Another NASA Hacker Indicted 164
eldavojohn writes "Earlier this year, UK citizen & hacker of NASA Gary KcKinnon was extradited to the United States (also interviewed twice). Now, another hacker has been indicted for hacking more than 150 U.S. government computers. Victor Faur, 26, of Arad, Romania claims to have led a 'white hat team' to expose flaws in U.S. government computers. It seems everyone else has been busy hacking into government systems while I've been wasting my time playing Warcraft." From the article: "The breached computers were used to collect and process data from spacecraft. Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said. Several suspected NASA hackers have been dealing with law enforcement recently."
Teh Interwebs (Score:5, Insightful)
Re:Teh Interwebs (Score:5, Funny)
Re:Teh Interwebs (Score:4, Funny)
Re: (Score:1)
Possibly Just Social 'Hacking' (Score:3, Interesting)
Well, with the case of McKinnon, I don't think he ever actually 'hacked' into something by way of computer. I think that he was more so a social engineer than a hacker but they call him a hacker because it has a rogue/negative sound to it. Anyway, I don't know what the facts are in the Romanian's case, only reported it to Slashdot.
Keep in mind that thes
Re: (Score:1)
Re: (Score:2)
Why in the bloody hell should be these machines connected to the internet ? Why ?
There isn't really a reason for this. Backups can be managed other ways, and it's not like your going take a 5 minute break from leading your space station to read slashdot
Nasa security experts: plug the cable and watch your pr0n ^H^H^H^H^H news sites from somewhere else.
Re: (Score:3, Interesting)
http://www.realitatea.net/27615_Hackerul-roman-sus tine-ca-a-spart-codurile-computerelor-NASA-din-joa ca-.html [realitatea.net]
Rough translation:
Re:Teh Interwebs (Score:5, Informative)
Indeed. The article is pretty thin on what was actually compromised and what "manually communicating with spacecraft" really meant. Rule number 1 with mission critical systems at NASA (I work for them, but not at the locations attacked) is that they are *completely* walled off from the outside.
Now, there are some mission associated systems that are accessible from the internet which are storing spacecraft data. Here's one that has datasets from the acceleration system on the International Space Station:
http://pims.grc.nasa.gov/html/ISSAccelerationArch
It's out there because that's the easiest way to get the data to researchers, many of whom are at universities around the world. I suppose if that server ended up hacked, it would hit the news as "Hacker brings down Space Station support system!". Sounds bad, but it's not like you can actually gain control of the spacecraft. I suspect the machines affected were used for this sort of purpose.
Re:Teh Interwebs (Score:5, Interesting)
When I read articles like this one, it makes me wonder what classification of information was compromised. I highly doubt it's DoD Secret or greater and if it's less than that, the damage caused by this information landing in the wrong hands is probably minimal, though disconcerting.
Re: (Score:1)
Red Nets (Score:2)
Re: (Score:2)
Chuckle, chuckle... (Score:4, Funny)
I've been there, i've seen that, done that, got tshirt and beer mug... They're just crucifying kids, because inquisitive minds, for better or worse, when coupled with direct action (they didn't wait for 20 years for anyone's approval) scare the crap out of the dictatorial regimes of the world, our dear old US included.
"In a democracy, you vote first, and take orders later, in a dictatorship, they spare you the trouble of choosing your tyrants and th wasted energy used up voting." ~unknown
Re: (Score:2)
Not even by sending a virus up the incoming data stream???
When I was there... (Score:4, Insightful)
That these three have been caught is almost incidental, when you consider the probability that there are possibly several orders of magnitude more people who have not. Those who have been were not doing anything significant, except insofar that it was possible to do at all. Nobody - least of all NASA - knows what those who have NOT been caught are doing. We're constantly being reminded about how dangerous the world is and how important it is to track kitty litter as it comes into the country. Assuming the claims have any merit at all, I'd be just a little more concerned with what the Government itself is openly, passively and willingly handing out to whoever asks out there in that "dangerous world". If it's so bloody dangerous, shouldn't the Government be doing at least the very basic minimum?
