2006/12/26

Another suspected NASA hacker indicted

By Joris Evers, CNET News.com
Published on ZDNet News: December 1, 2006, 9:10 AM PT

A Romanian man was indicted Thursday for allegedly breaking into more than 150 U.S. government computers.

The indictment charges Victor Faur, 26, of Arad, Romania, with leading a hacking group called the "WhiteHat Team," according to a statement from the U.S. Attorney’s Office in Los Angeles. The group allegedly hacked into the government systems because of their reputation as some of the most secure in the world.

"After hacking into and taking control of the government computers, Faur allegedly caused the compromised machines to display screens that flaunted the computer intrusion," the U.S. Attorney's Office said.

Faur is charged with conspiracy and nine counts of computer intrusion. If convicted of all counts, he faces up to 54 years in federal prison, the prosecutors said.

However, a trial isn't likely to happen soon. Faur is currently in Romania, where he was arrested and then released on bond on separate, Romanian charges, Assistant U.S. Attorney Brian Hoffstadt said in an interview.

"The next step for us is to seek extradition from the Romanian government," he said. There is an extradition treaty between the U.S. and Romania, but an extradition procedure can take up to two years. "It takes a long time," Hoffstadt said.

Computers that were compromised included machines at NASA's Jet Propulsion Laboratory and Goddard Space Flight Center, the Sandia National Laboratory, and the U.S. Naval Observatory, according to prosecutors.

The breached computers were used to collect and process data from spacecraft. Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said.

Several suspected NASA hackers have been dealing with law enforcement recently. In Sweden, a teen suspected of hacking into systems belonging to the U.S. military, NASA and networking giant Cisco Systems was charged recently. Earlier this year, London resident Gary McKinnon lost a crucial battle in his fight to avoid prosecution in the U.S.

No charges have been filed against any other suspected members of the WhiteHat Team, Hoffstadt said. "But the charges against Faur may not be the last charges," he said.

U.S. warns of possible al-Qaida financial cyberattack

Reuters
Published on ZDNet News: November 30, 2006, 6:55 PM PT

The U.S. government warned American private financial services on Thursday of an al-Qaida call for a cyberattack against online stock trading and banking Web sites beginning on Friday, a source said.

The source, a person familiar with the warning, said the Islamic militant group aimed to penetrate and destroy the databases of the U.S. financial sites. The Department of Homeland Security confirmed an alert had been distributed but said there was no reason to believe the threat was credible.

The U.S. Computer Emergency Readiness Team issued a "situational awareness report to industry stakeholders," said Homeland Security spokesman Russ Knocke. The warning said the threat called for attacks to begin Friday and run through the month of December in retaliation for the United States keeping terrorism suspects at the Guantanamo Bay naval base in Cuba.

"Denial of service is what it called for," said a Homeland Security official who spoke on condition of anonymity.

A person familiar with the warning said the threat came from a group calling itself "ANHIAR al-Dollar." The effort was related to al-Qaida and intended to avenge "Muslim brothers in the crusaders' Guantanamo prison camp," the source said.

Reaction in the financial community was muted, with markets showing little or no reaction.

New York Republican Rep. Peter King, chairman of the House of Representatives Committee on Homeland Security, said the report was "nothing to panic over, but it will be looked at very carefully."

Robert Albertson, chief investment strategist at Sandler O'Neill & Partners in New York, said it was unlikely al-Qaida members could do serious harm to financial Web sites.

"I'm not saying there aren't precautions to be taken, but I just can't fathom how there would be serious havoc," he added.

Brian Jenkins, a terrorism expert with the RAND Corp., said that such threats were not unusual.

"There is a regular stream of Jihadist exhortations to attack various targets," he said. "Financial organizations stay at a fairly high level of readiness anyway because of regular assaults."

A government source said regulators were being briefed on the warning.

Alleged NASA hacker loses extradition ruling

By Colin Barker, ZDNet (UK)
Published on ZDNet News: May 10, 2006, 5:27 AM PT

Accused hacker Gary McKinnon has lost a crucial battle in his fight to avoid prosecution in the United States after a British judge ordered his extradition to America.

Judge Nicholas Evans, sitting at Bow Street Magistrates' Court, ruled on Wednesday morning that McKinnon must face U.S. courts.

McKinnon, who lives in London, is accused of hacking into 53 U.S. government computers, including some used by NASA, and causing $700,000 worth of damage.

Evans rejected the defense arguments that McKinnon would not face a fair trial in the U.S. or that he risked being treated as a terrorist suspect.

The two countries "have had extradition arrangements in place for over 150 years. I have no reason to believe that McKinnon will not receive fair treatment," Evans said.

McKinnon was instructed that he must prepare himself to be flown to America on May 17. However, he is likely to appeal the decision.

The final decision on whether McKinnon should be sent to the U.S. for trial rests with Home Secretary John Reid.

McKinnon has admitted accessing U.S. government networks but denies causing any damage. He has claimed that he was looking for, and found, evidence of UFOs and secret military technology.

Speaking outside the court, McKinnon indicated he was not hopeful about his future.

"Virginia (where his case will be heard) is famously conservative. I am practically hung and quartered there already," he said.

Most security tools not quite ready for Vista

By Joris Evers, CNET News.com
Published on ZDNet News: November 30, 2006, 2:54 PM PT

Microsoft released Windows Vista for businesses on Thursday, but most security companies look like they need more time to deliver tools to protect the new operating system.

Symantec, Trend Micro and CA are still working on products for Vista, representatives for each of the companies said Thursday. McAfee is the only major security software maker that has products available now for the long-awaited Microsoft operating system.

