White House Web Page Cracker Faces Prison
gregstoll writes "Hacker Eric Burns (alias Zyklon) faces prison, according to this New York Times article (free registration required, of course...)" Meanwhile, according to an Excite News story sent in by lots of people, the DoD is thinking about removing JavaScript and ActiveX from its sites to make them harder for crackers to penetrate.
this isn't meant as flamebait, but he deserves it. the stuff he was doing was illegal. it has almost no practical use, other than to show a security hole, and the best way to do that is NOT by defacing the webpage. that's like breaking into a house and trashing it to show that locking your door is a good idea. yeah, it works, but there are other ways.
--
you must amputate to email me
i read all replies to my comments
This is, of course, to be expected. All cracking is illegal even if nothing is broken! This guy just hit the wrong site and got caught.
You must suffer the consequences of your actions, and cracking the White House site is a bad idea...
Computers can only simulate determinism. ~Hermetic.
Heya, if we spread the rumor that removing JS and ActiveX will make sites more secure, maybe it'll just go away. Yeah, let's.
yadda
If he broke into computers, he should be punished. But I'm a bit dubious about this 'three years' thing. Computers are no longer a luxury; most people reading this have computers as an integral part of their life. There's also the problem of 'what is a computer'. Can he play pacman in the local retro-arcade? What about a playstation? Can he program his video to record 'buffy' when he's at a parole meeting? Can he take cash from ATMs?
I could go on. And given the slightest incentive, I probably will.
I thought the problem with ActiveX was that it was a security hazard for the browser -- the person doing the surfing -- and the browsing system. Ditto JavaScript. Can someone please explain to me how these tools are a threat to the servers and their hosting systems?
Or is this just the case of some non-tech-savvy DoD security wonk overreacting to something he's read and misunderstood about the security issues? It happened at NASA. You wouldn't believe the trouble we had getting Java code into mission control at JSC, because some misinformed security expert decided that Java == security threat. *sigh*
--JT
Sounds like the government is charging the same thing back to the public as it does paying for stuff. Three attacks? How in the world would that equal anywhere near $40,000 in damage. I mean come on now. Unless they are paying someone 300 bucks an hour or something to reconfigure a machine. Oh well I guess I won't be learning how to crack into websites anytime soon. Not that I wanted to do it in the first place, this was enough to discourage me.
Good is never enough, when you dream of being great!
How will banning the use of Javascript and ActiveX from DoD sites prevent people from hacking DoD servers? Also, how does this help client machines, do they not trust their own servers? The problem with Javascript and ActiveX, is when DoD people use DoD computers (PCs) to surf untrusted sites on the Web. Then Javascript and ActiveX, especially ActiveX, become a security risk. Mobile code is a problem when users go get it from an untrusted site, DoD users should not be doing that.
Those who can do. Those who can't sue.
A few things came up from reading this - the guy seems to think "the punishment is harsh for what he did".
I don't agree with this punishment for computer intruders, but the law is the law until it is changed by your elected representatives. And if you got caught, then tough tittie. You knew the risks. HNN has an excellent article about it.
Basically, this type of activity is like trespass & vandalism. In the UK, that's more like a slap on the wrist community service type punishment. I'm not going to go on about ethics or morals; that's been done to death and everybody has a different standpoint.
What would ultimately benefit society more - imprisoning this kid for a year, or making him teach (under supervision) underprivileged kids how to use computers?
Strong data typing is for those with weak minds.
In the case of "(a)", I'd hope that no "high security systems" are accessible from the web. Surely the web servers are not on a network with access to sensitive data?
In the case of "(b)" the same thing applies. Would they really have a machine with access to both the WWW and sensitive defense info?
When the DOD talks about "high security" I assume this means as high as it gets anywhere. High security buildings have only one door. This makes it sound like they built a "building" (so to speak) with thousands of doors and now they're lamenting the fact that they can't keep their eyes on all of them at once.
-
"I am not trying to prove that I am right... I am only trying to find out whether." -Bertolt Brecht
Guvf vf abg n frperg zrffntr
In the Netherlands crackers get caught too, but they only get a warning to stop being a naughty boy/girl. Killers will get in prison, not people who just had a little harmless fun! I used a major Dutch company's ports to send a lot of fake mail and used their servers to get even on this nazi pig I know and when they caught me, all they (the company) did was mail me back to say that they don't appreciate that stuff and ask me to please not do it again (and ended with friendly greets).
With the government and police it's more serious. The major crackerclubs here got caught now and then and the worst punishment they got was that their computers were taken from them (to analyse) and they had to pay for the damage they did.
There's not really a big mafia here, we just get along and don't make a big fuss about nothing.
So much for the American freedom...
