Kuji Media Corporation Ltd.

Analysis Accused Pentagon hacker Gary McKinnon is continuing to fight against extradition to the US after losing an appeal last week.

Only the Law Lords now stand between the Scot and a US trial for allegedly breaking into and damaging 97 US government computers between 2001 and 2002 and causing $700,000 worth of damage, in what US authorities have described as the “biggest military” computer hack ever. He allegedly infiltrated networks run by the US Army, US Navy, US Air Force, Department of Defense and NASA. US authorities described McKinnon as an uber-hacker who posed a threat to national security in the aftermath of the 9/11 attack.

McKinnon (AKA Solo) admits he infiltrated computer systems without permission. The 41-year-old former sysadmin said he gained access to military networks – using a Perl script to search for default passwords – but describes himself as a bumbling amateur motivated by curiosity about evidence of UFOs. He said numerous other hackers had access to the resources he was using and questions why the US authorities have singled him out for extradition.

Any damage he did was purely accidental, McKinnon claims. If convicted, following extradition and a US trial, McKinnon faces a jail term of up to 45 years’ imprisonment.
Scapegoat

According to a reformed computer hacker accused of similar crimes 10 years ago, McKinnon is been made a scapegoat for the shortcomings of US military security.

Mathew Bevan, whose hacker handle is Kuji, was accused of breaking into US military computer systems but his 1997 case at Woolwich Crown Court was dropped after a legal battle lasting around 18 months. No attempt was made to extradite Bevan. After the case, Bevan became an ethical hacker and security consultant, first with Tiger Computer Security, and later on a freelance basis with his firm the Kuji Media Corporation.

“Both Gary and I were accused of similar offences. The difference is his alleged crimes were committed in a different political climate, post 9-11. The decision to push extradition in Gary’s case is political,” Bevan told El Reg.

Bevan, like McKinnon, has an interest in free energy and evidence of UFOs. The similarities in the case go further. The crimes Bevan is alleged to have committed were cited as evidence of cyberterrorism in US senate hearings in 1996. “They haven’t found a cyberterrorist or ‘bad boy’ for a while and it looks like they are trying to make an example in Gary’s case,” he said.

McKinnon should have been allowed to plead guilty in his own country and not be faced with the prospect of a long prison term in a US prison with “inhumane” conditions, Bevan argues.

He says the military systems McKinnon is accused of hacking remain vulnerable to attack. “I’m sure there are a lot of people on these machines, some of who the US authorities allow to get in.”

“The prosecution against Gary is about saving face for security lapses by the US military that remain as bad as they were 10 years ago,” Bevan said. “If this had happened with a corporation someone would have been sacked.”

He added that US authorities are keen to talk up the cyberterrorism threat in order to protect information security budgets.

McKinnon, unlike a US citizen who faced similar charges, is in a particularly bad situation. “The authorities are trying to rip him away from his family and ruin his life. Gary committed his alleged offences in the UK, and according to the Computer Misuse Act, jurisdiction lies here.

“Gary has suffered trial by media over the last five years, with everything weighed against him,” Bevan added.

Despite everything that’s happened to McKinnon, he reckons the case will fail to act as much of a deterrent to other would-be hackers. “Has it scared anyone? I shouldn’t think so,” Bevan said.
Final appeal

Lawyers for McKinnon are petitioning for leave to appeal to the House of Lords on grounds including the use of “deliberately coercive plea bargaining” tactics by US authorities during the course of the long running case. His lawyers argued that he had been subjected to “improper threats” that he would receive a much harsher sentence and be denied the opportunity to serve out the back-end of his jail term in the UK unless he played ball.

Appeal court judges Lord Justice Maurice Kay and Mr Justice Goldring criticised US prosecution tactics but said these didn’t offer enough grounds for appeal against the Home Secretary’s decision to confirm a 2006 ruling that McKinnon ought to be extradited to the US.

The unemployed sysadmin has had these charges over his head since March 2002 when he was arrested by officers from the UK’s National High Tech Crime Unit. The case against him lay dormant until July 2005 when extradition proceedings commenced. McKinnon has suffered ill health over recent months as a result of the stress caused by the case, according to his lawyers.