"The absence of security software from the major vendors will be another reason why business will not migrate to Vista right away," said Natalie Lambert, an analyst at Forrester Research. That's in addition to the lack of support for Vista in general applications, which are the tools businesses need to run their operations, she noted.

Microsoft celebrated the launch of Vista in New York on Thursday. It is the company's first major Windows client release since Windows XP shipped in 2001. On the back of Microsoft's announcement, Symantec, McAfee, Trend Micro and CA all put out news releases promoting software for Vista PCs. Yet none announced actual product availability, except McAfee.

"McAfee is the only major security vendor with products available today that support Vista right out of the gate," said Rees Johnson, McAfee's vice president of product management. McAfee VirusScan Enterprise 8.5 and McAfee AntiSpyware Enterprise 8.5 support Vista and are available now, the company said.

The other large security vendors plan to release their corporate products for Vista over the coming months. Symantec plans to release an update to AntiVirus Corporate Edition by December 31; Trend Micro expects to have a new version of OfficeScan ready in the first half of 2007; and CA's new antivirus and antispyware is due out by early February.

"I really expect all vendors to have shipping solutions before the end of the first quarter," Lambert said. "But even then, Vista rollouts will be time-consuming." Forrester doesn't expect mass deployment of the new operating system until 2008, she said.

So, while lack of security tools for Vista could mean some people will hold off from upgrading right away, it is not a major issue for the majority of business users, Lambert said. "This is not a big deal, as we will not see enterprises switching to Vista immediately," she said.

Microsoft is more optimistic. The Redmond, Wash., company predicts that Vista will be adopted by companies at twice the speed of its predecessor, Windows XP. Twelve months after the release of Vista, Microsoft expects that the usage share of the oft-delayed operating system in businesses will be double that of XP a year after it shipped, the company has said.

Microsoft has promoted Vista as the most secure version of Windows yet, but has also emphasized that users will still need to run security software to protect their PCs. For example, 3 of the top 10 types of malicious software that hit PC users today can bypass Vista's security defences, security company Sophos said on its Web site Thursday.

"Microsoft continues to encourage customers to follow all of the steps of the 'Protect Your PC' guidance of enabling a firewall, applying all software updates and installing antivirus software," a Microsoft representative said.

2006/12/22

Die, C, die! 5 reasons to UN-learn C

November 28th, 2006
Posted by Ed Burnette @ 12:01 am

I've been programming in C for over 20 years now. I've written C compilers, C debuggers, other languages, games, clients, servers, you name it. Dog-eared editions of K&R and Steele decorate my shelves. So I know C. And yet, I'm sick of it. SICK.

So it was with some trepidation that I read a blog on why every programmer should learn C. Turns out it's good for a laugh if you're a professional developer, though the author probably didn't intend it that way. This rebuttal makes a bit more sense, but still doesn't capture the essence of why C should go the way of the dodo. So let me turn it around. Here are 5 reasons why developers who know and use C now should not just use something else, but UN-learn all the bad things they learned in C.

1. Memory allocation. I could write a whole article just on this one. A book. Maybe a small wing of the library. Memory allocation and deallocation is the bane of my existence. Either you allocate too little and write off the end, or too much and waste it. Then there's the question of whether to zero it or leave it uninitialized. But freeing memory is the worst. Entire toolkits have been written to help you make sure you have freed every little bit you allocated, never use it after freeing, and God forbid, never free it twice. To add insult to injury, allocations and frees are slow in C, very slow. I don't want to even think about all the special cases I've had to put in to *avoid* memory allocation and use stack or pre-allocated structure space if the problem size fit. Well, I've got better things to worry about. Whoever invented garbage collection should win a Nobel.

2. Multi-threading. I used to like C, really. Until I started to develop and maintain multi-threaded servers with it. C doesn't help you at all with protecting data from access by conflicting threads. Every intuition you had from single-threaded days is wrong. At least Java has the synchronized keyword, and a documented (but weird) memory model, but even that falls apart on massively parallel machines unless you use the new javax.concurrent stuff. Flashback - in C: 1 week standing up (true story) in a data center debugging a deadlock problem in a simulated production environment. In Java: Ctrl+Break! Ahhh.

3. Pointers. Pointers are insidiously evil; there's just no polite way to say it. Months of my life are just gone from debugging problems with wild pointers. I used to go for all the tricks, such as incomprehensible casts and unions and offsetof and reusing the last couple of bits for flags, and all that. It's just not worth it. Statically typed references are your friend.

4. Premature optimization. Speaking of tricks, have you ever wasted any brain cells wondering if *p++ was faster than p[i]? Have you spent time trying to do shifts instead of multiplies, or reversing for loops to try and make them run faster? Agonized over the speed of passing parameters as opposed to filling in a structure and passing that? STOP IT! Algorithms are the key to speed, and developer productivity is the key to algorithms. Get the idea that you can make your program any better or faster with little tweaks out of your head. Yeah, there are a few cases where maybe… no, just don't go there.

5. Tests. What's your favorite C unit testing tool? Umm….. can't think of one? Unit testing must not be important then, right? Or too much trouble. Hard to keep up to date. Waste of time. You could spend that time shaving .001% off your execution time. Or debugging that problem that only occurs with 100 simultaneous users, in the data center, on an optimized image with no symbols.

I could go on, but 5 is enough for now; I feel better already. C was wonderful… in 1984. It amazes me that new code is being written in C, even today. C++ is only marginally better if you ask me. If you want to learn something old, try Forth, Lisp, or APL. At least those can teach you some different and elegant ways of thinking about programming.