Re: UK hacker loses appeal against US extradition

It probably means he was stupid enough to use his girlfriend's email address for something like a anonymous FTP. Of course, it may mean the IP address; it wouldn't surprise me that a non-tech reporter might not know the difference.

Personally, I have no sympathy for him. He (allegedly) broke the law, and was trying to hide behind the UK's extradition laws. If I recall correctly, he has repeatedly admitted what he did in published reports, but used a defense of "I didn't break the law THAT badly."

IMO, the US prosecutors should throw the book at him.

Re: UK hacker loses appeal against US extradition

At face value, I totally agree with you thorn, and at first I figured this guy was being bankrolled by some "evil" faction. I mean shouldn't you have "mad l33t haxor skilz" to intrude on the pentagon and NASA? But as the story played out, it turns out this guy is a virtual nobody. I'm left wondering exactly what he did, and how it cost the government "hundreds of thousands" of dollars. My second concern is - and we may never know - is did carnivore play any part in the detection. I have a hard time believing this is just a giant sniffer. But whatever his "real" reason, you can be certain that when he stands trial, he's going to be quite unhappy.

Re: UK hacker loses appeal against US extradition

I don't really know the story, but I would assume that this is largely the cost of analyzing the system after the attack. If he only got a toehold into the organization's network, they can't know that for sure without auditing everything. Auditing takes time and is therefore expensive.

Of course, you have to ignore that the organization probably didn't pay out hundreds of thousands of dollars, but rather paid the normal salary to a handful of people that could, in theory, have been working on something else.

Re: UK hacker loses appeal against US extradition

Must have missed Steven RamBam's talk

xor

The SAS coming in through the windows mite make anyones girlfriend give you up quick.

If you are going to try and hack the US government you better live in like China or Russia, not living in a country that is no doubt our greatest friend.

Re: UK hacker loses appeal against US extradition

see... i've always found this to be interested. someone pointed out once that many organizations (be they non-profit educational institutions or for-profit publicly-traded companies) are required to have a good deal of open-ness with regard to their financial books.

So often, an organization (or even a whole industry) will claim huge "losses" due to anything from computer intrusion to piracy... but how often do these "losses" (at least, the numbers that appear on court documents) show up on end of year spreadsheets? or on tax returns?

if it's not being claimed to the IRS, it's not a real business loss, in my opinion.

(not defending digital nefarious-ness, btw... just speaking out against the manufacture of fake numbers for purposes of press releases or courtroom leverage)

Re: UK hacker loses appeal against US extradition

I have a different take on this based on first hand experience.

Let's say, for the sake of this discussions, that he is guilty of what he has been accused of, illegally entering the networks of the US Government. Based on that the following are potential items that result in real cost, whether a tax paying organization or not:

1. Identifying how he entered the network and taking actions to prevent the same thing from happening again. When you taken into account the size of the DOD's organization from a physical and network, you can see how many sites would have to be inspected and verified. I believe I read somewhere that he accomplished this by using a dial up modem that provided access to the internal network. How hard is it to check for this? How many man hours do you think it would take to inpsect every phone number that answered with a modem at a Government PBX? While our military is vastly under paid, again speaking from first hand experience, there is still a cost to have these people doing this work.
2. Investigating what information he accessed and what the impact unauthorized access to that information has on our nation defense. Anyone who has done forensics analaysis knows that it is not a processed that is rushed, lest mistakes be made, and again given the size and potential number of systems he could have had access to and having to do the impact analysis of that amount of information is very time consuming and thus costly.
3. The last, and often the most overlooked, is what is the cost to fix any systems about which he gained information. Take any major weapons system or platform and the disclosure of even unclassified information that is available on government systems could reveal short comings or means to detecting or defeating those systems/platforms. The cost of having to do upgrads and or abandoning these systems and platforms as a result of the unauthorized access to this information should not be overlooked. No matter if he was acting along or in concert with 3rd parties the fact that the informaiton is no longer "controlled" means that it could cost lives in the wrong hands and therefore can not be considered safe any longer.

Bottom line - someone gaining unauthorized access to any information has a lot of hidden cost to the parties invovled.

Re: UK hacker loses appeal against US extradition

I think this is the point that is quite debatable. Since this network is so large, we can probably assume they have full-time staff performing these operations. The organization is therefore not paying anything extra to perform these tasks. If you are going to talk about the cost of this time, then, you have to figure out what the people might have been doing otherwise, factor in the chances of success of that project, and estimate the revenue/cost savings of the alternative projects.

Another cost may be that of hiring new people to deal with the increased workload, but ,unless they are contractors hired solely for analysis/response, it isn't as simple as "time eq money".

Re: UK hacker loses appeal against US extradition

Even if they used existing contractors and other employees, there is surely overtime and performing work outside of the scope of an original contract to contend with. You can assume a full-time staff is performing regular operations, but probably not performing forensic analysis on systems just for the absolute joy it brings. It isn't like every location has a forensics expert hanging out.

I'll agree that some numbers that companies may put out are a little hard to swallow without proof. A billion dollar loss because the janitor got pwned is not going to fly too well. I think it may be an easier thing to state "This cost us n to clean up and remedy." rather than the whole "We lost huge tracts of land and many ponies because of this horrible atrocity, we demand compensation!" statement that is more often published.

Re: UK hacker loses appeal against US extradition

We're talking about the government here. When they say they spent x million dollars fixing something, it's typically an underestimation. Remember, they have to put everything out to tender, pick the highest bidder on a cost+ basis, run security clearances because the contractor only wants to send new guys, pay for time and cost overruns, fire that contractor (paying the termination fees), hire a new one, repeat, more time and cost overruns, file a lawsuit against the original contractor, and then they get 15000 pages of documentation dictating how they're going to track down the actual damage done. Somewhere on page 14999, someone checks the logs.

Re: UK hacker loses appeal against US extradition

Still not in jail, here in the US....WTF.

http://news.bbc.co.uk/2/hi/uk_news/8312134.stm

xor

Note to self, hire Gary's lawyer if I ever get in trouble.

Re: UK hacker loses appeal against US extradition

In related news...

http://www.networkworld.com/communit...ity_2009-10-16

http://www.gao.gov/new.items/d104.pdf

xor

Re: UK hacker loses appeal against US extradition

I have a friend that works in NASA and I asked him about this incident and what they have done to correct it. They aren't even allowed to talk about it (even internally), they refer to it as "the incident"