

But hey, that's your definition of democracy and not mine. I'd go further to state that my definition of democracy would also encompass a bit more influence on Government than mere "Questioning" - I'd like to think that they may actually take the feelings of the populace into consideration...

This isn't a just a personal rights issue, it also incorporates business law. Which I suppose is the great pity - who can shout the loudest? Huge companies with expansive expense accounts vs a bunch of [geeks|nerds] - see recent articles :) with a few laptops... Hmmmm... And we all know how much respect politicians have for judges and courts... Jeffrey Archer, anyone?

Re:What a profoundly anti-democratic sentiment!

[Head+Louse]

Yes it is our "elected representatives" & judges that make the laws. However our representaives in america are famous for their soundbite filled political speechs that don't really say anything. so we really don't know too much of what is going to happen when they go into office. When our "elected representatives" do go to propose or vote on new laws they are mainly getting there info from thinktanks and lobbyists. So in order for us to change anything not only do we have to vote for who we want but we have to shout to make ourselves heard above the tides of money in the form of lobbyists.

Javascript/ActiveX

[nhowie]

Quote from Excite article: But without the popular code, Web sites become largely passive and unable to deliver the most basic interactivity.

Just what exactly is 'interactivity' defined as here?
Most 'interactivity' can be achieved through well-coded HTML/forms and server-side code such as PHP3 or perl (hell, even a shell-script with CGI).
Perhaps 'pointless memory-hogging eyecandy' might be a better expression for most of the 'interaction' that Javasctipt/ActiveX offer ;)

... if it doesn't work with lynx, it doesn't work at all, IMHO.
--

Re:Javascript/ActiveX

[jdeisenberg]

True, I could have gotten the interactivity for the exercises in my [shameless self-promotion] Russian alphabet and chmod tutorials with server-side scripting, but that would require a connection to a server.

By doing it in JavaScript, I can offer the tutorial as a downloadable file that can be used off-line at hard disk speeds -- we don't all have T1 lines into our houses, you know.

I must confess that I do open up a sub-window in part of the Russian tutorial for the audio player control. Now if only I could add some really annoying animation. :-)

Re:Javascript/ActiveX

[Aaron39]

you spelled it wrong, its L I N U X some user u are, pshaaaa.... toodaloo


Dont let school get in the way of your education

Re:reaching DOD "high security systems" from the w

[Slamtilt]

Yeah, that was very confused. I also couldn't see why people were worried about DOD sites not being 'competitive', whatever that was supposed to mean. I don't see that the military really should be involved in any kind of war for eyeballs (pun intended, and it made me cringe, too), so what does it matter? It's not like they need to make $$$ from their sites...

High Security?

From what I gathered about classified networks during some of my job interviews a while back, they are kept very seperate. There were two ethernet jacks everywhere, a black one for the unclassified network, and a red one of the classified network. Managed hubs kept the hardware ethernet addresses in a database, so if you took a classified computer and pluged it into the black jack, it would not work, and vice versa. Most employees had two computers if they needed access to both networks. So, my point being that there really is no threat of outsiders getting access to classified information, because there simply is no path to the information. The external webservers are undoubtably on the "black" network. From what I remember, the "red" network is interconnected between sites, but is competely seperate, so I could use my "red" desktop to access other classified computers in another state (this was NJ to DC). And to relate this to the story, I really did not understand the point it was trying to make, very poor story. praXis

The problem with damages in computer 'crime' cases

[Nicolas+MONNET]

• They have to do their security home work anyway, so there's no reason to blame the cost of securing their network to the h4x0r.
• I know good sysadmins are expensive, but $40k is quite high a price to restore from back up.
• ALL the cases of computer crimes have over inflated damages. Like, when Sun claimed Mitnick had costed them $100k by stealing the Solaris source code, whereas they're now giving it away to students, and had anyway source licenses for much less at the time.

--

What all does it add?

They still have cgi scripting and stuff like Flash.

Since I'm not a web developer, could someone who is explain what ActiveX adds besides M$, and what JavaScript adds that can't be done with the above.

Also, keep in mind that if the DoD websites have JavaScript and ActiveX, so do the DoD client computers.

Security Inacuracies...

[retep]

The Department of Defense is considering banning all JavaScript and other mobile code from
military Web sites because the tools could pose a security risk to its computer systems.

If they want to keep security tight they should disable ActiveX and JavaScript on the workstations used to access at the DoD. Banning scripting on their web pages will do nothing. After all if a hacker breaks into a site the hacker can easily add a script to the site.

"Your sites will end up being less competitive overnight," Plummer said, adding that a
complete ban on all mobile script capabilities could lead to a Web presence that does not
permit online chats or the filling out and sending of online forms.

