> "He was accused of stealing the International Space Station’s source code controlling critical life-sustaining elements worth $ 1.7 million."
This makes for an exciting sentence, but doesn't make sense - as far as I can tell he didn't deprive them of their $1.7 million dollar code (I assume he just made a copy), and there is absolutely no opportunity cost here - it's not like he had a space station or was going to give it to someone else with a space station, stopping NASA getting revenue that they may had...
I find it very hard to see any way that that could be called 'stealing' or why the $1.7 million figure is relevant at all...
That doesn't excuse messing around in other people's systems of course.
> "His actions put NASA on hold for three weeks, costing them $41,000 because they had to check and of course fix the system."
Surely it was NASA's bad security practices that cost them $41,000 - do they really think if he hadn't found the problem, they wouldn't ever have had to fix their insecure systems?
> Surely it was NASA's bad security practices that cost them $41,000 - do they really think if he hadn't found the problem, they wouldn't ever have had to fix their insecure
Why is blaming the victim so uniquely acceptable when we're talking about hackers?
> Why is blaming the victim so uniquely acceptable when we're talking about hackers?
"Don't blame the victim" comes from the context of sexual assault. Blaming the victim for dressing provocatively is unjustifiable because dressing provocatively is not misconduct.
Maintaining insecure internet-facing servers is professional misconduct. Someone else's wrong doesn't retroactively make your wrong right.
I left my car door unlocked once in my apartment's parking garage, and someone stole my iPhone out of it. Am I engaging in professional misconduct? Maybe the garage is, for failing to take adequate security precautions, but not me.
> Am I engaging in professional misconduct? Maybe the garage is, for failing to take adequate security precautions, but not me.
Depends on what you mean by "professional misconduct." For lawyers like you (and me) the analysis by a bar-association ethics committee might be fairly strict. A lawyer's smartphone likely contains non-public client information such as contact info and perhaps even documents. In that case, leaving the phone (or worse, a laptop) in an unlocked car might be regarded as a failure to take prudent precautions to protect client confidences. That in turn could mean exposure for the lawyer, even though the thief was clearly the most-culpable.
ADDED: The same, negligence-based analysis might apply to security professionals as well: Even though others might be equally- or more-culpable, a failure to take prudent measures in accordance with "industry standards" (a vague term that would have to be [expensively] litigated) might lead to civil liability. See, e.g., The T.J. Hooper, a 1932 case in which the court held that a tugboat's failure to have reliable radios on board was negligent, even though that was not the prevailing practice among other tug operators [1]. It's a case with which all first-year law students (presumably) become familiar.
> But it doesn't absolve the attacker of any responsibility for damages caused, either.
stephen_g was questioning the assumption that he caused any damage at all.
> Surely it was NASA's bad security practices that cost them $41,000 - do they really think if he hadn't found the problem, they wouldn't ever have had to fix their insecure systems?
I don't think anyone was taking about absolution only weather or not the article was misleading.
Even if some "hacker" hadn't located the security issues, but some employee from NASA had located the security issues, it still costs NASA money to fix the code.
Also read "That doesn't excuse messing around in other people's systems of course." stephen_g isn't blaming the victim. But blaming the intruder as if he created the lack of security is just as disingenuous. Imagine a business that's generally open to the public at specific hours. The owner installs the doors himself without any consideration for locks. When reviewing security camera footage from non-business hours, he discovers someone open the door, walk in, look around, and leave. Sure, this person is indeed trespassing. But blaming the trespasser for the cost of putting locks on the door is asinine.
> By entering through a router in Dulles, Va., and installing a back door for access, he intercepted DTRA e-mail, 19 user names and passwords of employees, including 10 on military computers.
If the security issue was found internally, you can just patch it, do a cursory check to see if there is evidence of intrusion, and go on your way. When you find the security issue as a result of being hacked, now you not only have to patch to flaw but also investigate what was compromised, but may have been modified, etc. That would entail taking down all of the potentially affected systems for evaluation, which means a big hit to productive work while the investigation is underway.
Valid point. I did miss the installed backdoor. But I disagree about the "cursory check" - at the point of finding a vulnerability on a production system, one must assume compromise and be exhaustive. And that means it's costly, regardless of who found it first.
"Cursory" was perhaps the wrong word. In any case, taking down your company's network for forensic investigation is extremely costly - it's not something you'd do unless there was evidence of an intrusion. It would have been a whole lot cheaper to take care of this incident if the problem was found internally, rather than performing damage assessment and control after the fact.
