Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hacker Posts His Crime On YouTube, Lands In Jail

samzenpus posted more than 2 years ago | from the bad-ideas dept.

Security 176

wiredmikey writes "A former contract security guard who admitted hacking into a hospital's computer systems (where he worked), was sentenced to 110 months in Federal prison. Why did he do it? He admits that he intended to use the bots and the compromised computers to launch DDoS attacks on the websites of rival hacker groups. The FBI says he posted video of himself hacking into the hospital computers on YouTube — While the theme of 'Mission Impossible' played, he described his hack, step by step, including the insertion of a CD containing the OphCrack program, which allowed him to bypass all security. The FBI found the CD containing the OphCrack program in McGraw's house and found the source code for the bot on his laptop."

cancel ×

176 comments

Security researchers or confidential informants? (1, Interesting)

elucido (870205) | more than 2 years ago | (#35590752)


"FBI agents have raided the homes of three alleged members of a hacker gang that harassed a security expert who helped put the group’s leader in jail, according to a recently unsealed search warrant affidavit.

Jesse William McGraw, aka “GhostExodus,” pleaded guilty in May to computer-tampering charges for putting malware on a dozen machines at the Texas hospital where he worked as a security guard. He also installed the remote-access program LogMeIn on the hospital’s Windows-controlled HVAC system.

Last month’s raids were prompted by the aftermath of McGraw’s arrest. McGraw was the leader of an anarchistic hacking group called the Electronik Tribulation Army, and his bust led to a flood of harassment against the Mississippi computer-security researcher who discovered screenshots of the HVAC access online and informed the FBI."
http://www.wired.com/threatlevel/2010/07/eta/ [wired.com]

Has "security researcher" become the code for for confidential informant? Why else would the "researcher" go out of his way to "inform" the FBI?

Why do articles even call them "security researchers"? Now if this guys job is to investigate hackers, then he should be called a "cyber crime investigator". It's disingenuous to call an a cyber crime investigator/cybercop detective a security researcher.

What is with this trend? And what is the official function of a security researcher? Are they informants? I'd think maybe not if they aren't pretending to be outlaw/blackhats, so I cannot put them in the obvious informant/snitch category that albert gonzalez [wikipedia.org] is in. An informant/snitch generally is someone who is a criminal hacker or member of a crew, who betrays his or her own crew to provide information to another crew (usually the police). Albert Gonzalez fits the definition of a snitch, the worst kind.

Re:Security researchers or confidential informants (3)

chemicaldave (1776600) | more than 2 years ago | (#35591008)

Has "security researcher" become the code for for confidential informant? Why else would the "researcher" go out of his way to "inform" the FBI?

If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

Why do articles even call them "security researchers"? Now if this guys job is to investigate hackers, then he should be called a "cyber crime investigator". It's disingenuous to call an a cyber crime investigator/cybercop detective a security researcher. What is with this trend?

Who cares if the person was a "security researcher" or "cybercop detective"? What's it matter?

And what is the official function of a security researcher? Are they informants? I'd think maybe not if they aren't pretending to be outlaw/blackhats, so I cannot put them in the obvious informant/snitch category that albert gonzalez [wikipedia.org] is in. An informant/snitch generally is someone who is a criminal hacker or member of a crew, who betrays his or her own crew to provide information to another crew (usually the police). Albert Gonzalez fits the definition of a snitch, the worst kind.

You took the term "security researcher", substituted your own definition of "confidential informant", and then hinted that the person might be a snitch...

Re:Security researchers or confidential informants (2)

Even on Slashdot FOE (1870208) | more than 2 years ago | (#35591098)

The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

And yes, the only way to enforce laws effectively is for crimes to be reported effectively. It's unfortunate that so many people think that reporting a crime is cause for immediate public execution, but the attitude will be there so long as there is no effective punishment for violently repressing anyone willing to call 911.

Re:Security researchers or confidential informants (1)

chemicaldave (1776600) | more than 2 years ago | (#35591296)

The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

We're not talking about the mafia. This is a dumbass script kiddie.

Re:Security researchers or confidential informants (1)

scubamage (727538) | more than 2 years ago | (#35591410)

The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

We're not talking about the mafia. This is a dumbass script kiddie.

The problem is sometimes, we are talking about the mafia.In this case you're correct, its just a script kiddie, but not always.

Re:Security researchers or confidential informants (1)

elucido (870205) | more than 2 years ago | (#35591328)

The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

And yes, the only way to enforce laws effectively is for crimes to be reported effectively. It's unfortunate that so many people think that reporting a crime is cause for immediate public execution, but the attitude will be there so long as there is no effective punishment for violently repressing anyone willing to call 911.

That is not the situation at all. Being a witness to a crime is not the same as being a snitch. A snitch knows the individuals who committed the crime, had the trust of these individuals, and betrayed them. I'm not saying the guy who found the photo and reported it to the FBI is a snitch like Albert Gonzalez and I'm not saying someone who witnesses a crime is snitching. You do risk your life and limb as a witness but it's not betraying anyone or harming your friendships to be a witness so the stigma is only bad to people who weren't your friends to begin with.

On the other hand if you pretend to be someone you aren't, pretend to be friends with a group of hackers to gather enough dirt to "inform" the FBI. Then you are a confidential informant, a snitch, a rat, etc. This carries a stigma because it involves personal betrayal of trust, destruction if personal friendships, and has a virus like effect on the hacker community.