This is totally wrong. You don't need client-side scripting to make chat rooms or fill out forms. Server-side scripting (CGI for example) is adiquate. Sure you can't make a stupid little bear dance across the screen but who cares?

To give an example the tripod chat at chat.tripod.com even works with Lynx. So much for needing JavaScript or ActiveX.

In any case if you want to protect security disable ActiveX first. It basically allows anything to happen to your computer without your knowledge. Disable Java and JavaScript later. Some code might exploit a security hole in Java and might be able to cause some damage.

Interesting...

There are two interesting pieces here, one, the government is obviously trying to save face and stave off some future attempts. Second though, and more interesting to me is that here is an example of some kind of reasonable thought happening, in that they gave Java and ActiveX a shot, found them in-secure in the implementation they needed and are re-evaluating the validity of their use. Neither MS or Sun or anyone's spin team are able to talk their way of of reality and in the end this hack does show that. In reality the defacement hack should be a warning that more serious attacks can be made while the current setup exists. I belive that this makes putting him in jail a bit of an extreme response, punish him, sure, but see the light of his actions and their implications in regard to your systems.

Some Excellent Reading Material

[try67]

Prehaps he should have had a look at this article before handing the feds a confession...

Anyway - 15 months for a defacement??? OUCH...

Attention Law Breakers

I have seen several posts where people are yelling about how he broke the law and how he should be held accountable for his actions.

I would just like to point out, that by your definition, most of us have broken the law today. If you drove your car anywhere today and went even 1 mile per hour (1Kph) above the speed limit you are just as guilty, by your own defenition.

Granted the guy didn't pick the best way to expose a security flaw, and I do not condone his activity. I think he accomplished his objective.

Let ye free of sin cast the first stone.

its all about keeping face...

It means MORE to the US government to squash a computer hacker than imprision a REAL criminal (the president). I mean COME ON!! This justice BS is getting out of hand. The kid did not do anything to harm the country or anyones personal being so why is he being imprisoned?? Now if u look at good 'ol Bill, he LIED under oath and committed a REAL crime but never was punished for it. I dont think malicous hacking is a mature thing to do, but I sure as hell dont think it is a crime punishable by prison. If you dont want to haxed then get your box off the net, or learn how to admin the SOB.

fake guru list

There are a couple of fake guru's out there:

• Crackers (who think they're comp. science professors, which they are not)
• Gamers, chatters and surfers wearing beanies
• MTV crackers
• Crackers in movies like The Net (quote from The Net: "She copied the disk! Clever girl...") and Hackers (they used Mac laptops and played a game in which they flew through skyscrapers to hack into a computer: "Oh no, they're reaching the kernel!" and "Is that all that you have?!" as if you can hack more intense)
• So-called Windows freaks

If we extract those fake geeks from the real ones, there aren't many left!

Re:fake guru list

[nhowie]

So-called Windows freaks

I thought anyone who chooses to use Windows was a freak ...
--

Looks stupid

[radja]

actually, I think the punishment makes them look MORE stupid.. a LOT more.

//rdj

Is this Plummer guy a Newbie, or what?

[TrentTheThief]

Form handling and interactivity require Javascript and ActiveX? Maybe the GartnerGroup really are bunch of Microsoft stooges. Hasn't he ever heard of PERL? HTMLScript? PHP? C/C++? Director? Etc. (and sorry for the others I missed)? Which time capsule did this guy crawl out of that he thinks interactivity requires Javascript and ActiveX? Get a grip Plummer!

Is this Plummer guy a Newbie, or what?

[TrentTheThief]

Form handling and interactivity require Javascript and ActiveX? Maybe the GartnerGroup really are bunch of Microsoft stooges.

Hasn't he ever heard of PERL? HTMLScript? PHP? C/C++? Director? Etc. (and sorry for the others I missed)?

Which time capsule did this guy crawl out of that he thinks interactivity requires Javascript and ActiveX?

Get a grip Plummer!

Punishment out of line with crime

[FreeUser]

Yes, what he did was illegal (and collassally stupid -- poke a grizzly in the eye and you'll probably get mauled), BUT the severity of the sentance (and of sentencing requirements) for cracking into web sites is completely out of line with the seriousness of the crime.

1) If someone "breaks into" a computer it is not the same as breaking into a person's home. There is no physical threat present, and monetary damages have other aveneus for recompense.

2) A government or corporation operates on a completely different fiscal scale than an individual. $40,000 in damages to a large corporation is tiny (even microscopic when the government, with its $5 trillion budget, is the target. Whereas for an individual that is allot of money -- often more than one makes in a year. It is bad enough that corporate America is the recipient of enormous tax breaks, development grants, and other forms of corporate welfare, not to mention preferred status when it comes to legal and economic rights, but to eqaute a $10,000,000 corporations $40k loss with an average individual's $40k loss is really absurd.

