Romanian Accused of Breaking Into NASA
alphadogg writes "Romanian authorities have arrested a 26-year-old hacker who is accused of breaking into multiple NASA servers and causing $500,000 in damages to the U.S. space agency's systems. Robert Butyka, 26, was arrested on Tuesday in Western Romania following an investigation by the Romanian Directorate for Investigating Organized Crime and Terrorism. According to local reports, the hacker used the online moniker of 'Iceman.' He does not have a higher education or an occupation, a DIICOT spokeswoman said."
...not to endorse his actions (Score:5, Insightful)
...but why aren't IT admins being held accountable for the lax security on their servers? And no, I don't buy the "if I leave my door unlocked, it's not an invitation to break in", since it's a paid position. If a cop fails to prevent a crime due to negligence, the city can be sued. Most of these break-ins are due to IT negligence, not hacker genius.
Not in DC (Score:5, Informative)
If a cop fails to prevent a crime due to negligence, the city can be sued.
http://en.wikipedia.org/wiki/Warren_v._District_of_Columbia [wikipedia.org]
Re: (Score:2, Offtopic)
If a cop fails to prevent a crime due to negligence, the city can be sued.
http://en.wikipedia.org/wiki/Warren_v._District_of_Columbia [wikipedia.org]
From that wikipedia page:
DC's highest court ruled that the police do not have a legal responsibility to provide personal protection to individuals, and absolved the police and the city of any liability
If the police have no responsibility to provide personal protection to individuals what the hell are they for?
Re: (Score:2)
Probably money.
As a programmer, while I like to think I'm diligent when it comes to security, if I could find myself in prison for introducing a security bug .. I'd be wanting a hell of a lot more money for accepting that risk.
Ultimately you'd probably just end up with the equivalent of medical malpractice insurance .. occasional screwups would be spread out and become a "cost of business", and we'd just be back to square one.
Re:...not to endorse his actions (Score:4, Insightful)
I think negligence would be *very* hard to establish. First, most computer bugs, including vulnerabilities, are very obvious - in retrospect. Finding the needle in the haystack is easy after somebody points it out to you. That's entirely different than integrating hundreds of software components without creating any "obvious" holes.
Second, how many sysadmins are given all the resources they would like to do their jobs? Security is cost/benefit, like anything else, you devote enough resources to make the pain tolerable, and no more. That means most admins have far more responsibilities than they can cover 100%.
Re: (Score:2)
Usually it seems to be the configuration scripts of the system that is the problem. There isn't any need to bury bugs in source code. Think of every network based application a system may have and how many configuration files each of these has; ssh, sftp, mail-servers/clients, file-sharers, networked file systems. It only takes one to have an easy to guess password and user account or open permissions.
You just need to sugarspeak dangerous safety options in the official (or unofficial) webpage.
"If you want t
Re:...not to endorse his actions (Score:4)
How do you know the admin was not held responsible? He could have been fired, demoted, etc.
If you mean why isn't the admin held responsible by the legal system, what law would allow him to be held responsible? IT admins are not sworn to duty (like police) or licensed (like professional engineers).
Your example of the city being sued does not work here. The person suing the city would be the person who was harmed by the negligence. Who, other than NASA, would have standing to sue in this case? Who would they sue, themselves?
You're kidding, right? They're the government (Score:2)
We have the head of the SEC, when asked "why can't we fire failed regulators", responding by saying that that would harm the agency.
http://www.washingtonpost.com/business/economy/seven-sec-employees-disciplined-on-failure-to-stop-madoff-fraud/2011/11/10/gIQA3kYYCN_story.html [washingtonpost.com]
We just had a recent story about how the IRS can't get its act together and I betcha they are not in worry about losing their jobs. We have more government workers making over 100k a year and 900+ over 170k a year. Do you think any a
Damages (Score:4, Interesting)
I'm betting the damages are formulated entirely from the cost of them having to do PR (they got hacked by a NEET after all) and 'fix' the security hole (because face it, they'll probably introduce 10 more flaws when fixing one).
