Forgot your password?
typodupeerror
Security Idle Your Rights Online

Hacker Posts His Crime On YouTube, Lands In Jail 176

Posted by samzenpus
from the bad-ideas dept.
wiredmikey writes "A former contract security guard who admitted hacking into a hospital's computer systems (where he worked), was sentenced to 110 months in Federal prison. Why did he do it? He admits that he intended to use the bots and the compromised computers to launch DDoS attacks on the websites of rival hacker groups. The FBI says he posted video of himself hacking into the hospital computers on YouTube — While the theme of 'Mission Impossible' played, he described his hack, step by step, including the insertion of a CD containing the OphCrack program, which allowed him to bypass all security. The FBI found the CD containing the OphCrack program in McGraw's house and found the source code for the bot on his laptop."
This discussion has been archived. No new comments can be posted.

Hacker Posts His Crime On YouTube, Lands In Jail

Comments Filter:

  • "FBI agents have raided the homes of three alleged members of a hacker gang that harassed a security expert who helped put the group’s leader in jail, according to a recently unsealed search warrant affidavit.

    Jesse William McGraw, aka “GhostExodus,” pleaded guilty in May to computer-tampering charges for putting malware on a dozen machines at the Texas hospital where he worked as a security guard. He also installed the remote-access program LogMeIn on the hospital’s Windows-controlle

    • by chemicaldave (1776600) on Wednesday March 23, 2011 @03:55PM (#35591008)

      Has "security researcher" become the code for for confidential informant? Why else would the "researcher" go out of his way to "inform" the FBI?

      If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

      Why do articles even call them "security researchers"? Now if this guys job is to investigate hackers, then he should be called a "cyber crime investigator". It's disingenuous to call an a cyber crime investigator/cybercop detective a security researcher. What is with this trend?

      Who cares if the person was a "security researcher" or "cybercop detective"? What's it matter?

      And what is the official function of a security researcher? Are they informants? I'd think maybe not if they aren't pretending to be outlaw/blackhats, so I cannot put them in the obvious informant/snitch category that albert gonzalez [wikipedia.org] is in. An informant/snitch generally is someone who is a criminal hacker or member of a crew, who betrays his or her own crew to provide information to another crew (usually the police). Albert Gonzalez fits the definition of a snitch, the worst kind.

      You took the term "security researcher", substituted your own definition of "confidential informant", and then hinted that the person might be a snitch...

      • The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

        And yes, the only way to enforce laws effectively is for crimes to be reported effectively. It's unfortunate that so many people think that reporting a crime is cause for immediate public execution, but the attitude will be there so long as there is no effective punishment for violently repressing anyone willing to call 911.

        • The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

          We're not talking about the mafia. This is a dumbass script kiddie.

          • by scubamage (727538)

            The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

            We're not talking about the mafia. This is a dumbass script kiddie.

            The problem is sometimes, we are talking about the mafia.In this case you're correct, its just a script kiddie, but not always.

        • by elucido (870205) *

          The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

          And yes, the only way to enforce laws effectively is for crimes to be reported effectively. It's unfortunate that so many people think that reporting a crime is cause for immediate public execution, but the attitude will be there so long as there is no effective punishment for violently repressing anyone willing to call 911.

          That is not the situation at all. Being a witness to a crime is not the same as being a snitch. A snitch knows the individuals who committed the crime, had the trust of these individuals, and betrayed them. I'm not saying the guy who found the photo and reported it to the FBI is a snitch like Albert Gonzalez and I'm not saying someone who witnesses a crime is snitching. You do risk your life and limb as a witness but it's not betraying anyone or harming your friendships to be a witness so the stigma is only

          • by avgjoe62 (558860)

            It's an old saying, but true none the less - there is no honor among thieves.

          • by khallow (566160)

            But if you are just a researcher then your interest is purely academic, so what would you have to gain by reporting every crime you see?

            As a scientist, you have an ethical obligation to report particularly dangerous crimes. Sounds like this guy was boasting about coopting his hospital's systems and using them to fight other bot nets. That has a potential for killing people that compromised computers normally don't have.

            • As a scientist, you have an ethical obligation to report particularly dangerous crimes. Sounds like this guy was boasting about coopting his hospital's systems and using them to fight other bot nets. That has a potential for killing people that compromised computers normally don't have.