3) Most of the "damages" this particular cracker is being accused of amount to fixing security flaws which already needed fixing. How would it have been if, instead of a punk teenager, cybersquadrons working for Slobodan Milosovic had cracked the site instead? They needed to fix their security regardless of what this kid did -- the only "damage" they can reasonably accuse him of causing is the time needed to recover the old web pages from backup and put them back on the server. The rest was work they needed to do, anyway -- sticking this cracker with the bill is extremely unjust.

4) Oh, they didn't have backups? Well, to blame that level of stupidity, incompetence, even negligence, on a cracker (however malicious) goes well beyond absurd.

Cracking is wrong. It should be punished. But to equate it with real-world breaking and entering, and to argue that financial damages which are miniscule to a large corporation and governments are the same as those for an individual of modest means and should be punished the same, is to toss justice to the winds and replace it with an ugly form of modern corporate witchburning.

Alas, while cruel, this kind of crushing penalty for individual misdeeds against a large corporate or government entity is hardly unusual in this country, so it is unlikely that this cracker will succeed in appealing his sentence on the grounds that it is "cruel and unusual."

Re:Punishment out of line with crime

[Woodie]

Hmm -

admittedly the punishment does seem a bit steep for the crime. However, there are a couple of aspects of this that need to be considered:

1> You've got to send a message now, that that kind of behavior will not be tolerated. It needs to be made clear that it is illegal, and you will be punished _severely_ if caught. This helps deter repeat offenders - and occasionally inspires more offenders who are irate about how big brother came down hard on some fool who broke the law.

2> Equating it to real world breaking, entering and vandalism is perfectly correct. Think about it, if I break into egg-head or buy.com - that is there only store-front. They are completely virtual, they have no real-world stores. If you vandalize, or crack the system to get yourself some cool stuff - that is just as bad as real life. To continue operating under the apprehension that virtual == not real means that online businesses, and citizens are always second class, and not necessarily afforded the same rights as their IRL counterparts.

When you say there is no physical threat, I think you severely underestimate the possibilities. Much of this depends on what kind of system I break into - but the possibility exists for theft and larceny on a grand scale. Those crimes are punishable by long prison terms, and large fines. Poking around government sites, and grabbing info from them, and confidential corporate information can result in some very serious physical threats. You may unknowingly be threatening hundreds or thousands of people's livelyhoods, or revealing information which leads directly to physical action being taken by certain individuals....

In this case - none of that occured. But you've denied the fact that it could have.

3> When you read the article, they mention that he broke into several sites - and he's being punished with a $36,000 fine. If you figure around 5K damages to each site that's not unreasonable - as it represents the damages caused by lost functionality during the time the sites were vandalized, and the cost of restoring from backup - and probably a week of some engineers time to patch the security hole. Personally, I think the prison term of 15 months is enough, and would forgo the fine - but don't even imagine that 36K is _unreasonable_.

- PW

Re:Punishment out of line with crime

[Chandon+Seldon]

1> You've got to send a message now, that that kind of behavior will not be tolerated. It needs to be made clear that it is illegal, and you will be punished _severely_ if caught. This helps deter repeat offenders - and occasionally inspires more offenders who are irate about how big brother came down hard on some fool who broke the law.

It is not the purpoise of the criminal justice system to "send messages". Each case should be judged as a unit. Remember: Those who break the law still have rights - and if the punishment doesn't fit the crime it should be considered cruel and unusual.

[really OT]

[ethereal]

And this was "Insightful" how?

Browsers are too powerful anyway.

Oh good, an unfounded opinion with no supporting evidence...

They should have access to your system the way they do now.

...followed by an incomprehensible statement. So either you don't want things to change at all, you're missing some key words in there, or you're using "now" to mean two different timeframes.

As a comment this isn't too far from the average /. comment posted here. But it's definitely not "Insightful". I've read it five times and still have no insight into what the author was getting at.

[even more OT] While I'm ranting, what's up with everybody cutting and pasting their signatures at the bottom of their posts? If you have a /. account, you can put your signature in the space provided on your user page. Then other readers can turn off signature displays in their user profiles, and not have to download and view signatures. If everybody just pastes their signature lines at the bottom of their messages, then the system doesn't work.

OK, I think I'm done now.

Re:[really OT]

But it's definitely not "Insightful". I've read it five times and still have no insight into what the author was getting at.

I'm afraid I have to agree. What's more, my comment about 'crackers should get what's coming to them' got moderated down to -1, any particular reason why?