So it's simple. If you are a cyber crime investigator, then don't pretend to just be a "researcher". But if you are just a researcher then your interest is purely academic, so what would you have to gain by reporting every crime you see? Sure if you want to report a crime you can be a witness, you wouldn't be labeled a snitch, but in this instance where the guy got 10 years in prison and fined for $30,000, while the security researcher didn't necessarily do the wrong thing, there probably should be more clarity as to the roles. Otherwise when researches claim they want to collect harmless statistics which they claim will be destroyed after it's analyzed, well perhaps people will think otherwise of them and wont be so quick to allow them to gather those statistics if you know what I mean.

Re:Security researchers or confidential informants (5, Informative)

iamhassi (659463) | more than 2 years ago | (#35592318)

"The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?"

But... he is a security researcher, here's his security [mcgrewsecurity.com] websites [dissectingthehack.com] and his LinkedIn says he has a PhD in Computer Science and works at the Mississippi State University Center for Computer Security Research (CCSR). [linkedin.com]

I'd say he's qualified. I don't understand why parent automatically assumed he was just an informant. If you're a private detective and with PhD in Criminal Forensics and you see a felony take place wouldn't you call the police? Would /. then assume you're simply an informant instead of being the private detective that the article correctly identified you as being?

Re:Security researchers or confidential informants (1)

cdrguru (88047) | more than 2 years ago | (#35592460)

The way for inner city youth is to follow the rules: Stop Snitching.

If they don't pay attention to the rules, they will run afoul of folks whose livelihood they are impacting. And probably end up as another statistic on how hazardous it is for minorities in the inner city.

Of course, you are correct that the only way for law enforcement is to have snitches. If they are subsequently beaten, tortured or killed it isn't the fault of law enforcement but our own sick, twisted society. It comes down to who do you want to support, the cops or the robbers? For the most part in the US we have chosen overwhelmingly for the robbers.

Re:Security researchers or confidential informants (0)

elucido (870205) | more than 2 years ago | (#35591134)

If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

That depends on whose home it is. If it's a rich assholes home, probably not. If it's my friends home, most definitely. If it's a complete strangers home, probably not because the complete stranger could be an even bigger crook than the burglars in the end.

Who cares if the person was a "security researcher" or "cybercop detective"? What's it matter?

Just like it matters that police have badges, wear uniforms, have warrants, it matters to most people whether or not their friend who claims to be a security researcher is actually a cop. Does the security researcher need a search warrant? I don't have a problem with cops, I just have a problem with undercover cops who pretend to be my friend. Wouldn't you have a problem with that situation?

You took the term "security researcher", substituted your own definition of "confidential informant", and then hinted that the person might be a snitch...

No I'm asking the question of what exactly the role of a security researcher is. A cyber crime investigator we know what their role is. A cybercop we know what their role is. A security researcher is not the same thing as a security investigator. Researchers are interested in academic pursuits, not crime fighting, not law enforcement. The guys who built freenet, tor, the linux kernel, these sorts of people are security researchers. If crime fighters are supposed to be honest, and supposed to be the good guys, why do they have to pretend or dress up in plain clothes, and act like the bad guys?

This is a legitimate question to ask.

Re:Security researchers or confidential informants (1)

chemicaldave (1776600) | more than 2 years ago | (#35591264)

If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

That depends on whose home it is. If it's a rich assholes home, probably not. If it's my friends home, most definitely. If it's a complete strangers home, probably not because the complete stranger could be an even bigger crook than the burglars in the end.

Ok...but in this case it's more like breaking into the hospital to steal drugs...

Re:Security researchers or confidential informants (1)

elucido (870205) | more than 2 years ago | (#35591584)

If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

That depends on whose home it is. If it's a rich assholes home, probably not. If it's my friends home, most definitely. If it's a complete strangers home, probably not because the complete stranger could be an even bigger crook than the burglars in the end.

Ok...but in this case it's more like breaking into the hospital to steal drugs...

And if I were the one who cracked the case then I would not be a security researcher, I would be a cyber crime investigator. I mean what is so difficult to understand? If someone does the police work or the police then the police don't have to pay anybody. This saves the police money but it does not necessary make us any safer. Whether or not we'd be safer would have to be decided on a case by case basis.

So what I'm saying is, if there really are cyber police or if there should be cyber police, shouldn't they have that in their job title, wear a uniform, or other insignia? I'm more concerned about functions, labels, and roles, than whether or not you decide to be a witness. Somebody has to be a witness of course, but when someone is a security researcher and a witness at the same time it puts their role as an impartial or neutral security researcher in jeopardy and can get them the stigma of being a government security researcher or something along those lines. It will make it harder for other researchers to do research, kind of like how if journalists report every crime they see then it can make it much more difficult for other journalists who don't report every crime they say because they are after the big story or the interview with Bin Laden or whatever.

Re:Security researchers or confidential informants (0)

Anonymous Coward | more than 2 years ago | (#35591720)

You make a valid point assuming that the researcher spends most of his time looking for and reporting cyber crimes.

I would certainly consider it valid for a security researcher to look for people bragging about exploits online, even if it won't qualify him to attend defcon. Also, it's worth noting that reporting this to the FBI isn't necessarily related to his work as a security researcher. If, for instance, I were to be featured in my local newspaper for my (hypothetical) work with animal shelters, they would be correct to refer to me as a computer programming--even though it has very little to do with the item of interest.

Re:Security researchers or confidential informants (1)

Anonymous Coward | more than 2 years ago | (#35591330)

That depends on whose home it is. If it's a rich assholes home, probably not. If it's my friends home, most definitely. If it's a complete strangers home, probably not because the complete stranger could be an even bigger crook than the burglars in the end.

And when at last you become the victim, I hope for your sake those around you don't think like you do.

