World's Biggest Hacker Held

Hieronymus Howard writes "The London Evening Standard is reporting that the "worlds biggest computer hacker" has been arrested in London. Gary McKinnon, 39, was seized by the Met's extradition unit at his Wood Green home. The unemployed former computer engineer is accused of causing the U.S. government $1 billion of damage by breaking into its most secure computers at the Pentagon and NASA. He is likely to be extradited to America to face eight counts of computer crime in 14 states and could be jailed for 70 years. Apparently he broke into U.S. military computers to hunt for evidence of a UFO cover-up."

Smart? Yes. A Nut? Perhaps. How about both?

[lecithin]

"Apparently he broke into US military computers to hunt for evidence of a UFO cover-up."

It sounds like an excuse to me.

So is the guy really nutty or is this just an attempt to justify his illegal activities?

Then again, perhaps he was on to something?

UFO cover-up

[iocc]

Did he find any evidence of a UFO cover-up?

World's Biggest Hacker?

[Dagny Taggert]

Really? Because he broke into a Pentagon network? That just makes him stupid; if he were really a big hacker, he'd be doing blackhat corporate work. UFOs! Yeah...whatever.

Re:what?

[garcia]

$1 billion damages? honestly - how do they come up with these figures?

they'd do better hiring this guy to teach their sysadmins a thing or two.

They hire overpaid techs that do shoddy work. They have to come up with these figures in order to make sure the public doesn't mind them wasting taxpayer dollars to track him down all over the world.

One beeelllliiioonn dollars?

[bc90021]

1 Beeelllion Dollars?

Where do they get that from? If that's really the case, it would only take about 6,000 people to cause enough damage to double the national debt!

The article doesn't mention anything anywhere about pure damages, for starters. It mentions the costs associated with tracking and capturing the guy, and costs correcting some of the problems - combined. Those costs are listed as 570,000 pounds. At the exchange rate I just looked up (1.83 dollars to a pound), that's still only 1,054,500 dollars, which is more like a meeelllion dollars. Even if they tack on the 950,000 pound in fines, that's still not even three million.

That's a far cry from a billion... and about two million less than the damages Kevin Mitnick was supposed to have caused.

Frankly, they should have just let this guy find some "evidence" of UFOs. Then he might have spent his time trying to convince people of it instead of looking for more!

Will they plea??

[mbathgate]

The question now is whether the government will attempt a plea deal and put him to work like we've seen in other cases. With jails full, it seems rather silly to put such useful talent behind bars when he really isn't a threat to society. Plus, he could be our secret weapon against those vicious North Koreans. He's got to be worth at least 100 NK's if he's the "biggest in the world, right?"

Free On Bail (BBC)

[Anonymous Coward]

According to this, he's free on bail:

http://news.bbc.co.uk/2/hi/uk_news/4071708.stm [bbc.co.uk]

He didn't commit a crime in the US

[thogard]

He only committed a crime in the UK even though the effects that crime where in the US. There are already enough laws in the UK about breaking into military sensitive computers that can put him in jail for a very long time and there are enough treaties with the US so that breaking into a US military computer in the UK can get you thrown in jail forever.

The judge should rule that he can't be extradited to the US until he has been tried in the UK and then only if the US has charges that don't fit into double jeopardy.

Re:what?

[BJZQ8]

Exactly. In my time working with school district (a government entity, of course), consultants will come in and make a big deal about "security", and sell a district a PO a mile long with all sorts of unnecessary crap on it. I have even seen them produce port-scanning logs as evidence of "being hacked." The School Boards will happily hand over $100,000 (in a district with a $2 million yearly budget) to remedy this "security hole." It's the same in the huge government boondoggle of departments and agencies. I'm getting more and more convinced that the coming crisis of the world pulling out of US bond markets is the best thing that could happen; right now this country has unlimited money, and is busy making an unlimited bureaucracy to spend all of it...

Re:what?