(If, however, the real reason is that NASA isn't doing anything mission-critical and that all information it has has no value whatsoever, then just shut the bloody thing down and put the money into education. I think NASA is worthwhile, but then I'd have kicked their security into shape within the first five minutes of having the authority to do so. They aren't, so they clearly don't.)
Re:When I was there... (Score:5, Interesting)
What I learned after being there long enough (and it took me a long time) is that one of the main reasons computer security at NASA sucks is funding; or really a lack of it. Bear with me as I explain...
The IT security people (and really, IT people in general) are considered about the lowest form of life at places like JPL, because we are ancillary to the mission. We are overhead. Our work, while helpful, is not viewed as "critical" to mission success. This is an unfortunate and incorrect perception. Try launching anything remotely complex without a computer or a network to support the mission and see what happens.
Most of the science people at NASA just want to get their work done, get the mission to fly, get their science data back, and do their analyses. The problem is that they don't value network/computer security like IT people do. They just have their narrow view of their narrow area of responsibility. This tunnel vision prevents them from caring about security until Something Bad happens and they lose mission data. Then get ready to hear the screaming. IT people get fired. Heads roll. Memos are written. Policies changed.
And then everything goes back to exactly how it was, again.
Underlying all of this is the fact that IT, because of how it is perceived, is poorly funded and therefore understaffed. Without enough staff, they can't respond to all the incoming requests for IT work.
Remember those science people? They will not accept anything getting in their way, least of all some sorry excuses from the IT department about how they can't get to your server today.
Consider this conversation:
IT: "I'm sorry, we're backlogged right now and I won't be able to do that for you today."
ScienceGuy: "No, you'll fix my server today or the lab director (basically the president of JPL) will hear about it and you'll lose your job because I won't be able to talk to the Mars rover today."
IT: "Uh, ok. You're the 5th person to threaten my job today. Looks like I'm getting fired. What would you like me to do?"
ScienceGuy: "Just give me the root password and I'll do it myself. I use a Mac with OS X, so I am a Unix Genius."
IT: "Sure thing. The password is p198*#&$S(s. Have a great day!"
ScienceGuy: "Thanks for being a team player! I'll make sure to write a memo to your boss about how you helped us."
And so, in order to "stay out of the way" of the science people, the IT people have to give away a lot of system administration duties. For this they are rewarded.
Now, remember that those science people don't care about security? And they don't let anything get in their way? Think they'll do goofy things to make their server or data more easily accessible? You bet they will, regardless of the policies. And you know what? That is why places like JPL are so successful. The science people are dedicated, and will generally stop at nothing to make their missions successful. Most of them are what I would call True Believers. They really are there because they believe in what they do. Unfortunately, they often work within very limited budgets, and within the institutional limitations like limited funding for IT staff.
Re: (Score:2)
(Seriously, what you are describing I can vouch for 100% at LARC.)
Re: (Score:3, Informative)
Re: (Score:2)
Especially if the system is involved with exchange of weather data.
(which really shouldn't be classified, IMO - anyone can lick their finger and hold it up inthe air).
NASA's weather systems exchange data with all kinds of other government agencies, Dept of Fish and Game, National Weather Service, etc. They have accepted ways of exchanging data, and holding all of these to tight information protection standards is kind of impractical.
Re: (Score:2)
Weather stuff and other public information need to be protected only insofar as they shoul
Re: (Score:1, Flamebait)
Re: (Score:1)
Re: (Score:1)
$1.3? $100k?! (Score:4, Insightful)
Re: (Score:3, Informative)
Re: (Score:2, Insightful)
Hacker Crackdown (Score:5, Informative)
Project Gutenberg (Score:5, Informative)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Paraphrased for Joe Six Pack (Score:3, Insightful)
This kid broke into my house and stole a six pack of beer, but now I don't feel safe in my house anymore, so for actual damages I am including the cost of a house in a lower crime area with private security guards. The kid's dad originally bought the beer so I didn't include the cost of the beer in the total.
Re: (Score:1)
Re: (Score:2)
Think about... (Score:1, Interesting)
Prove it (Score:3, Insightful)
I smell a false inflation of damages, much like Motorola in the Mitnick case.