Re: (Score:2, Informative)
As someone who worked at NASA during a hacker break-in, I am frankly surprised that the damages are that small. All of the machines were taken offline for a couple of days. All of the IT people worked round the clock to restore the servers to a previous state and try and fix the exploit. All kinds of onerous policies for the users are put in place that lasted for a month. Several new onerous policies persisted longer. Work productivity was definitely lost by all of the users (scientists) of all of th
How much? (Score:2)
I can maybe understand if a figure like that is reached via physical proximity and a sledgehammer.
But an unauthorised intrusion?
Even a complete restore from backup can't possibly cost that much in lost time for employees.
Re: (Score:2)
I could see the audit process to determine what, if anything, was downloaded/altered costing a pretty good chunk of that. Especially when you start getting lawyers involved over possible ITAR issues if someone on the inside was negligent or actively aiding the intrusion.
Re: (Score:2)
actually all that work would have been necessary regardless of the intrusion.
Re: (Score:2)
the costs come from noticing and investigating.
in other words, there would have been no monetary damages if they hadn't pursued the culprit.
funny, eh? the damages are thus made up from thin air.
No education or occupation (Score:4, Insightful)
According to local reports, the hacker used the online moniker of "Iceman." He does not have a higher education or an occupation, a DIICOT spokeswoman said.
No education and no occupation, ha?
So who is working for NASA then, that this 'no-education and no-occupation' individual is able to break into their systems?
Butyka is accused of hacking into several NASA servers over a period of time that started on Dec. 12, 2010. The authorities claim that the hacker destroyed protected data and restricted access to it. The charges brought against Butyka include obtaining unauthorized access and causing severe disruptions to a computer system, modifying, damaging and restricting access to data without authorization and possession of hacking programs.
He possesses hacking programs, that means he is a terrorist. What kind of 'severe disruptions' did he cause that cost 500,000 USD?
Romanian authorities have arrested a 26-year-old hacker who is accused of breaking into multiple NASA servers and causing $500,000 in damages to the U.S. space agency's systems.
- this is a bunch of nonsense.
He cost an admin a few hours of time and maybe a reinstall and reconfigure. Even at 1000 USD / hour, no way somebody spent 500 hours on it (that's 20.8 24-hour days or 12.5 40-hour weeks).
This is more government nonsense.
Re:No education or occupation (Score:4, Interesting)
Possession of "hacking programs" is a crime? I think all my computers except my gaming PC have "hacking programs" on them, good thing I don't travel to the states these days.
Re:No education or occupation (Score:4, Funny)
well, he also owns a computer, this is almost a 100% indication that he is a pedophile-terrorist, or a pedo-rist.
This is what government is for - making sure that the right people are always punished for their transgressions. That's why Jon Corzine is in charge normally, of some government and/or economic function somehow and disgusting people like Ron Paul are blacked out by the media because they challenge the status-quo.
Also USA is sending troops to Australia [rt.com]. You know, in case pro-Chinese Kangaroos join Al-Qaeda.
Re: (Score:3)
Now that I think of it, the government owns quite a number of computers
Re: (Score:1)
Yes, and I am sure that some of those computers will be "inadvertently" found to be in possession of some of those Australian kangaroos. And Ron Paul.
Re: (Score:2)
... and quite a number of hacking programs, for that matter!
Re: (Score:2)
Q: What's a libertarian's favorite snack?
A: Pyrk rands.
Re: (Score:2)
... good thing I don't travel to the states these days.
Not sure what the laws are in the 'states' regarding hacking programs, but the article clearly states he was arrested in Romania... Does this mean residents of Romania are restricted from accessing BackTrack and BackBox linux distros?
Re: (Score:1)
good thing I don't travel to the states these days.
Does it sound like he did?
Re: (Score:2)
This easily falls under the CFAA [wikipedia.org] in the United States, but so does practically anything, like, say lying about your weight on a dating site (seriously - there was an article about it on the Register yesterday as of this writing). I'm sure hacking programs are also covered in an over broad way on that law.