[shotfeel]

Remember, this was thought to be a terrorist group attacking the US. Just guessing, but I assume security teams had to be sent out to lock down the facilities, assess damages and begin trying to figure out where these attacks came. That's just the start.

Part of the "lock down" may even include completely replaing large systems not only so you can start clean, but also so the compromised systems can be assessed, studied and used for evidence.

Then you have to figure out what other areas may have been exposed by these breakins and do some heavy duty damage control there as well.

Then there's the cost of teams of investigators and their expenses. We're talking an international, multi-year investigation.

All those expenses can really start to add up. Doing an investigation "the right way" can really cost a lot.

It MOST CERTAINLY is not!

[NRAdude]

He stole nothing, he physically broke into nothing, he has seen nothing, he has been caught holding nothing. When crappy everyday news press start labeling everyone a "hacker" I think this world is run by Joseph Goerbles. It takes alot of relative merit to hold a label of any kind. For one, IP addresses belong to the ISP, not the subscriber; the software properly authenticated and was allowed access. I do it all the time at Slashdot: sometimes I auth as Anonymous Coward with the password "frommyparentsbasementIstabtheetaco"; Someone changes it to somthing else everytime it is posted though. Information crimes If it needs to be a secret, don't hold the secrets on a network-accessible computer or you're asking for someone with authentication to publicize the material. When I speak of "proper authentication", I speak on the train of thought that probability can be just as valid as authentication; guess a number and use it. I'm just using plain English, no in-fancy federal-code talk trying to conceal common-sense law in pounds upon pounds of codified indirect procedure used to anyone's bereft. You'ld think people just love eachother for accessing their server, and you're assumed to be not hostile until proven hostile. George Noory's information COASTTOCOASTAM.COM has the same crap, and I don't see anyone making commercial gain other than plastering stupid secret shit on baseball caps and shirts. Oh, that must be sooo detrimental to take secret information and make a fat cult of pudgy geeks that just gossip about trinagles in the sky. I know Slashdot makes many federal-like assumptions to its viewers; thinking we read hardware advertisements and the advertisements within the topic of those advertisements. The day those appointed to serve as "Government" can conceal information is the day the people are ussurped by lies. Look at how many spy and nuclear secret threats were feared by those supposes people appointed as "Government", and its they that have mis-used the technology the most!

Re:"Damage"

[Perl-Pusher]

Obviously you have never had all work completely stop while the sysadmins wiped every machine clean and restored files from backup. A hacker at Langley Research Center easily wasted $1 million dollars a day for 4 days, just in the pay to unproductive employees.

Re:what?

[arkanes]

If this is what you do everytime theres a break-in at your company, I fear for your security. First off, you're presuming that he didn't delete the accounts beyond ADs ability to restore them, which is a pretty big assumption. And you're ignoring the work involved in auditing the restores of all the users data and privledges, to make sure that you don't accidently restore any tampering. Dealing with a large scale security breach is complicated and a major task, and while it's not fair to pin the total cost on the hacker (like fixing the hole he came in through), the secondary costs can be quite large - auditing and figuring out how he came in in the first place, deciding exactly how much of your infrastructure you can trust after the breakin, what a safe date to restore off tape is, etc, etc.

Re:Odd facts in this case

[jd]

I've done some work for NASA and the DoD in the past, and all I can say is I'm surprised by how few break-ins the guy is tied to. Typical system administration passwords are "password" according to the agency-wide briefing I was in on, the use of .rhosts on mission-critical systems is scary, and the preference of rsh/telnet over secure protocols is beyond belief.

The evidence so far is that the guy IS a skript-kiddie, and probably not a very good one at that. If, after countless reviews and endless debate, many Federal agencies are still scoring D or worse on their own evaluations, I cannot find any reason to have any confidence in their ability to secure their systems.

Perhaps, instead of wasting time chasing UFO spotters, they should be putting more time and effort into getting their own house in order. Windows machines are rated for standalone security, not network security, and Windows is only C-class even then. That may be fine for a desktop hosting seriously unimportant files, but I would not regard that as nearly good enough for servers or desktops likely to have files of significance.