Re:Prove it (Score:5, Funny)
Those numbers are extremely conservative!
Re: (Score:2)
Re: (Score:2)
Re: (Score:1, Interesting)
Re: (Score:3, Insightful)
The Law for Geeks 101: You break it, you buy it.
Re: (Score:1)
Not very bright and certainl not "white hat" (Score:5, Interesting)
Honestly, I feel bad for this guy (and probably the rest of the team when they're indicted), not because he's been arrested, but because he is such a moron! Hackers... not at all. White hats.. nope (about as smart as the Ironic on). Morons..yes.
Re:Not very bright and certainl not "white hat" (Score:5, Funny)
Sounds like he has a bright future right here, on slashdot.
Re: (Score:1)
Yes, and can you say Deep Do Do?
Re: (Score:2, Informative)
Oh, teh inory!
'hackers' (Score:1)
Manually Communicate? (Score:5, Funny)
I can just see one of the guys standing outside NASA JSC yelling up at the sky, "How Ya'll doin up there?"
This is the result (Score:5, Insightful)
Glorifying such fool pranks I would consider the same as glorifying cutting brake lines on school buses. Really quite funny when the bus driver tries to stop. How could it possibly hurt anyone because any bus driver is going to notice what is wrong long before the first child sets foot on the bus. Right. Keep thinking that way. Of course, what these folks did was just for fun and it didn't really hurt anyone, now did it?
The FBI putting a dollar floor on damages ensures that nothing is ever done when these kids do something minor. Rather than someone identifying them and giving them a warning nothing happens. When you were 16 if you were never, ever caught shoplifting would your escapades advance to other, higher-price objects? Of course. Which is exactly what is happening here.
ISPs refuse to identify or even forward communication from people complaining about attacks. So your only choices are to either wait for $25,000 in damages to bring in the FBI (who is the only possible law enforcement agency with jursidiction) or you decide to spend lots of your own money to file suit against some 16 year olds to "teach them a lesson". Of course, you end up with the "lesson" because they will be laughing at you when you find out you can't sue a kid in Romainia.
Re: (Score:2)
Re: (Score:1)
Yeah man, lots of kids have died due to hacking attempts. There isn't a "rolleyes" icon big enough to reply to your post.
Manually communicate with spacecraft ? (Score:2)
Re: (Score:2)
I'm not sayin'... (Score:5, Interesting)
Re: (Score:2)
The point is, not some random hacker from the UK or Romania who calls themselves a "security researcher". Honestly, this guys story is lame.
Re: (Score:1)
Re: (Score:2)
Who, then? A company who calls itself a "security researcher" will simply keep any issues secret so that the government bureaucrats can continue to do nothing about them - their customers are the people who have a vested in interest in secrecy, and no real interest in security. This sort of th
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
If we're the ones owning or operating the systems. I've got some trouble believing someone who leaves taunting messages (but not detailed remediation instructions) when they claim they were running a pro bono penetration test.
They can manually communicate with a spacecraft? (Score:4, Funny)
Did they use an a hitchhiker style Sub-Etha Sens-O-Matic electronic thumb or just a towel?
Dequeue
"Insert witty
What i really think is that - (Score:2)
The money lost at NASA (Score:1)
Re: (Score:2)
OK, so if some stupid punk kids decided to torch a NASA training jet worth a few $million, that wouldn't be worth the trouble, either? Wasting NASA's resources (my tax dollars) on the physical destruction of property, or the collosal waste of human energy hunting down pointless script kiddie vandalism is just as bad. And just as worth runing down.
I'm a "White Hat" hacker too (Score:4, Funny)
I just hacked my way into the Bank of America, just to test its security. The fact that I managed to dowload millions of user account files with sensitive personal information I could sell to unscrupulous characters is *totally* beside the point of my wholly beneficial White Hat Crusade.
Next week, I'll be mounting a White Hat Mission to test the security of Apple's online ordering system. If a few dozen dual core machines find their way to my house, it's a sacrifice I must make for the greater good!