Looks like a load of morons just got moderator access... (or pro-cracking hackers)

Re:[really OT]

[hey!]

It's not that browsers are to powerful; it's that they're too trusting. While there are elaborate security measures in Java and Javascript, for example, these are not sufficient because as soon as the browser activates a helper or a plug-in, all bets are off. So you click on a Word document with a macro in it, and all hell breaks loose.

The combination of a browser and quasi-executable content that is interpreted by outside applications is a security witch's brew. Stir in a little OLE automation and you've got real trouble.

Any piece of executable script should come with a signature that's checked against a trusted authority. This shouldn't just be when you click on a ".exe" in the browser, but when activating any object or macro throughout the system.

Java and Javascript aren't too bad. What they should really do is band the ".doc", ".xls", ".ppt" and any other kind of file format that can be executable from their servers and e-mail systems, unless the interpreter limits access to the system, the way Javascript and Java do.

Removing ActiveX/JavaScript from DoD's WILL help..

[cowbutt]

...because if internal web pages require ActiveX or Java for navigation, most users will leave those features switched on all the time, even when surfing untrusted sites.

If internal sites no longer require mobile code to be executable, then it will be easy (well, easier) to disable those features in the browser permanently with little impact on legitimate use.

Maybe I'm judging too harshly, but hey, I've just been asked to spell 'ls' by one of my users...

Lawyer: prison not for reform

[hawk]

The notion of people reforming in prison is nice, but it just doesn't happen. Yes, you see the occasional article about it,which is exactly the point: it's so rare that it's newsworthy when it happens.

Prison renders criminals incapable of committing crimes for some period, and it punishes them. The criminals that do go straight usually do so because, in a moment of lucid thought, they realize that if they don't commit any more crimes, they don't have to go back! This is obvious to most of us, but a revelation to a large portion of the population in question.

This doesn't mean that we shouldn't try to teach them useful skills: this changes the choices that they're making about whether or nto to commit more crimes. But for Heaven's sake, please don't put the white collar criminals inthe same prisons with the regular folks--we don't want them cross-polinating.

While I'm at it, prison *is* cost effective for felons. I wish that I had a nice cite for it handy, but studies have shown that the financial losses alone from the crimes commited by felons are lowerthan incarceration costs. We pay taxes to lock them up, butwhile lose, they inflict a random tax.

Re:Lawyer: prison not for reform

[Ozwald]

I've said it before, and nobody will listen this time either. But here goes anyway:

This guy figured out how to break in to a location that should be impossible to get to. And the first thing that comes to the governments' minds is smack the guy around fooling themselves that he will automagically reform.

Instead, they should be promoting his talents. Put him on salary. Tell him to hack into government networks. Because if he can do it, someone from a less friendly country can too. Who would you rather have breaking into your computers?

Ozwald

Re:Lawyer: prison not for reform

[paxil]

The notion of people reforming in prison is nice, but it just doesn't happen. Yes, you see the occasional article about it,which is exactly the point: it's so rare that it's newsworthy when it happens.

Recidivism is high, however, I have not seen a definitive model of causality WRT this. IMHO, there are probably structural reasons for the failure of the prison system to reform inmates. Perhaps the total cost to society would be reduced if somebody would take a serious look at this.

Prison renders criminals incapable of committing crimes for some period, and it punishes them. The criminals that do go straight usually do so because, in a moment of lucid thought, they realize that if they don't commit any more crimes, they don't have to go back! This is obvious to most of us, but a revelation to a large portion of the population in question.

I thought that there were four "R's" which guide the design of correctional institutions:

Restraint: Prevent them from comitting crimes while locked up.

Restitution: Pay for any physical or psychic harm which resulted from the crime.

Retribution (Retaliation): This covers the belief that someone who has done wrong should be punnished.

Rehabilitation: A person should come out of prison not wanting, nor needing to commit more crimes. This serves the incarcerated individual as well as society as a whole.

The "R" with the greatest potential for reducing costs for the average citizen is the one which you discount: Rehabilitation. If we could get at, understand, and change the reasons for so many people returning to prison, we would dramatically reduce the cost of criminal justice, as well as save a few souls.

Re:Lawyer: prison not for reform

[hawk]

> [four R's]

Yes. ALthough when most states lay out their philosophy, they at most use 3.

> The "R" with the greatest potential for reducing
>costs for the average citizen is the one which
> you discount: Rehabilitation.

It's not that I discount it--I used to believe in it. But with very few exceptions, it just plain doesn't work. It's not any bias that I have, but a bitter conclusion from dealing with criminals.

>If we could get at, understand,

This we have. It's easier to steal, and they have a weak understanding (at best) of the correllation between crime and being sent back to prison.