Re:Security researchers or confidential informants (4, Insightful)

SuperKendall (25149) | more than 2 years ago | (#35591364)

That depends on whose home it is. If it's a rich assholes home, probably not

You do realize that this means you, too, are an asshole, and that someone even lower on the moral chain than yourself will watch someone break into your house and do nothing for the same reason?

The chain of violence only stops when people like you stop demonizing based on external factors.

Re:Security researchers or confidential informants (4, Insightful)

ElectricTurtle (1171201) | more than 2 years ago | (#35591480)

Exactly. As Cullen Hightower said: "There's always somebody who is paid too much, and taxed too little - and it's always somebody else."

I always ask people, at what magical number does 'theft' become 'economic justice'?

Re:Security researchers or confidential informants (1)

elucido (870205) | more than 2 years ago | (#35591846)

Exactly. As Cullen Hightower said: "There's always somebody who is paid too much, and taxed too little - and it's always somebody else."

I always ask people, at what magical number does 'theft' become 'economic justice'?

Justice is for the strong. What that means is that the rich typically get justice through the law and the poor do not.
The law does not treat rich and poor equally, you know this and I know this.

So if a rich strangers house is being broken into and burglarized I'm just not going to care about that rich persons junk. That rich person has more stuff than they need anyway, and I wouldn't want to spend my time sitting in court.

Now if the roles were completely reserved and I'm the rich person and I'm watching a ghetto dwelling persons house getting broken into, maybe I'd decide to be a witness as a way to give back for what society has given me. In fact maybe I'd just give the unfortunate person some financial assistance, pay the legal fees, or give them a job.

But I'm not the rich person. Justice is not likely to work in my favor. A rich stranger is not likely to rescue me if I'm victimized. So if the rich person wants justice, they can buy it just like the poor person is expected to buy it. Unless you believe poor individuals should be expected to protect the mansions and property of rich individuals without being paid, hired, or without their property being equally protected by rich individuals. Since the property of poor individuals is not equally protected I just don't care what happens to some rich strangers mansion.

Re:Security researchers or confidential informants (1)

Anonymous Coward | more than 2 years ago | (#35592060)

Now if the roles were completely reserved and I'm the rich person and I'm watching a ghetto dwelling persons house getting broken into, maybe I'd decide to be a witness as a way to give back for what society has given me. In fact maybe I'd just give the unfortunate person some financial assistance, pay the legal fees, or give them a job.

No, you wouldn't.

You would likely feel you'd earned every penny you had and not owe anything back to society. You certainly wouldn't risk it for some poor person who could never pay you back and might expose you to personal risk.

Re:Security researchers or confidential informants (4, Insightful)

ElectricTurtle (1171201) | more than 2 years ago | (#35592188)

This is the worst kind of thinking. 'The poor don't get justice so I'll make sure the rich don't get it either! Then we'll all be equal!' Equally fucked. Such an great thing to which to aspire. Equality is not the sacred thing you seem to think it is. To paraphrase Margaret Thatcher, it is better to have a higher standard of living for the majority in a society with a high disparity than it is to have a lower standard of living for the majority in a society of greater equality.

Re:Security researchers or confidential informants (1)

Lehk228 (705449) | more than 2 years ago | (#35592290)

let's start with anyone making more than 128 times the national median income.

Re:Security researchers or confidential informants (2)

Actually, I do RTFA (1058596) | more than 2 years ago | (#35592398)

Exactly. As Cullen Hightower said: "There's always somebody who is paid too much, and taxed too little - and it's always somebody else."

I'm not paid too much, but I am taxed too little. I would gladly raise my own tax rates by 5% if it applied to everyone making as much as I am or more (esp. if it applied to Warren Buffet, etc. who currently have their salaries as investment income.)

I always ask people, at what magical number does 'theft' become 'economic justice'?

That stupid rhetorical device has been done to death. At what level does a full head of hair become bald? At what level does the sand grains I collect one at a time in a location become a heap?

Obviously, if one person owned everything, it would be justified (if only so that people he did not like could eat), and if everyone was equally wealthy it would not be justified. The presence of a grey area may lend itself to long arguments about the optimum points to put tax rate changes, but it cannot be used to dismiss the concepts out of hand.

Re:Security researchers or confidential informants (1)

elucido (870205) | more than 2 years ago | (#35591666)

That depends on whose home it is. If it's a rich assholes home, probably not

You do realize that this means you, too, are an asshole, and that someone even lower on the moral chain than yourself will watch someone break into your house and do nothing for the same reason?

The chain of violence only stops when people like you stop demonizing based on external factors.

If I don't know anything at all about a person, never met the person in my life, I don't have any responsibility to care about the person.

And no I don't assume a majority of rich persons care about me. My decision of whether or not to be a witness would depend on factors such as whether or not I knew them, whether or not I want to sit in court for weeks or months, but it's still my decision to make.

Just like if someone decides to give to charity or give a donation, it's their decision to make. Nobody should call them an asshole if they don't donate to an African charity to help some starving family. And it's simple, if you know the guy then you get involved and if you don't know the guy then you don't get involved .The guy you save could be the mafia don and that guy could go on to be the biggest criminal in the city. When you deal with a complete stranger it's 50/50 like that so if it's some strangers house being robbed, and it's a mansion, I'm sorry I honestly don't give a fuck.

Am I supposed to feel bad that a rich persons mansion is being robbed when some poor person is probably living homeless that I actually might know? Yes sometimes you can be wrong and not help the rich person who might have been a great person, but so what? The rich person loses material items that they can afford to buy again, and more than likely the people stealing it are just as good or just as bad as the people it's being stole from.