US Government is a joke (Score:1, Funny)
Everyone knows all you do is type in login: admin and no password to get root access to every branch of the US.
If you want a real challenge, try identifying and hacking other hackers computers.
Honestly the US is a joke - my boss asked me to do background checks on new employees to check for criminal records (doesn't bar employment) and red flags, so I logged into the NSA's highest admin (again, l/p = admin/(blank)). Ok so
Re: (Score:1)
SS/Evisc? Someone needs to learn2play.
Claims to have led a 'white hat team' to expose... (Score:1)
So what's being done... (Score:2)
Say it with me again folks... (Score:5, Insightful)
Most people seem to be bringing up the lack of security on NASA systems or the inflated monetary loss estimates. Totally irrelevant. If I secure my house with a 100 year old skeleton key lock and also place a big sign in front of the house that says "Door key under welcome mat, $100,000 US in freezer behind ground beef", I may be stupid but that still does not give you the right to enter my house without my permission.
Re: (Score:3, Insightful)
Re: (Score:2)
NASA ought to get slapped around for being reckless. The law shouldn't be used to shelter this willful disregard of basic computer and data safety. Turning to the law ought to be a last resort. What if they'd lost their valuable data because they didn't back it up off site and a fire broke out and destroyed their data center? Sue the fire department? Or if a hurricane destroys it, sue NOAA? So I suppose they'll sue this hacker into bankruptcy and lock him up for 10 years so theyll have plenty of time
Re:Say it with me again folks... (Score:4, Informative)
I once attended an infosec meeting at a NASA center several years ago. The initial presentation was an analysis of an incident involving some Oganization's lab systems. It was well done and full of very handy technical information, lessons learned, and advice to other Orgs on how to avoid a simular incident. I looked around the room. Most eyes were well glazed over. Obviously the information was lost on an audience who should be taking notes. The next presentation came from our FBI representative. The rep. basically talked about the lab equipment that was confiscated... what was happening to the HDs during analysis... and the process of "getting the bad guys." The crowd lit up. Everyone was rather excited. They were going to get the bad guys. Few there seemed to realize that this was not "good news". Rather, it was a failure as the lab systems compromised represented lossess to already-tight budgets.
Things have changed since that time. Infosec is changing... at least at NASA. There are new attitudes, new requirements, new regulations. I've still got my own concerns and criticisms of the state of things. It's far from perfect, to say the least. But there is change. We'll see how well it holds.
Re: (Score:3, Interesting)
If the estimates are inflated, something which has been known to happen, then the misstatement diverts law enforcement resources and can influence sentencing. Petty larceny and grand larceny are separate crimes for a reason.
>If I secure my house with a 100 year old skeleton key lock and also place a big sign in front of the house that says "Door key under welcome mat, $100,000 US in freezer behind ground beef", I may be stupid
Your insurance com
Re: (Score:2)
And if I'm not home, my two dogs will possess 9/10ths of your body parts.
The government that couldn't build a database (Score:1)
Manually communicate? (Score:1)
Re: (Score:3, Informative)
Pfffffffft (Score:2)
The joke's on them. They're going to jail, and you've got all the epics!
There has been crime commited on both sides. (Score:4, Interesting)
Another crime is commited here though, which is denying this kid a fair trial.
The previous case with the UK script kiddie was indication enough that things are terribly wrong. The FBI is banking on the general public's unawareness on computers. That Gary guy accessed some US govt. server with a default windows password or something like that, was it? Yeah fitting punishment of life in prison NOT. The FBI throws around ridicioulus numbers as to justify the harsher penalties, but the truth is, the guy is responsible for very little damage, even though the system had to be reinstalled etc, BECAUSE the system was so insecure in the first place that it should have been replaced in the first place! The wast majority of the costs are the due to their own stupidity. The equivalent case would be a car crashing into a skyscraper and the skyscraper collapsing. Yeah, sure the driver is at fault for driving badly, but he's no way responsible for the collapse of the skyscraper in any sense except direct physical!
