Hacker Posts His Crime On YouTube, Lands In Jail

wiredmikey writes "A former contract security guard who admitted hacking into a hospital's computer systems (where he worked), was sentenced to 110 months in Federal prison. Why did he do it? He admits that he intended to use the bots and the compromised computers to launch DDoS attacks on the websites of rival hacker groups. The FBI says he posted video of himself hacking into the hospital computers on YouTube — While the theme of 'Mission Impossible' played, he described his hack, step by step, including the insertion of a CD containing the OphCrack program, which allowed him to bypass all security. The FBI found the CD containing the OphCrack program in McGraw's house and found the source code for the bot on his laptop."

Security researchers or confidential informants?

[elucido]

"FBI agents have raided the homes of three alleged members of a hacker gang that harassed a security expert who helped put the group’s leader in jail, according to a recently unsealed search warrant affidavit.

Jesse William McGraw, aka “GhostExodus,” pleaded guilty in May to computer-tampering charges for putting malware on a dozen machines at the Texas hospital where he worked as a security guard. He also installed the remote-access program LogMeIn on the hospital’s Windows-controlle

Re:Security researchers or confidential informants

[chemicaldave]

Has "security researcher" become the code for for confidential informant? Why else would the "researcher" go out of his way to "inform" the FBI?

If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

Why do articles even call them "security researchers"? Now if this guys job is to investigate hackers, then he should be called a "cyber crime investigator". It's disingenuous to call an a cyber crime investigator/cybercop detective a security researcher. What is with this trend?

Who cares if the person was a "security researcher" or "cybercop detective"? What's it matter?

And what is the official function of a security researcher? Are they informants? I'd think maybe not if they aren't pretending to be outlaw/blackhats, so I cannot put them in the obvious informant/snitch category that albert gonzalez [wikipedia.org] is in. An informant/snitch generally is someone who is a criminal hacker or member of a crew, who betrays his or her own crew to provide information to another crew (usually the police). Albert Gonzalez fits the definition of a snitch, the worst kind.

You took the term "security researcher", substituted your own definition of "confidential informant", and then hinted that the person might be a snitch...

Re:

[Even on Slashdot FOE]

The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

And yes, the only way to enforce laws effectively is for crimes to be reported effectively. It's unfortunate that so many people think that reporting a crime is cause for immediate public execution, but the attitude will be there so long as there is no effective punishment for violently repressing anyone willing to call 911.

Re:

[chemicaldave]

The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

We're not talking about the mafia. This is a dumbass script kiddie.

Re:

[scubamage]

The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

We're not talking about the mafia. This is a dumbass script kiddie.

The problem is sometimes, we are talking about the mafia.In this case you're correct, its just a script kiddie, but not always.

Re:

[elucido]

The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

And yes, the only way to enforce laws effectively is for crimes to be reported effectively. It's unfortunate that so many people think that reporting a crime is cause for immediate public execution, but the attitude will be there so long as there is no effective punishment for violently repressing anyone willing to call 911.

That is not the situation at all. Being a witness to a crime is not the same as being a snitch. A snitch knows the individuals who committed the crime, had the trust of these individuals, and betrayed them. I'm not saying the guy who found the photo and reported it to the FBI is a snitch like Albert Gonzalez and I'm not saying someone who witnesses a crime is snitching. You do risk your life and limb as a witness but it's not betraying anyone or harming your friendships to be a witness so the stigma is only

Re:

[avgjoe62]

It's an old saying, but true none the less - there is no honor among thieves.

Re:

[khallow]

But if you are just a researcher then your interest is purely academic, so what would you have to gain by reporting every crime you see?

As a scientist, you have an ethical obligation to report particularly dangerous crimes. Sounds like this guy was boasting about coopting his hospital's systems and using them to fight other bot nets. That has a potential for killing people that compromised computers normally don't have.

Re:

[Infernal Device]

As a scientist, you have an ethical obligation to report particularly dangerous crimes. Sounds like this guy was boasting about coopting his hospital's systems and using them to fight other bot nets. That has a potential for killing people that compromised computers normally don't have.

This seems to imply that there are crimes you don't report. Is there some sort of ethical standard for what gets reported and what doesn't or is it left to the judgement of the scientist?

Re:

[khallow]

This seems to imply that there are crimes you don't report.

