The NASA hacker: Scapegoat or public enemy?

Summary: An unemployed North Londoner has been accused by the US government of committing the biggest military computer hack of all time, while authorities in Britain chose to release him without charge

TOPICS: Security

Gary McKinnon has a lot to worry about. His job prospects are bleak. He will shortly have to leave his home in North London and could be facing up to 70 years in a US federal prison — a prospect that terrifies him.

His actions have been well recorded. Over a period of years he managed to bypass the security of what should be the most sophisticated IT systems on the planet, many of which belong to the US Department of Defense (DoD) and NASA.

That was back in 2002 and he has already been investigated thoroughly by the legal authorities in this country and released without charge. No one in the UK justice system considered him a threat. But the slow-working cogs of the US legal system have finally clicked into action, leaving him hanging in limbo awaiting an extradition hearing later this month.

The unemployed UFO enthusiast was, metaphorically speaking, able to walk right in, look around and make himself at home in what are supposedly some of the most secure systems in the world. Although breaking into the DoD required a combination of ingenuity and hours of mindless drudgery, ultimately it was the "dangerously lax IT systems" that made it possible, he claims. And as for the "minor" damage to the systems concerned, it was not deliberate but happened accidentally while he was trying to cover his tracks.

McKinnon, now 39, admits that there was a period of his life when he was "addicted" to computers. It threatened his life, his health and his relationships at the time, but he couldn't leave them alone.

His interest in IT was sparked, as it was for many others, by an interest in science, science fiction and the unknown. It was the search for proof of extraterrestrial life and a potential cover-up around the events of 11 September, 2001, that led him to the restricted government sites to begin with.

His story raises some critical issues around the rights of British citizens accused of committing a crime in the US, the state of IT security internationally and the possible existence of antigravity technology in a US military establishment.

Q: Why do you think the US authorities behaved the way they did, with an extradition order?
A: Well, the reason they give is that I, on my own, closed down the entire metro district of Washington for a few days, including a weapons station, which I dispute. My thing was being quiet and not being seen and getting the information out. And also, when I was there, you do a NetStat routine and you see all the other connections to that machine and there is a permanent weakness for foreign hackers because their security is not even lax, it is non-existent. You wouldn’t believe it.

They might claim that by installing a remote control program, I opened them [the systems] up, but the access was already there. I didn't even have to crack passwords.

Q: What about the damage you are said to have caused?
A: What they call damage is really just them realising that they have been accessed without authorisation. Then they say things like I deleted 300 users, deleted systems files and such. That was one instance when I did a batch file to clean up all my stuff. I think once and only once, though perhaps I ran it on the root drive of the "c:" drive. But it certainly wasn’t every machine I was on and, if you believe them, they talk about 94 networks being damaged.



Colin Barker is based in London and is Senior Reporter for ZDNet. He has been writing about the IT business for some 30-plus years. He still enjoys it.

  • wow...
    I'm wondering if the IT group is just stupid or overworked. I understand sometimes the business needs are put ahead of the IT needs and things are left in an insecure way but this.... The US Gov't has acknowledged this security lapse. So now we know. The scary part is wondering what we don't know....

  • Accusing someone else of something wrong while you yourself are also in the wrong is the usual defense of those that don't seek to learn from their mistakes. Scapegoat, cover-up, etc. comes to mind.

    As such delivering the whistle blower into the hands of those that should really be accused seems mighty counterproductive to me. If they seek to learn they should ask. Ask nicely. If however they seek a means to satisfy their frustrations then they should not be rewarded in such.

    Because the real question is still: how could anyone (maybe still?) come so far for so long? What was it that gave them that false sense of security anyhow? And might others be at risk of the same danger? How are things done at high security installations within the EU? Similar to the US perhaps? If so we have a situation in need of some serious decision making.
  • Why is this guy getting so much coverage and credibility on this site? He is a criminal, sure people argue that his hacking was maligned and just driven by curiosity about aliens, nevertheless the guy committed a crime in full knowledge that he was committing a crime. Also I don't buy the whole "showing up the flaws in the security" argument it does not apply to the non virtual world so why does it apply to the cyber world?
  • Anybody else smell a honeypot here? SysAdmins with no passwords, apparently lots of (far too) juicy information, hackers from all over the world poking around for years. Certainly keeps the attention away from the genuine parts of the network...
  • So, let's celebrate the criminal's actions and put on trial the victim. Everyone is a strategy expert after the football or soccer game is over!
  • Sigh. The man isn't a genius. So either something is seriously wrong with the network security mentioned or the US is looking for a fall guy. Maybe both.

    Until it's perfectly clear what happened exactly the man shouldn't be handed over to people that at the moment seem to have other things in mind than justice and getting their act together. If we are to believe their story.

    Or would you call sending a man to a US prison for maybe 70 years for basically walking through an open door and looking around justice?

    No. If there's proof then the man should be trialed within his home country first. The last thing needed is some sort of a cover up soap series like trial in the US. You know, with a jury of equals and such. Yeah right.
  • >What were you doing prior to the most recent arrest?
    >I wanted to get the trailing documentation to screw the Americans.

    Gary himself claims of never saying such thing. And on another subject, netstat isn't a hacking program for god's sake, IT'S BUNDLED WITH WINDOWS!!!
  • There should be NO TOLERANCE for this behaviour.

