A Romanian accused of hacking NASA is fighting against an order to pay damages to the space agency. Victor Faur, 27, from Arad, Romania, was ordered to pay $240,000 in damages by a court after he was found responsible for breaking into multiple systems at NASA, along with computers at the Department of Energy and Navy systems. …
The US protesteth too much
Whilst an argument can be made that the guy should pay for the cost of fixing any damage he caused to systems, the cost of "putting things completely right" is something that should be borne by the organisation.
It's a cost they should have incurred before the incident, and should be incurring on an ongoing basis in any event; NASA is an organisation which has information of economic and military value and it's only reasonable to expect the information on its systems to be kept secure.
I'd suspect a charge of about $20,000 would be much more appropriate to conduct an audit of the affected systems and repair any damage caused. $200k is one nought too many and the US claim is two zeros too many.
RE: The US protesteth too much
Cost of a DSL modem - $30.
Cost of time spent online hacking NASA servers - $3
Cost of thinking "I iz a 1137 haxor wiv skillz" - $240,000
Satisfaction at watching said gormless moron wriggle and squeal when he gets hit with a hefty fine and a criminal record - priceless!
How about paying the guy $20,000 for highlighting their current system administrators' incompetence in a non-destructive manner and providing educational material as to what security efforts need to be taken?
If it wasn't this guy, it could've been some other guy with malintent, and then they really could've sustained $250,000 of damage.
As it is, the guy should be lauded for putting his skills to such benign use. In fact, those little security advisories could be considered a damn good CV/resume, so a job offer might be in order too.
Tell you what. I'll break into your house and spray graffiti on the walls. You can pay me 20 grand for showing you where your doors and windows are vulnerable.
Going by the US precedents, I will expect you to be fined the full value of my house, plus additional compensation to be paid to my neighbours whose own house values will have been reduced by your criminal activity.
Oh, and my legal fees too.
You're fine with that, right?
I wonder how a court might react to someone complaining that a stranger snuck into their house through an open window and spray-painted 'DON'T LEAVE YOUR WINDOWS OPEN' on the walls? I've got a pretty good idea what their insurers would have to say on the matter.
The US protesteth too much
The damages awarded to NASA obviously contain a punitive component as well as actual damages. It's a way of saying NO, it isn't OK to do this.
He got off lightly with only a 240k fine. I can't stand these little hacker punks that think they were somehow justified in what they did.
I think the purpose of his actions was to show the world "Oh... I'm ever so smart, look at what I can do."
I say a lengthy prison sentence and a cell with a roommate named Bubba is what he needs.
"I say a lengthy prison sentence and a cell with a roommate named Bubba is what he needs."
Are you really suggesting that rape is an appropriate punishment? I hope I've simply misunderstood what you mean.
By that he means
"It's not just the cost of mopping up after the hacker(s), but it's the cost of putting things completely right after the event," he said.
recovering the cost of what should have been fixed in the first place. Cheap way to implement security if you can fine the right people, though they (hackers) should be allowed a reduction for the senior management justification campaign that they ran on NASA's behalf; last time I checked, a good awareness campaign across a large organisation was about 1/4 million dollars.
Actually, what he meant
"240.000 is about the amount we need to hire a pr agency to wash the egg off our faces"
I do believe...
...that the US should be forced to justify the costs and time involved in clearing things up.
If they try and then tag on to this, the costs of closing holes that shouldn't have been open in the first place, then they should be slapped down.
These are ridiculous amounts of money if all that the bloke has done is leave files around.
If I was Romania, I'd be telling the US to detail their claim. Same thing with McKinnon. The US shouldn't be getting away with this. It's a good job that these trials aren't going on in the US, or there'd be no one to pull them up on things like this.
RE: I do believe...
The extent of criminal damage is not based on the security of the damaged property, but on the damage done. If a burglar breaks into your home, the judge trying him doesn't say "Well, they only had cheap locks on the windows so I'll let you off with a lighter sentence." The act of breaking in is still breaking in regardless. SirVic's lame excuse of "I just wanted to tell them they had security issues" is just complete male bovine manure, he wanted to brag about what a 1337 haxor he was and so defaced their sites. If all he wanted to do was warn them of problems he could have done so in an anonymous snail-mail letter.
I really hope the damages actually get ramped up to send out a message to the skiddies - you may think you're oh-so-clever, but you will get caught and you will be made to pay for your crimes.
...yeah, but the judge doesn't make the burglar pay for the windows. Or if so, only damage to the windows to bring them back to the level they were, and certainly not to replace rotting wooden frames with state-of-the-art uPVC with security bars.
This is going to be interesting
Everyone else who makes the point that the hacker should be penalised for the actual damage done, and not uprating the security, has got thumbs up.
I've got people on my back about it ... and a similar thing in another thread.
It seems that, since yesterday, I have gained myself some hate-followers!
I think I'm going to have some fun with this.
We're in agreement that the charge should be based on the damage done, but the US seems to want to replace the clapped out old banger that was damaged with a brand new Ferrari.
That wouldn't work in any claim for damages and it shouldn't work here either.
I now find that I am torn as to which way to go. On the one hand I hate 'hackers' (*) per se, but this one doesn't seem to have done a lot of damage ..... 1/4 million does seem a fair bit of spare change.
Decisions .... tend to agree with Matt most times on things, but have been reading Michelle's blog..... and trying to find her web site.......
OK, popcorn ready ...... will see if anything else appears on this story.
(*) by hackers I mean the script kiddies, Anonymous, LulzSec etc. Apologies as I know this term can refer to rather more skilled denizens on the interwebs.
It seems that whenever a hacker gets caught they stump up the "I was advising on security holes" excuse. As commendable as this may be, they're still breaking the law. When I started reading the news item I thought "$240k. That's expensive." But the more I read it, the more I think it's justified. There has to be a deterrent, and being whacked with a huge fine or a suspended or custodial sentence seems to be the most logical step. Hackers need to be stopped. End of. The more we play down the actions and outcomes of hacking and show leniency because "they're actually helping us get safer", the more hacking will continue. It's only a matter of time before some hidden damage leads to someone getting injured, or worse.
The fine isn't the deterrent
The deterrent is the prison sentence. The fine is for damages caused to the system, which do appear overinflated, given that much of what seemingly needed to be done using that money was stuff that should have been done anyway, in order to make the system secure.
I'm not saying what he did was right - it wasn't - just that the damages claim is over the top.
His punishment for the hacking is the 16 month prison sentence and a criminal record.
The financial aspect is about how much damage he has actually done (literally breaking stuff around: crash servers, cause downtime, steal money).
And by the looks of it, he just left some voicemails mocking their security. This hardly justifies the sum. As another person commented, he should be made to pay the cost of a security audit ($20k).
A nice analogy would be me breaking into your Renault and causing damage to it. Then, as a punishment, I would be charged for what I did, but you demanded that I buy you a new Rolls Royce.
Suspended Prison Sentence.
He won't serve 1 day behind bars.
You try getting a 'suspended prison sentence'. It is a punishment, one that will affect his entire life. _IF_ he gets caught, and convicted, for anything else during the period of his sentence then he goes inside.
So he might not serve 1 day behind bars, he might serve 16 months.
Clean up costs...
...yes, he should pay for damages to rectify problems he caused and do time, but...
"... it's the cost of putting things completely right after the event," he said.
Sorry, but if he used known vulns, then you should be liable for exposing people's data through poor security practices.
RE: Clean up costs...
One of my colleagues has a vintage Porsche Speedster (yeah, I know, a girl with a car like that, and she's a weekend eco-warrior type too!) which was keyed last summer. The vandal scratched his tag into her paintwork. Are you saying that the gormless cretin, that vandalised her car out of petty spite and jealousy, should be let off because her classic car didn't have a modern proximity alarm? There is zero difference between acts of physical vandalism and those in cyberspace - they both have monetary impact and cause distress to their victims, and they are both the acts of small-minded idiots without any real excuse for their actions.
Not quite the same
If the perp had got in and pissed on the seat, her insurance company would have taken her to task if she'd not locked the doors.
On the other hand, if he'd busted the lock to get in, then she'd have had every reason to feel fault free.
"Are you saying that the gormless cretin, that vandalised her car out of petty spite and jealousy, should be let off because her classic car didn't have a modern proximity alarm?"
No, people are saying - to extend your analogy - that he should pay for the repairs, but *not* for installing a modern proximity alarm that wasn't there in the first place.
RE: @Matt Bryant
But the additional costs are for the security review the hack caused. And that was a direct result of SirVic's actions, so therefore I think it is justifiable. Anyway, this is NASA, notorious for their $20,000 hammers, don't you think they can be creative with the accounting to make it look like the cost of the added security was actually the cost of reviewing the hack?
I suspect the real issue is the comedy sentence passed down by the Romanian court, so the Yanks want to hammer him a bit more.
"the additional costs are for the security review the hack caused"
You mean the security review that *should* have been held *before* the hack that *should* have found the gaping vulnerabilities used?
RE: RE: @Matt Bryant
Security reviews should be ongoing. No charge should be levied against the hacker for them.
An aside, Where are the data backups?
The biggest loss to NASA should have been the time to restore the affected data. Surely that should be minimal with an effective backup regime?
RE: RE: RE: @Matt Bryant
".....Surely that should be minimal with an effective backup regime?" You're just highlighting another area of cost. Not only do you have to rebuild your server from scratch - just to be sure, we're talking ANYTHING that could be recoded, so that's reloading the BIOS, checking the components like cards with writeable firmware - and then re-installing from a gold image as you may not actually know if your backup has been infected or altered. If the last backup was taken after the hack had started you are going to have to assume it is unreliable. Go ahead, keep pointing out ways the NASA charges are justifiable.
When will the lessons be learned?
As the quote from the (inevitable) Security Professional put it '..."It's not just the cost of mopping up after the hacker(s), but it's the cost of putting things completely right after the event," he said...'
So when ANY (setting aside that it's NASA, the Navy, the DoE etc in this case) organization does that risk assessment 'thing' and goes, "You know what? It's just so unlikely we'll get hacked, we can risk not spending the *estimated* money..." then who's truly at fault?
IMHO, the guy's a hacker; he should be penalised proportionately, and an organisation that tries to claim damages due to being hacked is at liberty to do so BUT they can only claim, as a maximum, the amount of spend they 'averted' by not properly bolting the doors... This guy's lawyers would probably be best served by asking for that kind of information to bolster their defence, do the 'depreciated asset' calcs etc... Of course, such organisations would then have to explain their lack of understanding of the liabilities the 'averted spend' truly represented...
It's one thing
For the hacker to claim he's only posted rubbish to draw attention to lax security, but why should anyone take him at his word?
Shirley the cost has to be a complete audit of all systems to make sure he has not done anything for which he's not claiming credit.
Same as if you found a note on your dining room table from someone who'd got in, saying you'd left the front door open; you'd be round the house checking everything was still where you'd left it.
SecurEnvoy, apparently one to avoid
given that their CTO thinks a given security vulnerability can be caused by someone exploiting said vulnerability. (You do know time moves...forwards, right?)
Like McKinnon, the costs should be for the damage caused. The reward for setting up insecure systems shouldn't be that someone else has to pay to secure them.
damages put at $1.5m.
NO NO NO... It's not $1.5m in damages, it's $1.5M to put it right, but as it should have been right to start with he can hardly be blamed. Same with McKinnon..
I hope he wins this inflation argument, but he also should not have hacked into the machines, however easy it was.
If you get a hacker into your systems, you have to reinstall all compromised systems. Period.
And if it takes you 20 hours per system (and depending on complexity, it can be more): 3 x $400 -> $1200 per server. At least.
Reinstall, really? You mean reformat and rebuild with a new OS on every server?
That sounds like a lot of effort that would in no way guarantee there was no code planted.
That's probably how NASA arrived at their $1.5m figure, although I bet they didn't do it.
Reminds me of the Texas 1994 hackers described in Bruce Sterling's book. When pushed in court US Bell (the telco) attributed the $1m damages caused by copying a document to
-the wages involved in researching the content
-the cost of machinery it was written on
-the cost of machinery to hard copy it
-cost of server it was stored on etc etc
I remember that one
Bell kinda forgot to mention that the stolen document could be purchased legally for $25 from their tech support store.
Re: only 240K?
> 1200$ per server. At least.
I redeploy servers regularly. With cobbler and puppet, I can set up as many servers as I like within about half an hour. Restore the config from fisvis, and the box is ready to go.
A dozen servers in an hour is easy. $1200 each? You must be mad.
RE: Re: only 240K?
Well, first you have to determine the extent of the hack - has he played at childish vandal and defaced your webserver, but has he also been smart and hidden some nasties on your deployment or management servers? Are you simply reinstalling with added backdoors that means the idiot and other likeminded cretins are actually going to be back in there five minutes after you reinstall? Not so simple, is it?
When you do a clean-up after one of these childish vandals, you have to start from the assumption that anything connected to the known-bad system is also compromised and then work backwards to prove each item is either clean or stays on the rebuild list. And when I say "connected", that means if someone has plugged a USB device into one of the bad machines and then used it elsewhere you have to assume every machine that USB device has been used with is also on the rebuild list. In an environment with thousands of servers, suddenly a clean-up bill of $240k starts to look very reasonable.
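The scoping rule the commenter describes above (everything connected to a known-bad host is suspect, including hosts that shared a USB device with it, and a host only leaves the rebuild list once proven clean) is a transitive closure over two relations. This is an added example, not code from the original thread; the inventory, USB log and proven-clean set are constructed for illustration.

```python
"""Derive a post-compromise rebuild list by transitive 'connected to known-bad'
reasoning over network links and shared removable media (added example)."""
from collections import deque

# Constructed inventory: host -> hosts it has a trust/network relationship with.
NETWORK_LINKS = {
    "web01": {"deploy01", "db01"},
    "deploy01": {"web01", "web02", "mgmt01"},
    "db01": {"web01"},
    "web02": {"deploy01"},
    "mgmt01": {"deploy01", "backup01"},
    "backup01": {"mgmt01"},
    "lab-pc7": set(),  # no network link; only reachable via a shared USB stick
}

# Constructed removable-media log: USB device id -> hosts it was plugged into.
USB_USE = {
    "usb-a1": {"web01", "lab-pc7"},
    "usb-b2": {"mgmt01"},
}


def suspect_set(known_bad, network=NETWORK_LINKS, usb=USB_USE):
    """Breadth-first closure: every host reachable from a known-bad host over
    a network link or a shared USB device is treated as compromised."""
    host_devices = {}
    for dev, hosts in usb.items():
        for h in hosts:
            host_devices.setdefault(h, set()).add(dev)
    seen = set(known_bad)
    queue = deque(known_bad)
    while queue:
        h = queue.popleft()
        neighbours = set(network.get(h, ()))
        for dev in host_devices.get(h, ()):
            neighbours |= usb[dev]  # the stick carries suspicion to every host it touched
        for n in neighbours:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen


def rebuild_list(known_bad, proven_clean):
    """Work backwards from the suspect set: a host stays on the rebuild list
    unless it has been positively proven clean. A known-bad host is never
    removed, whatever the proven_clean set claims."""
    suspects = suspect_set(known_bad)
    return sorted(h for h in suspects if h in known_bad or h not in proven_clean)


if __name__ == "__main__":
    # Defaced web server is the only confirmed bad host; two boxes were verified offline.
    print(rebuild_list({"web01"}, proven_clean={"db01", "backup01"}))
```

With the constructed data a single defaced web server drags the deployment, management and backup hosts plus an unconnected lab PC (via the shared stick) into scope, which is the point of the comment.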
Sounds more like
Oh shit we're so embarrassed about having our lame security discovered.
I know, let's be spiteful to the guy.
RE: Sounds more like
Sounds more like you don't have a clue and don't work in IT.
At my company we pay those guys $240K
Should be the other way round (going by UK security consultant rates)...he's highlighted that their security was lame.
Nasa should say thanks, and make their sh!t more freckin secure.
An experienced consultant costs more than $1000 per day. As all the vultures here said, there is an audit of the system or a re-install, clean up or audit the archives, change encryption keys maybe (which in some cases cost $2000 per certificate); 240,000 = 240 days means only 2 months for a team of 5 people.
All in all 240,000 is quite reasonable. The hacker should be forced to work to pay this money if he doesn't have it; whatever his reasons, what he did was against the law.
He hasn't got Asperger's. Weird.
Hope he never plans to travel
If he gets anywhere with an extradition treaty he might find himself in Bob's backdoor prison in some US territory.
Hackers get this into your heads
The US really doesn't like having its u/s security shown up for what it is. Just leave it to the Chinese, North Koreans, Russians etc.
All you ID10Ts who think he should be thanked?
Just remember that the next time some burglar breaks in through your upstairs window and does anything in YOUR abode. I'm sure letting him off with a Thank You for letting you know just how crappy your security is will be just fine with you at that point...........
The lot of you should be 'thanked' by NASA and then spaced out the airlock!
If you leave your upstairs window open and a ladder nearby, do you think that you'd get much sympathy from your Insurance Company when you try to claim for your lost valuables?
You have a responsibility for securing your property, it's no use bleating that "he shouldn't have done it!" after the event and demanding that others pay to fix your mistakes.
Or a locksmith...
...offers you a free security check on your property, finds problems, then you ask him to fund fitting new deadlocks all round...
Analogies are crapola...
"If you leave your upstairs window open and a ladder nearby...." You really haven't got a clue about how the law works, do you? Regardless of whether you enter a property through an open window or by breaking and entering, if you are not invited in then you are trespassing. If you remove the owner's belongings from the property without their permission you are committing theft, regardless of how you got in, and if you spray paint their walls it is still vandalism and destruction of property.
If you worked in real IT you'd know this because even your work desktop/laptop would have a login banner saying something like "This system belongs to Company X, only authorised people of Company X can use this system, if you log in and are not authorised you are in breach of law XYZ". By continuing further, even if you are using the correct login credentials for a real user, you are committing a cybercrime. You usually have to click to go past the banner, which is taken as you being aware you are breaking the law but carrying on regardless, which makes it easy for the prosecution to then send you down. I can just about guarantee any NASA system that SirVic hacked would have had just such a warning banner.
NASA Hacking all too easy
I was looking for a document referenced on another site yesterday that was supposedly hosted at a NASA site. I ended up at a page which had stuff like "All your IP addresses and keystrokes belong to us" on it. On reading the fine print I discovered it was a stern warning to hackers, along the lines of those "FBI investigates piracy" notices, that I was at some unauthorized webpage.
Oh dear. I must have just hacked NASA. Except that this page is supposed to be public, and it had better be, because as a taxpayer I have the right to access it unless it's national security related (FORTH? National Security?).
I think NASA's got the same problem as GCHQ. Anybody who knows what they're doing has long decamped to somewhere that pays a lot better.