Related link: http://www.thisislondon.com/news/articles/19164714?source=Evening%20Standard

You can read “World’s biggest hacker held” at This is London. By biggest, I take it they don’t mean weight, height, or girth. Read more below the fold…

Doesn’t “Worlds Biggest Hacker” make you think of some 2-ton recluse?

It just doesn’t add up, “$1 billion” in damages by breaking into the “most secure computers at the Pentagon and NASA”. For starters, how are we calculating damages, and how confident should the American public feel if one guy in his late thirties can break into the “most secure computers at the Pentagon and NASA” by scanning “tens of thousands of computers on US military networks from his home PC, looking for machines that might be exposed due to flaws in the Windows operating system” (emphasis mine). Later in the article, “Many of the computers he broke into were protected by easy-to-guess passwords, investigators said.”

Hmmm… as a taxpayer, my first question is this: “Why are the most secure machines at the Pentagon and NASA connected to (likely unpatched) Microsoft Windows machines with easy-to-guess passwords?” How do we know he’s the “biggest”? Is there a list somewhere, or did we just ask a random sample of script kiddies who they thought was “the biggest”? Funny that something like this happens right around the time the Senate is contemplating the next incarnation of the Patriot Act. What a coincidence!

Also, I wouldn’t call nmap and circumventing an idiotic password policy “hacking”, I’d call it a cakewalk. The headlines we should be reading are, “Hundreds of Military IT Experts Fired for Negligence”, “President Establishes Cabinet-Level Position for Information Security”, or “Military Actively Recruiting Hackers”. Instead we spend a few million dollars prosecuting some middle-aged sysadmin.

I’m not advocating what this guy did. He was evidently looking for proof that the US is hiding secrets about UFOs. If anything he’s got too much time on his hands, and watches too many X-Files reruns. But the charge sheet is hyperbole, and the money spent prosecuting this guy would be better spent employing him and hiring some competent security experts.

Most disturbing is that “Most of the alleged hacking took place in 2001 and 2002. At one stage the US thought it was the work of the al Qaeda terror network”. This tells me that we know so little about the threat environment that a single, unemployed, sci-fi freak can throw our security into disarray. Instead of building a missile defense shield, the US government should hire a gaggle of overweight Unix sysadmins and give these weird-looking, Metallica t-shirt wearing longhairs carte blanche to tell General Whatever what kind of firewall, password policy, and operating systems the Navy will start using tomorrow. Instead we get government contractors spending hundreds of millions of dollars to build failures like the FBI’s Virtual Case File.

Rant.