Another NASA Hacker Indicted

eldavojohn writes "Earlier this year, UK citizen & hacker of NASA Gary KcKinnon was extradited to the United States (also interviewed twice). Now, another hacker has been indicted for hacking more than 150 U.S. government computers. Victor Faur, 26, of Arad, Romania claims to have led a 'white hat team' to expose flaws in U.S. government computers. It seems everyone else has been busy hacking into government systems while I've been wasting my time playing Warcraft." From the article: "The breached computers were used to collect and process data from spacecraft. Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said. Several suspected NASA hackers have been dealing with law enforcement recently."

Teh Interwebs

[foldingstock]

If a system is that important, and only has a single task, such as communicating with a spacecraft, why would it be accessible from outside sources?

Re:Teh Interwebs

[The Zon]

It's NASA 2.0. They're looking for input from the community.

Re:Teh Interwebs

[nEoN nOoDlE]

so that the people manning the system can check their Gmail in between shuttle launches.

Re:

[mindwhip]

No! not the people! It's the intelligent EO-1 satellites that need to check their Gmail!

Possibly Just Social 'Hacking'

[eldavojohn]

If a system is that important, and only has a single task, such as communicating with a spacecraft, why would it be accessible from outside sources?

Well, with the case of McKinnon, I don't think he ever actually 'hacked' into something by way of computer. I think that he was more so a social engineer than a hacker but they call him a hacker because it has a rogue/negative sound to it. Anyway, I don't know what the facts are in the Romanian's case, only reported it to Slashdot.

Keep in mind that thes

Re:

[x_MeRLiN_x]

Errrm.. Garry McKinnon didn't do that.

Re:

[moro_666]

About keeping them connected to the net you are 100% right.

  Why in the bloody hell should be these machines connected to the internet ? Why ?

  There isn't really a reason for this. Backups can be managed other ways, and it's not like your going take a 5 minute break from leading your space station to read slashdot ... errr ...

  Nasa security experts: plug the cable and watch your pr0n ^H^H^H^H^H news sites from somewhere else.

Re:

[Crayon Kid]

Anyway, I don't know what the facts are in the Romanian's case, only reported it to Slashdot.

http://www.realitatea.net/27615_Hackerul-roman-sus tine-ca-a-spart-codurile-computerelor-NASA-din-joa ca-.html [realitatea.net]

Rough translation:

"It was not intentional, we got to them practically by mistake, very easily, considering that those systems were not adapted (updated?), the techniques in use didn't really have care for the systems. I did not try to bring damages to the US state or US, if I knew that my actions would lead

Re:Teh Interwebs

[cyclone96]

If a system is that important, and only has a single task, such as communicating with a spacecraft, why would it be accessible from outside sources?

Indeed. The article is pretty thin on what was actually compromised and what "manually communicating with spacecraft" really meant. Rule number 1 with mission critical systems at NASA (I work for them, but not at the locations attacked) is that they are *completely* walled off from the outside.

Now, there are some mission associated systems that are accessible from the internet which are storing spacecraft data. Here's one that has datasets from the acceleration system on the International Space Station:

http://pims.grc.nasa.gov/html/ISSAccelerationArchi ve.html [nasa.gov]

It's out there because that's the easiest way to get the data to researchers, many of whom are at universities around the world. I suppose if that server ended up hacked, it would hit the news as "Hacker brings down Space Station support system!". Sounds bad, but it's not like you can actually gain control of the spacecraft. I suspect the machines affected were used for this sort of purpose.

Re:Teh Interwebs

[wximagery95]

I work for Lockheed Martin on a classified contract for the USAF and our entire classified network infrastructure is not accessible from the outside (no VPN, no dial in, no nothing). It's a completely isolated AND encrypted network. It's a pain to work on/maintain, but it's the only way you can guarantee no one other than an insider can compromise the system by manually copying data to removable media and taking it with them. Leaked information at this level could causer serious harm to nation's national security.

When I read articles like this one, it makes me wonder what classification of information was compromised. I highly doubt it's DoD Secret or greater and if it's less than that, the damage caused by this information landing in the wrong hands is probably minimal, though disconcerting.

Re:

[Zantetsuken]

When I read articles like this one, it makes me wonder what classification of information was compromised. I highly doubt it's DoD Secret or greater and if it's less than that, the damage caused by this information landing in the wrong hands is probably minimal, though disconcerting.

So quite possibly, its just more fud from an anti-US government "news-service" (I think it was zdnet)...

Red Nets

[Amazing Quantum Man]

Yep, having set up a red net, the very FIRST thing you do is pull the plug on the internet.

