Security guard admits he hacked hospital PCs
A former security guard has pleaded guilty to compromising more than a dozen computers that belonged to the hospital he was supposed to be protecting and posting some of his exploits on YouTube. Jesse William McGraw, 25, called himself Ghost Exodus in videos such as this one as he wandered the halls of the North Central Medical …
20 years for attempting to DDoS an HVAC system? You could get a murder and a few rapes for that money in Blighty!
What would have happened if one or more people in the hospital died as a result of the DDoS'd HVAC unit? Would it then be splitting hairs between homicide and murder?
Not sure about anything being rapped .. except maybe the HVAC unit and the Mr. Ghostie Exodus chances of a legitimate career prospects involving a computer
"20 years for attempting to DDoS an HVAC system? You could get a murder and a few rapes for that money in Blighty!"
20 years is the maximum. Only the most serious offenders get the max.
But messing with the HVAC in a hospital is very serious. Hospitals have complex HVAC requirements. Operating suites require low temperatures, as the staff are covered head to toe in sterile gowns. Rooms containing contagious patients require lots of air flow, and no recirculation, and return air must be passed through UV. Imagine what happens if the entire HVAC system goes dead on the hottest day of the year? Deaths are very likely.
DDOS a HVAC system in a hospital, on one of the hottest days in the year, in a city where it would be considered a cool day when the tarmac is melting.
In a hospital, remember. People in hospitals are often more sensitive to extreme temperatures than normal. Too much heat and they *will* die. Not might. Will.
Living in Texas, he's lucky he doesn't get the chair.
...you could eat a live baby in public on the left-hand side of the Atlantic, and not get 20 years in federal PMTIA Prison. :?
I hope the authorities carry out the charges they've filed against this person.
How the heck does a contract security guard get access to ANY client site computer systems?
How about a post-it note on the monitor?
\cynical
Disabling the HVAC system in a hospital can lead to patients dying from heatstroke.
HVAC systems also help to keep operating rooms sterile so losing the system could lead to infections.
Normally I'd call 20 years excessive. But in this case I do think its warranted.
"20 years for attempting to DDoS an HVAC system? You could get a murder and a few rapes for that money in Blighty!"
This is Texas. A state that at one point said you could do 20 years for a joint.
A few rapes and murder in Texas will earn you the right to suck on some cyanide gas .
...the should give him a good caning for being an idiot script kiddie.
You can see he's wearing his security guard uniform under his hoodie.
The guy had a bit of a laugh.
No doubt, many of the OMGORZ000RZ!!!!!!111 HE DUN HAKKED OWR COMPOOTURZ mob are the same mob as those who wished Mr McKinnon well in his exploits.
Secure your networks, or get out of the job you're in.
Show me the victim of his 'crime' and I'll shut up.
Also;
Inb4 'Well attempted murder is still murder'. He Never attempted to murder anyone.
So he's not standing over each patient and clubbing them to death with a monitor or keyboard .. in this regard you are right it's not "murder".
But if anyone died as a result of his DDOS "attempts" against the HVAC unit, he deserves the "extra credit" afforded by the law. Messing with patient records is one thing, tampering with a system that would be similar to a life-support system is an entirely different matter. Once he went at the HVAC system he was literally messing with people's lives.
If you can't see the differences between this case and MacKinnon's, then you are as dangerous as the turd in this report. Nothing MacKinnon did put any lives at risk. Also, most of the fuss about MacKinnon (just to summarise, because you clearly don't read things properly), is not *whether* he did it, but where he should be tried - after all, he has admitted it.
Your argument isn't just comparing apples and oranges, it is comparing apples with volcanic ash! There was a serious risk, bordering on a certainty, that, if he had been a bit more discrete and clever about the way he did this, people would have died as a direct result of his activities. I think he has been lucky to get off with being charged only with computer meddling, and not attempted offences against the person through negligence. However, as mentioned in other comments, he should not be the only one in the dock - the head of IT, whoever contracts out important jobs like security to the cheapest bidder, and the scum that run the cheapest bidder's company should be joining him.
"Nothing MacKinnon did put any lives at risk."
And, of course, this guy is probably the assistant to Ali Kayeeda! He recklessly endangered so many lives!!!111 HE IS UH TERRURIST LETS GET HIM!
There is no risk to anyone, on a properly secured network.
If your network is improperly secured, there's only one person to blame, and it's not a janitor with a USB drive.
Who is ultimately responsible for IT security in that hospital? Are they still employed? Do United Protection Services still have the contract? Was - as is so often the case - security tendered out to the cheapest bidder? They all seem to have had a hell of a lot of eggs in one not-very-secure basket, given what's at stake in a large hospital.
Mr McGraw deserves gaol time for his antics, no question. Seems to me he shouldn't be serving that time alone. Hacking to this extent is rightly a criminal offence. As should be corporate stupidity.
i've always thought this whole situation was blown way out of proportion.
he did this place a favor by his nonsense. what if he was a terrorist planning alot more then just disabling a freaking hvac.
if the well-being of the patients was that important in regards to the hvac then the hospital workers wouldn't "wonder why" things were happening but instead would immediately act and find out what the hell was going on.
Looks to me like typical outsourcing and junk contracts are to blame. I know in my state hospitals contract out security work, usually for very little pay to companies with very little screening. Companies are more interested in hiring based on affirmative action then they are security minded individuals.
So this is what you get, a $9/hr flunky screwing with your probably multi-million dollar hvac system while the staff wonder around with their thumbs up their rear-ends.
This guy deserves to be let off, you could as others have said on here, rape or kill someone and probably have less charges once it's all said and done.
I doubt his intention was ever to cause anyone any harm.
He doesn't appear to be being prosecuted for attempted manslaughter or any other made up charge. Thought police do not exist yet.
"two felony counts of transmitting a malicious code"
For which 20 years seems a bit high. Didn't a mobile phone seller release a batch with a virus recently?
Why the heck would you use hospital computers for something like this? In my experience (as an NHS employee with IT geek tendancies), hospital computers are ancient, slow and loaded with meaningless crap. Hardly the sort of thing you'd want to use for a leet haxxzors sploit, or whatever terminology you kids use these days.
"Why the heck would you use hospital computers for something like this? In my experience (as an NHS employee with IT geek tendancies), hospital computers are ancient, slow and loaded with meaningless crap. Hardly the sort of thing you'd want to use for a leet haxxzors sploit, or whatever terminology you kids use these days."
I'm wounding was this a county hospital(state ran). I've been inside private hospitals that required RIFID card or a smart card to log on plus a password . I've all so been in hospitals were they had specialized RICO photo copiers/ fax/ Printer all in one . In order to fax or photo copy on these machines you had to enter a user name and password(user name is the email the hospital gave you) . All images were stored local on the copier/fax on an encrypted hard drive. The RICO machine is running Linux. It logged all out going fax number for 180 days. They can tell who faxed or photo copied a document .
Sign up, sign up for The Register's weekly IT security newsletter - click here