McKinnon’s supporters argue the case has wider political implications. “It is not just about Gary McKinnon, there are lots of other people, from computer hackers to legitimate businessmen, who will continue to fall foul of this sort of surrender of British sovereignty and obeisance before the extra- territorial demands of the US legal bureaucracy,” Mark, a member of London 2600 who runs the Free Gary blog, told us. “However the same lack of a requirement to show prima facie evidence also applies to European Union countries under the European Arrest Warrant,” he adds.

McKinnon’s lawyers chose not argue about whether he might be put on trial before a military tribunal but that this may well be argued in the House of Lords if leave to appeal (which is by no means guaranteed) is granted.

“Basically the judges have said ‘we have to trust the USA Government to act in good faith’, until they show that they have broken their promises – which will by then, of course, be too late for Gary McKinnon. Unlike Babar Ahmad or even any of the British citizens who were held without trial at Guantanamo Bay, Gary is actually accused of directly ‘attacking the US military’ systems,” Mark notes.

“Even if Gary faces a civilian court in the USA, his chances of being found not guilty or of getting a lenient sentence appear to be slim, given the prosecutions recommendations as to length of sentence.”

But the whole effort to try McKinnon in the US might backfire on the US military by putting its security shortcomings under the spotlight.

“If there is an actual trial in the USA, rather than a coerced or otherwise ‘plea bargain’, there are a large number of senior US military officers and civilian IT managers and auditors who are going to have to explain the incompetence or possible corruption or perhaps treason, which went on for years and months under their command, both before and after September 11,” Mark claims.

“Even if this is suppressed in court, it might lead to Congressional Committee hearings,” he adds. ®

For most people it must be hard to understand what confessed hacker Gary McKinnon is going through as the US attempts to extradite him to face trial.

But Mathew Bevan can definitely sympathise with Mr McKinnon because, ten years ago, he was in a very similar position.

As a teenager Mr Bevan became adept at breaking in to computer networks. At first any system was fair game but he soon started concentrating on those run by US military institutions.

Like Mr McKinnon he was caught, charged and threatened with extradition for what he had done.

Net losses

The knowledge he had built up hacking business, university and government computers helped find connections to military systems that he exploited to gain access.

Reading about how Mr McKinnon got started, Mr Bevan said he was amazed that security had improved so little between the time he had been exploring US military networks and when Gary McKinnon was hacking.

The same failings let both Mr Bevan and Mr McKinnon gain access to supposedly secure systems.

“It just shows that in 10 years nothing has changed,” he said.

The only difference is that in the time between the two cases the US government has been spending heavily to beef up computer security.

“Where have the budgetary increases actually been spent?” he asked.

Like Gary McKinnon, Mr Bevan was interested in information about UFOs and spent months combing networks in search of hidden data.

Mr Bevan can easily understand why Mr McKinnon kept hacking the same systems for so long when common-sense would have told him that his luck would run out sooner or later.

“You just feel like you are invincible really,” he said, describing the feeling he got when he successfully broke in to a network.

Once a hacker has won access to sensitive networks, the urge to keep on going to find more hidden information was hard to fight, he said.

“I liken it to perhaps the feeling that a parent might get if they find their child’s diary,” he said. “They know they should not read it, they know its wrong [but] they just cannot help themselves.”

Case closed

Eventually, US computer security investigators caught up with Mr Bevan, or Kuji as he was known, and he was arrested on 21 June 1996.

The US portrayed him as a dangerous potential spy rather than the teenager from Cardiff that he actually was.

He was held in a police station for 36 hours, charged under the Computer Misuse Act, and then freed to wait 18 months until the case came to trial.

It is a pity, said Mr Bevan, that the evidence against Mr McKinnon has not been exposed to scrutiny in court.

“I was almost gunning for my case to go to trial because of the amount of witnesses we had that were contradicting each other,” said Mr Bevan.