And of course United States laws apply to everyone... but I can see Romanian authorities bowing to the whims of the United States - if the US has a friend in Europe, it is Romania. When I was there about th
Re: (Score:2)
You have vi on all but one of your machines? You damned criminal types! :P
Re: (Score:2)
... good thing I don't travel to the states these days.
Uhm, hello??? He was arrested in Romania by Romanian authorities and is being charged under Romanian laws in the Romanian court system. It's not illegal to have "hacking programs" in the States.
Re: (Score:3)
Reinstalling and reconfiguring every system the hacker may have touched is impractical, and would take far more time than NASA can spare. Calling in auditors to make sure there were no rootkits, backdoors, or other bad stuff on any other systems is expensive. Deleting the results (and backups) of the latest experiments means months or years of work has to be redone.
$500,000 actually strikes me as a pretty reasonable estimate.
Re: (Score:2)
That's just nonsense. A large organization can re-image large numbers of machines automatically, but more importantly is that in large organizations the Internet connection is normally done through one or a few systems, not every computer has its own external IP address and ports are restricted on the exit nodes. Watching and restricting the Internet-to-internal machine traffic on ports is part of what admins are for in the first place.
Fix the problem even if it means a reinstall of the exit nodes, patch t
Re:No education or occupation (Score:5, Informative)
I take it you've never actually worked on a high-security system. Here's what I remember of the procedure at the last high-security place I worked:
In the event that a machine (including a gateway) is compromised, any machine it can access is considered threatened, and must be thoroughly checked. No, NAT does not help, because once someone has control over the bridge, they can send data to any machine they want, even those without an external IP address. If any router, switch, or machine shows any slightly-suspicious activity (even as benign as an unscheduled database login), that machine gets an even more thorough examination to find out whether the activity was actually related to the hack, and what resources the hacker may have gained access to. If there's any indication that the hacker had shell access or retrieved data, the machine is considered compromised. If the machine stored any sensitive data, that data is reviewed to see if it could allow access to other systems (such as challenge questions & answers for resetting passwords). This investigation, which often involves the use of outside consultants (because there may have been inside help) continues throughout the whole network until the full extent of the breach is known. Being a government agency, the breach will likely involve a several-hundred-page report covering every detail. Somebody has to write that.
The cost is already in the hundreds of thousands of dollars, and only then can the repairs start. It's often not as simple as just restoring a backup, either. Sure, the operating system can usually be done quickly (including fixes for the responsible security holes), but if there's any indication of data being touched (which, in this case, there was), that has to be addressed, too. Backups are usually old. In an ideal world we'd be making hourly backups stored offsite in an everything-proof vault, but that's never really the case. If an admin's lucky, he has a backup that's less than a week old - or it was when the breach occurred. Somehow (best described as "magically"), the admin has to figure out what changes were intentional (like experiment results, or customer orders, or whatever) and what was the result of the breach, then piece together the data to get something reasonably complete and up-to-date. Finally, after days, weeks, or months of reconstruction (most vital systems first, of course), the system is declared clean. Until then, projects get postponed, and other employees are being paid to play solitaire until their real work can continue.
Then there's the "let's not do this again" phase, where employees change passwords, get lectured on security practices, sit through seminars on how to properly encrypt data, and so forth, all of which costs even more money. There's probably still an ongoing investigation as to whether anyone inside the organization helped the hacker, likely being run by consultants.
Then there's the damages caused by any delays, which may involve contractual obligations. That's more money.
It's not as simple as just re-imaging and assuming that everything's fine. Sure, that works on workstations, but it's unlikely that a workstation was all that was damaged. Once a server gets touched, the costs rise dramatically.
Re: (Score:2)
So let me get this straight... If a workstation is compromised, it's cleaned, but there's no need to bother reimaging. If a server is compromised, and data is lost/damaged, it doesn't matter because it was already the admin's job to fix it, so it doesn't cost anything? And the lost productivity due to countless meetings to review doesn't cost anything? And the projects that get delayed don't cost anything, regardless of being under contracts? And the resulting investigation, likely involving travel to forei
Re: (Score:2)
I work in a large company (not government/CIA) and if we had some kind of break-in with our systems we'd be going through all the sorts of things you suggest. And we care about turning a profit so it isn't like we just spend money for the sake of doing so. The CIO would be ticked, but he'd be bringing in those consultants pronto because with something like this you have to do it right.