> In any case, taking down your company's network for forensic investigation is extremely costly - it's not something you'd do unless there was evidence of an intrusion.
It's not something you would do even if there was. The sensible first response when you find a vulnerability is take a snapshot of the existing system -- you want to do this before patching the vulnerability in any event, in case the patch causes serious problems and has to be rolled back. Then you can conduct your investigation against the snapshot without having to disable the production systems.
Which is why I think you're making a very strong argument for why attributing "mitigation costs" is a farce. Because you could easily find a company who would take down their network and incur very high costs unnecessarily. The overreaction is not the fault of nor is it under the control of the attacker.
> The sensible first response when you find a vulnerability is take a snapshot of the existing system ... without having to disable the production systems.
Which would involve taking the system down to conduct the snapshot. What gets put back in place will depend on the severity of the breach, perceived threat, sensitivity of data, etc. They had no way of knowing exactly how sophisticated the attack was until the cops finished their investigation - is this some script kiddie or the Chinese military? I'm not going to worry about a foreign intelligence service if I'm serving up web pages for an eCommerce site, but I would if I were working for NASA. Just because you patch the vulnerability in question doesn't mean you've denied the attacker access to your network...
If they suspected additional backdoors have been added during the breach, the affected systems would need to rebuilt entirely, patched, then have data selectively restored from backup (you don't want to reintroduce to the system any malware that was saved to a backup). What other systems were accessible from the one that was hacked? Are there rootkits sending beacons home on any of them? Is there reason to preemptively take them down and rebuild them? What if one of the affected systems is a mail server/file server/etc.?
No, I don't blame NASA for overreacting. The kid pulled back technical details for a space station. The Russian government would have done the same (and may even have already been in there). NASA took steps that they thought were sensible, and they ate the costs. The kid ended up getting 6 months of house arrest and 2 years probation.
> Which would involve taking the system down to conduct the snapshot.
a) Not necessarily. Modern virtualization systems support live snapshots.
b) Taking the system down for a matter of minutes to make an offline snapshot is still dramatically less expensive than taking the system down for the duration of the investigation.
c) You still need the snapshot to be able to roll back to when patching the vulnerability in case it doesn't go well. The cost is the same whether you need it for an investigation or not because you need it regardless.
> I'm not going to worry about a foreign intelligence service if I'm serving up web pages for an eCommerce site, but I would if I were working for NASA.
You're arguing yourself into a corner. If the system is just "web pages for an eCommerce site" then taking the system offline is an overreaction. If it contains some vital national security information then you're here:
> The Russian government would have done the same (and may even have already been in there).
At which point it doesn't matter whether you know an intrusion has occurred, you have to treat it as though it had, because the likely adversary is sophisticated enough to evade cursory detection and the system is important enough to justify the expense of being thorough.
> At which point it doesn't matter whether you know an intrusion has occurred, you have to treat it as though it had...
Which gets you into benefits/trade-offs territory; I think it's probably an overreaction for NASA to take their internet facing servers and all computers on the connected networks down to investigate for possible intrusions every time a new security patch comes out. I don't think it's unreasonable for them to do so when they have credible evidence that they've been hacked. (of course, I don't work for NASA, so I have no idea what procedures they have in place)
The problem is that this situation sometimes (not always) demands that we apportion blame to both the perpetrator and the victim.
The perpetrator is always to blame, and their blame is obviously not mitigated by anything the victim does.
If the victim has a duty to protect the information lost, and the victim is negligent, they have an orthogonal culpability as well.
On message boards, it really seems like people have trouble holding these two thoughts together in their head at the same time. Of course, nerds like us on message boards have a cluster-headache of a persecution complex as well, which is ironic given that we're all making bank making everyone else's jobs disappear.
Oh those poor government agencies with their millions of dollars in funding. Who will defend them from those teenage hackers that are causing them "trillions" in damages tm.
You know this is a bad argument. Being a taxpayer doesn't convey some superior status. You are a member of the collective with restrictions on your behavior.
You can't dig up roads, take library books, or drive cop cars.
Are you suggesting if I copied all your bank records I haven't done any harm because you still retain the originals?
Destruction isn't the point. The point is that something paid with public money isn't available for the public's use. You have no rights to any object just because you pay taxes.