He added that there were “numerous” inconsistencies in the 40,000 pages of evidence submitted by the US that would have been good to mention in court.

“I can imagine that it would be the same in Gary’s case,” he said.

Although there were efforts made to extradite Mr Bevan, his case came to trial in the UK in 1998 but he was acquitted as it was judged not in the public interest to pursue the case. He now runs his own computer consultancy businesss.

Should Mr McKinnon face trial in the US and be sentenced to decades in jail, Mr Bevan feels such a sentence would be too harsh for what he has confessed to doing.

“Where is the leniency for admission of guilt?” he asked. “Let this guy talk to kids about how this trial has affected his life. Let this guy talk and discuss and explain, don’t send him to a punishment likely to be worse than he would receive in this country for murder.”

The verdict in the Gary Mckinnon extradition trial was really no shock to me considering the political climate. Lets face it, this is not about hacking or security this is about politics and money. Cynical? You bet I am, having been through an almost identical situation, very similar computer intrusions and similar motives – the only difference was I was pre-terrorism mania where everything and everyone is a suspect.

Think about this, almost a decade ago machines belonging to the military, navy, army etc were broken into and this was the proof Congress needed to show that cyber terrorism existed. An unknown spy running rings of computer hackers to steal secrets for foreign governments. The fact that I was not a spy, and certainly not “possibly the single biggest threat to world peace since Adolf Hitler” didn’t really make much of a difference to the fear machine that was put in place selling the idea that cyber terrorism was a real threat.

Millions of dollars in budget increases, that is where the difference occurred. If you take the threat to be real (which it certainly wasn’t back then and highly unlikely to exist today) then this raises questions, namely;

1. Where have the mega budgetary increases actually been spent?

Education cannot be one of them, as if machines are left in a state of ‘unpatched since install’, with unpassworded points of entry – I cannot see that the money has gone to the improvement of sysadmin skills or awareness of the problems of being online.

If you compare the awareness by consumers of security threats, people have seriously woken up to the fact that unprotected they are just sitting ducks to the onslaught of manual and automated attacks.

Phishing, hacking, spam, bots, virii, worms – the majority of home users now have firewalls, anti virus software, spyware checkers etc – all of which have a much lower budget than the military. I suspect that as governments, unlike corporate entities do not have shareholders to answer to. They do not have to explain why their machines were offline and money was lost, that in fact they can just blame budget instead of actually being proactive and moving with the times.

2. If in this case as in mine, there were clearly many other hackers

with access to the same systems at the same time, why have they not been prosecuted or even mentioned?

This seems to me to be more proof of my theory that so-called super hackers are hauled in front of the courts when it is convenient for their cases to be used for ore proof of computer insecurity and the need for greater budgetary increases..

3. Where are the administrators and their bosses in this case?

In this political climate, one of the dark looming threat from the bad men all around us (as we are constantly reminded), to not secure machines properly they have committed federal offences. It is surely not good practice to have machines, sitting on the Internet, unfirewalled, unpassworded containing alleged sensitive information – and most likely a direct violation of their contract and training.

This is a sysadmins first job, to change any default passwords or to set ones where they are not needed – and certainly ensure that those machines are sitting behind a firewall. I am not trying to say that Gary was attempting to test their security, but if this was a corporate environment the sysadmin would have some major explaining to do.

4. Is the fact that the USA are fighting so hard for extradition a dig at our legal system?

Gary has admitted his guilt and wants his trial to be in the UK, so why can’t he be tried here? Could this be to do with the fact that most computer crime here (financial gain notwithstanding) is dealt with by means of fines. Do the USA see us as a soft touch? This brings the idea of two scenarios;

– Gary being tried by a jury of his peers. They hear the evidence and consider the fact that the machines were badly administrated and this is taken into consideration when sentencing.

– Gary being tried in a foreign country by a jury that hears he has ‘attacked their country’ this is bound to have a bearing on the sentencing.

A possible 70 years in prison, for what exactly? showing that in a decade the USA military have not learned, or at worst, blatantly ignored the security threats around them when it is they who tell us every day that we should be afraid.