Re:

[jafac]

Well, there's also the issue of the people who USE the system, not being properly trained on Information Protection. Quite often they'll raise a big stink about "secret" information, that's really just "proprietary" to a contractor (FOUO). Such information is under administrative control, and when it's compromised, the contractors will scream holy hell, because that's their trade secrets. But it's often mixed in carelessly with other data that's not FOUO, and it's often hosted on systems that are not desi

Chuckle, chuckle...

[DaedalusHKX]

I've worked both private and public research before, the reason that you can keep your network private, is because most privateers can simply buy government sponsored research that suits them, have it paid for by the government, and later have the results they bought "classified" as "top secret" or "of national security interest".

I've been there, i've seen that, done that, got tshirt and beer mug... They're just crucifying kids, because inquisitive minds, for better or worse, when coupled with direct action (they didn't wait for 20 years for anyone's approval) scare the crap out of the dictatorial regimes of the world, our dear old US included.

"In a democracy, you vote first, and take orders later, in a dictatorship, they spare you the trouble of choosing your tyrants and th wasted energy used up voting." ~unknown

Re:

[master_p]

Sounds bad, but it's not like you can actually gain control of the spacecraft.

Not even by sending a virus up the incoming data stream???

When I was there...

[jd]

...it was standard practice to put .rhosts files on all of the servers and desktops, so that nobody needed to log in more than once and so that shell scripts on remote sites could transfer data. Frankly, I'm less surprised that people have broken into mission-critical systems than in the fact that only three (the two mentioned and a file swapper) have ever been caught. I witnessed truly godawful ignorance on security issues, not least from those in charge of IT security. From the annual reviews of security, it would seem that things have improved and are now merely very sickeningly bad, but I cannot find any reason to excuse ANY weakness in a computer network (a) run by very bright people, and (b) containing a mix of extremely sensitive and/or utterly unique data.

That these three have been caught is almost incidental, when you consider the probability that there are possibly several orders of magnitude more people who have not. Those who have been were not doing anything significant, except insofar that it was possible to do at all. Nobody - least of all NASA - knows what those who have NOT been caught are doing. We're constantly being reminded about how dangerous the world is and how important it is to track kitty litter as it comes into the country. Assuming the claims have any merit at all, I'd be just a little more concerned with what the Government itself is openly, passively and willingly handing out to whoever asks out there in that "dangerous world". If it's so bloody dangerous, shouldn't the Government be doing at least the very basic minimum?

(If, however, the real reason is that NASA isn't doing anything mission-critical and that all information it has has no value whatsoever, then just shut the bloody thing down and put the money into education. I think NASA is worthwhile, but then I'd have kicked their security into shape within the first five minutes of having the authority to do so. They aren't, so they clearly don't.)

Re:When I was there...

[dgm3574]

I was there too. I worked as a contractor at JPL for a little over 3 years, on various projects, building what I'll call "mission support software" in the interest of brevity.

What I learned after being there long enough (and it took me a long time) is that one of the main reasons computer security at NASA sucks is funding; or really a lack of it. Bear with me as I explain...

The IT security people (and really, IT people in general) are considered about the lowest form of life at places like JPL, because we are ancillary to the mission. We are overhead. Our work, while helpful, is not viewed as "critical" to mission success. This is an unfortunate and incorrect perception. Try launching anything remotely complex without a computer or a network to support the mission and see what happens.

Most of the science people at NASA just want to get their work done, get the mission to fly, get their science data back, and do their analyses. The problem is that they don't value network/computer security like IT people do. They just have their narrow view of their narrow area of responsibility. This tunnel vision prevents them from caring about security until Something Bad happens and they lose mission data. Then get ready to hear the screaming. IT people get fired. Heads roll. Memos are written. Policies changed.

And then everything goes back to exactly how it was, again.

Underlying all of this is the fact that IT, because of how it is perceived, is poorly funded and therefore understaffed. Without enough staff, they can't respond to all the incoming requests for IT work.

Remember those science people? They will not accept anything getting in their way, least of all some sorry excuses from the IT department about how they can't get to your server today.

Consider this conversation:

IT: "I'm sorry, we're backlogged right now and I won't be able to do that for you today."

ScienceGuy: "No, you'll fix my server today or the lab director (basically the president of JPL) will hear about it and you'll lose your job because I won't be able to talk to the Mars rover today."

IT: "Uh, ok. You're the 5th person to threaten my job today. Looks like I'm getting fired. What would you like me to do?"