Re:Security researchers or confidential informants (2)

sycodon (149926) | more than 2 years ago | (#35592250)

Baed on your attitude, I'm surprised that anyone cares about you...even your mother.

Re:Security researchers or confidential informants (0)

Anonymous Coward | more than 2 years ago | (#35591524)

If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

That depends on whose home it is. If it's a rich assholes home, probably not. If it's my friends home, most definitely. If it's a complete strangers home, probably not because the complete stranger could be an even bigger crook than the burglars in the end.

You sir, are an amoral person.

You should rethink your philosophy; I suggest imagining that it's your home being broken into, and ask what you would want a third-party observer to do. Calling the police to report a crime is the moral duty of said observer.

Re:Security researchers or confidential informants (1)

elucido (870205) | more than 2 years ago | (#35591928)

If they knew me I would expect them to have compassion. If they don't then I wouldn't expect any compassion just as most of you don't have compassion for people dying in foreign countries.

You are right I am amoral. Just like a corporation, a government, etc.

Re:Security researchers or confidential informants (2)

Attila Dimedici (1036002) | more than 2 years ago | (#35591956)

Not all research is academic. I with a large number of research scientists, very few of them are doing anything academic. This particular security researcher is someone who makes his living by providing his skills to companies and other organizations in return for money. He researches security risks and ways to compromise computer systems and develops tools to combat them (my interpretation of the information on his business website). The overlap between what he does as a security researcher and what a cyber investigator would do is significant. Additionally, the link you posted mentions that he works at a university, suggesting that he may indeed do quite a bit of academic research. There is no evidence in any of the articles that have been brought forward so far that he is in any way employed by a law enforcement agency.
The simplest explanation of the facts as we know them is that he really is a security researcher who in the course of his research came across a video of someone hacking into a hospital computer system and reported it to the FBI. I am not sure why the idea that a private citizen might feel it is their public duty to report crimes they come across is so difficult for you to get your head around.

Re:Security researchers or confidential informants (0)

Anonymous Coward | more than 2 years ago | (#35592266)

That is truly a staggering failure of logic. You are assuming that even though you are witnessing a crime you will assume the person deserves it simply if they have more or less than you? You might want to look into therapy for that level of damage, it may well push into the edge of psychotic.

You are not the moral authority of what people need or do not need. If a person earns something in life, they have earned it, regardless of whether you believe they should share it or not. Without basic morality, ethics, and property rights, civilization deteriorates. Nothing in life is ever equal, the idea that equalization can be taken into a persons hands is absurd. There have never been and will never be two identically equal people because of the choices people make in their lives.

Re:Security researchers or confidential informants (0)

Anonymous Coward | more than 2 years ago | (#35591562)

Has "security researcher" become the code for for confidential informant? Why else would the "researcher" go out of his way to "inform" the FBI?

If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

Not just breaking into a home, a fucking hospital. When shit breaks in a hospital, people can die.

Re:Security researchers or confidential informants (1)

bmo (77928) | more than 2 years ago | (#35592132)

>If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

It's not like calling in a break-in of someone's house. I've done that myself. Called it in while I was watching across the street, and identified the bad guys while talking on 911 and later as I sat in the police car and the cop shined a light on them (they were caught).

Cops know how to deal with that. Clear cut, simple.

But to call in a computer security problem? To people who don't know anything about computers? Nope. Not a chance. Ain't getting involved unless I can be guaranteed to talk to someone who knows what he's doing and isn't out to screw everyone in the hopes of making a name for himself. Same goes for reporting a security hole to a system administrator unless I can do it anonymously. Too much ass covering and trying to make the messenger look like the bad guy. We've seen it here more than once.

I would report anonymously to the head of IT before I ever get the FBI involved, and if i can't do either, I'm staying schtum.

There are too many problems with reporting computer crimes.

--
BMO

Re:Security researchers or confidential informants (1, Interesting)

ElectricTurtle (1171201) | more than 2 years ago | (#35591022)

I don't think you understand how whitehats think. They think they are talented superhero vigilante crime fighters. I've known a few in my time, and they are frequently the kind of Eagle Scout archetype of a neighborhood watch captain. They have no real official power, but they get off on being "the good guys" and will turn in anybody for anything. It's a terrible combination of boredom, a modicum of skill, and an underdeveloped legalist sense of ethics.

At the same time, blackhats like GhostExodus are pathetic in the opposite dimension. They egotrip on being able to put a live CD into a Windows box to haxx0r its security like that's so hard. As far as I'm concerned the white vs. black drama can keep going as long as they want. Meanwhile the vast majority of grays will mind their own business, neither snitching nor bragging. Both are stupid unless you have a really good reason.

I do know how they think, I know them. (1)

elucido (870205) | more than 2 years ago | (#35591996)

But I'm trying to figure out why they think that way.

Re:Security researchers or confidential informants (1)

doomy (7461) | more than 2 years ago | (#35592310)

This seems to be their YT channel - http://www.youtube.com/user/XxxxETAxxxX [youtube.com]

110 Months (1)

Reilaos (1544173) | more than 2 years ago | (#35590780)

That's not that bad. People could get much worse for having the police catch them with crack in their home!

Re:110 Months (0)

Anonymous Coward | more than 2 years ago | (#35590860)

People who do this to hospitals deserve to be shot. 110 months is not enough considering all the problems he could have caused.

Re:110 Months (2, Insightful)

YodasEvilTwin (2014446) | more than 2 years ago | (#35590934)

Hospital administrators who don't properly secure and audit their computer system deserve to be shot.