In my case I was never debriefed by any of the authorities that I hacked, never asking how I did what I did – never asking me to comment on my peers or related community. Gary says he is guilty, why are we going to punish this man further by sending him to a foreign jail which are known for brutality against inmates: [http://www.hrw.org/reports/2001/prison/report.html]

– where is the leniency for admission of guilt? Let this guy talk to kids about how this trial has affected his life. Let this guy talk to governments.. Let this guy talk and discuss and explain.. don’t send him to a punishment likely to be worse than he would receive in this country for murder.

The extradition bill is being tested right in front of your eyes, it is a blatant decline in our civil liberties and a worrying step forward for our so-called democratic society.

Mathew Bevan
www.kujimedia.com

Criminal gangs taking over from amateur hobbyists

Owen Bowcott, Saturday June 11, 2005, The Guardian

Gary McKinnon is deemed to be so deviously manipulative at the keyboard that he has been banned from using the internet. He is not even allowed a passport. The peculiar bail conditions imposed this week on the 39-year-old computer systems administrator from Wood Green, north London, suggest that the law enforcement community stands in awe of his technological prowess.

Until his next court appearance, due on July 27, the tousle-haired programmer, who is fighting extradition to the United States, has been ordered to stay away from any computer connected to the web.

Mr McKinnon has gained international notoriety for his alleged ability to break into scores of sensitive US defence computers, steal secret passwords, sabotage email systems and delete military files. In the hi-tech world of online hacking, however, he is perceived as one of a dying breed of amateur hobbyists – those the Americans deride as “script-kiddies”.

Despite US prosecution claims that he perpetrated “the biggest military computer hack of all time”, Mr McKinnon’s supposed achievements are by no means unique. The attempt to extradite him to answer charges in Virginia and New Jersey is far more unusual. Systems run by Nasa, the Pentagon and the Department of Defence have long been hackers’ trophy targets. His misfortune, apparently, was to get caught, and to have carried out his explorations shortly after September 11.

According to security experts, US military sites are not the most heavily protected on the internet. They rely on the deterrent threat of legal action rather than deploying highly sophisticated software or enforcing best practice among military personnel.

Mathew Bevan, another British hacker arrested for breaches of security at Nasa and US Air Force sites, found himself similarly demonised by US lawyers as “the single biggest threat to world security since Adolf Hitler” back in 1994. The case against him eventually collapsed. Like Mr McKinnon, he was also hunting for evidence about UFOs hidden on military installations.

Mr Bevan, now 30, is an IT consultant and living in Wiltshire. “The security on US military machines is probably not much better than it was back then,” he said. “There were plenty of military machines with sensitive information that had account names with no passwords. Others had been left with the standard default passwords used by the manufacturers.

“University systems and corporations are much harder to break into than military machines: universities because there are always students testing their skills, and companies because they have shareholders demanding better security.”

In Britain, the hacking subculture that nurtured Mr McKinnon’s talents has been driven underground by diligent enforcement of the Computer Misuse Act, which since 1990 has criminalised those who gain unauthorised access to computer systems.

Mr Bevan typifies the career trajectory once pursued by teenage hackers. After years hunched alone over a computer screen, and an infamous brush with the law, he has graduated to running his own company, the Kuji Media Corporation, which offers security and technology advice.

“Hackers are a dying breed,” said Mr Bevan. “Organised criminals have cottoned on to the potential rewards. There’s viruses and trojan programs flooding out of places like Russia and Bulgaria these days.

“I get people asking, ‘Why is my machine running slowly?’ And when you look, there are 300 viruses, bits of adware [advertising programs] and trojans mucking up the system. Internet service providers should really be doing deals with security firms to provide virus-free connections.”

Mr Bevan said he spoke to Mr McKinnon in 2002, “after he was first busted”.

“He’s only been selected by US prosecutors because he’s an excellent scapegoat. Maybe the amount of recreational hacking is the same, but the volume of people on the net means far more are involved in genuinely nefarious activities.”