And that can indeed be the case. For example, I read of an economics researcher who studied a US street gang who was heavily involved in cocaine and crack dealing. One of the conditions for their cooperation with him was that he wouldn't report their involvement in a variety of crimes (such as drug possession, tax evasion, and violations of US labor law). I think he would still be ethically obligated to report to the police any serious crime he witnessed like assault and battery, murder, etc.

Is there some sort of ethical standard for what gets reported and what doesn't or is it left to the judgement of the scientist?

I doubt there's

Re:

[tehcyder]

So it's simple. If you are a cyber crime investigator, then don't pretend to just be a "researcher".

Are you fucking retarded? Do you think undercover organized crime investigators should wear "Hi! I'm in the FBI!" t-shirts to avoid confusing the poor mafiosi?

Re:Security researchers or confidential informants

[iamhassi]

"The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?"

But... he is a security researcher, here's his security [mcgrewsecurity.com] websites [dissectingthehack.com] and his LinkedIn says he has a PhD in Computer Science and works at the Mississippi State University Center for Computer Security Research (CCSR). [linkedin.com]

I'd say he's qualified. I don't understand why parent automatically assumed he was just an informant. If you're a private detective and with PhD in Criminal Forensics and you see a felony take place wouldn't you call the police? Would /. then assume you're simply an informant instead of being the private detective that the article correctly identified you as being?

Re:

[cdrguru]

The way for inner city youth is to follow the rules: Stop Snitching.

If they don't pay attention to the rules, they will run afoul of folks whose livelihood they are impacting. And probably end up as another statistic on how hazardous it is for minorities in the inner city.

Of course, you are correct that the only way for law enforcement is to have snitches. If they are subsequently beaten, tortured or killed it isn't the fault of law enforcement but our own sick, twisted society. It comes down to who do y

Re:

[mug funky]

possibly because cops spend all day with robbers and quite often the robbers tend to get paid better, which opens the cops up to turning a blind eye to some of the robbers in return for protection from arrest...

Re:

[mug funky]

this.

of course, there needs to be discretion.

some crimes are so severe that if you have knowledge of them you need to report them to get the perpetrator off the street, or you'll be enabling the criminal.

a script kiddie isn't in that category for me though. more like a rapist.

Re:

[tehcyder]

a script kiddie isn't in that category for me though.

But a script kiddie fucking around with a hospital's systems is something else.

Re:

[bmo]

>If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

It's not like calling in a break-in of someone's house. I've done that myself. Called it in while I was watching across the street, and identified the bad guys while talking on 911 and later as I sat in the police car and the cop shined a light on them (they were caught).

Cops know how to deal with that. Clear cut, simple.

But to call in a computer security problem? To people who d

Re:

[chemicaldave]

If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

That depends on whose home it is. If it's a rich assholes home, probably not. If it's my friends home, most definitely. If it's a complete strangers home, probably not because the complete stranger could be an even bigger crook than the burglars in the end.

Ok...but in this case it's more like breaking into the hospital to steal drugs...

Re:

[elucido]

If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be to much?

That depends on whose home it is. If it's a rich assholes home, probably not. If it's my friends home, most definitely. If it's a complete strangers home, probably not because the complete stranger could be an even bigger crook than the burglars in the end.

Ok...but in this case it's more like breaking into the hospital to steal drugs...

And if I were the one who cracked the case then I would not be a security researcher, I would be a cyber crime investigator. I mean what is so difficult to understand? If someone does the police work or the police then the police don't have to pay anybody. This saves the police money but it does not necessary make us any safer. Whether or not we'd be safer would have to be decided on a case by case basis.

So what I'm saying is, if there really are cyber police or if there should be cyber police, shouldn't th

Re:Security researchers or confidential informants

[SuperKendall]

That depends on whose home it is. If it's a rich assholes home, probably not

You do realize that this means you, too, are an asshole, and that someone even lower on the moral chain than yourself will watch someone break into your house and do nothing for the same reason?

The chain of violence only stops when people like you stop demonizing based on external factors.

Re:Security researchers or confidential informants

[ElectricTurtle]

Exactly. As Cullen Hightower said: "There's always somebody who is paid too much, and taxed too little - and it's always somebody else."

I always ask people, at what magical number does 'theft' become 'economic justice'?

Re:

[elucido]

Exactly. As Cullen Hightower said: "There's always somebody who is paid too much, and taxed too little - and it's always somebody else."

I always ask people, at what magical number does 'theft' become 'economic justice'?

