White House Web Page Cracker Faces Prison

gregstoll writes "Hacker Eric Burns (alias Zyklon) faces prison, according to this New York Times article (free registration required, of course...)" Meanwhile, according to an Excite News story sent in by lots of people, the DoD is thinking about removing JavaScript and ActiveX from its sites to make them harder for crackers to penetrate.

Good and bad...

If he broke into computers, he should be punished. But I'm a bit dubious aobut this 'three years' thing. Computers are no longer a luxury; most people reading this have computers as an integral part of their life. There's also the problem of 'what is a computer'. Can he play pacman in the local retro-arcade? What about a playstation? Can he program his video to record 'buffy' when he's at a parole meeting? Can he take cash from ATMs?
I could go on. And given the slightest incentive, I probably will.

ActiveX? Huh?

I thought the problem with ActiveX was that it was a security hazard for the browser -- the person doing the surfing -- and the browsing system. Ditto JavaScript. Can someone please explain to me how these tools are a threat to the servers and their hosting systems?

Or is this just the case of some non-tech-savvy DoD security wonk overreacting to something he's read and misunderstood about the security issues? It happened at NASA. You wouldn't believe the trouble we had getting Java code into mission control at JSC, because some misinformed security expert decided that Java == security threat. *sigh*

--JT

Little Steep?

Sounds like the government is charging the same thing back to the public as it does paying for stuff. Three attacks? How in the world would that equal anywhere near $40,000 in damage. I mean come on now. Unless they are paying someone 300 bucks an hour or something to reconfigure a machine. Oh well I guess I won't be learning how to crack into websites anytime soon. Not that I wanted to do it in the first place, this was enough to discourage me.

Response & responsibility

A few things came up from reading this - the guy seems to think "the punishment is harsh for what he did".
I don't agree with this punishment for computer intruders, but the law is the law until it is changed by your elected representatives. And if you got caught, then tough tittie. You knew the risks. HNN has an excellent article [hackernews.com] about it.
Basically, this type of activity is like trespass & vandalism. In the UK, that's more like a slap on the wrist community service type punishment. I'm not going to go on about ethics or morals; that's been done to death and everybody has a different standpoint.
What would ultimately benefit society more - imprisoning this kid for a year, or making him teach (under supervision) underpriveleged kids how to use computers?

reaching DOD "high security systems" from the web?

The Excite article is a little fuzzy on whether the DOD is considering banning (a) code on their own pages or (b) browsers within their network from accessing such code from the open web (at first it seems to be talking about one, then the other). Either way, they say it is not suitable for "high security systems"

In the case of "(a)", I'd hope that no "high security systems" are accessible from the web. Surely the web servers are not on a network with access to sensitive data?

In the case of "(b)" the same thing applies. Would they really have a machine with access to both the WWW and sensitive defense info?

When the DOD talks about "high security" I assume this means as high as it gets anywhere. High security buildings have only one door. This makes it sound like they built a
"building" (so to speak) with thousands of doors and now they're lamenting the fact that they can't keep their eyes on all of them at once.
-
<SIG>
"I am not trying to prove that I am right... I am only trying to find out whether." -Bertolt Brecht

Re:Good and bad...

They modified a web page which wasn't on any government controlled network. They broke into what was most likely only the userland -- which means they could only modify web pages. This is hardly worth 3 years of punishment. I blame this mostly on paranoia on the part of the prosecuters involved and the ignorance of the judges who upheld this standard. I'm willing to bet that they also did not delete any files on the system which means that they are not guilty of file tampering or intellectual property damage.

The only charge which I can see as verifiably true is:

"All told, the attacks cost the government and businesses more than $40,000, prosecutors said"

Why? Because they wasted their time tracking this child down when the provider could have easily restored the page. Making examples of people, especially when the penalty it doesn't fit the crime, is wrong.
----------

Re:Little Steep?

"this was enough to discourage me."

Maybe that was the point. Also, how do you quantify in monetary numbers the effect of a country losing face and looking really stupid to the whole world. What if the hacker put up something really inciteful, like slurs against other countries?

Justice, what else?

I admit to not knowing that much about this case, and don't have time to register for the NYT; but what that cracker did was illegal - so surely he should be punished?

I'm all for looking around interesting boxes on the net, but surely he must have known that whitehouse.gov is another matter, and he must have known beforehand that the consequences would be very severe.