“Pharming”, for example, is the latest threat to the integrity of internet banking services. It has emerged from Estonia in the past few months. This cunning electronic fraud may force banks to issue customers with a new generation of identity devices.

Unlike “phishing” scams – which rely on the gullibility of those who receive emails urging them to log on to sites purporting to be their online bank and confirm passwords and account details – pharming is more insidious.

Customers’ computers are infected by a trojan program – either delivered through an innocent-looking email or inadvertently downloaded from a fake advert on the internet. When the user tries to log on to the online account, the hidden program diverts the web browser to a seemingly identical site operated by criminal gangs in eastern Europe. Their electronic identities are captured, then used to empty the accounts.

“There’s discussions about whether banks will eventually have to give out security devices for customers to plug into their computers,” said Sandra Quinn of APACS, the banking industry’s payments organisation. “Barclays have already carried out trials.”

Last year, online fraud cost British banks ?12m, an increase on previous losses. That figure was dwarfed, however, by the ?150m taken via what is known as “card not present” frauds, where goods are purchased over the telephone using stolen credit cards or simply their numbers.

The array of online threats grows all the time. Denial of service (DoS) attacks, where firms’ email systems are bombarded into overload, are frequently accompanied by blackmail demands for cash to switch off the onslaught. Last year, the bookmaker William Hill was targeted and then received a demand for $50,000 (?28,000).

“Bot” programs enable computers across the net to be hijacked by remote users who in effect turn them into “zombie” machines which can be used in DoS attacks. Keylogging programs can infiltrate computers and record the keystrokes customers make in typing in credit card numbers or passwords. The criminals behind these attacks are based mainly in eastern Europe, it is believed, because law enforcement there is relatively slack and there is a plentiful supply of skilled but poorly paid programmers.

“It’s a classic low-risk crime,” said Ms Quinn. “We have seen some police action, however, and now we are getting phishing attacks coming from China.”

Threats have also been made to call-centre staff working in the financial services sector in Britain, in an attempt to force them to record and hand over customer account details. Many companies now prevent staff from using pens or paper when they sit at their screens.

The difficulty in penetrating banks has encouraged gangs to combine online techniques with strongarm tactics. The reported theft of computer backup tapes from US financial institutions while in transit to storage facilities has generated concerns about the security of millions of customers’ accounts.

An attempt earlier this year to steal ?220m by electronic transfers from the London headquarters of the Japanese bank Sumitomo was foiled, but it sparked alarm about criminals infiltrating banks to carry out insider robberies.

“Gary McKinnon appears to be an example of the type of hacking that people have moved away from,” said Felicity Bull of the National Hi-Tech Crime Unit, which investigates major computer crime in Britain. “We know that organised crime is now hiring IT-literate workers.”

Some law enforcement agencies now question whether the Computer Misuse Act needs to be overhauled, enabling it to be used to prosecute those involved in DoS attacks.

In Washington, the secret service is the force responsible for combating online fraud and hacking. “There are still plenty of script-kiddies out there bragging about what they’re doing,” one agent, Jim Dobson, told the Guardian. Some were still at high school, he said, adding: “There’s a huge amount of information out there.”

Other threats, such as gangs in Russia targeting financial institutions, or those in Asia carrying out intellectual property thefts, have eclipsed the old-style hacker community, he acknowledged.

The rise of mobile phone technology has provided fresh opportunities for a new generation of hackers.

Meanwhile, wireless computer networks have been found to be particularly vulnerable, said Paul Carratu, whose Surrey firm carries out penetration testing to assess security systems. “People are not using the encryption devices they should.”

Last month, two British hackers, Jordan Bradley, from Darlington, and Andrew Harvey, from Durham, who belonged to an Anglo-US group called the “Thr34t Krew”, pleaded guilty in Newcastle to computer crime offences. The TK worm they released exploited a weakness in web servers and caused up to ?5.5m damage to companies using the net. They now face possible prison sentences.

It may be too soon to write off the perverse ingenuity of British hackers.