Justice is for the strong. What that means is that the rich typically get justice through the law and the poor do not.
The law does not treat rich and poor equally, you know this and I know this.

So if a rich strangers house is being broken into and burglarized I'm just not going to care about that rich persons junk. That rich person has more stuff than they need anyway, and I wouldn't want to spend my time sitting in court.

Now if the roles were completely reserved and I'm the rich person and I'm watching a g

Re:Security researchers or confidential informants

[ElectricTurtle]

This is the worst kind of thinking. 'The poor don't get justice so I'll make sure the rich don't get it either! Then we'll all be equal!' Equally fucked. Such an great thing to which to aspire. Equality is not the sacred thing you seem to think it is. To paraphrase Margaret Thatcher, it is better to have a higher standard of living for the majority in a society with a high disparity than it is to have a lower standard of living for the majority in a society of greater equality.

Re:

[Actually, I do RTFA]

Equality is not the sacred thing you seem to think it is. To paraphrase Margaret Thatcher, it is better to have a higher standard of living for the majority in a society with a high disparity than it is to have a lower standard of living for the majority in a society of greater equality.

You could go with Rawls (paraphrased): Inequalities are acceptable if they makes the worst off in the new system better off than the worst off without those inequalities.

So says the selfish rich

[elucido]

Give to us, protect our rights, die for us, give us justice.

But they can't give healthcare, a job, or an education.

Why should I give random rich people a handout?

Re:

[elucido]

Now if the roles were completely reserved and I'm the rich person and I'm watching a ghetto dwelling persons house getting broken into, maybe I'd decide to be a witness as a way to give back for what society has given me. In fact maybe I'd just give the unfortunate person some financial assistance, pay the legal fees, or give them a job.

No, you wouldn't.

You would likely feel you'd earned every penny you had and not owe anything back to society. You certainly wouldn't risk it for some poor person who could never pay you back and might expose you to personal risk.

Not if I were poor and became rich. If I were born rich you'd probably be right, but since I wasn't, I wont think rich.

When you are rich it's no personal risk to yourself to help a poor person but when you are poor there is great personal risk to yourself to help a rich person.

Re:

[elucido]

Society is something I tolerate. I did not ask to be born into this society. I do not have any emotional attachment to this society. It's not all good.

There are good people who matter to me. I care about those people. The social contract isn't real and does not exist. People pretend it exists just as they pretend human rights exist and just as they adopt American exceptionalism.

You think the world owes you all it's natural resources because you are an American? You think lives in foreign countries don't mat

Re:

[Lehk228]

let's start with anyone making more than 128 times the national median income.

Re:

[Actually, I do RTFA]

Exactly. As Cullen Hightower said: "There's always somebody who is paid too much, and taxed too little - and it's always somebody else."

I'm not paid too much, but I am taxed too little. I would gladly raise my own tax rates by 5% if it applied to everyone making as much as I am or more (esp. if it applied to Warren Buffet, etc. who currently have their salaries as investment income.)

I always ask people, at what magical number does 'theft' become 'economic justice'?

That stupid rhetorical device has been don

Re:

[elucido]

That depends on whose home it is. If it's a rich assholes home, probably not

You do realize that this means you, too, are an asshole, and that someone even lower on the moral chain than yourself will watch someone break into your house and do nothing for the same reason?

The chain of violence only stops when people like you stop demonizing based on external factors.

If I don't know anything at all about a person, never met the person in my life, I don't have any responsibility to care about the person.

And no I don't assume a majority of rich persons care about me. My decision of whether or not to be a witness would depend on factors such as whether or not I knew them, whether or not I want to sit in court for weeks or months, but it's still my decision to make.

Just like if someone decides to give to charity or give a donation, it's their decision to make. Nobody should

Re:

[sycodon]

Baed on your attitude, I'm surprised that anyone cares about you...even your mother.

Re:

[elucido]

Just because you would die for a random rich person, does not mean a random rich person would save your life.

So if you want to die for some rich asshole, go ahead and be my guest. The only people who matter are the people who you actually know. You think otherwise? Maybe you should have stopped the troops from bombing Iraq and stealing the oil and maybe you should have saved the Soviet Union from the cold war, and maybe you should have helped save the children.