              This seems to imply that there are crimes you don't report. Is there some sort of ethical standard for what gets reported and what doesn't or is it left to the judgement of the scientist?

              • by khallow (566160)

                This seems to imply that there are crimes you don't report.

                And that can indeed be the case. For example, I read of an economics researcher who studied a US street gang who was heavily involved in cocaine and crack dealing. One of the conditions for their cooperation with him was that he wouldn't report their involvement in a variety of crimes (such as drug possession, tax evasion, and violations of US labor law). I think he would still be ethically obligated to report to the police any serious crime he witnessed like assault and battery, murder, etc.

                Is there some sort of ethical standard for what gets reported and what doesn't or is it left to the judgement of the scientist?

                I doubt there's

          • by tehcyder (746570)

            So it's simple. If you are a cyber crime investigator, then don't pretend to just be a "researcher".

            Are you fucking retarded? Do you think undercover organized crime investigators should wear "Hi! I'm in the FBI!" t-shirts to avoid confusing the poor mafiosi?

        • by iamhassi (659463) on Wednesday March 23, 2011 @05:36PM (#35592318) Journal
          "The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?"

          But... he is a security researcher, here's his security [mcgrewsecurity.com] websites [dissectingthehack.com] and his LinkedIn says he has a PhD in Computer Science and works at the Mississippi State University Center for Computer Security Research (CCSR). [linkedin.com]

          I'd say he's qualified. I don't understand why parent automatically assumed he was just an informant. If you're a private detective and with PhD in Criminal Forensics and you see a felony take place wouldn't you call the police? Would /. then assume you're simply an informant instead of being the private detective that the article correctly identified you as being?
        • by cdrguru (88047)

          The way for inner city youth is to follow the rules: Stop Snitching.

          If they don't pay attention to the rules, they will run afoul of folks whose livelihood they are impacting. And probably end up as another statistic on how hazardous it is for minorities in the inner city.

          Of course, you are correct that the only way for law enforcement is to have snitches. If they are subsequently beaten, tortured or killed it isn't the fault of law enforcement but our own sick, twisted society. It comes down to who do y

          • by mug funky (910186)

            possibly because cops spend all day with robbers and quite often the robbers tend to get paid better, which opens the cops up to turning a blind eye to some of the robbers in return for protection from arrest...

        • by mug funky (910186)

          this.

          of course, there needs to be discretion.

          some crimes are so severe that if you have knowledge of them you need to report them to get the perpetrator off the street, or you'll be enabling the criminal.

          a script kiddie isn't in that category for me though. more like a rapist.

          • by tehcyder (746570)

            a script kiddie isn't in that category for me though.

            But a script kiddie fucking around with a hospital's systems is something else.

      • by bmo (77928)

        >If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

        It's not like calling in a break-in of someone's house. I've done that myself. Called it in while I was watching across the street, and identified the bad guys while talking on 911 and later as I sat in the police car and the cop shined a light on them (they were caught).

        Cops know how to deal with that. Clear cut, simple.

        But to call in a computer security problem? To people who d

    • Re: (Score:2, Interesting)

      I don't think you understand how whitehats think. They think they are talented superhero vigilante crime fighters. I've known a few in my time, and they are frequently the kind of Eagle Scout archetype of a neighborhood watch captain. They have no real official power, but they get off on being "the good guys" and will turn in anybody for anything. It's a terrible combination of boredom, a modicum of skill, and an underdeveloped legalist sense of ethics.

      At the same time, blackhats like GhostExodus are path
    • by doomy (7461)
      This seems to be their YT channel - http://www.youtube.com/user/XxxxETAxxxX [youtube.com]
    • by westlake (615356)

      An informant/snitch generally is someone who is a criminal hacker or member of a crew, who betrays his or her own crew to provide information to another crew (usually the police). Albert Gonzalez fits the definition of a snitch, the worst kind.>/quote?> There is no honor among thieves.

      The hacker trades in secrets - and there is no bigger secret than the identity of other hackers.

      • by elucido (870205) *

        An informant/snitch generally is someone who is a criminal hacker or member of a crew, who betrays his or her own crew to provide information to another crew (usually the police). Albert Gonzalez fits the definition of a snitch, the worst kind.>/quote?>
        There is no honor among thieves.