The lingo and what to look out for

Trojan (horse) An innocent-looking program concealing destructive intentions.

Pharming Hijacking online bank customers by infecting web browsers. They are redirected to fake internet sites and asked to disclose account details.

Phishing Sending out emails telling online account customers they must reconfirm IDs and passwords. When they hit reply they are sent to a cloned web page.

Key logging Programs which record keystrokes and can be used to retrieve credit card and PIN numbers.

Malware Umbrella term for assorted malicious software programs which sabotage your computer.

Zombies Online computers that have been infected by trojans and can then be remotely controlled to churn out spam emails at targeted sites.

Bots Programs used to infect and control computers which are then turned into zombies.

By Margaret Ryan – BBC News

As a Briton faces possible extradition to the US for alleged computer crime, a former hacker, whose prosecution collapsed, talks about the lure of breaking into systems.

Matthew Bevan had stood accused of mounting a determined “information warfare” campaign against the US air force and leading defence contractors in 1994.

The case against Mr Bevan collapsed
US Senate hearings were initially told the security breaches were the work of highly skilled foreign agents.

Mr Bevan, whose hacker alias was Kuji, was charged with conspiracy and faced accusations of being an Eastern European spy.

But the truth was somewhat more prosaic, said the 30-year-old computer consultant.

“I was just a kid in my bedroom hunting for UFO information.”

Then a computer programmer for an insurance firm, he says he had previously been bullied and had felt ostracised by his peers.

“But the computer system was a place where I was king and showed power.

“In the real world I had none and I was quite defenceless. I didn’t deliberately cause any damage.”

Thrill of the chase

But the amateur hacker’s pastime landed him in court in the UK after his activities came to the attention of the US authorities and the British police tracked him down.

Mr Bevan can only talk about his own experiences – but his case, he believes, was overblown from the start as he was portrayed in the States as a spy running rings of spies.

It’s like a parent finding their child’s diary. You know you shouldn’t look at it but you just can’t help yourself

“At the time I was ‘the single biggest threat to world security since Adolf Hitler’,” he said.

By the time his case came to court the allegations made against him had died down.

The case against him finally collapsed in 1997 after the judge was told he posed no threat to security.

Another, a 16-year-old defendant, was fined £1,200 after admitting breaking into a number of US military systems.

Mr Bevan, who now lives in Wiltshire, freely admits that, for hackers, successfully breaking into systems provides an ego boost.

Reports claiming that UFO were being held secretly at American military installations had set the young hacker down the path of trying to find out more.

“It’s an adrenalin rush. It’s like a parent finding their child’s diary.

“You know you shouldn’t look at it but you just can’t help yourself.

“You know it’s wrong but you still do it. It becomes addictive,” he explained.

Competitive element

More than a decade on Mr Bevan understands the havoc hackers can cause in compelling companies to install more security, but resents the suggestion his actions were done out of malice.

“It’s like a spider’s web – once you break into one machine you can compromise a few accounts.

The search for UFOs prompted Mr Bevan’s hacking

“You may go into a machine not with the intent to find anything but just as a staging ground for another computer system.”

“It’s a case of ‘how many computers can I hack into in two hours?’ We used to have competitions.”

But he claimed hackers had been “tainted” by the rise in identity theft and viruses.

For the hacker, he argued there is an ethical code that information should be free and there are strict rules about using that information.

He believes companies have to accept some responsibility for hacking, arguing insurance firms would not generally pay out on insurance claims if it could be shown that not enough care had been taken in guarding against it.

To this day he believes his arrest was politically motivated, suggesting hacking cases make headlines when companies want funding to fight cyber crime.

“In my cynical view the powers that be decided ‘we’ll have you two and make a good example of you'”, he said.

Childhood pursuit

He says he had already left hacking behind him before the day he was arrested at work.

Since his case was dropped the world of hacking has changed but he believes the potential for disruption remains stronger than ever as young people become ever more computer literate.

“When I was doing it people didn’t have net access in the UK. I was dialling up to the States,” he said.