But if you want to be realistic, if you are a r

Re:

[Attila Dimedici]

Not all research is academic. I with a large number of research scientists, very few of them are doing anything academic. This particular security researcher is someone who makes his living by providing his skills to companies and other organizations in return for money. He researches security risks and ways to compromise computer systems and develops tools to combat them (my interpretation of the information on his business website). The overlap between what he does as a security researcher and what a cybe

Re:

[elucido]

If they knew me I would expect them to have compassion. If they don't then I wouldn't expect any compassion just as most of you don't have compassion for people dying in foreign countries.

You are right I am amoral. Just like a corporation, a government, etc.

Re:

[ElectricTurtle]

I don't think you understand how whitehats think. They think they are talented superhero vigilante crime fighters. I've known a few in my time, and they are frequently the kind of Eagle Scout archetype of a neighborhood watch captain. They have no real official power, but they get off on being "the good guys" and will turn in anybody for anything. It's a terrible combination of boredom, a modicum of skill, and an underdeveloped legalist sense of ethics.

At the same time, blackhats like GhostExodus are path

I do know how they think, I know them.

[elucido]

But I'm trying to figure out why they think that way.

Re:

[doomy]

This seems to be their YT channel - http://www.youtube.com/user/XxxxETAxxxX [youtube.com]

Re:

[westlake]

An informant/snitch generally is someone who is a criminal hacker or member of a crew, who betrays his or her own crew to provide information to another crew (usually the police). Albert Gonzalez fits the definition of a snitch, the worst kind.>/quote?> There is no honor among thieves.

The hacker trades in secrets - and there is no bigger secret than the identity of other hackers.

Re:

[elucido]

An informant/snitch generally is someone who is a criminal hacker or member of a crew, who betrays his or her own crew to provide information to another crew (usually the police). Albert Gonzalez fits the definition of a snitch, the worst kind.>/quote?>
There is no honor among thieves.

The hacker trades in secrets - and there is no bigger secret than the identity of other hackers.

If someone is a friend, or is family, and you know ratting them out will put them in prison where they'll be ass raped for a decade, what kind of person are you if you give their identity to the FBI?

Re:

[Actually, I do RTFA]

Has "security researcher" become the code for for confidential informant?

No. The guy is literally a PhD student who studies computer security.

Why else would the "researcher" go out of his way to "inform" the FBI?

I don't know why "inform" was in quotes. He did it because he saw that an HVAC system at a hospital was compromised, and thought that could pose a danger to human beings. He called the police and FBI with information about who had done it. And considering that the person with remote control of t

110 Months

[Reilaos]

That's not that bad. People could get much worse for having the police catch them with crack in their home!

Re:

[elucido]

Thats not bad? Do you know how many years that is? Thats terrible.
He got caught so he has to do the time, but 110 months is around 9 years.

Re:

[Reilaos]

Gonna kill a joke by explaining it, but dealing with crack cocaine can get you 6-20 years.

Re:

[chemicaldave]

That's not that bad. People could get much worse for having the police catch them with crack in their home!

Yeah, and in countries where they cut off your hands for stealing, you should be grateful they don't just cut off your head like in other places!

Re:110 Months

[WrongSizeGlass]

That's not that bad. People could get much worse for having the police catch them with crack in their home!

That sentence is the least of his problems. Wait until the MPAA & RIAA find out he used the theme from 'Mission Impossible' in his YouTube posting without paying the appropriate licensing fees.

Re:

[Isaac Remuant]

You reckon we can ask them to fine him with twice of Google's revenue?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[sycodon]

"People who do this deserve to be shot."

Fixed.

Re:

[cusco]

Right, because nurses and maintenance people have lots and lots of time to learn new operating systems, new GUIs, and the new programming conventions that come with an OS change. The X-ray machine will use Red Hat with gnome, the climate control system will be Suse with KDE, the pharmacy will be OS-X and the MRI will be DRDOS with some piece of crap interface that Philips cobbles together. Truly something to look forward to.

When you graduate and get out in the real world you're going to find that stand

Re:

[cos(0)]

If only there was a Linux distribution whose target audience is hospitals, government, education, etc., and whose goals include API/ABI stability and long-term support. Perhaps we can call it "Enterprise Linux." I'll email Red Hat.

Re:

[fredclown]

Being in the medical IT field I can tell you that almost all medical software is written for Windows. And last I checked I don't think you can arrest anyone for developing for the windows platform. Just because the system is on Windows doesn't automatically make it insecure. There are a number of things that could have been done to mitigate this such as ... super-gluing the USB ports, securing door access, group policy to lock down what can be run. If best practice security was followed this guy would h

I think he knows the underwear gnomes.