I'm sure some data would be lower risk than others and might not get as much scrutiny, but just determining what is importa
Re:No education or occupation (Score:4, Insightful)
So anybody who can smash a car window and steal a stereo is smarter than the guys who design cars? That is not a logical conclusion.
Re: (Score:1)
If that's your metaphor for an unpatched system or a system with some weak passwords in it, then I can't help you.
The work of an admin is not to leave an 'unsecured car' without supervision. If the 'windows can be smashed', it means the admin is not doing his job.
Actually it's more like having a tank with a hatch opened, and somebody throwing a hand grenade into it.
Re: (Score:3)
No, but a guy who figured out how to throw a pebble in *just* the right way to allow access to a locked car (and drive it) without setting off the car alarm or giving much evidence of intrusion is smarter than the guy who designed the car's security measures.
Re: (Score:2)
No education and no occupation, ha?
So who is working for NASA then, that this 'no-education and no-occupation' individual is able to break into their systems?
This is Eastern Europe. He might have a job and just be evading taxes.
Re: (Score:1)
Evading taxes? Oh crap, don't tell that to the prosecutors. Like the guy doesn't have enough problems on his plate already. Shush.
No different than (Score:2)
the DEA stating that each cannabis plant is equal to a lb of weed. Sure, it's possible if you grew it outdoors in California, but 99% of the time people get nowhere near that. With big plants (6 week veg) they might get 4oz dry off each plant.
Re: (Score:2)
A virus can break into your huge, complex and perfectly evolved human immune system, while being the simplest lifeform.
Defending is a much harder problem than attacking.
Re: (Score:2)
So who is working for NASA then, that this 'no-education and no-occupation' individual is able to break into their systems?
So who was working for NASA then, that this 'no-education and no-occupation' individual is able to break into their systems? FTFY
What kind of 'severe disruptions' did he cause that cost 500,000 USD?
It costs money to replace your entire IT department.
Re: (Score:2)
so your contention is that NASA's IT dep't must be fired?
Yes. If someone with no education or experience can infiltrate your network, your IT department is non-existing. It needs to be replaced. Are you suggesting equal opportunity can not co-exist with the right to replace someone incompetent?
Aren't you this [slashdot.org] guy [slashdot.org]?
Yes.
You didn't answer [slashdot.org] the question [slashdot.org] yet.
It was not a question. It was a troll. A question is, "How do all AAA nations have profitable
Re: (Score:2)
the fact that you were trolling for personal information makes it a troll. http://developers.slashdot.org/comments.pl?sid=2521666&cid=38038114 [slashdot.org]
Re: (Score:2)
You are claiming people should be burned with tires on their heads if they don't create unprofitable 'jobs'
I made that claim? Are you sure you are not just repeating it in hopes that someone believes you?
How many jobs have you created?
I don't respond to trolls. However, if you want an answer regarding the possibility of a successful business model in an economy with minimum wage you can simply look at the success failure rate of businesses in the U.S., U.K., France, Germany, Australia, Canada and Japan ov
Re: (Score:2)
Despite the fact that you're a fucking troll I will answer this question.
how many jobs have YOU created that are a loss generator?
None. I assure you. I have never created a loss generator job.
Re: (Score:2)
He possesses hacking programs, that means he is a terrorist. What kind of 'severe disruptions' did he cause that cost 500,000 USD?
If he disrupted servers used by NASA to provide data to their employees, it could easily reach that. For example, the Planetary Data System servers are the normal point of access for thousands of researchers around the country working with raw data from NASA space probes. Take that off line for a day and you've disrupted quite a lot of work. Similar if you take down a technical data server that suppliers need to access detailed requirements or coordinated design data like CAD models of a system a supplier
Re: (Score:2)
This is not your home media server with your pirated music and downloaded porn, these are thousands of servers worldwide running one-of-a-kind custom written software and mission critical systems. After finding which exploits were used they need to find which systems could have been affected. The need to know which systems can be taken off the network in what time frame, and what needs to be done to each. Apply the wrong patc
The United Federation of Planets must know! (Score:3)
They are evidently no longer basing operations within the Beta Quadrant!