I worked for a company that had military contracts, and our corporate web pages had javascript -- but our firewall stripped out ActiveX/Java/JavaScript from external web sources. With ActiveX/Java/JavaScript the problem isn't usually the server, it's usually the client, right?
In any case, does anyone remember the _Far_Side_ that has the mother and son dog... the son is in Jail and the mother is visiting, saying ``You shouldn't have chased the _president's_ car'' or something like that...
-- Erich
Slashdot reader since 1997
I admit to not knowing that much about this case, and don't have time to register for the NYT; but what that cracker did was illegal - so surely he should be punished?
I'm all for looking around interesting boxes on the net, but surely he must have known that whitehouse.gov is another matter, and he must have known beforehand that the consequences would be very severe.
IMHO, in a more general sense, if you choose to compromise a computer, that's one thing, but when you change the HTML, that is just plain stupid. It's the electronic equivalent of putting graffiti on a wall: if your real information (name, address etc) becomes linked to your handle, you are in the shit. The electronic sense is even more stupid though, there are logs.
It also seems that an example is being made here. If you tread on the toes of any .gov or .mil, it is highly likely that one day, you will be caught, especially if you are in the US.
Security has two sides: learning it, and becoming extremely knowledgeable to the point where you are highly employable, and the more sinister, less knowledgeable side of defacing web pages. I'll let you figure out which one to choose.
To me, this seems like justice.
Aieeee, the time.
"Could the end of the world come about as result of some 12-year-old with his new Gateway rather than the more conventional Judeo-Christian four horsemen?"
;)
We all know the end of the world will be because of Y2K. Sheesh...get a clue
It's 10 PM. Do you know if you're un-American?
I've never liked Javascript ever since it became too popular. Personally my Netscape has Javascript disabled, simply because too many sites pop up lame consoles without my permission and it annoys me to no end.
I view websites as repositories of information, not entertainment theatres. If you want "interactive" entertainment, you can always download Quake :-) or go to the arcade. But when I search for useful information on the Web, the absolute last thing I want to see is a site that takes forever to load, pops up endless consoles with irrelevant ads/notices/whatnot, cluttered with useless animations and "interactive" crap. Give me a break, just deliver your goods! (If you have anything other than those useless crap, that is.) When I'm looking for something, sites with Javascript, ActiveX and what-not just don't fit the bill.
I realize that many people browse the web just for fun, so these things serve more like curiosities than annoyances. But to me, there are cleaner ways to do this than with JavaScript, or ActiveX (with all its security flaws). But technicalities aside, I still think it's utterly rude for an unsolicited, irrelevant console to pop up every time I load something from a particular site.
Also, the article seems to be making the claim that HTML forms will not work if they ban Javascript?!?!?! Come on, people, CGI is NOT "mobile code", which is the question at hand! Banning Javascript is a good thing. Your CGI scripts can still work (or use Java servlets instead, if you're paranoid about security. Not that that is much more secure, though). Just cut that useless Javascript crap from your pages, the net (IMNSHO) will fare better without it.
mikre he sophia he tou Mikrosophou.
15 months for breaking into a computer. What's the going rate for assault and battery, probably close to the same. I'm sure that people have gotten 15 months plus/minus for manslaughter. Let's look at the damage that was done here, someone posted 'j00 h4v3 b33n 0wn3d' with a list of names at the website. And now White House officials are screaming and yelling that he caused two days of downtime to their internal and external networks. I'm not a sysadmin but I know enough to be able to say that a hacked webserver should not affect a well built network to that extent. Plus, this kid is 19 years old. In our current day and age, let's be happy that he was messing around in front of his computer rather than planning to bomb his school. What will 15 months in jail teach this kid, do you really think he will come out with some positive reinforcement.
Just a quick correction:
He did not deface the Whitehouse webpage. He denied it, he knows who's responsible but refused to name them. (read Hackernews, www.hackernews.com) as an example.
I don't like the idea of limiting him to "3 years without a computer". I think that the laws are very vague on the definition of what a computer is. Can he use an ATM machine? Work at McDonalds? Or operate any Point-Of-Sale system for that matter? Prison is supposed to reform prisoners, but denying someone computer access (not internet access) is like denying someone a way to make a living, and a lot of good that does to help them fit back into society again.
-=- SiKnight
Questioning the decisions that Government makes, and the laws they pass, is supposed to be a central element of a functioning democracy. Yet if we're supposed to remain silent when it seems that those laws have led to bad or inappropriate consequences, the whole exercise is futile.
--
Xenu loves you!
Quote from Excite article: But without the popular code, Web sites become largely passive and unable to deliver the most basic interactivity.
;)
Just what exactly is 'interactivity' defined as here?
Most 'interactivity' can be achieved through well-coded HTML/forms and server-side code such as PHP3 or perl (hell, even a shell-script with CGI).