ScienceGuy: "Just give me the root password and I'll do it myself. I use a Mac with OS X, so I am a Unix Genius."

IT: "Sure thing. The password is p198*#&$S(s. Have a great day!"

ScienceGuy: "Thanks for being a team player! I'll make sure to write a memo to your boss about how you helped us."

And so, in order to "stay out of the way" of the science people, the IT people have to give away a lot of system administration duties. For this they are rewarded.

Now, remember that those science people don't care about security? And they don't let anything get in their way? Think they'll do goofy things to make their server or data more easily accessible? You bet they will, regardless of the policies. And you know what? That is why places like JPL are so successful. The science people are dedicated, and will generally stop at nothing to make their missions successful. Most of them are what I would call True Believers. They really are there because they believe in what they do. Unfortunately, they often work within very limited budgets, and within the institutional limitations like limited funding for IT staff.

Re:

[jd]

I completely agree with you, but I'd have thought JPL would have been interested in strange life-forms...

(Seriously, what you are describing I can vouch for 100% at LARC.)

Re:

[dargaud]

Good summary. I worked at Nasa in a lab doing mostly data analysis a long time ago, and all the system administration at the time was handled by student (full time in summer, part time the rest of the year). While many of those are dedicated and talented, it's an understatement to say that experience was lacking. Heck, I was 16 at the time ! Then again it was a long time ago in a non-mission critical lab, so things are different. But the reason was the same: funding, or rather, lack of it. Another thing I n

Re:

[jafac]

Right you are.

Especially if the system is involved with exchange of weather data.
(which really shouldn't be classified, IMO - anyone can lick their finger and hold it up inthe air).

NASA's weather systems exchange data with all kinds of other government agencies, Dept of Fish and Game, National Weather Service, etc. They have accepted ways of exchanging data, and holding all of these to tight information protection standards is kind of impractical.

Re:

[jd]

If the stuff's important, then they can always use a secure VPN tunnel. OpenCA will let you roll your own certs, so those cost nothing, and telling IPSec or SSH to validate on a cert is a piece of cake. It's all transparent to the user, the user doesn't need to learn anything fancy, the automated scripts would not even need touching, but you've now got a level of security that is at least beyond the average 5 year old.

Weather stuff and other public information need to be protected only insofar as they shoul

Re:

[jd]

Good point. Boeing's aircraft research (such as the blended wing body they worked on with NASA in the 1990s) was on open servers. DES encrypted, sure, but even back then, nobody took single-pass DES seriously as an encryption system. Undoubtedly work on scramjets, rocket fuels, etc, were also on public systems with insignificant protection. So far, there is no evidence of India, Pakistan or North Korea having hypersonic intercontinental cruise missiles, which tells me that those nations too unstable to be s

Re:

[gwayne]

Critical systems are firewalled off or completely isolated. Some of the systems on our contract got hacked. Some of the targeted NASA systems that are publicly accessible house engineering drawings and such that must be available to a variety of people and places. Incidently, most of the hacked systems were running Windows.

Re:

[tubapro12]

You forgot the satellites have bluetooth and Wireless-G adapter! Our satellite overloads [slashdot.org] have to have some way to get pirated music.

$1.3? $100k?!

[elysiuan]

Why bring the monetary damage (I'd be interested to see how it was calculated in the first place) into the equation at all? These are trifling amounts of money on the scale of government spending. 100k from the Navy and US Department of Energy? Yeah I'm sure they're feeling the 'loss'. Hacking into government systems should be enough of a crime without throwing this wacky money figure into it all.

Re:

[h2g2bob]

For extradition, there's often a minimum amount of damage (in $$$) that is required before someone can be extradited.

Re:

[Warg! The Orcs!!]

The term "damage" is quite loose here. NASA can claim that $1.3m of damage was caused whereas I would have described it as "$1.3m was spent plugging the holes that shouldn't have been there in the first place". In this case the 'hacker' isn't causing any damage at all, he's merely exposing a badly designed system. Any damage is the fault of the original progammers.

Hacker Crackdown

[dbIII]

Read Bruce Sterling's "The Hacker Crackdown" for how these spurious figures are calculated. The examples are old but so is the mindset behind this. The author has put the entire book online.

Project Gutenberg

[Anonymous Coward]

http://www.gutenberg.org/etext/101 [gutenberg.org]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[bitt3n]

hey, have a heart! the Navy could have used that $100K to buy a hammer and maybe even a few nails.

Re:

[edwardpickman]

Personally I'd rather see that money put towards fixing the Hubble telescope or extending the mars rover mission than fixing damage that some hacker did.