For many hacking is a young person’s pursuit that they eventually grow out of, he suggested, but before they do the potential for disruption is incalculable.

“They [children] are smart and can develop skills that adults can’t keep up with,” he said.

A British man who allegedly hacked into US military and Nasa computer networks has been arrested, say Scotland Yard.

Gary McKinnon, 39, of Wood Green, north London, faces extradition proceedings over claims he hacked into 53 military and Nasa computers in 2001 and 2002.

The US government believe tracking and correcting the alleged problems has cost around $1m (?570,000).

Mr McKinnon is being held at a central London police station and will appear at Bow Street Magistrates Court.

Mr McKinnon was arrested by officers from the Metropolitan Police Service Extradition Unit on Tuesday night around 1830BST.

Mr McKinnon is charged with the biggest military computer hack of all time

The unemployed computer systems administrator, who is known on the internet as `Solo’, is due to appear in court on Wednesday.

He is accused of hacking into computer networks operated by Nasa, the US Army, US Navy, Department of Defence and the US Air Force.

One of the networks belonged to the Pentagon.

If he is extradited and found guilty, Mr McKinnon faces a maximum penalty of five years in prison and a ?157,000 fine.

The Briton was indicted in 2002 by a Federal Grand Jury on eight counts of computer-related crimes in 14 different states.

It claimed that he hacked into an army computer at Fort Myer, Virginia, obtained administrator privileges and transmitted codes, information and commands.

Unauthorised access

He is accused of then deleting around 1,300 user accounts.

The indictment alleged Mr McKinnon also “deleted critical system files” on the computer, copied a file containing usernames and encrypted passwords for the computer, in addition to installing tools to gain unauthorised access to other computers.

A loss of over $5,000 (£2,725) to the Army stemmed from the alleged damage, according to the indictment.

At the time of the indictment, Paul McNulty, the US Attorney for the Eastern District of Virginia, said: “Mr McKinnon is charged with the biggest military computer hack of all time.”

http://news.bbc.co.uk/1/hi/uk/4071708.stm

Channel 4 – The Heist.. got 1.7 million viewers for each episode..

Wasn’t quite what I had hoped for, but hey.. you do the show you put your life in the hands of the directors and editors… wasnt too bad.. but apparently most of what I said and did had to be cut out for “legal reasons”… bah…. Look out for some snippets on this site someday of the bits “too hot for tv”… 80)

Ok, so I may be lazy and not update this site (All you studying A Levels– work harder than I did heh) I have been busy, and there is a three part channel 4 programme due soon.

Channel 4 broadcast date (may change) of Mon.July 12th 9pm. Programme will be called ‘Cat and Mouse’ or ‘The Heist Society’..

Basically a group of ‘experts’ are brought together and set a task of performing a robbery under strict conditions and as real life as possible. Very similar to performing penetration exercises, only the top brass know whats going on.. so essentially it *IS* a real life test of the organisation.

Each episode covers a different robbery/task… and in each I am the technology guru / hacker…. tune in and let me know… nothing like a bit of James bond — (G.Morgan would be proud !!)

Apart from that there are sure to be some interesting things popping up after that… I might digitise some of the older progs I have done and put them up, for old time’s sake..

By Ted Bridis, The Associated Press Apr 29 2003 2:08PM
British authorities arrested a man Tuesday believed to head a group of hackers known as “Fluffi Bunni,” which used a stuffed pink rabbit to mark attacks that humiliated some of the world’s premier computer security organizations.

Fluffi Bunni captured the attention of the FBI just days after the Sept. 11 terror attacks, when thousands of commercial Web sites were vandalized with a single break-in that included the message, “Fluffi Bunni Goes Jihad.”

The FBI characterized the act in a November 2001 report as an anti-American cyberprotest against the war on terrorism.

Lynn Htun, 24, was arrested by Scotland Yard detectives on outstanding forgery charges while attending a prominent trade show in London for computer security professionals, InfoSecurity Europe 2003, authorities said.