Perhaps 'pointless memory-hogging eyecandy' might be a better expression for most of the 'interaction' that Javascript/ActiveX offer
... if it doesn't work with lynx, it doesn't work at all, IMHO.
--
The Department of Defense is considering banning all JavaScript and other mobile code from military Web sites because the tools could pose a security risk to its computer systems.
If they want to keep security tight they should disable ActiveX and JavaScript on the workstations used to access at the DoD. Banning scripting on their web pages will do nothing. After all if a hacker breaks into a site the hacker can easily add a script to the site.
"Your sites will end up being less competitive overnight," Plummer said, adding that a complete ban on all mobile script capabilities could lead to a Web presence that does not permit online chats or the filling out and sending of online forms.
This is totally wrong. You don't need client-side scripting to make chat rooms or fill out forms. Server-side scripting (CGI for example) is adequate. Sure you can't make a stupid little bear dance across the screen but who cares?
To give an example the tripod chat at chat.tripod.com even works with Lynx. So much for needing JavaScript or ActiveX.
In any case if you want to protect security disable ActiveX first. It basically allows anything to happen to your computer without your knowledge. Disable Java and JavaScript later. Some code might exploit a security hole in Java and might be able to cause some damage.
Form handling and interactivity require Javascript and ActiveX? Maybe the GartnerGroup really are a bunch of Microsoft stooges. Hasn't he ever heard of PERL? HTMLScript? PHP? C/C++? Director? Etc. (and sorry for the others I missed)? Which time capsule did this guy crawl out of that he thinks interactivity requires Javascript and ActiveX? Get a grip Plummer!
but what that cracker did was illegal - so surely he should be punished?
No! You've got it completely backwards. Laws aren't the word of God. They're just a bunch of letters and numbers on a piece of paper.
Just because something is illegal does not mean it's wrong or that someone "should" be punished for doing it. The government is supposed to create laws to help protect the rights of the people. But lately the whole thing has just fallen apart. Everything's upside-down; instead of protecting and serving us, the government is abusing and harassing us.
It also seems that an example is being made here. If you tread on the toes of any .gov or .mil, it is highly likely that one day, you will be caught, especially if you are in the US.
Do you think it's right that the government should be allowed to "make an example" of us? The government is supposed to have fewer rights than the average citizen does, not more.
Where I come from, someone who takes advantage of weaker people is called a "bully". But apparently, if you're in D.C., bullying is not only tolerated, but encouraged.
Someone who defaces a government web site should get a small fine to cover the costs of restoring the web site. No jail time, and no forfeiture of other civil rights should be imposed.
To me, this seems like justice.
To me, this seems like a police state.
A friend pointed me to a web site that had at least 30 pages each with a different evil javascript on it. Most of them were slightly annoying, but at the time, one of them could read files from your hard drive and display them in your browser window.
If you have ever gotten stuck in a porn site that you can't get out of you know what I mean. They have java script set to open a new browser window (or two of them) whenever you close one. This one is fairly easy to fix by disabling java script and then closing the window.
One of the evilest hacks on this site was one that made your window jump around. Java script allows the webpage to some location. Somebody got the bright idea of calling moveWindow(currentX + random, currentY + random) where random was between like -5 and 5. This made the window jump around like nothing else. You couldn't close the window because it was just about impossible to click on the x in the corner, nor could you access the menus for the same reason. The only thing to do was to end the browser process (which took a while because the computer was busy moving the damn window around).
Too bad more sites don't use it, or everybody would disable javascript.
Yes, what he did was illegal (and colossally stupid -- poke a grizzly in the eye and you'll probably get mauled), BUT the severity of the sentence (and of sentencing requirements) for cracking into web sites is completely out of line with the seriousness of the crime.
1) If someone "breaks into" a computer it is not the same as breaking into a person's home. There is no physical threat present, and monetary damages have other avenues for recompense.
2) A government or corporation operates on a completely different fiscal scale than an individual. $40,000 in damages to a large corporation is tiny (even microscopic when the government, with its $5 trillion budget, is the target). Whereas for an individual that is a lot of money -- often more than one makes in a year. It is bad enough that corporate America is the recipient of enormous tax breaks, development grants, and other forms of corporate welfare, not to mention preferred status when it comes to legal and economic rights, but to equate a $10,000,000 corporation's $40k loss with an average individual's $40k loss is really absurd.
3) Most of the "damages" this particular cracker is being accused of amount to fixing security flaws which already needed fixing. How would it have been if, instead of a punk teenager, cybersquadrons working for Slobodan Milosevic had cracked the site instead? They needed to fix their security regardless of what this kid did -- the only "damage" they can reasonably accuse him of causing is the time needed to recover the old web pages from backup and put them back on the server. The rest was work they needed to do, anyway -- sticking this cracker with the bill is extremely unjust.