Paraphrased for Joe Six Pack

[Alchemar]

Your Honor:

This kid broke into my house and stole a six pack of beer, but now I don't feel safe in my house anymore, so for actual damages I am including the cost of a house in a lower crime area with private security guards. The kid's dad originally bought the beer so I didn't include the cost of the beer in the total.

Re:

[Ninjaesque One]

But the thing is, govermental IT is different, especially military IT. They spend $100,000 on maintenance for 50-year-old carriers that have about the same chance as a snowball in hell's surviving to be returned into active service. The military probably spends $100,000 yearly on landscaping for Arlington Nat'l Cemetery.

Re:

[balsy2001]

You are underestimating by an order of magnitude. In the FY 2000 budget for grounds keeping at the national cemetary cost $1.75 million and that doesn't count the $698,000 for tree and shrub maintenance (http://www.arlingtoncemetery.net/decay02.htm). I am sure it has only gone up since then. I had a hard time finding more recent numbers with such a good break down on grounds keeping cost.

Think about...

[Anonymous Coward]

...all that money spent on server security...

Prove it

[Anonymous Coward]

Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said.

I smell a false inflation of damages, much like Motorola in the Mitnick case.

Re:Prove it

[loraksus]

What are you talking about? NASA had to hire hundreds of people to write the communications out by hand in binary and send over 200,000 pigeons to deliver it to the spacecraft (where they had significant issues with packet loss).
Those numbers are extremely conservative!

Re:

[garcia]

Well, it was the number of pigeon spacesuits and oxygen tanks for those suits that actually caused the financial damage. It wasn't the pigeons and binary conversions themselves!

Re:

[electrosoccertux]

Those numbers are extremely conservative!

That's exactly why the can't be trusted. ;)

Re:

[Anonymous Coward]

I would argue that there are no financial damages due to unauthorized break ins. If someone tells them how to infiltrate their systems without actually doing it. They would have to assume it's already been done and take exactly the same steps. Don't get me wrong, it's still wrong but losses should not be a factor if nothing was done except breach security.

Re:

[westlake]

I would argue that there are no financial damages due to unauthorized break ins. If someone tells them how to infiltrate their systems without actually doing it. They would have to assume it's already been done and take exactly the same steps.

The Law for Geeks 101: You break it, you buy it.

Re:

[madsheep]

There is something you have to understand about how these numbers are calculated. If one system is compromised (and remember there were hundreds), it can take hours of investigation by multiple people. Then there may be computer imaging, other forensics work, and ultimately reinstallation of the machine. This may go across multiple departments, contractors, and divisions within a single organization. So if we have 6 people involved in one incident and they each spent 6 hours on it. That's 36 hours wort

Not very bright and certainl not "white hat"

[madsheep]

If you ever went to the websites that this "Victor" character hosted their "hacks" on you could see what kind of geniuses they were. The "White Hat Team" as they called themselves were/are a bunch of clueless script kiddies. They would host their website (www.whitehat.ro) on hacked servers, so it would frequently go down and be reuploaded elsewhere. They flat out told you this on their ugly poorly designed webpage. On top of that they had tons of screen shots of various systems they compromised accounts on (and sometimes gained root). It was fully of typos, bad commands, and just other terribly embarassing things.
Honestly, I feel bad for this guy (and probably the rest of the team when they're indicted), not because he's been arrested, but because he is such a moron! Hackers... not at all. White hats.. nope (about as smart as the Ironic on). Morons..yes.

Re:Not very bright and certainl not "white hat"

[Anonymous Coward]

> It was fully of typos, bad commands, and just other terribly embarassing things.

Sounds like he has a bright future right here, on slashdot.

Re:

[pilsner.urquell]

The "White Hat Team" as they called themselves were/are a bunch of clueless script kiddies.

Yes, and can you say Deep Do Do?

Re:

[ms139us]

It was fully of typos

Oh, teh inory!

'hackers'

[hadhad69]

The hackers didn't actually break in though, they merely sandboxed a comp in an underground bunker in new mexico...

Manually Communicate?

[houstonbofh]

Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft
I can just see one of the guys standing outside NASA JSC yelling up at the sky, "How Ya'll doin up there?"

This is the result

[cdrguru]

of glorifying such stunts and of the FBI refusing to even consider something for which there isn't at least $25,000 worth of damages.

Glorifying such fool pranks I would consider the same as glorifying cutting brake lines on school buses. Really quite funny when the bus driver tries to stop. How could it possibly hurt anyone because any bus driver is going to notice what is wrong long before the first child sets foot on the bus. Right. Keep thinking that way. Of course, what these folks did was just for fun and it didn't really hurt anyone, now did it?