IMHO, in a more general sense, if you are choose to compromise a computer, that's one thing, but when you change the HTML, that is just plain stupid. It's the electronic equivalent of putting graffiti on a wall: if your real information (name, address etc) becomes linked to your handle, you are in the shit. The electronic sense is even more stupid though, there are logs.

It also seems that an example is being made here. If you tread on the toes of any .gov or .mil, it is highly likely that one day, you will be caught, especially if you are in the US.

Security has two sides: learning it, and becoming extremely knowledgable to the point where you are hightly employable, and the more sinister, less knowlegable side of defacing web pages. I'll let you figure out which one to choose.

To me, this seems like justice.

Aieeee, the time.

Re:ActiveX? Huh?

I thought the problem with ActiveX was that it was a security hazard for the browser -- the person doing the surfing -- and the browsing system. Ditto JavaScript. Can someone please explain to me how these tools are a threat to the servers and their hosting systems?

In this case I'd say it is because of internal use. Consider Internet Explorer - most people these days use it - holy wars aside, it is the best browser for standards complience that's available now. You can set security for 4 different areas:

1. Internet
2. Local Intranet
3. Trusted Sites
4. Restricted Sites

Their servers are likely to be in either (2) or (3) for most internal users, i.e. "dangerous" stuff will be allowed to run.

This allows your average "script kiddy" hax0r to break in and change some Javascript or ActiveX code and cause more damage than if the browsers are set to not trust the servers.

It does sound a bit far fetched though, since it doesn't stop the original defacement.

There is always "server side Javascript" in the Netscape server and other server side CGI and ASP style code that can introduce security risks, but that's not what they say.

You wouldn't believe the trouble we had getting Java code into mission control at JSC, because some misinformed security expert decided that Java == security threat. *sigh*

I'm acually quite impressed with the idea of Java, designing a language which is safe enough to use in most environments. It's still open to denial of service risks for the client (and the issue of trusted providers, but that's another rant entirely).

I just wish that the authors of the security nightmares mentioned above had the same commitment to safety over creaping featuritus.

Bron "Windows is the sandbox, just store important data safely somewhere else" Gondwana.

Computer Crime Sentencing

15 months for breaking into a computer. Whats the going rate for assault and battery, probably close to the same. I'm sure that people have gotten 15 months plus/minus for manslaughter. Lets look at the damage that was done here, someone posted 'j00 h4v3 b33n 0wn3d' with a list of names at the website. And now White House officials are screaming and yelling that he caused two days of downtime to their internal and external networks. I'm not a sysadmin but I know enough to be able to say that a hacked webserver should not affect a well built network to that extent. Plus, this kid is 19 years old. In our current day and age, lets be happy that he was messing around in front of his computer rather then planning to bomb his school. What will 15 months in jail teach this kid, do you really think he will come out with some positive reinforcement.

Re:...

I completely agree with you here. By now we know that webservers are not the most secure of systems. We don't need it proved anymore. A simple email to the sysadmin would probably accomplish the same goal, if said goal were to notify people that their site's were insecure.

Aside from that, this is the White Houses website. It's not just Joe's Site About His Pet's.com. It's the whitehouse. The fine for spraypainting the side of a building in New York is probably much less than that for spraypainting the whitehouse. I know it's not the same, but an example needs to be made.

If someone does that, and expects that the FBI isn't going to be involved and that he's not going to be tracked down and therefore he won't face any consequences, well, this is Darwinism at it's finest.

Re:Computer Crime Sentencing

I'm not a sysadmin but I know enough to be able to say that a hacked webserver should not affect a well built network to that extent.

When something like this happens, the admins don't just go "ho-hum, let me just fix the web page.." The system likely had been root compromised. This automatically means the system in question needs its OS rebuilt from scratch. As this guy had root-level access to this system for a time, and his intentions were obviously less-than-honorable, it's also quite likely other systems on this network were compromised in a similar fashion.

Intrusions like this cost people money. They have to shut down their network connectivity (to prevent access to other potentially compromised systems), rebuild the operating systems on the affected machines, restore the content, and then restore connectivity. This is not cheap.

Now, I'm not going to argue about the differences between prison sentences with other crimes. Instead of comparing it with violent crimes as you seem to want to do, compare it with real-life charges similar in scope. Specifically, compare it with breaking into a U.S. government building and damaging/destroying property. I believe you'll find a similarity in sentencing.

It always boggles me that there are so many people on Slashdot that go out of their way to defend kids like this when they clearly did a premeditated intrusion into a private system/network with the intent to cause damages/harm. He should be punished, just like all of the other l33t packet kiddies out there who do the same thing on a daily basis.