12/17/2012
11:52 AM

Britain Declines To Prosecute Alleged NASA Hacker

After a 10-year legal battle over allegedly hacking U.S. government computers in search of information on UFOs, British hacker Gary McKinnon is free.

The British government has declined to prosecute Gary McKinnon, 46, who had been accused of perpetrating "the biggest military computer hack of all time." As a result, more than a decade after the alleged crimes occurred, McKinnon is now a free man.

"I feel the 10 years have been grueling, it's been life-destroying. It's difficult to explain how bad it's been," McKinnon's mother, Janis Sharp, told The Guardian.

"To have this over is amazing. Gary's gone through enough," she said. "Other people have been accused of more serious hacking in this country and they've been given a 1,000-pound fine and a very short community sentence. Gary regrets what he's done. He wishes he hadn't done it. He wishes he hadn't upset the Americans. We all regret it. But I'm grateful to Theresa May that this is all over now."

Sharp said McKinnon's next step will be to seek a pardon from President Obama.


McKinnon, who's been diagnosed with Asperger's syndrome and depression, was first arrested by U.K. police a decade ago for allegedly gaining unauthorized access to computers owned by the U.S. government, reportedly in search of evidence about UFOs. In 2004, the United States first sought his extradition, and in recent years, after McKinnon lost multiple appeals, it looked like he'd finally be extradited.

In October, however, British home secretary Theresa May, citing medical reports that McKinnon would be a suicide risk if he was extradited, said that Britain would not honor the extradition request. May also said that it would be up to the director of public prosecutions (DPP) to determine if a case against the alleged hacker should proceed in England and Wales.

Keir Starmer, the director of public prosecutions for the Crown Prosecution Service, and Mark Rowley, the assistant commissioner of the Metropolitan Police Service, in a joint statement released Friday, noted that it was unlikely that any prosecution of McKinnon in Britain would now succeed, especially because there's been no live investigation into his alleged crimes for many years. Notably, the U.S. Department of Justice, Metropolitan Police Service, and Crown Prosecution Service in 2002 jointly agreed that McKinnon should be tried not in Britain, but in the United States, given that the required witnesses, and the vast majority of evidence, were located there.

"None of the reasons for the original decision in 2002 that the appropriate place for Mr. McKinnon to be tried was the United States have altered," said Starmer and Rowley. "So far as the evidence is concerned, the position in 2012 is the same as it was in 2002. Most of the witnesses are in the U.S., as is nearly all the physical evidence and the bulk of the unused material, some of which is sensitive."

Starmer and Rowley noted that the U.S. Department of Justice said it would cooperate with any U.K. investigation, but said that the related evidence-handling would be especially challenging. In addition, U.S. authorities said that they would only share some of the evidence, and not make every witness -- many are, or were, U.S. government employees -- available for a British trial.

McKinnon is far from the first hacker who's been indicted by U.S. authorities. Earlier this year, for example, alleged Anonymous and LulzSec participant Ryan Cleary was indicted by a Los Angeles federal grand jury on hacking charges. Unofficially, however, U.S. authorities have said they won't seek Cleary's extradition, most likely because he's already being prosecuted by authorities in Britain on charges of launching botnet-driven distributed denial-of-service (DDoS) attacks against the British Phonographic Industry website, as well as the United Kingdom's Serious Organized Crime Agency (SOCA) website.


Comments
PJS880,
User Rank: Ninja
12/23/2012 | 11:02:49 PM
re: Britain Declines To Prosecute Alleged NASA Hacker
This is kind of a kick on the face I would think. Oh poor Gary has gone through so much, then Gary shouldn't have got caught trying to hack the US Government. I wonder how the British Government would feel if the shoe was on the other foot? Regardless of his intentions, meaning UFO information, does not make what he did a crime. By that rationale an armed robber who is only committing the robbery because he/she needs to feed their family is ok because their intentions were good? Yeah ship him over here and let him at the very least go through our court system at least out of common courtesy.
Paul Sprague
InformationWeek Contributor