The FBI putting a dollar floor on damages ensures that nothing is ever done when these kids do something minor. Rather than someone identifying them and giving them a warning nothing happens. When you were 16 if you were never, ever caught shoplifting would your escapades advance to other, higher-price objects? Of course. Which is exactly what is happening here.

ISPs refuse to identify or even forward communication from people complaining about attacks. So your only choices are to either wait for $25,000 in damages to bring in the FBI (who is the only possible law enforcement agency with jursidiction) or you decide to spend lots of your own money to file suit against some 16 year olds to "teach them a lesson". Of course, you end up with the "lesson" because they will be laughing at you when you find out you can't sue a kid in Romainia.

Re:

[jpardey]

No. This is the result of bad security. If they hadn't done it, some mafia somewhere probably would have. If you are in the government and have a car plainly marked as such, do you leave it on the side of the road with no one attending it, and wait for someone to plant a bomb in it or cut the brakes? I highly doubt it. Big targets need security, if they want to remain secure.

Re:

[twistah]

Glorifying such fool pranks I would consider the same as glorifying cutting brake lines on school buses. Really quite funny when the bus driver tries to stop.

Yeah man, lots of kids have died due to hacking attempts. There isn't a "rolleyes" icon big enough to reply to your post.

Manually communicate with spacecraft ?

[Timesprout]

Is that like giving hand signals to V'ger?

Re:

[account_deleted]

Comment removed based on user account deletion

I'm not sayin'...

[lazycam]

I agree with hacking into US goverment machines. I have no plans of spending the next 10 years in a federal prison or Gitmo for that matter. But, who is then responsible for testing the security of our critical systems? Is that no our duty as programming and security professionals? Please explain to me why such machines were connected to the internet again? That's like walking outside the door in the morning without a pair of pants.

Re:

[Frosty Piss]

But, who is then responsible for testing the security of our critical systems?

The point is, not some random hacker from the UK or Romania who calls themselves a "security researcher". Honestly, this guys story is lame.

Re:

[lazycam]

Hey, sometimes it's your average Joe who points out a problem. http://it.slashdot.org/article.pl?sid=06/11/30/133 3216 [slashdot.org]

Re:

[asuffield]

But, who is then responsible for testing the security of our critical systems?

The point is, not some random hacker from the UK or Romania who calls themselves a "security researcher". Honestly, this guys story is lame.

Who, then? A company who calls itself a "security researcher" will simply keep any issues secret so that the government bureaucrats can continue to do nothing about them - their customers are the people who have a vested in interest in secrecy, and no real interest in security. This sort of th

Re:

[budgenator]

I'd hope the these guys actually broke into a machine in the DMZ serving data over the internet and used a shell on that one to penetrate deeper into the network.

Re:

[dapyx]

Not just 10 years, but up to 54 years, if he'd be found guilty of all 10 offenses. But there's a problem with his extradition: Romania and the United States have an extradition treaty from 1924, which includes a large variety of crimes, but not computer crimes.

Re:

[Beryllium Sphere(tm)]

>Is that no our duty as programming and security professionals?

If we're the ones owning or operating the systems. I've got some trouble believing someone who leaves taunting messages (but not detailed remediation instructions) when they claim they were running a pro bono penetration test.

They can manually communicate with a spacecraft?

[DeQueue]

Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft...

Did they use an a hitchhiker style Sub-Etha Sens-O-Matic electronic thumb or just a towel?
Dequeue
"Insert witty .sig here"

What i really think is that -

[unity100]

they are frightened to death of them that they might reveal information that nasa and co are able to hide from the public by getting scientists sign dreadful national security oath papers.

The money lost at NASA

[joe_schmoe_the_geek]

NASA = $18 billion in corporate welfare for aerospace companies and bureaucrats.  A few million more is pocket change.  Personally, I'd rather see the FBI spend its time catching terrorists and spies and leave the chasing of Romanian teenage script kiddies to someone else.

Re:

[ScentCone]

A few million more is pocket change ... leave the chasing of Romanian teenage script kiddies to someone else.

OK, so if some stupid punk kids decided to torch a NASA training jet worth a few $million, that wouldn't be worth the trouble, either? Wasting NASA's resources (my tax dollars) on the physical destruction of property, or the collosal waste of human energy hunting down pointless script kiddie vandalism is just as bad. And just as worth runing down.