The amount of damages is seriously overinflated aswell, others have pointed to Bruce Schneier about it. You can't claim millions of dollars of damages when "you" (the FBI) went around and handled the whole thing the wrong way! Yeah, I might expect a citizen not to have a clue about computers and buy these stories, but the FBI has a responsibility not to talk out of its ass.
Similarly, in this new case, damages are overinflated and, yeah the kid broke into the system, but the one who caused the damages which caused problems at NASA is the idiotic MORON who designed the system in the first place. These stupid hacker stories are designer/maintainer problems and the FBI should damn well recognize this, because they have the technical expertise in order to do so.
But they are not doing this. In light of this I'm a pretty serious proponent in urging the non-US countries of the world of suspending ALL extradiction treaties (which should have happened right after Guantanamo rights abuses went public) with the USA until we can be sure that justice is served, not some scaremongering directed at the domestic public of the USA.
It has to be mentioned that I'm pretty pissed about it, since it sort of hits home. Arad, where the guy is from is a historical hungarian town which now belongs to Romania. There is a good possibility that this guy has hungarian origins and as a hungarian I'm
a.) scared about the bullying the USA comes up with
b.) even if the guy extradited is an obvious moron. I would think he'd deserve something in the amount of 2 years probation judging by the cases I'm familiar with, not extradition to a foreign country and dumped in a pound-my-ass prison for life. The USA prison conditions are despicable, but that's another story.
Re: (Score:2)
Well, if everybody was to judge like this then the whole Pannonia is a historical Romanian province, which now belongs to Hungary (map from 82BC [wikipedia.org]). Just be more careful with affirmations like this.
Just by looking at his name (Faur) you can tell this guy is Romanian.
Finally, he is a Romanian citizen and it's very unlikely that he will be extradited. Y
Re: (Score:2)
I'm getting pretty tired of baseless nationalism. It is pretty despicable the way people are trying to rewrite history when dealing with the consequences of WW1.
Currently you could say that the 15% hungarian minority in Arad makes it pretty "romanian", and I guess you were right, but you don't
Re: (Score:2)
Re: (Score:2)
It's way off topic here and I generally refuse to get involved in petty squabbles. I don't care about nations or countries or borders, but about humans and I would have thought europeans would have gotten tired with the infighting.
Common sense (Score:2, Insightful)
At least everybody *should* take note of that.
Let me get this straight... (Score:1)
But wait a minute.. (Score:2)
The whole internet is based on getting information from systems, and if NASA is providing this information its their fault...
Good! (Score:1)
rhY
He is NOT going to be extradited (Score:2)
Re: (Score:2, Insightful)
Also gives 'em something to tack onto next year's budget request...
rj
Re: (Score:2)
Not to mention they typically charge for "fixing the hole" when they should have fixed the hole on their own dime in advance.
Where did you get "guesstimate" ? (Score:4, Insightful)
Instead of tossing out a "guess-timate", they should not give a quote without all the facts present.
If the government claims $1.36M + $100k in damage done, they have to submit evidence to the court as to why and how they came up with those numbers. Much of the reason cases involving economic damage take so long is that the discovery phase of the trial, when all of this information gets unearthed and shared among plaintiff and defendant, takes a lot of depositions, requests for information, requests for further information, and so on. You'd better believe that *if* the US successfully gets him extradited to the United States, his attorney will be issuing subpoenas for proof of those numbers. If the government can't substantiate them, it won't fly with the judge.
Re: (Score:1)
Get a spin doctor (Score:2)
1. Calling in and paying the IT guys. Assuming its not covered by insurance/protection plan/special contract, you're looking at thousands of dollars worth of fees right there. NASA doesn't exactly run on closet full of servers converted from unused PCs that can be wiped on a whim just because a hacker got in.
2. Downtime. Whats that? Your staff of hundreds/thousands
Re: (Score:2)
You assume the defendant will be provided with a competent attorney.
Just because someone is extradited doesn't mean they can't obtain their own counsel. Even if they were given court-appointed counsel, you'd have to try pretty damned hard to find an attorney that had passed the bar in any state in the Union who would be so incompetent as to not seek evidence during discovery. If he or she were to not take advantage of discovery, they would very likely later be sued for malpractice. The losing party woul
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)