British authorities did not mention of Htun’s alleged hacking. A U.S. official, speaking on condition of anonymity, said Htun is wanted in America in connection with a series of high-profile hacking cases blamed on Fluffi Bunni. Investigators believe Htun was the group’s leader and referred to himself as Fluffi Bunni, the official said.

Authorities in London indicated they would release more information Wednesday about Htun’s arrest, although the continuing investigation into Fluffi Bunni hackers was sensitive and other arrests could be possible.

Fluffi Bunni embarrassed leading Internet security organizations by breaking into their own computers and replacing Web pages with a message that “Fluffi Bunni ownz you” and a digital photograph of a pink rabbit at a keyboard. The attacks, which began in June 2000, lasted about 18 months, then stopped mysteriously and created one of the Internet’s most significant hacker whodunits in years.

“I thought he’d never be caught,” said Jay Dyson, a consultant who formerly helped run one of the victim Web sites. “He was clever and had the patience of a saint. The targets he chose were ones that were really high profile, and ones you’d think would be above reproach when it comes to issues of security.”

Victims have included the Washington-based SANS Institute, which offers security training for technology professionals; Security Focus, now owned by Symantec Corp.; and Attrition.org, a site run by experts who formerly tracked computer break-ins. Other victims included McDonald’s Corp. and the online security department for Exodus Communications Inc., now part of London-based Cable & Wireless plc.

“The guy was playing a game of `gotcha.’ He wanted to prove that even firms that specialize in security can be hacked,” said Mark Rasch, chief security counsel for Solutionary Inc. and a former Justice Department cybercrime prosecutor. “It’s like someone who robs banks to prove that banks can be robbed.”

Brian Martin, who ran the Attrition site with Dyson and others, said Fluffi Bunni quickly generated a fearsome reputation across the underground because of the group’s choice of targets. Martin determined that a hacker broke into another user’s computer, allowing him to assume that person’s digital identity and briefly take over the Attrition site with a Fluffi Bunni message.

“He would break into companies that are there to secure you,” said Martin, who never reported the crime to the FBI. “It’s a challenge, and there’s some irony behind it.”

Targets frequently were attacked indirectly. Instead of trying to break into the heavily protected Security Focus Web site, someone hacked an outside computer that displayed advertisements on the site. The ads were replaced with taunting messages and images of the pink rabbit at the keyboard.

Copyright 2003 Associated Press. All rights reserved.
This material may not be published, broadcast, rewritten, or redistributed.

http://www.securityfocus.com/news/4320

By John Bynorth and Hugh Muir, Evening Standard
13 November 2002

A London computer expert conducted a spectacular operation to hack into systems at the Pentagon and throughout the American military, it is claimed today.

Jobless programmer Gary McKinnon, 36, is facing extradition for prosecution and could be sentenced to five years in the US over what is being described as the “biggest hack of military computers ever”.

His activities are said to have cost the US government $1million. He faces eight charges of computer-related crimes after being accused in federal courts in Virginia and New Jersey. These include break-ins over 12 months at 92 US military and Nasa networks across 14 states.

McKinnon, known on
the internet as “Solo,” is also accused of hacking into the networks of six private companies and organisations. Prosecutors say he gained access to sensitive files causing the shutdown of the entire network that serves 2,000 people in Washington’s military district.

McKinnon, who until recently lived in a flat in Hornsey, north London, is also alleged to have broken into two army computers at the Pentagon, other military intelligence computers, and is suspected of crashing systems at a navy base after the 11 September terror attacks last year. He could also be fined ?157,000 if found guilty.

A specialist British police squad helped with the operation to charge McKinnon, who investigators believe acted alone and does not have terrorist links.

It is rare for extradition proceedings to be sought in hacking cases but US prosecutors say these crimes are so serious that they have little option.

Neighbours today claimed McKinnon has fled to a secret address in London.

US attorney Paul McNulty, who outlined the charges at a press conference in Washington yesterday, alleged McKinnon searched for US military and Nasa computers that were “open for attack”.

But some civilian experts expressed astonishment that so many US military systems were so vulnerable to techniques derided by many hackers as simplistic.