A government levies taxes and through appropriation spends that money. If a park is built, then fine use it. If a tank is built, then too bad that's not your tank.
I thought we were talking about source code by an entity funded by tax payers. Is that the same as a person's private bank records?
Your argument doesn't make sense for source code created by a tax funded entity. It makes sense for private information, or a publicly funded physical object, but this not either of those. I have a hard time believing you don't realize this, why even argue the point? Do you really think someone shouldn't have access to source code payed for by their own taxes?
We've talked about prosecutorial misconduct, trumped up charges, classification of computer hobbyists as terrorists, 7 felonies a day, hyper-aggressive (and borderline illegal) pushes to force settlements pre-trial, and so on, and so on, innumerable times here on HN.
It's no surprise that unchecked power to ruin individual lives no matter the severity of supposed crimes would lead to things like this. Either we should be surprised this doesn't happen more often, or shouldn't be surprised when it continues to happen.
And I certainly have zero faith that we'll see federal prosecutors reigned in any time soon.
Could someone explain the dynamics and incentives of this aggressive prosecution to a non-US person? One could draw the conclusion that the prosecutors are after political points for going after "easy prey" in an impressive sounding case but I have no idea if this 'opportunist prosecutor' model represents any practical facet of reality.
So, Jonathan James was indicted and accepted a plea bargain in 2000 for 6 months house arrest and two years of probation. He then committed suicide 8 years later. How can you rationally come to the conclusion that his death is the prosecutor's fault?
As I understand it, he was suspected of involvement in the 2007 TJX case and allegedly harassed for it.
“I honestly, honestly had nothing to do with TJX. I have no faith in the ‘justice’ system. Perhaps my actions today, and this letter, will send a stronger message to the public. Either way, I have lost control over this situation, and this is my only way to regain control.” James’s suicide note.
But he was never charged, so there was no prosecutor involved.
EDIT: Now that I'm looking a little further into the case...
He was apparently raided by the FBI two weeks prior to the suicide during an investigation in the TJX hack. During the raid, the police found another suicide note that James had written several years prior. His suicide note[2] spends the first page and a half talking about something that's been redacted, then the next page and a half talking about some background on the TJX case, denying that he had any connection and noting the fact that one of the other suspects (Chris) had been arrested and subsequently released. He believed that meant that Chris had tried to pin the blame for the hack on him, and he believed that the FBI would be looking to arrest him for a crime he didn't commit.
Whenever hackers talk about the systems the break into it just reads as a rapist saying "Well if she didn't wear such a short shirt I wouldn't have done it." They know what they are doing is illegal and they do it anyway just for the hell of it. I have no sympathy for that kind of asshole.
> Years after the suicide of two hacker geniuses, Jonathan James and Aaron Swartz, one question is still circling the online community: How come those two hackers both committed suicide after being charged by the FBI, and what is even more interesting, they had to deal with the same federal prosecutor? Two obituaries one prosecutor?
In America one person dies by suicide every 13 minutes.
I'm kind of surprised that only two people being prosecuted by her have died by suicide. The computer industry is mostly people with some risk factors (male; single), although they do have some protective factors (ability to solve problems; money; health insurance).
I am particularly interested in anything that can help men seek help, especially for suicide or other mental health problems. (Please do send me email if you're aware of good work). I like these Australian sites:
The first link had some age-based information [1]. The rate for people 15 to 24 is 10.9 per 100,000. The highest rate is people 45 to 64, at 19.1. The next age bracket they use is 25 to 44, a much broader range which includes both Jonathan James (25) and Aaron Swartz (27), it's rate appears to be 15.something.
> "He was accused of stealing the International Space Station’s source code controlling critical life-sustaining elements worth $ 1.7 million."
This makes for an exciting sentence, but doesn't make sense - as far as I can tell he didn't deprive them of their $1.7 million dollar code (I assume he just made a copy), and there is absolutely no opportunity cost here - it's not like he had a space station or was going to give it to someone else with a space station, stopping NASA getting revenue that they may had...
I find it very hard to see any way that that could be called 'stealing' or why the $1.7 million figure is relevant at all...
That doesn't excuse messing around in other people's systems of course.
> "His actions put NASA on hold for three weeks, costing them $41,000 because they had to check and of course fix the system."
Surely it was NASA's bad security practices that cost them $41,000 - do they really think if he hadn't found the problem, they wouldn't ever have had to fix their insecure systems?