[gurps_npc]

Step 1) Post a video of yourself committing a crime

Step 2) ????

Step 3) Jail!

Re:

[pinkushun]

You only need 3 steps to profit [southparkstudios.com]

The role and ethics of security researchers:

[elucido]

This question goes out to security researchers. When is it a good idea to inform the FBI of a crime? Does it depend on whether or not you are white hat, black hat, grey hat? Does it depend on whether or not you are in the same crew as the person, or know the person? And if you do, does it remain just research or does the function of the security researcher change to investigator?

I keep seeing various different job titles, security researcher, cyber crime investigator, cyber cop, cyber warrior, and I do not

Re:

[Dr. Evil]

It's like accounting. Your superiors make the call, and you have an ethical decision if they don't do the right thing.

Although.... accountants have tighter laws and professional bodies to revoke designations. Security will get to the same point in the next 10 or 20 years.

Re:

[Anonymous Psychopath]

This question goes out to security researchers. When is it a good idea to inform the FBI of a crime? Does it depend on whether or not you are white hat, black hat, grey hat? Does it depend on whether or not you are in the same crew as the person, or know the person? And if you do, does it remain just research or does the function of the security researcher change to investigator?

I keep seeing various different job titles, security researcher, cyber crime investigator, cyber cop, cyber warrior, and I do not understand the different inherent functions of these terms. At the same time you have obvious professional betrayers like Albert Gonzalez being called "agents" and "heroes" by the feds in one sentence and then later on the feds are locking him up and he's a dirty rotten snitch greedy scoundrel.

So which security researcher, hacker, or cyber crime investigator wants to clear up exactly the different functions and roles?

Actions define people, not titles. You obviously already know this, why bother using it as an excuse to get on your soapbox? No one cares what they call themselves, except maybe them.

Re:

[chemicaldave]

It likely has less to do with their title and more to do with who they work for. If they work for the federal government directly, at an agency, they might be compelled to submit this information. If they work for a government funded, third party organization, perhaps it's in a contract. They may work for a totally private organization or free-lance in which case they likely have full discretion. Or maybe the "informant" was just a disgruntled acquaintance.

If it's in their contract

[elucido]

that they must submit it the information, in my opinion it should be submitted to the person directly above them and that person should decide whether to submit it to the government or not. I just want full disclosure. If some security researcher is collecting information about me, shouldn't I know that they might give it to the government if the government asks for it?

Anyway if it's in the contract or a part of their job title and definition then nobody can accuse them of being an informant, and at the sam

Re:

[chemicaldave]

that they must submit it the information, in my opinion it should be submitted to the person directly above them and that person should decide whether to submit it to the government or not. I just want full disclosure. If some security researcher is collecting information about me, shouldn't I know that they might give it to the government if the government asks for it?

How delusional are you? You pretty much waive this right when you willfully submit that information to the public. If I see evidence of you doing something illegal and then you post a video of yourself committing a crime in Youtube, you've pretty much waived all rights to disclosure.

Re:

[elucido]

that they must submit it the information, in my opinion it should be submitted to the person directly above them and that person should decide whether to submit it to the government or not. I just want full disclosure. If some security researcher is collecting information about me, shouldn't I know that they might give it to the government if the government asks for it?

How delusional are you? You pretty much waive this right when you willfully submit that information to the public. If I see evidence of you doing something illegal and then you post a video of yourself committing a crime in Youtube, you've pretty much waived all rights to disclosure.

Everything is public though. Thats not really fair.

Re:

[TeraCo]

Well, everything you record and upload to youtube for public release (bearing in mind you can upload private videos to youtube), certainly.

Re:

[BJ_Covert_Action]

You posted what is, essentially, the exact same post content-wise 7 minutes before this one. Do you always repeat yourself, or only when you have an axe to grind?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[LanMan04]

This this a million times this. Stay as FAR AWAY from police as possible at all times. They're like a tornado of trouble and being in their vicinity, **even when you're doing good for society**, can damage you in all kinds of horrible ways.

Not worth the risk, ever.

Re:

[Darinbob]

If anyone sees a crime, they should report it. This has nothing to do with hackers or not, or the fictitious color of their hats. It is always a good idea to report it unless you have concerns about your own safety. Face it these guys are not boy scouts and they know they are committing serious crimes. Looking the other way is a serious breach of morality. Who cares about the roles. Their role as a public citizen should be enough to compel them to report a crime.