For the sorts of establishments we're talking here, I would say that a minimum of B3 on internal security and something comparable for network security should be the minimum for anything beyond the kiosks they've been pushing people onto.

Re:what?

[Steve Newall]

Symantic difference between British English and American English.

British burglars burgle.
American burglars burglarize.

Re:what?

[blackicye]

whats wrong with his spellerizing?

burglarize
verb

(US)
burglarized, burglarizing
1. To burgle.

Etymology: 19c.

Wellcome to cynicsville, population: Me.

[Scrameustache]

I think its interesting how computer crimes (even ones that technically do no physical damage, like destroying of files/property, etc) can warrant these huge jail times, yet a confessed convicted rapist, child molester, or other misc. violent criminal can sometimes get as few as 5 years in prison.

What does that tell us? We care more about our files than our children. While I don't think that breaking into a computer system just to prove you can is a smart idea (not saying that was the case in this situation, but rather in general), but I would consider a child molestation as a much more heinous crime, that should always warrant a longer sentence.

Laws aren't there to protect you, they are there to protect the rich.

Some poor looser raping other poor looser's kids is bad for their work productivity, so it is illegal, but acts that could cause the rich to loose riches are much more illegal, because these things really matter to those who make the laws.

Re:Smart? Yes. A Nut? Perhaps. How about both?

[h4rm0ny]

And on a related note, what accounts for the $1billion damages? I'd wager a large part of that is plugging security holes that should not have been there in the first place. Although it's stated in the article that fixing the problem and tracking him down cost £570,000 pounds.

In fact, reading the article, I can find no reference to $1 billion. It's estimated that he may be fined £900,000 (that figure makes so much sense), but if that equates to $1 billion at the current exchange rate then I think I better get over there and buy a town. Editors not reading the story?

The UK should *not* extradite anyone to the US...

[johansalk]

The extradition agreement signed between the US's Ashcroft and the UK's Blunkett over terror is seriously flawed; it doesn't require the the Americans to provide *any* evidence, but demands so from the Brits, and American authorities have proved too willing to misuse it, far beyond "terror". Furthermore, the treaty removes key protections, and the UK parliament was *not* consulted at all http://tinyurl.com/4yph4 [tinyurl.com]. For all I've seen, it's all been one-sided so far, with Brits extradited for various reasons, even to a Brit CEO demanded by the Americans for "price-fixing"(!!) http://tinyurl.com/7tdkv [tinyurl.com]. The UK should *not* extradite any Brits to the US, at all!!! This American Gitmo administration is not fit for any role of justice!

Re:what?

[jonfr]

I have even seen them produce port-scanning logs as evidence of "being hacked."

Been there, done that. I scanned my formal school network, but i also found a securty hole in a form of syspref.inf with a working password, it was in the computer class room on the C:\ drive, in clear text. I did test the password to see if it was working. Took a peek at the schools servers, but i didn't damage anything.

Then the case got to the cops, they did use port scanning logs to proofe that i was trying to damage the school network by portscanning the lan. But offcose that was plain BS.

Also, the state lawyer didn't have any evidense to proof anything on me. And the School second-headmaster did confirm my word where i had refused to damage the schools servers.

The case went to trial, i am now waiting the outcome. I hope that i win.

(Now i will get flamed to hell and modded up)

Re:A Darwin Award nomination, say I!

[lost_n_confused]

I truly doubt he got into any classified systems. From my 7 years of working in military intell and then 13 years of installing networks for the military I have never worked on a classified system that was connected to the internet. There are red and black networks to keep the traffic separated. You can't even run a CAT 5 red network wire down the same wall as the black network wires. There is never an intermingling of wires let alone traffic. The DOD has its own world wide network to run classified traffic over. This is like a person breaking into a bank lobby and saying it is the same thing as breaking into the vault. lobby != vault. Internet servers != NSA servers not even close not even on a bet.