    Hackers are a form of cyber-terrorism and should be fought with full force of the law and be shown to other potential hackers what their destiny will be.

    Calgary, AB
  • With this action of extradition to the U. S. by a government, appears to be a paramount example of BAFFLEGAB to cover up the technical shortcomings of the associated departments. They do not wish to acknowledge that an individual had access to all the systems by putting him before the judge. If he is extradited a lot of dirty linen will be exposed and they may try a plea bargain to cover their problems with fast footwork. This is at the point where a lot of U. S. citizens should stand up to be counted as it was their Government's shortcomings that left it all vulnerable and that is where the accounting report should go, to a US Citizen.

    [Please be sure to display this comment]
  • This is a graphic demonstration of BAFFLEGAB on the part of the U. S. Legal system due to their coverup of their own shortcomings on protecting sensitive systems. They are using the laws for their own benefit and not for society in the States. If Mr. McKinnon is extradited it will be a bad mark for Mr. Blair at Number 10

    Hackers can be GOOD! Look at Microsoft, they hired some of the best computer experts in the WORLD!

    And many of them are in fact HACKERS!

    Also there are "white hat hackers" out there who only hack for the good. In the sense they will try to hack systems/networks to HELP IMPROVE THAT SYSTEM'S SECURITY!

    Without hackers you will not be able to beat the hackers. Microsoft is far from the only company out there who hire hackers and or take advice from hackers to help improve security.

    So you see there are hackers who do it for the good of us all. And not all hackers are bad like the "script kiddies" or "black hat hackers".

    So please know what you're talking about before making statements like "ALL HACKERS ARE BAD".

    And I bet the NASA had their systems checked over for security after this hack. So what's bad about that?

    Without this hacker, all that information could be open to worse people who could use that information against countries. People may have been killed, secrets outed.

    I think some hackers are good, and others are bad, and others just like to nose around for free software.
  • Harold F. Pickering I totally agree with you. But I'm sad to say the US GOVERNMENT aren't the first and won't be the last to use the legal system for their own purpose.
  • This is hardly the 1st time that a non-American has waded into NASA. It's been going on for ages. The US Government's WATS phone system has to be one of the least protected entrances into the backend of US Government servers. The US should be paying hackers to point out their fallibilities instead of doing their usual and condemning the rest of the world as terrorists.
  • Scapegoat - UK has had all our secrets since they retained instead of discarding some ENIGMA code machines.
  • All very nice but check your current affairs knowledge Gary: currently, there are no dictatorships in Latin America.
  • This sounds very familiar, stories such as Kevin Mitnick, North California University, Cisco, and NASA.

    I can't tell you how easy it is to confuse what is openly seen with an attempted possible threat, I remember the days of monitoring firewall logs and finding automated zombied computer inbound intrusion attempts via other computers close by on the ISP's network from compromised machines that displayed a legit IP but not from the actual person's machine, just harmless victims that had a high possibility of being accused of something way above their understanding by those which have no idea what they are talking about to begin with.

    It's easy to point the finger and internet security is still not fully established but it's getting there, the concept of gaining access back then and breaching security was as simple as clicking on a hyperlink that came up in a search engine result not even related to whatever you were really looking for that took you somewhere to a website or webpage you didn't necessarily totally understand, you just kept clicking and reading then move onto the next subject as there was no total password protection, this wasn't due to hacker intelligently compromising a website that had the ultimate security via a well known company that falsely and openly quoted protection it didn't really offer like other companies that was only in theory at that time, it was due to poor website design, poor search engine results, and accidentally walking into Dillards instead of JCPenny's.

    Imagine back then you type in AOL to bring up the main AOL website in a search engine only to find nothing but a secret project deemed "The new and improved AOL, click here to access the new/current website featuring the latest information and news", then you click on the link and it takes you to a link related to an investigation of Charlie's Chicken and KFC, you click a link on KFC and it takes you straight to UFO investigation website and something related to JFK, you click on another link and it takes you to a University such as Polytech University, click another link it sends you back to NASA, that same week you see on TV someone illegally accessed Polytech University and KFC and they are still wondering who shot JFK.

    Not only that, often when you hear of a person charged with hacking you hear of how much money was lost, and it's usually some very high figure estimation, this along with a very high prison term, now when I hear something like that I begin to wonder what it was they were really hiding to give such high figures, maybe it's just to scare teens into not wanting to become hackers, dunno, but one thing's for sure, these days, actual losses from hacking unless dealing with deep financial or identity theft would be minimal at best, I mean most things are solved with a restore and a reboot these days, and data loss is becoming rare.

    My biggest point is, if they can gain access to a secure system, the person that's at fault is the person that didn't configure the system correctly or the person that designed the security didn't properly design it, for example, let's say a parent has a gun, the parent, the gun needs to be locked up securely so kid doesn't get ahold of it, the parent doesn't use a lock and one day the kid gets ahold of gun and there's an accident the kid was playing with the gun, well, whose fault is it? You think if the parent locked the gun cabinet the kid might not have gotten ahold of it? If the kid got 70 years for the parent's mistake that would be shocking.

    In this case, the kid admitted to possibly doing damage to at least 1 machine, this doesn't mean he deserves a life sentence or the death penalty and I can understand why the British would let the kid go in this case, hopefully, there was a lesson learned by everyone on this.