> and change the
>reasons for so many people returning to prison,
>we would dramatically reduce the cost of criminal
>justice, as well as save a few souls.

Yes, if we could find a way. I no longer have much hope, but still think we should give them chances to learn productive skills while incarcerated.

Incidentally, the notion of a penitentiary comes from the Quakers. The idea was (roughly) to leave them in the cell with nothing but a Bible, and eventually they might find the error of their ways, become penitent, and leave a good person.

Indeed (somewhat off-topic)

I have been recently accused of a crime. While changing lanes on a state highway, I was struck by a vehicle that apparently attempted to pass me on the shoulder before I completed the lane change, ran out of shoulder, and struck my car. Because I was struck in a manner that appeared to indicate that I hadn't checked my blind spot, I received a traffic ticket for illegal lane usage. That is a crime. While supposedly a minor offence, the ticket clearly states "People of Illinois vs. ". Furthermore, contrary to popular belief, I am NOT guilty until proven innocent (of a traffic violation). In fact, if I so chose, I can elect a trial by jury. Us accused criminals do have rights (at least in the U.S.) It should be clear at this point that I am fighting this charge and maintaining my innocence (yes, I signalled, checked my blind spot, etc). But, if found guilty, I will forever have to admit that I am a convicted criminal (on job applications, to immigration officials while travelling, etc.) While most wouldn't bother, failing to do so is fraud (and possibly purgery), for which the punishment can be much more severe than the $75 fine I received. For example, I could be fired from a job for lying about a criminal past on an application, etc. Sure, it would be an unreasonable thing to do, but we all know that zealotry comes in waves, and technically I would be in the wrong. Since I don't particularly like the stigma associated with being a convicted criminal, and believe myself innocent of any wrong-doing, I will fight this. Legal fees will likely run from $180 up, so clearly it isn't a matter of not wishing to fork over $75 (which I would consider a reasonable fee for the service the police rendered in recording the accident for insurance purposes, if I didn't have to admit guilt). In Liberty, Rene S. Hollan P.S. in Quebec, Canada, asking to see a warrant or what one is charged with can be "reasonably" construed as delaying the process of law enforcement, and usually results in an additional charge of "obstructing justice" (which would probably not stick, but can lead to an immediate arrest). I've seen this happen to a poor black kid (Blacks and Montreal police do not mix) who was a few minutes late getting the last student-fare bus to go home and was arrested for trying to defraud the bus company by not paying full fare. It disgusted me to see the police respond to the bus driver's call with no less than six cops in riot gear to arrest what appeared to be a ten-year-old. Sadly, I did not have the courage to stand up to this blatant abuse of police power at the time.

Re:Indeed (somewhat off-topic)

[elgardo]

I believe the immigration thingies ask you, not just if you have ever been convicted of any criminal acts, but it also continues, "with the exception of traffic violations". Always read the entire paragraph before checking off the box. :^)

Re:Indeed (somewhat off-topic)

True enuf, though I've seen the "with the exception of traffic violations" clause omitted as often as I've seen it included. I was once asked, on entering the U.S. from Canada (I am a Canadian citizen, and a current (but not then) TAX (as opposed to permanent) resident of the U.S.), if I was ever convicted of a crime. Period. No "traffic violation" clause. I replied (truthfully) "no" and was asked the same question two more times. I suspect that the immigration officer may have thought I was lying because I didn't admit to any traffic violations (since I never held a driver's licence or owned a car up to that point, it was unlikely that I could[1]). He did let me enter the U.S., though, without further hassle. In Liberty, Rene S. Hollan [1]It was possible to have been guilty of a traffic violation anyway, because bicycle riders are subject to the same highway code as drivers (in Quebec, anyway).

Indeed (somewhat off-topic)

I have been recently accused of a crime.

While changing lanes on a state highway, I was struck by a vehicle that apparently attempted to pass me on the shoulder before I completed the lane change, ran out of shoulder, and struck my car.

Because I was struck in a manner that appeared to indicate that I hadn't checked my blind spot, I received a traffic ticket for illegal lane usage. That is a crime.

While supposedly a minor offence, the ticket clearly states "People of Illinois vs. ". Furthermore, contrary to popular belief, I am NOT guilty until proven innocent (of a traffic violation). In fact, if I so chose, I can elect a trial by jury. Us accused criminals do have rights (at least in the U.S.)

It should be clear at this point that I am fighting this charge and maintaining my innocence (yes, I signalled, checked my blind spot, etc).

But, if found guilty, I will forever have to admit that I am a convicted criminal (on job applications, to immigration officials while travelling, etc.) While most wouldn't bother, failing to do so is fraud (and possibly purgery), for which the punishment can be much more severe than the $75 fine I received. For example, I could be fired from a job for lying about a criminal past on an application, etc. Sure, it would be an unreasonable thing to do, but we all know that zealotry comes in waves, and technically I would be in the wrong.