Security researchers are not priests si

Ladies and Gentleman

[Tigger's Pet]

Do we have a winner for the prize of "stupidest person alive"? Who, with the slightest semblance of common sense, would think that posting a video of themselves doing this was a good idea? This ranks up there with the guy who used a camera mounted to his motorbike to record himself doing 140mph+ in the UK, then posted it on YouTube with his face and licence-plate.

Re:

[Fnord666]

Another contestant:

HARRISBURG, Pa. - Police say a man tried to open an account before robbing a central Pennsylvania bank, but only after he'd already handed over two forms of identification.

Harrisburg police say 35-year-old Daniel Rahynes walked into a bank on Sunday and told tellers he was interested in opening an account. After he gave bank employees his information, he declared that he was actually there to rob the bank.

full article [msn.com]

Re:

[CCarrot]

There are plenty of dumber people in the world who kill themselves by trying to accomplish something truly stupid every year.

All hail the Darwin Awards [darwinawards.com]...

Self-defense

[Anonymous Coward]

This is exactly why we don't counter-attack those attempting to penetrate our network. While you *might* have some slim chance of reaching the attacker, chances are equally good you will end up attacking some systems in a hospital or something equally unacceptable.

Let it be a lesson

[microbee]

The FBI found the source code for the bot on his laptop.

Open source doesn't really work for hackers.

Re:

[elucido]

Neither does closed source. Who knows whether or not an informant or undercover cop put a backdoor in the botnet.

Re:

[H0p313ss]

Neither does closed source. Who knows whether or not an informant or undercover cop put a backdoor in the botnet.

Perhaps you should spend the rest of the day searching youtube to find out.

Three words:

[sstamps]

Stupid should hurt.

That said, I think sentencing for most of these crimes is a little over the top, but still; if you ask to get busted, you're going to get busted.

Re:

[diskofish]

A part of me feels sorry for this fool.

No, that's pity, not sorrow.

[zooblethorpe]

A part of me feels sorry for this fool.

As in, I pity the fool...

Sometimes actually I miss the 80s.

Cheers,

Re:

[HeckRuler]

Yeah, but you have to remember that he'll probably be out on parole in a year or two.

Should read: Dumbass posts his crime on Youtoob...

[ehintz]

There. I fixed it for you.

So.....

[carbonUnit42]

I'm assuming he wasn't part of 'Anonymous' then? ;-)

Did he know nothing about being evil?

[asdf7890]

Did he know nothing about being evil?
Never let them catch you monologuing!

Hmm...

[vegiVamp]

I just looked up some details of Ophcrack [wikipedia.org] on Wikipedia.

I can't help but wonder if this guy or his group shelled out for the full set of rainbow tables, or wether the hospital used alphanumeric-only passwords for their sensitive accounts.

It in no way excuses this guy, but that would deserve a good slapping.

Yes, 10 Years!!!!

[www.sorehands.com]

They added the stupidity multiplier. It is there so the pollution of the gene pool by really stupid criminals is reduced.

Re:

[RajivSLK]

Not only that- but he was also hacking a hospital. If his poorly crafted script kiddie hack had compromised the functions of even the administrative computers patients treatment could be compromised. This is a place of healing. If you fuck with a hospitals functions you should get 10 years.

Re:

[sdguero]

He won't do more than 5 unless he shanks someone.

Re:

[HornWumpus]

Federal time. He is fucked.

He will do almost all of it. Someone will come along to explain but IIRC 'good time' on gets you something like 5% off.

The oft repeated meme 'never talk to the police' goes double for feds. Telling them a fishing story is a 10 year offense.

Re:Seems a bit excessive

[Nikker]

The network he had access to was a hospital's LAN. He wanted to use it to DDOS which would result in saturating much of the hospital's LAN to begin with and possibly screwing with equipment in the mean time. If he hacked into a Starbucks or a McDonalds to do the same I wouldn't care as much but his stupidity overreached on this one.

Re:Seems a bit excessive

[Americano]

Why is it excessive? From TFA:

While hacking into the HVAC computer, McGraw knew the risk of affecting the facility’s temperature, and the treatment and recovery of vulnerable patients. In addition, he could have affected the efficacy of all temperature-sensitive drugs and supplies. Although he denies, it, access to the nurses’ station computer could have opened the door to patient records.