        The hacker trades in secrets - and there is no bigger secret than the identity of other hackers.

        If someone is a friend, or is family, and you know ratting them out will put them in prison where they'll be ass raped for a decade, what kind of person are you if you give their identity to the FBI?

    • Has "security researcher" become the code for for confidential informant?

      No. The guy is literally a PhD student who studies computer security.

      Why else would the "researcher" go out of his way to "inform" the FBI?

      I don't know why "inform" was in quotes. He did it because he saw that an HVAC system at a hospital was compromised, and thought that could pose a danger to human beings. He called the police and FBI with information about who had done it. And considering that the person with remote control of t

  • That's not that bad. People could get much worse for having the police catch them with crack in their home!

    • by elucido (870205) *

      Thats not bad? Do you know how many years that is? Thats terrible.
      He got caught so he has to do the time, but 110 months is around 9 years.

      • by Reilaos (1544173)

        Gonna kill a joke by explaining it, but dealing with crack cocaine can get you 6-20 years.

    • That's not that bad. People could get much worse for having the police catch them with crack in their home!

      Yeah, and in countries where they cut off your hands for stealing, you should be grateful they don't just cut off your head like in other places!

    • by WrongSizeGlass (838941) on Wednesday March 23, 2011 @04:26PM (#35591502)

      That's not that bad. People could get much worse for having the police catch them with crack in their home!

      That sentence is the least of his problems. Wait until the MPAA & RIAA find out he used the theme from 'Mission Impossible' in his YouTube posting without paying the appropriate licensing fees.

  • by gurps_npc (621217) on Wednesday March 23, 2011 @03:45PM (#35590844) Homepage
    Step 1) Post a video of yourself committing a crime

    Step 2) ????

    Step 3) Jail!

  • This question goes out to security researchers. When is it a good idea to inform the FBI of a crime? Does it depend on whether or not you are white hat, black hat, grey hat? Does it depend on whether or not you are in the same crew as the person, or know the person? And if you do, does it remain just research or does the function of the security researcher change to investigator?

    I keep seeing various different job titles, security researcher, cyber crime investigator, cyber cop, cyber warrior, and I do not

    • by Dr. Evil (3501)

      It's like accounting. Your superiors make the call, and you have an ethical decision if they don't do the right thing.

      Although.... accountants have tighter laws and professional bodies to revoke designations. Security will get to the same point in the next 10 or 20 years.

    • This question goes out to security researchers. When is it a good idea to inform the FBI of a crime? Does it depend on whether or not you are white hat, black hat, grey hat? Does it depend on whether or not you are in the same crew as the person, or know the person? And if you do, does it remain just research or does the function of the security researcher change to investigator?

      I keep seeing various different job titles, security researcher, cyber crime investigator, cyber cop, cyber warrior, and I do not understand the different inherent functions of these terms. At the same time you have obvious professional betrayers like Albert Gonzalez being called "agents" and "heroes" by the feds in one sentence and then later on the feds are locking him up and he's a dirty rotten snitch greedy scoundrel.

      So which security researcher, hacker, or cyber crime investigator wants to clear up exactly the different functions and roles?

      Actions define people, not titles. You obviously already know this, why bother using it as an excuse to get on your soapbox? No one cares what they call themselves, except maybe them.

    • It likely has less to do with their title and more to do with who they work for. If they work for the federal government directly, at an agency, they might be compelled to submit this information. If they work for a government funded, third party organization, perhaps it's in a contract. They may work for a totally private organization or free-lance in which case they likely have full discretion. Or maybe the "informant" was just a disgruntled acquaintance.
      • that they must submit it the information, in my opinion it should be submitted to the person directly above them and that person should decide whether to submit it to the government or not. I just want full disclosure. If some security researcher is collecting information about me, shouldn't I know that they might give it to the government if the government asks for it?

        Anyway if it's in the contract or a part of their job title and definition then nobody can accuse them of being an informant, and at the sam

        • that they must submit it the information, in my opinion it should be submitted to the person directly above them and that person should decide whether to submit it to the government or not. I just want full disclosure. If some security researcher is collecting information about me, shouldn't I know that they might give it to the government if the government asks for it?

          How delusional are you? You pretty much waive this right when you willfully submit that information to the public. If I see evidence of you doing something illegal and then you post a video of yourself committing a crime in Youtube, you've pretty much waived all rights to disclosure.