Re:110 Months (-1, Troll)

ADRA (37398) | more than 2 years ago | (#35590936)

Really? This tools was a windows based password cracker. Instead, I'd suggest arresting any software developers that created safety critical hospital software using windows as a platform.

Re:110 Months (0)

Anonymous Coward | more than 2 years ago | (#35591320)

That's a brilliant suggestion.

Re:110 Months (1)

cusco (717999) | more than 2 years ago | (#35592352)

Right, because nurses and maintenance people have lots and lots of time to learn new operating systems, new GUIs, and the new programming conventions that come with an OS change. The X-ray machine will use Red Hat with gnome, the climate control system will be Suse with KDE, the pharmacy will be OS-X and the MRI will be DRDOS with some piece of crap interface that Philips cobbles together. Truly something to look forward to.

When you graduate and get out in the real world you're going to find that standardization, even on a standard that is arguably 'least common denominator' like Windows, saves time, energy, money and lives.

Re:110 Months (1)

sycodon (149926) | more than 2 years ago | (#35592264)

"People who do this deserve to be shot."

Fixed.

Re:110 Months (0)

Anonymous Coward | more than 2 years ago | (#35590868)

Or worse yet, MP3s.

Re:110 Months (1)

elucido (870205) | more than 2 years ago | (#35590878)

Thats not bad? Do you know how many years that is? Thats terrible.
He got caught so he has to do the time, but 110 months is around 9 years.

Re:110 Months (1)

Reilaos (1544173) | more than 2 years ago | (#35590996)

Gonna kill a joke by explaining it, but dealing with crack cocaine can get you 6-20 years.

Re:110 Months (1)

Tigger's Pet (130655) | more than 2 years ago | (#35590960)

According to the original paperwork and release by the DOJ - http://www.justice.gov/usao/txn/PressRel09/mcgraw_cyber_indict_pr.html [justice.gov] - the two counts each carried a maximum of 10 years (to which he got close) and a £250,000 fine. At least they only fined him $31,881.75, so he'll only be slightly poor when he eventually gets out.

Re:110 Months (0)

Anonymous Coward | more than 2 years ago | (#35591368)

According to the original paperwork and release by the DOJ - http://www.justice.gov/usao/txn/PressRel09/mcgraw_cyber_indict_pr.html [justice.gov] - the two counts each carried a maximum of 10 years (to which he got close) and a £250,000 fine. At least they only fined him $31,881.75, so he'll only be slightly poor when he eventually gets out.

So this is a crime that's been on the books since colonial days?

Re:110 Months (1)

chemicaldave (1776600) | more than 2 years ago | (#35591188)

That's not that bad. People could get much worse for having the police catch them with crack in their home!

Yeah, and in countries where they cut off your hands for stealing, you should be grateful they don't just cut off your head like in other places!

Re:110 Months (4, Funny)

WrongSizeGlass (838941) | more than 2 years ago | (#35591502)

That's not that bad. People could get much worse for having the police catch them with crack in their home!

That sentence is the least of his problems. Wait until the MPAA & RIAA find out he used the theme from 'Mission Impossible' in his YouTube posting without paying the appropriate licensing fees.

What 110 months! Almost 10 years! (1)

Anonymous Coward | more than 2 years ago | (#35590796)

Mein Gott! Others get hand-slapped, but 10 YEARS??????

Re:What 110 months! Almost 10 years! (0)

Anonymous Coward | more than 2 years ago | (#35590826)

Who taught you how to round?

Yes, 10 Years!!!! (2)

www.sorehands.com (142825) | more than 2 years ago | (#35590882)

They added the stupidity multiplier. It is there so the pollution of the gene pool by really stupid criminals is reduced.

Re:Yes, 10 Years!!!! (2)

RajivSLK (398494) | more than 2 years ago | (#35592016)

Not only that- but he was also hacking a hospital. If his poorly crafted script kiddie hack had compromised the functions of even the administrative computers patients treatment could be compromised. This is a place of healing. If you fuck with a hospitals functions you should get 10 years.

Re:What 110 months! Almost 10 years! (1)

sdguero (1112795) | more than 2 years ago | (#35591266)

He won't do more than 5 unless he shanks someone.

Seems a bit excessive (0)

Anonymous Coward | more than 2 years ago | (#35590804)

Stupid though he was to post this publicly almost 10 years in prison for a hack like that seems very excessive.

Re:Seems a bit excessive (3, Informative)

Nikker (749551) | more than 2 years ago | (#35590982)

The network he had access to was a hospital's LAN. He wanted to use it to DDOS which would result in saturating much of the hospital's LAN to begin with and possibly screwing with equipment in the mean time. If he hacked into a Starbucks or a McDonalds to do the same I wouldn't care as much but his stupidity overreached on this one.

Re:Seems a bit excessive (3)

Americano (920576) | more than 2 years ago | (#35591252)

Why is it excessive? From TFA:

While hacking into the HVAC computer, McGraw knew the risk of affecting the facility’s temperature, and the treatment and recovery of vulnerable patients. In addition, he could have affected the efficacy of all temperature-sensitive drugs and supplies. Although he denies, it, access to the nurses’ station computer could have opened the door to patient records.

Given the fact that his actions could have breached confidentiality of medical records, or, you know, even killed someone due to the HVAC system going haywire and not controlling the temperature in a patient's room, or a storeroom containing temperature-sensitive medications, I'd say that 9 years and 2 months (probably being served in a minimum-security federal prison camp) doesn't sound all that unreasonable.