Since I don't particularly like the stigma associated with being a convicted criminal, and believe myself innocent of any wrong-doing, I will fight this. Legal fees will likely run from $180 up, so clearly it isn't a matter of not wishing to fork over $75 (which I would consider a reasonable fee for the service the police rendered in recording the accident for insurance purposes, if I didn't have to admit guilt).

In Liberty,

Rene S. Hollan

P.S. in Quebec, Canada, asking to see a warrant or what one is charged with can be "reasonably" construed as delaying the process of law enforcement, and usually results in an additional charge of "obstructing justice" (which would probably not stick, but can lead to an immediate arrest). I've seen this happen to a poor black kid (Blacks and Montreal police do not mix) who was a few minutes late getting the last student-fare bus to go home and was arrested for trying to defraud the bus company by not paying full fare. It disgusted me to see the police respond to the bus driver's call with no less than six cops in riot gear to arrest what appeared to be a ten-year-old. Sadly, I did not have the courage to stand up to this blatant abuse of police power at the time.

Java/Active X?

[johnnycache]

I'd think the security hole is the use of IIS, not Acive X/JScript. It's probably the most, and most easily hacked server software on the planet. If they are trusting security to NT/IIS I believe it is the sysadmins that deserve prison time. Remember, the only real security is made with scissors.

Re:Java/Active X?

[Zagato-sama]

Out of curiousity, what is so unsecure about IIS?

Re:Graffiti

[Gid1]

Sod 15 months.. I'm sure anyone that tried to graffiti the side of the White House wouldn't make it as far as the driveway before becoming a disfiguring red stain on the wall.

Re:Graffiti

More like... dude takes out a store's window and replaces it with his own window, which has graffiti on it. The original window is put behind the counter in the store.

As a result, he gets 15 months in jail, is banned for doing any kind of painting (even though he would have been hot in the advertising industry), and is billed for a brand new window, as well as the new metal bars put in front of the window, on the outside, and the new security system put in all points of entry to the store.

Now, imagine that the "store" in question was the White House...

Sure, what happened was illegal, but it also goes to prove several things (that we already knew), such as 'the "superior" shall not be defaced', 'the White House is no normal shop', etc. However, I also believe that the US often strikes too hard, too fast, without thinking. It's an "eye for and eye" mentality, driven by the adrenalin rush, rather than thinking of the best of society. I am pretty certain that I could easily have fallen into the same hacking pattern myself, while I was in college, had I not been given the RESPONSIBILITY of administering one of the servers. In other words, I was put on the other side of the entire issue, worked together with administration, I had other people try to hack into the system (provided that they didn't destroy anything), etc. In other words, with the responsibility given to me, I turned lawful. But without such responsibility, if I was to be concidered "just a little kid who shouldn't have access to none of this stuff", there is no doubt in my mind that, in order to make use of my skills, I would turn to the more illegal side of computing.

And again, this is where I see the US going in the wrong direction. The country is generating criminals by treating its skilled residents as fools, and supressing them, rather than recognizing and giving them the tools to use their skills, in such a way that they'd also feel that they were part of BUILDING the country.

That being said, I am sure I will now be tremendously flamed for whacking down on the allmighty US of A.

I wonder...

[Yakko]

if the whitehouse folks are (or were) using something blatantly insecure in the first place, like FrontPage extensions... From what I've read about others' experiences with this, getting cracked as a result is not only trivial, but arguably deserved imho :o)

Also, if this is indeed the case, it doesn't take a web page defacement to gather that they're stupid anyway.

--

Oh No, It's The Gartner Group!

[C+A+S+S+I+E+L]

(They're my favourite consulting firm. Really. Very entertaining when there's nothing else to read.)

But without the popular code, Web sites become largely passive and unable to deliver the most basic interactivity.

I dunno: many of the sites I visit (and the ones I implement) seem to manage fine without any mobile code whatsoever.

Dave Plummer, a vice president for Internet and Java at the GartnerGroup consulting firm, noted that without any mobile code capabilities, DOD Web sites would become much more static than standard corporate Web sites.

This is a bad thing?

"Your sites will end up being less competitive overnight," Plummer said, adding that a complete ban on all mobile script capabilities could lead to a Web presence that does not permit online chats or the filling out and sending of online forms.

(a) Untrue; (b) Since when was the DOD competitive?

BTW: has anyone seen mention of any kind of class action lawsuit against MICROS~1 for their criminal negligence in design and implementation of security models in their internet and web tools?