I'm a "White Hat" hacker too

[Infonaut]

I just hacked my way into the Bank of America, just to test its security. The fact that I managed to dowload millions of user account files with sensitive personal information I could sell to unscrupulous characters is *totally* beside the point of my wholly beneficial White Hat Crusade.

Next week, I'll be mounting a White Hat Mission to test the security of Apple's online ordering system. If a few dozen dual core machines find their way to my house, it's a sacrifice I must make for the greater good!

US Government is a joke

[Anonymous Coward]

Pfft, hacking government systems are the SS/Evis - 2 button "I Win" rogues of hacking.

Everyone knows all you do is type in login: admin and no password to get root access to every branch of the US.

If you want a real challenge, try identifying and hacking other hackers computers.

Honestly the US is a joke - my boss asked me to do background checks on new employees to check for criminal records (doesn't bar employment) and red flags, so I logged into the NSA's highest admin (again, l/p = admin/(blank)). Ok so

Re:

[Jeian]

Pfft, hacking government systems are the SS/Evis - 2 button "I Win" rogues of hacking.

SS/Evisc? Someone needs to learn2play. :P

Claims to have led a 'white hat team' to expose...

[Thaidog]

I can believe that. You'd almost certainly look like a black hat trying to describe flaws in such systems.

So what's being done...

[Schraegstrichpunkt]

... about the government's chronic security problems? I don't care whether or not what this guy did was illegal; He shouldn't have been able to do that much damage. Was this attack not in the government's list of screenplays?

Say it with me again folks...

[davmoo]

...if you can't do the time, don't do the crime. And "if you can't pay the fine, don't do the crime" works too.

Most people seem to be bringing up the lack of security on NASA systems or the inflated monetary loss estimates. Totally irrelevant. If I secure my house with a 100 year old skeleton key lock and also place a big sign in front of the house that says "Door key under welcome mat, $100,000 US in freezer behind ground beef", I may be stupid but that still does not give you the right to enter my house without my permission.

Re:

[QuantumG]

big sign in front of the house that says "Door key under welcome mat, $100,000 US in freezer behind ground beef"

Sounds like an invitation to me.

Re:

[bzipitidoo]

NASA ought to get slapped around for being reckless. The law shouldn't be used to shelter this willful disregard of basic computer and data safety. Turning to the law ought to be a last resort. What if they'd lost their valuable data because they didn't back it up off site and a fire broke out and destroyed their data center? Sue the fire department? Or if a hurricane destroys it, sue NOAA? So I suppose they'll sue this hacker into bankruptcy and lock him up for 10 years so theyll have plenty of time

Re:Say it with me again folks...

[_Sprocket_]

Various US Government Agencies have been slow to pick up information security. With few notable exceptions, the US Government just doesn't get infosec. But what the US Government does understand is law. Law is a relatively slow process compared to the hack. Some of these cases take years before the Feds are knocking on doors. If you're a script kiddie who's keen on a *.gov address for your IRC bot, keep that in mind. In the short term you may be successful. But you have no idea if the US Government actually did notice and are taking the long, drawn out process to bring you down via whatever Law allows it.

I once attended an infosec meeting at a NASA center several years ago. The initial presentation was an analysis of an incident involving some Oganization's lab systems. It was well done and full of very handy technical information, lessons learned, and advice to other Orgs on how to avoid a simular incident. I looked around the room. Most eyes were well glazed over. Obviously the information was lost on an audience who should be taking notes. The next presentation came from our FBI representative. The rep. basically talked about the lab equipment that was confiscated... what was happening to the HDs during analysis... and the process of "getting the bad guys." The crowd lit up. Everyone was rather excited. They were going to get the bad guys. Few there seemed to realize that this was not "good news". Rather, it was a failure as the lab systems compromised represented lossess to already-tight budgets.

Things have changed since that time. Infosec is changing... at least at NASA. There are new attitudes, new requirements, new regulations. I've still got my own concerns and criticisms of the state of things. It's far from perfect, to say the least. But there is change. We'll see how well it holds.

Re:

[Beryllium Sphere(tm)]

>the inflated monetary loss estimates. Totally irrelevant.

If the estimates are inflated, something which has been known to happen, then the misstatement diverts law enforcement resources and can influence sentencing. Petty larceny and grand larceny are separate crimes for a reason.

>If I secure my house with a 100 year old skeleton key lock and also place a big sign in front of the house that says "Door key under welcome mat, $100,000 US in freezer behind ground beef", I may be stupid

Your insurance com

Re:

[davmoo]

Come on my property while I'm home and threaten me or that property and I'll allow you to possess 10/10ths of a number of pieces of lead, all flying at high speed. And in my state, gun ownership os legal. And so is deadly force if you feel yourself, your family, or your property is under imminent threat.