Re:Seems a bit excessive (4, Funny)

betterunixthanunix (980855) | more than 2 years ago | (#35591406)

Are we going to imprison the people who decided to use Windows as the operating system for a critical, safety-sensitive computer? Why are we acting like the problems here end with this guy? Computers are not some magical object that dark wizards vie for control over; the fact that this guy could have endangered hospital patients because he was interacting with the HVAC computer (and ultimately, that is what he was doing: interacting with the computer) says more about the problems with the HVAC controller than about the hacker.

Re:Seems a bit excessive (2)

Americano (920576) | more than 2 years ago | (#35591510)

(and ultimately, that is what he was doing: interacting with the computer)

Yeah, if "interacting with the computer" involves breaking into a locked room, removing security controls on a computer with a sensitive function, and then planning to use it to launch DDoS attacks against other "rival groups." This isn't like, "What, I was just at the mall, using a touchscreen kiosk to find directions to the Urban Outfitters store!"

Considering he apparently needed both physical access (in a locked room) to the computers, and he had to disable security controls on the computer, I'd suggest that this indicates pretty a fairly decent attempt to secure the system and prevent it from being exploited.

ObCarAnalogy:
Would it be okay for me to break into your locked garage, replace all the software on your car's sensors & control units, and then claim I was "just interacting with a computer," when your brakes failed due to the changes I'd made?

Re:Seems a bit excessive (1)

Anonymous Coward | more than 2 years ago | (#35591622)

It's no different than someone who builds a safety-critical structure out of wood, which has a known security vulnerability in that anyone with a match can set it ablaze. What they should have done is hired a security guard to make sure nobody would mess with the equipment. Oh wait.

Re:Seems a bit excessive (0)

Anonymous Coward | more than 2 years ago | (#35592234)

Anyone with physical access to a machine can compromise it. This guy was hired as a fucking security guard, dipshit.

You also might wanna bone up on law there a little, Matlock.

I think he knows the underwear gnomes. (4, Informative)

gurps_npc (621217) | more than 2 years ago | (#35590844)

Step 1) Post a video of yourself committing a crime

Step 2) ????

Step 3) Jail!

Re:I think he knows the underwear gnomes. (2)

ElectroPrime (1817866) | more than 2 years ago | (#35592408)

Step 2 is "get noticed by the cops".

The role and ethics of security researchers: (1, Interesting)

elucido (870205) | more than 2 years ago | (#35590848)

This question goes out to security researchers. When is it a good idea to inform the FBI of a crime? Does it depend on whether or not you are white hat, black hat, grey hat? Does it depend on whether or not you are in the same crew as the person, or know the person? And if you do, does it remain just research or does the function of the security researcher change to investigator?

I keep seeing various different job titles, security researcher, cyber crime investigator, cyber cop, cyber warrior, and I do not understand the different inherent functions of these terms. At the same time you have obvious professional betrayers like Albert Gonzalez being called "agents" and "heroes" by the feds in one sentence and then later on the feds are locking him up and he's a dirty rotten snitch greedy scoundrel.

So which security researcher, hacker, or cyber crime investigator wants to clear up exactly the different functions and roles?

Re:The role and ethics of security researchers: (1)

Dr. Evil (3501) | more than 2 years ago | (#35591050)

It's like accounting. Your superiors make the call, and you have an ethical decision if they don't do the right thing.

Although.... accountants have tighter laws and professional bodies to revoke designations. Security will get to the same point in the next 10 or 20 years.

Re:The role and ethics of security researchers: (2)

Anonymous Psychopath (18031) | more than 2 years ago | (#35591058)

This question goes out to security researchers. When is it a good idea to inform the FBI of a crime? Does it depend on whether or not you are white hat, black hat, grey hat? Does it depend on whether or not you are in the same crew as the person, or know the person? And if you do, does it remain just research or does the function of the security researcher change to investigator?

I keep seeing various different job titles, security researcher, cyber crime investigator, cyber cop, cyber warrior, and I do not understand the different inherent functions of these terms. At the same time you have obvious professional betrayers like Albert Gonzalez being called "agents" and "heroes" by the feds in one sentence and then later on the feds are locking him up and he's a dirty rotten snitch greedy scoundrel.

So which security researcher, hacker, or cyber crime investigator wants to clear up exactly the different functions and roles?

Actions define people, not titles. You obviously already know this, why bother using it as an excuse to get on your soapbox? No one cares what they call themselves, except maybe them.

Re:The role and ethics of security researchers: (1)

chemicaldave (1776600) | more than 2 years ago | (#35591132)

It likely has less to do with their title and more to do with who they work for. If they work for the federal government directly, at an agency, they might be compelled to submit this information. If they work for a government funded, third party organization, perhaps it's in a contract. They may work for a totally private organization or free-lance in which case they likely have full discretion. Or maybe the "informant" was just a disgruntled acquaintance.

If it's in their contract (1)

elucido (870205) | more than 2 years ago | (#35591448)

that they must submit it the information, in my opinion it should be submitted to the person directly above them and that person should decide whether to submit it to the government or not. I just want full disclosure. If some security researcher is collecting information about me, shouldn't I know that they might give it to the government if the government asks for it?

Anyway if it's in the contract or a part of their job title and definition then nobody can accuse them of being an informant, and at the same time nobody can mistake them for being an ordinary joe. They'd basically be like cops.

Re:If it's in their contract (1)

chemicaldave (1776600) | more than 2 years ago | (#35591570)

that they must submit it the information, in my opinion it should be submitted to the person directly above them and that person should decide whether to submit it to the government or not. I just want full disclosure. If some security researcher is collecting information about me, shouldn't I know that they might give it to the government if the government asks for it?