The legal system is a horrible deterrent

[Mark+Histed]

In more usual crimes like physical vandalism or arson, laws are needed to prohibit them because there's no other way to stop these crimes. (There's no such thing as totally spray-paint resistant walls, for example.) Laws are meant to stop crime by punishing it. They are not perfect.

In recent years, the same philosophy has been applied to information crimes like hacking. The difference is that there is such a thing
as a hack-proof web site. If the goal is to stop hacking, the best way to do it is to make your web site hack-proof, not rely on the incredibly inefficient legal system as a deterrent. (inefficient: how much does it cost for the judge, court staff, courtroom, lawyers, etc. to prosecute a single case?)

As society changes, legal philosophies need to change too. (c.f. the FSF. :-)

As a side note, 15 months in prison? For a 19 year old who was able to put some files on a disk in Washington because the web site designers didn't do their jobs correctly? How many lives did he put at risk? Give me a break.

It's all about arrogance, attitude and vengeance.

This Cracker is going to be SLAMMED by the gov't just for his arrogance of "I h4x0r3d your site so ha! ha! ha!". So now the Feds want revenge and to teach this guy a lesson he'll never forget. The law is already waaaay out of the picture by now. This is a personal vendetta. And if you don't believe me that this is so, walk up to a cop and flip him the finger. There's no law saying this is illegal, yet watch what kind of massive retalliatory punishment settles upon you. Will it be disproportionate to what is not even defined as a crime? You bet. Is what's happening to the cracker any different?

Are you kidding?

[Danse]

What if the hacker put up something really inciteful, like slurs against other countries?

Fine. If someone does that, they should be held accountable. What does that have to do with this case? Should the lawyers prosecute him for something he could have done, but didn't? As for making the country lose face, how is it his fault that they had crappy security? I'd say if anyone caused anyone to lose face, it's the admins responsible for the website. They were the ones that didn't have a secure box. Maybe they think they shouldn't have to worry about security because they can just prosecute anyone that makes them look bad. God help us if the military starts thinking this way.

"What do you mean the missile missed? The target moved?! Dammit! Get the legal department on the phone! Those bastards are trying to make us look bad!"

About Zyklon's attacks

Posting anonymously, for hopefully obvious reasons.

Though I can't comment on the attack he was charged on because I have nothing to do with that site, I do administer a site he also attacked, and we cooperated with the investigators in Virginia.

In our case, he cracked root on several machines, set up sniffers, messed with our name server, and caused a lot of havoc. The main goal appears to have been to change our web page, but he did a lot of damage along the way.

So, don't assume that "just changing the web page" is a minor thing or is easily fixed. There could be a lot more to the story.

Let him fry

People have to know that this stuff is wrong. It's right up there with breaking into a house and vandalizing it.

I knew this guy...

Wow! I went to school with this guy and have known him since ... 2nd grade I think. We even played on the same soccer team as kids. Craziness. I wonder if he's gotten a job offer from the NSA? He has the working resume that should enable him to get in...
Hey Eric, best of luck to 'ya in your new job! Just don't store work files on your home PC, k? ;~)
PS How good is anonymous posting at /.? Oh well... enough clues there for someone to figure out who I am probably.

Re:reaching DOD "high security systems" from the w

[hey!]

Well, the problem is that when you get too paranoid about security, you end up with less security.

In the China nuclear spying cases it turns out that the nuclear scientists had secure systems on their desktops right next to the insecure ones, but by the time a pc model gets certified for secure work it is obsolete. So, you can either wait for your secure P90 to grind out results or you can rock on your PIII/500.

I wouldn't be surprised if there were similar issues in the military of people trying to get their job done by working around the regs.

Re:It's all about arrogance, attitude and vengeanc

[ph0rk]

Your point? If you were to be blunt enough to stroll up to a peace officer and explain your inner feelings towards him via your middle finger, would you really expect him to ignore you? Hacking any governmental site is dumb. Getting caught is dumber. Being dumb is bad.

Well, its a Good Thing{tm}

[quonsar]

So, if I understand the legal thinking behind this:

Masturbating on the White House Lawn is far more Bad{tm} than masturbating on your common, everyday suburban front yard lawn.

In order to make that point, a judge could sentence you to non-use of your penis for 3 years.

======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

Why not do both?

[Fastolfe]

I wish everyone would stop insisting that this kid did nothing wrong here. He broke into a web site and caused people a lot of grief. He knew what he was doing, and he was aware of the consequences.

No Computers for you...Bad Bad boy

[billybob+jr]

Is it just me or is denying someone use of a computer for 3 years some sort of infringement on the individual's rights? Yes he committed a crime. He is being punished for this already. I'm a bit confused as to how it is legal for a judge to forbid someone from using a computer.