          • by elucido (870205) *

            that they must submit it the information, in my opinion it should be submitted to the person directly above them and that person should decide whether to submit it to the government or not. I just want full disclosure. If some security researcher is collecting information about me, shouldn't I know that they might give it to the government if the government asks for it?

            How delusional are you? You pretty much waive this right when you willfully submit that information to the public. If I see evidence of you doing something illegal and then you post a video of yourself committing a crime in Youtube, you've pretty much waived all rights to disclosure.

            Everything is public though. Thats not really fair.

            • by TeraCo (410407)

              Well, everything you record and upload to youtube for public release (bearing in mind you can upload private videos to youtube), certainly.

    • You posted what is, essentially, the exact same post content-wise 7 minutes before this one. Do you always repeat yourself, or only when you have an axe to grind?
    • by houghi (78078)

      When is it a good idea to inform the FBI of a crime?

      I would say: never.
      Once reported a child porn site and I had to come to the police office where they wanted to charge me with obstruction of the law, spreading child porn and and fraud.

      They asked to come by calling my employer and telling him they needed to speak to me concerning a child porn case. Yes I had used the companies computer to report it.

      Luckily I could convince the police they were idiots and luckily the people at my company where intelligent e

      • by LanMan04 (790429)

        This this a million times this. Stay as FAR AWAY from police as possible at all times. They're like a tornado of trouble and being in their vicinity, **even when you're doing good for society**, can damage you in all kinds of horrible ways.

        Not worth the risk, ever.

    • by Darinbob (1142669)

      If anyone sees a crime, they should report it. This has nothing to do with hackers or not, or the fictitious color of their hats. It is always a good idea to report it unless you have concerns about your own safety. Face it these guys are not boy scouts and they know they are committing serious crimes. Looking the other way is a serious breach of morality. Who cares about the roles. Their role as a public citizen should be enough to compel them to report a crime.

      Security researchers are not priests si

  • by Tigger's Pet (130655) on Wednesday March 23, 2011 @03:46PM (#35590856) Homepage

    Do we have a winner for the prize of "stupidest person alive"? Who, with the slightest semblance of common sense, would think that posting a video of themselves doing this was a good idea? This ranks up there with the guy who used a camera mounted to his motorbike to record himself doing 140mph+ in the UK, then posted it on YouTube with his face and licence-plate.

    • by Fnord666 (889225)
      Another contestant:

      HARRISBURG, Pa. - Police say a man tried to open an account before robbing a central Pennsylvania bank, but only after he'd already handed over two forms of identification.

      Harrisburg police say 35-year-old Daniel Rahynes walked into a bank on Sunday and told tellers he was interested in opening an account. After he gave bank employees his information, he declared that he was actually there to rob the bank.

      full article [msn.com]

  • Self-defense (Score:5, Interesting)

    by Anonymous Coward on Wednesday March 23, 2011 @03:47PM (#35590862)

    This is exactly why we don't counter-attack those attempting to penetrate our network. While you *might* have some slim chance of reaching the attacker, chances are equally good you will end up attacking some systems in a hospital or something equally unacceptable.

  • The FBI found the source code for the bot on his laptop.

    Open source doesn't really work for hackers.

    • by elucido (870205) *

      Neither does closed source. Who knows whether or not an informant or undercover cop put a backdoor in the botnet.

      • by H0p313ss (811249)

        Neither does closed source. Who knows whether or not an informant or undercover cop put a backdoor in the botnet.

        Perhaps you should spend the rest of the day searching youtube to find out.

  • Stupid should hurt.

    That said, I think sentencing for most of these crimes is a little over the top, but still; if you ask to get busted, you're going to get busted.

  • There. I fixed it for you.

  • I'm assuming he wasn't part of 'Anonymous' then? ;-)
  • Did he know nothing about being evil?
    Never let them catch you monologuing!
  • I just looked up some details of Ophcrack [wikipedia.org] on Wikipedia.

    I can't help but wonder if this guy or his group shelled out for the full set of rainbow tables, or wether the hospital used alphanumeric-only passwords for their sensitive accounts.

    It in no way excuses this guy, but that would deserve a good slapping.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (8) I'm on the committee and I *still* don't know what the hell #pragma is for.

Working...