How delusional are you? You pretty much waive this right when you willfully submit that information to the public. If I see evidence of you doing something illegal and then you post a video of yourself committing a crime in Youtube, you've pretty much waived all rights to disclosure.

Re:If it's in their contract (1)

elucido (870205) | more than 2 years ago | (#35592052)

that they must submit it the information, in my opinion it should be submitted to the person directly above them and that person should decide whether to submit it to the government or not. I just want full disclosure. If some security researcher is collecting information about me, shouldn't I know that they might give it to the government if the government asks for it?

How delusional are you? You pretty much waive this right when you willfully submit that information to the public. If I see evidence of you doing something illegal and then you post a video of yourself committing a crime in Youtube, you've pretty much waived all rights to disclosure.

Everything is public though. Thats not really fair.

Re:If it's in their contract (0)

Anonymous Coward | more than 2 years ago | (#35592390)

There are some cases where you either have to report to government authorities or have to leave. if you do go report to someone directly above you, you have to consider the possibility the person above you may be involved in the illegal activity.

Re:The role and ethics of security researchers: (1)

BJ_Covert_Action (1499847) | more than 2 years ago | (#35591180)

You posted what is, essentially, the exact same post content-wise 7 minutes before this one. Do you always repeat yourself, or only when you have an axe to grind?

Re:The role and ethics of security researchers: (1)

houghi (78078) | more than 2 years ago | (#35591298)

When is it a good idea to inform the FBI of a crime?

I would say: never.
Once reported a child porn site and I had to come to the police office where they wanted to charge me with obstruction of the law, spreading child porn and and fraud.

They asked to come by calling my employer and telling him they needed to speak to me concerning a child porn case. Yes I had used the companies computer to report it.

Luckily I could convince the police they were idiots and luckily the people at my company where intelligent enough to understand what was going on and even offered a lawyer if anything would come of it.

If it would have been anybody else, they might have been convicted of a crime not done or at least lost their job, because of how the police informed them.

The company even told me (after a 20 second explanation) that if I wanted, they would protect my identity as long as possible.

The police (and other law institutes) already think you are guilty. They will be even more convinced if you tell them anything they think you should not know.

Re:The role and ethics of security researchers: (1)

LanMan04 (790429) | more than 2 years ago | (#35591466)

This this a million times this. Stay as FAR AWAY from police as possible at all times. They're like a tornado of trouble and being in their vicinity, **even when you're doing good for society**, can damage you in all kinds of horrible ways.

Not worth the risk, ever.

Re:The role and ethics of security researchers: (0)

Anonymous Coward | more than 2 years ago | (#35592362)

At what point does it do any good? I've informed the FBI and the Secret Service of dozens of instances of hacking and wire fraud. It does *no good* until someone publicly offends a big enough institution, *and* it shows up on the news. Until then, it's "business as usual" and a game of "go tell someone else". The FBI Computer Crime department is a black hole into with the reports flow and no one is prosecuted until the publicity is much too large for them to ignore, but always too late to protect the general public.

Ladies and Gentleman (4, Funny)

Tigger's Pet (130655) | more than 2 years ago | (#35590856)

Do we have a winner for the prize of "stupidest person alive"? Who, with the slightest semblance of common sense, would think that posting a video of themselves doing this was a good idea? This ranks up there with the guy who used a camera mounted to his motorbike to record himself doing 140mph+ in the UK, then posted it on YouTube with his face and licence-plate.

Re:Ladies and Gentleman (1)

Anonymous Coward | more than 2 years ago | (#35592262)

Not the stupidest - he lived. There are plenty of dumber people in the world who kill themselves by trying to accomplish something truly stupid every year.

Self-defense (5, Interesting)

Anonymous Coward | more than 2 years ago | (#35590862)

This is exactly why we don't counter-attack those attempting to penetrate our network. While you *might* have some slim chance of reaching the attacker, chances are equally good you will end up attacking some systems in a hospital or something equally unacceptable.

Re:Self-defense (0)

Anonymous Coward | more than 2 years ago | (#35592582)

As long as the counter-attack isn't a DoS then I don't see any particular problem in pursuing after the offenders. Blowing an attacker off the tubes is a very blunt tool that has no lasting effect. But sleuthing their info is good IMO. Plus, its blinky fun. =)

1337 (1)

Toe, The (545098) | more than 2 years ago | (#35590894)

How do you spell elite? Is it: (0~\/1(7?

Let it be a lesson (1)

microbee (682094) | more than 2 years ago | (#35590904)

The FBI found the source code for the bot on his laptop.

Open source doesn't really work for hackers.

Re:Let it be a lesson (1)

elucido (870205) | more than 2 years ago | (#35590922)

Neither does closed source. Who knows whether or not an informant or undercover cop put a backdoor in the botnet.

Re:Let it be a lesson (1)

H0p313ss (811249) | more than 2 years ago | (#35591648)

Neither does closed source. Who knows whether or not an informant or undercover cop put a backdoor in the botnet.

Perhaps you should spend the rest of the day searching youtube to find out.

Well, that explains his choice of professions... (0)

mmell (832646) | more than 2 years ago | (#35590940)

I mean, who here hasn't aspired to the role of Private Uniformed Security Provider?

This nimrod's just a script-kiddie with delusions of grandeur. Lock 'im up!