And if I'm not home, my two dogs will possess 9/10ths of your body parts.

The government that couldn't build a database

[titusdwight]

The Department of Homeland Security has spent millions (some reports have it as high as 100 million) to build a database that will share terror information. So far they have nothing that even works in a Beta state much less a working program. And we're supposed to be shocked that these folks can be hacked. I read an article about it on http://www.adamswickle.com/ [adamswickle.com]

Manually communicate?

[yamamushi]

Can someone please explain to me how they would manually communicate with a spacecraft, as opposed to using a computer system? What is the difference?

Re:

[Detritus]

You could manually compile a list of commands and type them into the command encoder. Normally, most of the work is automated.

Pfffffffft

[lewp]

It seems everyone else has been busy hacking into government systems while I've been wasting my time playing Warcraft.

The joke's on them. They're going to jail, and you've got all the epics!

There has been crime commited on both sides.

[A beautiful mind]

The romanian kid is obviously a script kiddie and obviously he deserves some kind of punishment.

Another crime is commited here though, which is denying this kid a fair trial.

The previous case with the UK script kiddie was indication enough that things are terribly wrong. The FBI is banking on the general public's unawareness on computers. That Gary guy accessed some US govt. server with a default windows password or something like that, was it? Yeah fitting punishment of life in prison NOT. The FBI throws around ridicioulus numbers as to justify the harsher penalties, but the truth is, the guy is responsible for very little damage, even though the system had to be reinstalled etc, BECAUSE the system was so insecure in the first place that it should have been replaced in the first place! The wast majority of the costs are the due to their own stupidity. The equivalent case would be a car crashing into a skyscraper and the skyscraper collapsing. Yeah, sure the driver is at fault for driving badly, but he's no way responsible for the collapse of the skyscraper in any sense except direct physical!

The amount of damages is seriously overinflated aswell, others have pointed to Bruce Schneier about it. You can't claim millions of dollars of damages when "you" (the FBI) went around and handled the whole thing the wrong way! Yeah, I might expect a citizen not to have a clue about computers and buy these stories, but the FBI has a responsibility not to talk out of its ass.

Similarly, in this new case, damages are overinflated and, yeah the kid broke into the system, but the one who caused the damages which caused problems at NASA is the idiotic MORON who designed the system in the first place. These stupid hacker stories are designer/maintainer problems and the FBI should damn well recognize this, because they have the technical expertise in order to do so.

But they are not doing this. In light of this I'm a pretty serious proponent in urging the non-US countries of the world of suspending ALL extradiction treaties (which should have happened right after Guantanamo rights abuses went public) with the USA until we can be sure that justice is served, not some scaremongering directed at the domestic public of the USA.

It has to be mentioned that I'm pretty pissed about it, since it sort of hits home. Arad, where the guy is from is a historical hungarian town which now belongs to Romania. There is a good possibility that this guy has hungarian origins and as a hungarian I'm
a.) scared about the bullying the USA comes up with
b.) even if the guy extradited is an obvious moron. I would think he'd deserve something in the amount of 2 years probation judging by the cases I'm familiar with, not extradition to a foreign country and dumped in a pound-my-ass prison for life. The USA prison conditions are despicable, but that's another story.

Re:

[hritcu]

Arad, where the guy is from is a historical hungarian town which now belongs to Romania.

Well, if everybody was to judge like this then the whole Pannonia is a historical Romanian province, which now belongs to Hungary (map from 82BC [wikipedia.org]). Just be more careful with affirmations like this.

There is a good possibility that this guy has hungarian origins

Just by looking at his name (Faur) you can tell this guy is Romanian.

Finally, he is a Romanian citizen and it's very unlikely that he will be extradited. Y

Re:

[A beautiful mind]

Arad is not a hungarian town and never was. That geographical area was briefly occupied by the Austro-Hungarian empire but the hungarian population in Arad is probably arround the 7% average applicable to Romania.

I'm getting pretty tired of baseless nationalism. It is pretty despicable the way people are trying to rewrite history when dealing with the consequences of WW1.

Currently you could say that the 15% hungarian minority in Arad makes it pretty "romanian", and I guess you were right, but you don't

Re:

[A beautiful mind]

Didn't I say historical? Reading comprehension, zero. Check my reply to the other uninformed post.

Re:

[A beautiful mind]

I guess I was being careless in underestimating the nationalism. If I would have known that some romanians will completely ignore what my post was about and nitpick on stupid nationalistic details then I'd have just omitted writing down that sentence.