So NASA was p0wned by a newb? (Score:1)
I bet the embarrassment alone was worth $500K and then some.
$500,000? (Score:3)
Even more so because TFA doesn't ever mention /what/ it was he did.
Sure, he broke in, but what did he do with that access?
Delete files? Rename them? Rearrange them? Simply just shut the servers down? Perhaps a virus or two?
All I can think of that should be possible remotely would just cause an IT admin a headache for a few hours while he fixed the damages.
Unless he found the "self destruct" button, and now NASA is without any equipment.
Re: (Score:2)
I'm guessing you're a hacker apologist? After an intrusion there are resources that have to be redirected to find out what access the intruder got; there's downtime hardware, there's the cost of the investigation e.g. flying inspectors out to Romania if needed.
No harm-no foul rules only count on non-critical systems. Most admins don't take intrusions as an "academic act of altruism granted to them by white hats."
Re: (Score:1)
So why are not the people whose application had the hole he used not responsible at all.
I bet there would be a lot fewer holes to exploit.
And with all the billion NASA has or can earn if they won't stand behind a NASA used application then NASA should write it themselves. Not let something that critical connect to a public network.
Not spend my tax dollar finding some guy with no education in Romania how much do you think that cost.
Re: (Score:2)
"Even more so because TFA doesn't ever mention /what/ it was he did."
He found the Director's pr0n collection....
Re: (Score:3)
who the hell still falls for this? I just assume any link in the comments is to goatse...
Re: (Score:2)
Any link that goes to evenweb.com is goatse.
Well, the most current links going to goatse over the past month or two have been from evenweb.com
Re: (Score:2)
I'm 12 years old and what is this??
Your dad.
Re:Education (Score:5, Insightful)
How much you make doesn't indicate how much you know.
I have a friend who is a complete idiot in the functional aspect of doing his job, lacking the background education, but he's good with people and instead delegates most of the functional work to others (basically acting like a manager, though he isn't), and makes a huge salary.
And I've another friend, who also lacks the background education, but is very competent, and makes a huge salary.
i.e. Salary does not indicate competence and qualification, sadly this seems to be especially true when you get to managerial and executive level positions, which half the time simply need a warm body to fill a chair and occasionally point in a (hopefully good) direction.
Likewise, Education (or lack thereof) does not indicate competence or qualification.
In general there are trends towards better education meaning more competence, and more competence correlating to higher salary, but they are by no means tight or without exception.
Re:Education (Score:5, Insightful)
This reminds me of the Kurt Vonnegut bit in Slaughterhouse Five about Americans' attitude towards esteem and money.
"America is the wealthiest nation on Earth, but its people are mainly poor, and poor Americans are urged to hate themselves. To quote the American humorist Kin Hubbard, “It ain’t no disgrace to be poor, but it might as well be.” It is in fact a crime for an American to be poor, even though America is a nation of poor. Every other nation has folk traditions of men who were poor but extremely wise and virtuous, and therefore more estimable than anyone with power and gold. No such tales are told by the American poor. They mock themselves and glorify their betters. The meanest eating or drinking establishment, owned by a man who is himself poor, is very likely to have a sign on its wall asking this cruel question: “if you’re so smart, why ain’t you rich?” There will also be an American flag no larger than a child’s hand – glued to a lollipop stick and flying from the cash register."
Re: (Score:2)
I'll agree with your assessment. I'm trying to move from a general IT position to a project management job and the salaries I see, considering the experience they want, are generally shit.
On rare occasions, when they want at least ten years hardcore experience, you might find a few jobs over $80K, but most are in the $50K - $60K range, even with the experience.
Granted, I'm only looking on the east coast so maybe the midwest, south and west coast are different.
Re: (Score:2)
When I'm a full time project engineer and can't afford to move out of my mom's basement, it's pretty bad. Renting an apartment costs nearly twice what a house costs to buy, per month. And because I have student loans, my credit is so bad I can't get a mortgage, despite having perfect credit otherwise. Being poor sucks.