Sorry, I gotta say it: (0)

Anonymous Coward | more than 2 years ago | (#35590966)

FAIL

Re:Sorry, I gotta say it: (1)

nobodylocalhost (1343981) | more than 2 years ago | (#35591714)

You are missing "EPIC" in front of that "FAIL"

Reminds me of... (1)

Vomster (1816032) | more than 2 years ago | (#35591144)

Pirates of the Caribbean "You are without a doubt the worst [hacker] I’ve ever heard of"

Come on, dude. (1)

fivevoltforest (2012744) | more than 2 years ago | (#35591204)

Anywhere but a hospital.

Delusions of grandeur is right.
"So what if I mess around with the HVAC controller in this hospital? I have SERIOUS HACKER BUSINESS to conduct!"

Re:Come on, dude. (1)

betterunixthanunix (980855) | more than 2 years ago | (#35591308)

On the other hand, why was the HVAC system left open to these sorts of attacks? If it is as safety sensitive and critical as the FBI is claiming, one would think that Windows should be low on the list of operating systems to choose.

Re:Come on, dude. (5, Funny)

Hatta (162192) | more than 2 years ago | (#35591734)

Don't be too hard on them. Any HVAC system can be circumvented using windows.

Re:Come on, dude. (1)

cusco (717999) | more than 2 years ago | (#35592430)

Building maintenance computers are expected to last for a decade or more, which is probably longer than the building maintenance people will stay on their job. These systems are written for Windows because the new guy can come in, poke around a bit, and because he understands the basic MS programming conventions be productive in his new position almost immediately.

Re:Come on, dude. (2)

RandomJoe (814420) | more than 2 years ago | (#35592550)

I install HVAC control systems for a living. Almost all of them rely on Windows at some point along the way anymore, either for setup software or the user interface software (if it doesn't use a web interface).

However, most do NOT require the Windows computer in order to function properly. The systems either have a dedicated embedded-style building controller, or use a peer-to-peer arrangement with each device handling its own schedules and talking to each other directly to integrate. It's entirely possible that the most he could actually do from that computer is look at a few temperatures.

Not that I expect that's reality. Unfortunately, we're typically talking about people with very little computer / networking skills, and security is dead last on anyone's mind when setting these systems up. They wouldn't even talk to IT at all if they didn't need an IP or LAN drop somewhere. I try to caution people about the need for at least rudimentary security, but all too often ease-of-use wins the day. Some even have their HVAC systems exposed directly to the net so they can more easily use their smartphones or check on things from home. Combine with braindead username/password selection and I'm surprised many haven't been hacked.

One way I try to prevent total disaster is by careful programming - make it so the user front-end doesn't allow them to do stupid stuff, and sanity-check user input. But there's a limit to what can be done with most of these systems, and in the end if the customer says he wants to be able to do something stupid - well, it's his building. Just don't expect me to cover it under warranty!

Jeeeeeeeez... (0)

Anonymous Coward | more than 2 years ago | (#35591244)

...this is starting to get out of hands! A Guy should be kicked very hard in his balls for hacking a hospital computer, but come on, almost 10 YEARS hard time?!?!

Three words: (1)

sstamps (39313) | more than 2 years ago | (#35591256)

Stupid should hurt.

That said, I think sentencing for most of these crimes is a little over the top, but still; if you ask to get busted, you're going to get busted.

Re:Three words: (1)

diskofish (1037768) | more than 2 years ago | (#35591938)

A part of me feels sorry for this fool.

No, that's pity, not sorrow. (1)

zooblethorpe (686757) | more than 2 years ago | (#35592076)

A part of me feels sorry for this fool.

As in, I pity the fool...

Sometimes actually I miss the 80s.

Cheers,

You are ridiculous (0)

Anonymous Coward | more than 2 years ago | (#35591438)

If the summary is correct (and this is a big if),
what would be the sentence if he ran over a man with his car (accidentally)?
Probably less months.

You know that you are ridiculous, don't you?

Posting as AC for obvious reasons.

Re:You are ridiculous (3, Insightful)

DurendalMac (736637) | more than 2 years ago | (#35591668)

Accidentally hitting someone with a car and accidentally hitting someone with a car after you've swilled half a bottle of Gold Schlager would be treated differently. Accidents happen. Deliberately fucking with hospital systems in a way that you KNOW could cause damages and even get someone killed is not an accident.

Worst is yet to come (1)

Anonymous Coward | more than 2 years ago | (#35591824)

While the theme of 'Mission Impossible' played

Just wait till the RIAA sues him for this part of it.

Should read: Dumbass posts his crime on Youtoob... (1, Insightful)

ehintz (10572) | more than 2 years ago | (#35591926)

There. I fixed it for you.

What is the way forward here? (1)

Anonymous Coward | more than 2 years ago | (#35591962)

There's nothing cool or counter culture about screwing with hospital computers you are promising to guard. I'd inform on this sort of crap with a very clear conscience. I think the kid should be reformed not simply locked in a cell till his playstation expires but then the US penal system is another issue.

script kiddie (1)

mshenrick (1874438) | more than 2 years ago | (#35592278)

correction: script kiddie ;) although securing against someone with physical access is impossible without full disk encryption

So..... (2)

carbonUnit42 (1698328) | more than 2 years ago | (#35592288)

I'm assuming he wasn't part of 'Anonymous' then? ;-)

Hackers? As in the movie, "Hackers"? rofl (0)

Anonymous Coward | more than 2 years ago | (#35592464)

Found this at youtube, http://www.youtube.com/watch?v=vsHqbtmmRH8

He's giving shouts to "hacker" aliases Acid Burn and Crash Override? Really? lmfao.

And another youtube video taken down

http://www.youtube.com/watch?v=WN3xUrFUoNw&feature=related

due to a copyright claim by ETA? lmfao more.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...