Is someone who steals from a convenience store forbidden from shopping in a store after they get out from prison?

Are there other examples where someone who commits a crime can be denied freedoms after they serve a prison sentence?

Good, bad and the ugly

[liNA-seven-nine]

i got this dialog on irc:

doodz 1: dude! they got eric! shit!
doodz 2: let's not hack another site again! agree?
doodz 1: i'll never touch a computer again!

do you think that by punishing eric will makes the kids stop. hell no! the only action that 2 of eric's friend will do is cr|h the site again. and this time they will make sure they won't get caught. i'll bet on all of my $34.98

--

defacing is the way!

[liNA-seven-nine]

illegal? yes. but never says it has no practical value. these kids shows what terrible security the sites had.

you are saying that give e-mail to the admin saying that they got a bad security. i have try that. it doesn't work. check www.djakovo.net. i have given them e-mail for the past 3-4 month. then came SysEdit. i keep telling them...but they won't listen.

--

Origin of "Zyklon"

[hwestiii]

Does anyone know anything about the origin of this person's nom de hack: 'Zyklon'?

The association that I made immediately is with 'Zyklon B', the trade name of the agent used in Germany to gas Jews during WWII.

Whatever his crimes or misdemeanors, his choice of hacker name instantly diminishes his credibility with me.

Re:Rebuilt - What - no audit logs or backups??

Sack Sysadmins who can't rebuild in the time a full restore could be done. Assine remarks - the belts and braces approach - reinstall everything indeed is for LCMs. There are smarter ways to rebuild a compromised system - like running rsync against a master image. The audit log, duplexed , will be trustworthy, as will any file checksum/alterations. If you dont trust these - then get a better operating system, as well as paying overtime to people who are supposed to administer security (LOG CHECKING BY ANOTHER NAME) This assumes you have a backup strategy and disaster recovery process in place, as well as QA and change procedures, and can competently do partial restores, as well has having some automatic rebuild scripts.

Re:backdoors - more rubbish

Thats why something like tripwire exists. All you gotta do is a partial restore of the affected files and reboot ; after fixing the problem so it does not come back; The author claimed excuses for not being on top of the situation. I find subscribed security alerts beat kiddy hacks like this every time. I know that there are more holes - that the non-kiddies know about, that are most hush hush. It pays to be across the holes in several OS's, as similar tricks ripple through. The resources to punish would be better directed to education.

Hrm

[Robert+S+Gormley]

Take two hands. Take shirt off. Now, thump chest repeatedly, Tarzan-like, chanting/shouting "U S A. U S A."

Surprise surprise. What do you know? The right to silence, and the right to an attorney are pretty well enshrined in a very high proportion of all first world countries, including most of Europe, and Australia, Canada, etc.

Enough with the ego massage.

Temptation.

... and lead us not into temptation, but deliver us from evil.

This sentence has its corollary: Thou shalt not tempt.

Quite obviously, it's time Her Britanic Majesty lent her webmaster to the ex-Colony to teach the Presidential and many other system admins how to do their jobs so that they do not tempt the country's citizenry. Number one is to teach the admins how to restore a system from backup in less than Two Days! For goodness sake, can't you do it properly even on the Head of State's server? It's not the hacker's fault that the sysadmins are a bunch of utter no-hopers. Now update the o/s on www.whitehouse.gov to somthing a bit more modern and the Web server to something a bit more secure.

telnet www.whitehouse.gov 80
Trying 198.137.240.92...
Connected to www.whitehouse.gov.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 404 Not found
Server: Netscape-Enterprise/3.6
Date: Wed, 24 Nov 1999 09:05:13 GMT
Content-type: text/html
Connection: close

Netcraft tells me that the o/s is Solaris.

contrast this to:-

telnet www.royal.gov.uk 80
Trying 193.32.28.66...
Connected to www.royal.gov.uk.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 24 Nov 1999 09:53:44 GMT
Server: Apache/1.3.3 (Unix) (Red Hat/Linux)
Last-Modified: Wed, 03 Nov 1999 12:23:59 GMT
ETag: "e808-2214-3820295f"
Content-Length: 8724
Keep-Alive: timeout=15, max=100
Content-Type: text/html
Connection: close

Connection closed by foreign host.

The first is a real temptation the second is not anything like as bad.

In spite of he misdemeaners; what the Ultimately Satanic Area has done to this young boy is totally over the top. A free society? HoHum! I hope that the AC account really _is_ anon. Oh well we'll soon find out.

anyone have a copy of this article?

[csnow]

Hi just wondering if anyone could provide me with a copy of the article referenced here, I can't seem to find it online anymore (or not free anyway). thanks