4) Oh, they didn't have backups? Well, to blame that level of stupidity, incompetence, even negligence, on a cracker (however malicious) goes well beyond absurd.
Cracking is wrong. It should be punished. But to equate it with real-world breaking and entering, and to argue that financial damages which are minuscule to a large corporation and governments are the same as those for an individual of modest means and should be punished the same, is to toss justice to the winds and replace it with an ugly form of modern corporate witchburning.
Alas, while cruel, this kind of crushing penalty for individual misdeeds against a large corporate or government entity is hardly unusual in this country, so it is unlikely that this cracker will succeed in appealing his sentence on the grounds that it is "cruel and unusual."
The Future of Human Evolution: Autonomy
The notion of people reforming in prison is nice, but it just doesn't happen. Yes, you see the occasional article about it, which is exactly the point: it's so rare that it's newsworthy when it happens.
Prison renders criminals incapable of committing crimes for some period, and it punishes them. The criminals that do go straight usually do so because, in a moment of lucid thought, they realize that if they don't commit any more crimes, they don't have to go back! This is obvious to most of us, but a revelation to a large portion of the population in question.
This doesn't mean that we shouldn't try to teach them useful skills: this changes the choices that they're making about whether or not to commit more crimes. But for Heaven's sake, please don't put the white collar criminals in the same prisons with the regular folks--we don't want them cross-pollinating.
While I'm at it, prison *is* cost effective for felons. I wish that I had a nice cite for it handy, but studies have shown that the financial losses alone from the crimes committed by felons are lower than incarceration costs. We pay taxes to lock them up, but while loose, they inflict a random tax.
Do you think it's right that the government should be allowed to "make an example" of us?
If "us" refers to crackers, then yes.
I stand by my view that if you break into a system, then change the HTML, you really must have an urge to experience the justice system.
Just look at the Attrition (or any other) mirror. Do these pages, complete with their 31337 talk demonstrate any sort of desirable qualities?
Someone who defaces a government web site should get a small fine to cover the costs of restoring the web site. No jail time, and no forfeiture of other civil rights should be imposed.
I'm pretty sure anybody who hosts a web page, and has been the victim of these attacks will disagree with you. You don't have to break in, do you? No matter how "cool" it may look to your fellow 3133 h4x0r friends.
No! You've got it completely backwards.
Nah, I'm pretty sure that's the right way round. You break the law, you get punished. Maybe 15 months is harsh for changing a website, but come on...nobody is forcing you to.
In more usual crimes like physical vandalism or arson, laws are needed to prohibit them because there's no other way to stop these crimes. (There's no such thing as totally spray-paint resistant walls, for example.) Laws are meant to stop crime by punishing it. They are not perfect.
:-)
In recent years, the same philosophy has been applied to information crimes like hacking. The difference is that there is such a thing as a hack-proof web site. If the goal is to stop hacking, the best way to do it is to make your web site hack-proof, not rely on the incredibly inefficient legal system as a deterrent. (inefficient: how much does it cost for the judge, court staff, courtroom, lawyers, etc. to prosecute a single case?)
As society changes, legal philosophies need to change too. (c.f. the FSF.
As a side note, 15 months in prison? For a 19 year old who was able to put some files on a disk in Washington because the web site designers didn't do their jobs correctly? How many lives did he put at risk? Give me a break.
Well, the problem is that when you get too paranoid about security, you end up with less security.
In the China nuclear spying cases it turns out that the nuclear scientists had secure systems on their desktops right next to the insecure ones, but by the time a pc model gets certified for secure work it is obsolete. So, you can either wait for your secure P90 to grind out results or you can rock on your PIII/500.
I wouldn't be surprised if there were similar issues in the military of people trying to get their job done by working around the regs.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
It's not that browsers are too powerful; it's that they're too trusting. While there are elaborate security measures in Java and Javascript, for example, these are not sufficient because as soon as the browser activates a helper or a plug-in, all bets are off. So you click on a Word document with a macro in it, and all hell breaks loose.
The combination of a browser and quasi-executable content that is interpreted by outside applications is a security witch's brew. Stir in a little OLE automation and you've got real trouble.
Any piece of executable script should come with a signature that's checked against a trusted authority. This shouldn't just be when you click on a ".exe" in the browser, but when activating any object or macro throughout the system.
Java and Javascript aren't too bad. What they should really do is ban the ".doc", ".xls", ".ppt" and any other kind of file format that can be executable from their servers and e-mail systems, unless the interpreter limits access to the system, the way Javascript and Java do.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Surprise surprise. What do you know? The right to silence, and the right to an attorney are pretty well enshrined in a very high proportion of all first world countries, including most of Europe, and Australia, Canada, etc.
Enough with the ego massage.
Open Source. Closed Minds. We are Slashdot.