Another NASA Hacker Indicted
eldavojohn writes "Earlier this year, UK citizen & hacker of NASA Gary McKinnon was extradited to the United States (also interviewed twice). Now, another hacker has been indicted for hacking more than 150 U.S. government computers. Victor Faur, 26, of Arad, Romania claims to have led a 'white hat team' to expose flaws in U.S. government computers. It seems everyone else has been busy hacking into government systems while I've been wasting my time playing Warcraft." From the article: "The breached computers were used to collect and process data from spacecraft. Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said. Several suspected NASA hackers have been dealing with law enforcement recently."
Think about... (Score:1, Interesting)
Not very bright and certainly not "white hat" (Score:5, Interesting)
Honestly, I feel bad for this guy (and probably the rest of the team when they're indicted), not because he's been arrested, but because he is such a moron! Hackers... not at all. White hats... nope (about as smart as the Ironic on). Morons... yes.
Re:Prove it (Score:1, Interesting)
I'm not sayin'... (Score:5, Interesting)
Possibly Just Social 'Hacking' (Score:3, Interesting)
Keep in mind that these guys did 150 computers, the NASA problems were only NASA's reports of their 'hacking.' It could be that he was part of a team that was trying everything to get at government computers (pretexting/social engineering, hacking, you name it) and that this guy was the only one who actually physically went to a facility and illegally accessed data. I think if you're smart enough to hack into a NASA system, you should be smart enough to cover your tracks--so maybe this guy just waltzed in and presented real ID but just lied about who he was or representing?
So before you call NASA stupid for leaving those computers connected to the internet, I would wait until you find out what they're actually accusing this guy of--it could be another case as with Gary McKinnon where the person wasn't some stellar computer genius, he was just really good at gaining trust from people and lying his way into facilities.
Re:Teh Interwebs (Score:5, Interesting)
When I read articles like this one, it makes me wonder what classification of information was compromised. I highly doubt it's DoD Secret or greater and if it's less than that, the damage caused by this information landing in the wrong hands is probably minimal, though disconcerting.
Re:When I was there... (Score:5, Interesting)
What I learned after being there long enough (and it took me a long time) is that one of the main reasons computer security at NASA sucks is funding; or really a lack of it. Bear with me as I explain...
The IT security people (and really, IT people in general) are considered about the lowest form of life at places like JPL, because we are ancillary to the mission. We are overhead. Our work, while helpful, is not viewed as "critical" to mission success. This is an unfortunate and incorrect perception. Try launching anything remotely complex without a computer or a network to support the mission and see what happens.
Most of the science people at NASA just want to get their work done, get the mission to fly, get their science data back, and do their analyses. The problem is that they don't value network/computer security like IT people do. They just have their narrow view of their narrow area of responsibility. This tunnel vision prevents them from caring about security until Something Bad happens and they lose mission data. Then get ready to hear the screaming. IT people get fired. Heads roll. Memos are written. Policies changed.
And then everything goes back to exactly how it was, again.
Underlying all of this is the fact that IT, because of how it is perceived, is poorly funded and therefore understaffed. Without enough staff, they can't respond to all the incoming requests for IT work.
Remember those science people? They will not accept anything getting in their way, least of all some sorry excuses from the IT department about how they can't get to your server today.
Consider this conversation:
IT: "I'm sorry, we're backlogged right now and I won't be able to do that for you today."
ScienceGuy: "No, you'll fix my server today or the lab director (basically the president of JPL) will hear about it and you'll lose your job because I won't be able to talk to the Mars rover today."
IT: "Uh, ok. You're the 5th person to threaten my job today. Looks like I'm getting fired. What would you like me to do?"
ScienceGuy: "Just give me the root password and I'll do it myself. I use a Mac with OS X, so I am a Unix Genius."
IT: "Sure thing. The password is p198*#&$S(s. Have a great day!"
ScienceGuy: "Thanks for being a team player! I'll make sure to write a memo to your boss about how you helped us."
And so, in order to "stay out of the way" of the science people, the IT people have to give away a lot of system administration duties. For this they are rewarded.
Now, remember that those science people don't care about security? And they don't let anything get in their way? Think they'll do goofy things to make their server or data more easily accessible? You bet they will, regardless of the policies. And you know what? That is why places like JPL are so successful. The science people are dedicated, and will generally stop at nothing to make their missions successful. Most of them are what I would call True Believers. They really are there because they believe in what they do. Unfortunately, they often work within very limited budgets, and within the institutional limitations like limited funding for IT staff.