Given the fact that his actions could have breached confidentiality of medical records, or, you know, even killed someone due to the HVAC system going haywire and not controlling the temperature in a patient's room, or a storeroom containing temperature-sensitive medications, I'd say that 9 years and 2 months (probably being served in a minimum-security federal prison camp) doesn't sound all that unreasonable.

Re:Seems a bit excessive

[betterunixthanunix]

Are we going to imprison the people who decided to use Windows as the operating system for a critical, safety-sensitive computer? Why are we acting like the problems here end with this guy? Computers are not some magical object that dark wizards vie for control over; the fact that this guy could have endangered hospital patients because he was interacting with the HVAC computer (and ultimately, that is what he was doing: interacting with the computer) says more about the problems with the HVAC controller than about the hacker.

Re:

[Americano]

(and ultimately, that is what he was doing: interacting with the computer)

Yeah, if "interacting with the computer" involves breaking into a locked room, removing security controls on a computer with a sensitive function, and then planning to use it to launch DDoS attacks against other "rival groups." This isn't like, "What, I was just at the mall, using a touchscreen kiosk to find directions to the Urban Outfitters store!"

Considering he apparently needed both physical access (in a locked room) to the compu

Re:

[betterunixthanunix]

On the other hand, why was the HVAC system left open to these sorts of attacks? If it is as safety sensitive and critical as the FBI is claiming, one would think that Windows should be low on the list of operating systems to choose.

Re:Come on, dude.

[Hatta]

Don't be too hard on them. Any HVAC system can be circumvented using windows.

Re:

[cusco]

Building maintenance computers are expected to last for a decade or more, which is probably longer than the building maintenance people will stay on their job. These systems are written for Windows because the new guy can come in, poke around a bit, and because he understands the basic MS programming conventions be productive in his new position almost immediately.

Re:

[RandomJoe]

I install HVAC control systems for a living. Almost all of them rely on Windows at some point along the way anymore, either for setup software or the user interface software (if it doesn't use a web interface).

However, most do NOT require the Windows computer in order to function properly. The systems either have a dedicated embedded-style building controller, or use a peer-to-peer arrangement with each device handling its own schedules and talking to each other directly to integrate. It's entirely possi

Re:

[Actually, I do RTFA]

"So what if I mess around with the HVAC controller in this hospital? I have SERIOUS HACKER BUSINESS to conduct!"

He had been experimenting with fucking with the HVAC controls on purpose (turning off automated alarms for temperature levels, shutting down AC), and was going to fuck up the hospitals air conditioning, in Dallas, TX, on July 4th.

Fuck him right in the ear.

Re:You are ridiculous

[DurendalMac]

Accidentally hitting someone with a car and accidentally hitting someone with a car after you've swilled half a bottle of Gold Schlager would be treated differently. Accidents happen. Deliberately fucking with hospital systems in a way that you KNOW could cause damages and even get someone killed is not an accident.

Re:

[nobodylocalhost]

You are missing "EPIC" in front of that "FAIL"

Re:

[Actually, I do RTFA]

This nimrod's just a script-kiddie with delusions of grandeur.

Hey, he assembled a mighty 14-large computer cluster to DDoS rival group Anonymous. He was totally gonna kick their ass!

Re:

[1s44c]

I remember when he originally posted that video. about all I could do was /facedesk multiple times. I couldn't believe how someone of his obvious intelligence could be so incredibly stupid (not about the video or even posting it, but the fact that he actually endangered lives by his actions). It is people like him who give governments cause to intrude into our lives as much as they do.

I can't believe he thought they would not find him and call the cops. He was cracking computers at the place where he worked. It was a freaking hospital with computers full of personal data. The guy intended to launch a DOS from hospital computers leaving a clear trail of network traffic back to him.

The guy was a dumbarse, no wonder he was working as a security guy and not in IT. In my experience if anything goes missing, gets broken, or gets unexpectedly altered overnight the security staff did it. Did I t

Re:

[1s44c]

correction: script kiddie ;) although securing against someone with physical access is impossible without full disk encryption

Even hard disk encryption sn't enough. He could have plugged in a cheat keylogger and waited or used a fireware memory reader, or any of a large number of other attacks.

Re:

[pinkushun]

BWHA HA HA HA!

Re:

[pinkushun]

He forgot to thank the person responsible for encrypting their drives and covering their trac... oh wait. Never mind.