
Florida programmer arrested for gaining unauthorized access to kernel.org - ashitlerferad
https://www.justice.gov/usao-ndca/pr/florida-computer-programmer-arrested-hacking
======
jrockway
40 years in prison plus a one million dollar fine? Might as well kill a few
people while he's out on bail, he already paid for it.

~~~
tptacek
There is absolutely no chance that this person will serve 40 years in prison,
or anything resembling that sentence. DOJ press releases add up the maximum
possible sentence for the _class_ of offense people are charged with. It's
terribly misleading.

In reality, for a non-remunerative first-time offense, even of this severity,
the guidelines suggest low single-digits.

~~~
wtvanhest
There is too much risk built in to the sentencing though. He will basically be
forced to take a plea of 10 years and hopefully get out in 5.

I would like to see a situation where the max penalty that can be issued by a
judge can only exceed a plea offer by 20%.

~~~
tptacek
He's not going to be offered 10 years. If he goes to trial and is convicted,
he'll likely serve less than 5.

Once again: 40 years is not in fact a sentence that is available to the judge;
the judge would have to discard the sentencing guidelines entirely, and that
sentence would fall apart on appeal.

Further, there is _simply no relationship_ between the number "40 years" and
the guidelines. It's not like the DOJ is marking up the guideline sentence by
X0%. They're instead using a ridiculous process to add the sentences for every
count of a crime up, which is simply not how federal sentencing works.

------
ryanlol
This took 5 years to prosecute and the guy has at least one shell company
mentioned in the panama papers.

Seems likely there's a little more to the story. (or they didn't find anything
for 5 years until the guy bragged to someone)

However by far the strangest thing here is how very specific the charges are,
one hack 5 years ago and no co-conspirators? How on earth didn't they find
anything else to charge him with? [1]

[1] Of course this all could be explained away by them having a weak case,
which they probably would have if they failed to seize his personal equipment

~~~
dhimes
My gut agrees with yours. What's the benefit? Was he working for someone, or
is this part of a plan to become Dr. Evil? Seems to be beyond a prankster act.

~~~
ryanlol
I couldn't easily figure out just who this guy was (i.e. handle) but it seems
somewhat unusual that he would've performed the hack alone. Especially given
the malware deployed[1] and information shared by the victims [2].

>What's the benefit?

Tons, having personally tried the same thing in the past :^) Being able to
serve backdoored copies of the kernel to targeted users would be all kinds of
useful, and you'd be in a unique position to target the kernel developers
themselves, allowing you to actually insert a backdoor into the kernel.

[1] Phalanx is by far one of the most advanced pieces of publicly analysed
linux malware [https://volatility-labs.blogspot.de/2012/10/phalanx-2-revealed-using-volatility-to.html](https://volatility-labs.blogspot.de/2012/10/phalanx-2-revealed-using-volatility-to.html)

[2] Kernel.org folks claimed that they weren't the only target, which is to be
expected (people with no prior hacking experience rarely decide to
acquire/produce somewhat advanced linux malware and install it on kernel.org)

[2] ctrl+f credential-stealing
[https://lwn.net/Articles/464233/](https://lwn.net/Articles/464233/)

------
ashitlerferad
More discussion:

[https://lwn.net/Articles/699128/](https://lwn.net/Articles/699128/)

------
kevin_thibedeau
I wonder what evidence broke this. Did he blab about it or was this a
submarined parallel construction?

~~~
tptacek
For "parallel construction" to apply, the intelligence community would have
had to create the conditions in which a search _authorized for some other
reason_ would have uncovered evidence of the kernel.org rootkits.

The common example of parallel construction (because it's simple to explain,
not because there's evidence it's happened) is: unauthorized electronic
surveillance reveals that a drug transaction is going to happen at such-and-
such corner at such-and-such time. The surveillance is shared with the police,
who then station officers near the site of the transaction, and who are
therefore able to observe the crime as it takes place --- giving them probable
cause to effect the search themselves.

In other words, parallel construction is a way of allowing the police to be at
the "right place and right time".

So, to move the ball forward on the conspiracy theory that some 27 year old
doofus who rootkitted kernel.org with stolen credentials was so important to
the NSA that they monitored him and conspired with the FBI to ensure he was
charged, you must first come up with the set of circumstances in which the NSA
could have shared something with the FBI that would have enabled FBI to _de
novo_ generate probable cause for a search.

~~~
jimrandomh
Investigating a rootkit on kernel.org falls squarely within the NSA's
counterintelligence mission. Until they investigate, they don't know whether
it was done by a random 27 year old doofus or by a nation state.

~~~
tptacek
That's the first half of the argument. The second half is why and how the NSA
then set the 27 year old up to get searched by the FBI.

------
hackuser
Is this a sign of Linux' growing political influence when government agencies
are investigating crimes against it and enforcing them?

Would this crime have been handled by the federal government 10 years ago? 20?
Would an attack on your server get a response from the FBI and the DOJ?

That influence doesn't have to be the Linux Foundation; it could also be
corporate or other powerful entities that are heavily invested in it, such as
IBM.

------
ratsmack
I know that motive will sometimes play into the sentencing, so it will be
interesting to see what reason he had to gain access to the servers. I can't
imagine what monetary gain there may have been, so it must have been something
else.

------
hashin
One silver lining I would like to see is that public facing websites are
starting to use the word 'programmer' rather than the plain old 'hacker'
slang.

~~~
tsegers
I'm not quite sure if that's a silver lining, as its usage in such a way
might do to the word "programmer" what it did to the word "hacker", namely
turn an innocent word into one with connotations people would rather not
associate themselves with.

------
gjolund
Why is him being from FL relevant?

------
raverbashing
Good

As much as technical solutions to security are important, there, the legal
aspect should not be forgotten

~~~
aviraldg
40 years, or even 10 years is not a reasonable sentence for cybercrime. It
should be no more than 2-3 years in the severest of cases.

~~~
lm2s
IMO it really depends on the cybercrime. Maybe in this instance 2-3 years
should be sufficient. I can, however, imagine scenarios where much longer
sentences should be applied. If a cybercrime results in human casualties, for
(a more extreme) example.

~~~
djsumdog
...and the board of directors of many major banks should all be in jail after
the 2008 financial crisis. They're not only free, many of them kept their
bonuses.

1% of Americans are in the incarceration system or out on parole. That's more
than all of the other high income countries.

Our legal system is hardly fair, and this is another example of it.

~~~
tptacek
Unfortunately for this argument, the framers of the Constitution were pretty
firm about the idea that for people to be sent to prison, they had to violate
a law _already on the books at the time the crime was committed_, and that
the burden of proof for establishing the violation was on the prosecution, not
the defendant.

------
puppetmaster3
Is kernel.org open source?

Why do you need to hack in to access it?

Is there something in kernel that is hidden I wonder.

------
soufron
Hacking hackers is a dangerous game.