There has been crime committed on both sides. (Score:4, Interesting)
Another crime is committed here though, which is denying this kid a fair trial.
The previous case with the UK script kiddie was indication enough that things are terribly wrong. The FBI is banking on the general public's unawareness on computers. That Gary guy accessed some US govt. server with a default Windows password or something like that, was it? Yeah fitting punishment of life in prison NOT. The FBI throws around ridiculous numbers as to justify the harsher penalties, but the truth is, the guy is responsible for very little damage, even though the system had to be reinstalled etc, BECAUSE the system was so insecure in the first place that it should have been replaced in the first place! The vast majority of the costs are due to their own stupidity. The equivalent case would be a car crashing into a skyscraper and the skyscraper collapsing. Yeah, sure the driver is at fault for driving badly, but he's no way responsible for the collapse of the skyscraper in any sense except direct physical!
The amount of damages is seriously overinflated as well, others have pointed to Bruce Schneier about it. You can't claim millions of dollars of damages when "you" (the FBI) went around and handled the whole thing the wrong way! Yeah, I might expect a citizen not to have a clue about computers and buy these stories, but the FBI has a responsibility not to talk out of its ass.
Similarly, in this new case, damages are overinflated and, yeah the kid broke into the system, but the one who caused the damages which caused problems at NASA is the idiotic MORON who designed the system in the first place. These stupid hacker stories are designer/maintainer problems and the FBI should damn well recognize this, because they have the technical expertise in order to do so.
But they are not doing this. In light of this I'm a pretty serious proponent in urging the non-US countries of the world of suspending ALL extradition treaties (which should have happened right after Guantanamo rights abuses went public) with the USA until we can be sure that justice is served, not some scaremongering directed at the domestic public of the USA.
It has to be mentioned that I'm pretty pissed about it, since it sort of hits home. Arad, where the guy is from, is a historical Hungarian town which now belongs to Romania. There is a good possibility that this guy has Hungarian origins and as a Hungarian I'm
a.) scared about the bullying the USA comes up with
b.) even if the guy extradited is an obvious moron. I would think he'd deserve something in the amount of 2 years probation judging by the cases I'm familiar with, not extradition to a foreign country and dumped in a pound-my-ass prison for life. The USA prison conditions are despicable, but that's another story.
Re:Say it with me again folks... (Score:3, Interesting)
If the estimates are inflated, something which has been known to happen, then the misstatement diverts law enforcement resources and can influence sentencing. Petty larceny and grand larceny are separate crimes for a reason.
>If I secure my house with a 100 year old skeleton key lock and also place a big sign in front of the house that says "Door key under welcome mat, $100,000 US in freezer behind ground beef", I may be stupid
Your insurance company will come up with a better word than "stupid".
Obviously negligence by NASA doesn't excuse an illegal break-in. The point everyone's trying to make is that the illegality of the break-in doesn't excuse NASA's negligence.
Re:Possibly Just Social 'Hacking' (Score:3, Interesting)
http://www.realitatea.net/27615_Hackerul-roman-su
Rough translation:
Which IMHO contrasts wildly with the following fact, also reported by Los Angeles Times:
My take (and I've been around Romania enough to speak the language and know what goes around): just another bunch of stupid kids with nothing better to do. They piss around with sensitive stuff like this, and when the FBI comes looking for them they whine "we didn't want to do it, it just 'happened'".
They don't even make a moral or political stand, they're simply stupid. There was an old saying, don't do the time if you can't do the time, wasn't it? It's all the more idiotical considering these are skilled people, this one claimed to have worked for IBM at some point. Way to throw it all out the window.
Granted, 54 years in jail is a rough punishment for stupidity. I doubt they'll be extradited, but they will have just as rough a time in Romania. The government is trying to make up for the country's standing negative fame on the Internet by dealing excessive prison sentences in such cases. And trust me, an American prison looks like a spa compared to the dumps they call prisons around here.
On the other hand, his daddy used to be the head of a local county hospital. I doubt he hasn't made some connections and dough, which would come in handy right about now. If the son is prosecuted in Romania there's a 50/50 chance he'll be able to bribe his way out of it clean or with a minimal sentence. Of course, the moment he steps out of the country he's fair game.