It's way off topic here and I generally refuse to get involved in petty squabbles. I don't care about nations or countries or borders, but about humans and I would have thought europeans would have gotten tired with the infighting.

Common sense

[c-reus]

It's simple -- you just don't hack government computers. Way too much trouble when you get caught for that. Everybody knows that.

At least everybody *should* take note of that.

Let me get this straight...

[alexhard]

systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said.

They first build insecure systems...then complain when they have to spend money fixing them? wtf? They can't actually be that stupid, can they?

But wait a minute..

[Roy van Rijn]

Because NASA didn't secure their computer properly and have to do it again (costing some money) they are going to have some teenager take the blame..!?

The whole internet is based on getting information from systems, and if NASA is providing this information its their fault... :P

Good!

[crhylove]

I think most of the scientific data available from our space program should be immediately available to the public anyway! Now, is this just read access, or is somebody able to ruin the data?

rhY

He is NOT going to be extradited

[hritcu]

He is a Romanian citizen and it's very unlikely that he will be extradited. Romania does have a extradition convention with the US from 1924, which become valid by the Constitution change in 2003 (before that no Romanian citizen could have been extradited by the Constitution). However, the list of crimes that this convention covers does not include breaking into computer systems (it was signed in 1924 so it's quite normal). And this would not be the first time when these kind of things happen, there were ot

Re:

[Deadstick]

The government has a way of inflating values on damage like this to make the charges more than what they should be.

Also gives 'em something to tack onto next year's budget request...

rj

Re:

[Qzukk]

The government has a way of inflating values on damage like this to make the charges more than what they should be

Not to mention they typically charge for "fixing the hole" when they should have fixed the hole on their own dime in advance.

Where did you get "guesstimate" ?

[Infonaut]

Instead of tossing out a "guess-timate", they should not give a quote without all the facts present.

If the government claims $1.36M + $100k in damage done, they have to submit evidence to the court as to why and how they came up with those numbers. Much of the reason cases involving economic damage take so long is that the discovery phase of the trial, when all of this information gets unearthed and shared among plaintiff and defendant, takes a lot of depositions, requests for information, requests for further information, and so on. You'd better believe that *if* the US successfully gets him extradited to the United States, his attorney will be issuing subpoenas for proof of those numbers. If the government can't substantiate them, it won't fly with the judge.

Re:

[rijit]

No idea where I got guesstimate, just seems to me that the damage amounts in all recent hacking cases are higher than would be expected for someone invading a network and printing some rude message. After years of hearing reports of the government paying outrageous sums for contract work it would only be a slight stretch to apply the same overinflated amounts to "virtual damage" done to government networks to try and build high dollar cases against hackers to get a better chance at extradition.

Get a spin doctor

[MMaestro]

Seriously. Its really not THAT hard to BS cases when you're talking about literally thousands of different factors. Just go down the usual list.

1. Calling in and paying the IT guys. Assuming its not covered by insurance/protection plan/special contract, you're looking at thousands of dollars worth of fees right there. NASA doesn't exactly run on closet full of servers converted from unused PCs that can be wiped on a whim just because a hacker got in.

2. Downtime. Whats that? Your staff of hundreds/thousands

Re:

[Infonaut]

You assume the defendant will be provided with a competent attorney.

Just because someone is extradited doesn't mean they can't obtain their own counsel. Even if they were given court-appointed counsel, you'd have to try pretty damned hard to find an attorney that had passed the bar in any state in the Union who would be so incompetent as to not seek evidence during discovery. If he or she were to not take advantage of discovery, they would very likely later be sued for malpractice. The losing party woul

Re:

[Mr. Hankey]

They are responsible for those figures. Without going into too much detail, the cost of the personnel's salary who work on the various aspects of the investigation as well as the salaries of researchers affected is taken into account. If they attach a figure, there's something to back it up.

Re:

[budgenator]

I met your Olympic boxing coach and your boxers at Atlanta 96 and they earned a lot of my respect; don't hate your country, it's been through more than most could endure several times over. Things will get better.

Re:

[SinGunner]

So if you walk outside in the morning without your pants on, it's fine for someone to throw acid on your private parts because it shows that you're an idiot for not wearing pants? Life is risky from the first second to the last second. Is your life's goal to be encased in carbonite so nothing can get at you? Cause I hear your eyes don't work for shit after they unfreeze you, which will mean you'll be even MORE vulnerable!

Re:

[budgenator]

A psycho with a funny mustache named Hitler, killed them