Assuming you're making your student loan payments on time (and since you say you have perfect credit otherwise, I assume you are), that really shouldn't affect your credit like that. I just bought a house, and I have student loans to pay the total of which exceed my annual salary. My credit score was 820 and the loan process went off without a hitch (although it was still a ridiculous pain in the ass, they were still getting information from my employers the day before closing day. I understand that they
Re: (Score:2)
You should buy something small on that card and pay it off because they might cancel it since you don't use it. Small like a book or magazine or bottle of beer. I lost my oldest credit card for never using it.
Re: (Score:2)
Being smart and poor ain't something to brag about. I'd know.
Ruthless people make the money. Intelligent and ruthless people keep it
Re: (Score:2)
Being smart and poor ain't something to brag about. I'd know.
It's still better than being dumb and rich. Having lots of money proves that you are good at getting lots of money, nothing more.
Re: (Score:1)
It's universal that the majority of people who make the most money in the world are the most connected people in the world.
The way to be the most connected is either by being born into the right family or by attending the right schools (which is similar to being born into the right family). It's good to become a member of some exclusive elite club while at school [youtube.com].
OTOH it's possible to make a lot of money while not having almost any formal education (Steve Jobs or what's his name Zuckerberg).
Re: (Score:1)
Oh, also it's good to be a KGB agent and to be in the right place at the right time in history and to be absolutely willing and able to deal with the most shady elements of society to bring any attempt at a democracy to its knees. [telegraph.co.uk]
It helps when you are a dictator, you can steal a lot of money, especially if the country is resource rich.
Re: (Score:2)
How much you make doesn't indicate how much you know.
Sure it does, just not in the way you expect: Power = Work / Time. Knowledge=Power. Time=Money. Thus Money = Work / Knowledge. QED.
Re: (Score:2)
(successful six figure earning high school drop out)
Big deal, there are plenty of stupid rich people around.
Re: (Score:3)
Or those classified documents of how they faked the moon landings?
Re: (Score:1)
Anyone who clicks on these deserves it. Lazy fucker's using a URL that trolls have been using for at least a year now.
Re: (Score:1)
by the way, based on the previous thread with this same user under dev235 [slashdot.org], I am just going to assume that the picture he links to is goat love, so unless you are into that kind of shit, you may want to abstain from going there.
Re: (Score:2)
Any time it is evenweb.com it is goatse, he uses many different accounts, but only one domain.
Re: (Score:3)
Well that case, it even is still directly doing damage (crashing the server, downtime = lost sales/productivity). Compared to several other hackers that get in comparable trouble for literally just connecting and reading the content. Companies/government tend to want to hold the hackers liable when they connect/access, without actually causing any downtime. Time spent applying security updates for a flaw that should have been fixed before, is not downtime caused by the hacker; that is downtime caused by the security team not having done it right the first time. Unless trade secrets were sold to a competitor, or downtime/data loss was caused, there are no "damages". In the same way that trespassing is not by definition theft.
I took over security when I started my first job as a programmer. I already had tried out code for various spoofs and what not. Never did anything nefarious with it (the worst thing I did was bring one system to its knees with a program to compute pi to some large number of places) I knew the weaknesses (those idiots in Milwaukee were only using standard passwords on DEC systems used by Field Service .. password to [1,2] was SYSTEM, password to [1,1] was DECSER or DEC[Month abbreviation]) I developed ho
Re: (Score:2)
Unless trade secrets were sold to a competitor, or downtime/data loss was caused, there are no "damages". In the same way that trespassing is not by definition theft.
If someone trespassed on their physical premises, an organisation like NASA would have to waste a lot of time (and therefore money) checking whether anything had been tampered with, even if nothing was stolen.
Re: (Score:2)
A lot of guys are just attracted to the challenge.
Well, I'm quite interested in the challenge of performing the perfect bank robbery, but if I get caught waving a shotgun in a cashier's face, I'm still going to prison for armed robbery.