Gary McKinnon is an idiot. Or he’s the most dangerous hacker who has ever penetrated US military systems.
Evidence for idiocy comes from Slashdot’s discussion of McKinnon’s failed attempt in a British court to block his extradition to the United States.
Evidence for danger comes from this BBC report that the US claims he caused $700,000 in damages hacking military and government computers.
A few thoughts, off the cuff:
No question, we’re talking grade-A idiot. For one thing, he was looking for hidden UFO data. For another, he was spelunking about in US military systems and got caught using off-the-shelf monitoring tools, rather than hacker tools that might at least have given him a shot at covering his tracks.
But is he dangerous? And more importantly, is there anything we should be taking away from this story?
For one thing, if McKinnon’s claims are true that he accessed some of these systems and found that they had no password protection, that’s something we need to be looking at very strongly. I don’t think it excuses his actions (neither does his stupidity, for that matter), but there’s not a great deal of difference between what McKinnon did to NASA and what you’re doing to jeffporten.com right now. That is, the difference isn’t “hacking”, but rather that I want you here, and the NASA computer is more obscure than my site. But still findable, and still on the Internet.
Here’s an example. Let’s say you’re using a computer with nmap installed, and you type in the following command:
nmap -sS 188.8.131.52
What you will get back is a list of protocols on which my website is willing to talk to you. Now let’s say you do this instead:
nmap -sS 143.84.24.*
and you’re stupid enough to do this from somewhere other than someone else’s Wifi access point. What you’ll get back is a list of people in dark suits with badges who are suddenly interested in what you’re doing. Because now you’re mapping a block of sites that includes the Army Research Laboratory, whose scary warning I blogged a while back.
Note that I have not actually run that command and I don’t think you should either. You’ll end up scanning 256 computers that are most likely all military, and for all I know some of them are not supposed to be accessed by guys without uniforms. But all of them are on the Internet, and all you’ve done so far is walk up to all of them and say, “Hi! What services are you running?”
So let’s say you’ve done this, and somebody over in the Double Secret Probation Security Department decides to figure out if you’re an idiot or a true threat. He gets a team to trace your traffic. But you used several of nmap’s standard obfuscation techniques (which I’m not going to document for you; they’re easy enough to find), so it takes them a week to figure out which logs apply to you. Then they have a map of IP addresses from which Internet providers you used, so they ask an FBI type to go knocking on ISP doors and connect those to physical addresses.
Then they set up a surveillance team and nail your ass.
No, I’m not running off on some paranoid fantasy. I’m just working some numbers from the Bureau of Labor Statistics, and doing a few sums in my head, and the figure I come up with is that what took you about five seconds to do, cost about $25K for the US government to nail you for, just in terms of salaries for the people involved. Probably higher since my numbers presume that these computer techies and FBI types don’t have any supervisors and prosecution is done pro bono.
That’s why I’m, well, skeptical when I see numbers like “$700,000 [in] damage to military and NASA systems”. I remember seeing reports of attacks on military computers from the 1990s, designed to scare the hell out of Congress, where the exact line of code I listed earlier would have been counted as 16,777,216 separate attacks on military networks. Under extremely vague statutes in force today, opening your laptop in the wrong part of Washington DC, and accidentally handshaking with an open government Wifi base station, could constitute a terrorist attack.
Which is not to say that I think this is a secret government plot to throw all computer users in Gitmo. Every server I run is attacked on the order of 1,000 times a day by automated attacks, and I’m guessing that any government system gets hit far worse. Most folks fly way beneath the radar even if they are terminally stupid, and I presume that McKinnon did something to set off an alarm bell or two.
But if he is right, and he did find services that were inadequately protected, then it would be awfully nice if the process of prosecuting him also exposed these problems and caused them to be fixed. Because it’s axiomatic that if he found them, he wasn’t the first nor the last. Somehow, I don’t expect that kind of open trial is going to take place.
And I gotta say… the worst hack in US military history came from a UFO nut in London, working alone, and cost only $700K to fix? Man, that’s the most reassuring news I’ve heard in years.