The disturbing case of Gary McKinnon


D. Lyon

Some of you may be familiar with Gary McKinnon, while others may not.
For those who need an introduction, read on…

The Crime
Between February 2001 and March 2002, Scotsman Gary McKinnon illegally accessed several computer systems belonging to the US Government.  His mission?  To discover classified evidence of the suppression of free energy technology, UFO cover-ups, and other high-level and equally fantastic conspiracies.

Specifically, it is said Mr McKinnon accessed systems belonging to the US Army, US Navy, Department of Defence, NASA, and the US Air Force.

I will draw your attention to the use of the word “accessed” in this article.  Most media outlets have tended to report that Mr McKinnon “hacked” these systems.

The trouble with this word is that the public, having watched The Matrix, Swordfish and countless other Hollywood cyber-thriller productions, tend to perceive this in an extremely negative way.  The perpetrators in those films are usually anarchists who desire to disrupt society, terrorise the population and/or cause mayhem from a distant secret lair.  They can write viruses to acquire your identity, steal millions of dollars, track you as you walk in the street, listen to your phone-calls, read your emails and all sorts of other things in a world of ‘hi-technophobia’ and paranoia.

It is a perception that has slowly penetrated the public consciousness and has become almost synonymous with any real-world reported computer ‘hack’.

Outwith computing parlance, the word “hack” literally means to attack something with a sharp instrument.  Thus, to the casual observer the ‘hack’ is the computing equivalent of a physical attack or assault, resulting in injury or serious damage to the victim.  Violence, harm, aggression and negativity.  This is what ‘hack’ says to many people.

This is a misconception and the result of lazy reporting by the media, and here’s why:

The Software Hack:
In reality, the expression ‘hack’ was originally coined to refer to a computer programmer modifying another programmer’s finished code.  The programmer would essentially dismantle the finished product with the intention of making minor modifications and improvements.  In doing so, he would ‘hack’ the original program to pieces, insert and modify his own hasty additions into the spaces, before stitching it back up for use.  It is often harmless and is usually a positive process to improve or re-use a piece of work.  It is the original software ‘hack’.

Of course, as we have observed, the word has evolved to take on a new meaning, partly confused by its use in other common contexts, but also by its overuse as a catch-all description for any and all computer-related crime.  Any time an unauthorised party breaches a computer system, ‘hack’ is trotted out by the tabloid press.  Those who are found trespassing are ‘hackers’. 

And so we return to the case of Gary McKinnon, who has become a victim of uninformed and often lazy reporting of a complex and technical subject.

Without any real details or specifics of what happened, the media are reporting that Mr McKinnon ‘hacked’ these systems.  He is currently facing extradition to the United States under anti-terror laws and could face years in an American prison.

But what is Gary McKinnon’s alleged crime?  What is the crime that merits such a harsh sentence?  Did he ‘hack’ the US Government?  Promote terror among the citizens?  Disrupt and threaten national security?  Endanger lives?

Did he crack a code?  Brute-force a password?  Evade a complex security protocol and force his way in?

Well, not quite.

Non-Existent Security
Gary McKinnon used a simple automated program to discover that network security managers of certain US Government private networks were incompetent … amazingly incompetent!!

As it turns out, the systems that Mr. McKinnon gained entry to were effectively open to anyone with the knowledge to find them.  Being completely insecure, there was no security to ‘hack’.

They were, as an IT engineer would put it, “visible from the internet” and “using blank or default passwords”.  They also used extremely simple usernames, such as “John” or “Brian”.

An appropriate analogy would be a house with several unlocked doors and a sign saying “Do not enter”.  Gary McKinnon pushed all of the doors, and discovered one was open, unlocked, and totally unsecured.  This was the extent of his so-called ‘hack’.

To give a more technically accurate version of this ‘hack’, Mr. McKinnon wrote a simple script which automatically tried a large list of common user names with blank or default passwords.  Each time it recorded a failure, it tried another one.  With a computer, you can do this extremely fast.  When a positive login is achieved, the details used are recorded.  It is known as a “brute-force” attack.

We use the word “attack” loosely here, as no actual damage is done in this process.  The above door-pushing analogy is a “brute-force attack” in the same sense.  The “brute” at work here is simply the raw processing power of the computer that allows the task to be performed many times faster than a human could achieve.
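The pattern described above is also easy for a defender to spot, because one source trying many different user names in quick succession stands out in any login log.  The following is an added example, not part of the original article: the log format, the function names and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines; assumed format: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-01-10T03:14:01 198.51.100.7 john FAIL
2024-01-10T03:14:02 198.51.100.7 brian FAIL
2024-01-10T03:14:03 198.51.100.7 admin FAIL
2024-01-10T03:14:04 198.51.100.7 guest FAIL
2024-01-10T03:14:05 198.51.100.7 backup OK
2024-01-10T03:14:06 198.51.100.7 test FAIL
2024-01-10T08:30:00 192.0.2.10 alice FAIL
2024-01-10T08:30:20 192.0.2.10 alice OK
2024-01-10T09:00:00 192.0.2.11 bob OK
"""

def parse(log_text):
    """Group login events by source address, skipping malformed lines."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, user, result = parts
        by_source[src].append((datetime.fromisoformat(ts), user.lower(), result == "OK"))
    return by_source

def find_guessing_sources(log_text, min_usernames=5, window_seconds=60):
    """Flag sources that try many distinct usernames inside one time window."""
    findings = {}
    for src, events in parse(log_text).items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for when, user, _ in events:
            in_window[user] += 1
            # Slide the window forward: drop attempts older than window_seconds.
            while (when - events[start][0]).total_seconds() > window_seconds:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_usernames:
            # Accounts that actually logged in from a flagged source need urgent review.
            hits = sorted({u for _, u, ok in events if ok})
            findings[src] = {"distinct_usernames": peak, "successful_logins": hits}
    return findings
```

A user who mistypes a password and then logs in, like the constructed `alice` entries, is not flagged; only the source cycling through many account names is.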

If the administrators were competent in their profession, this would never have happened.  To go back to the analogy, the private property would have been properly secured with a door-lock; without a lock you are reliant on luck in order to maintain security and privacy.  Luck is not an infinite resource, as the US administrators have now discovered. 

Ordinarily an organisation would employ a piece of hardware called a ‘firewall’ to block inbound connections from public networks.  In layman’s terms, this means internet users would be prevented from accessing any resource on the private network.  It wouldn’t matter if they had a valid username and password, or any other details … a properly-configured firewall would block them unconditionally.

After all, why would you run the risk of allowing internet users to even see the door to your network, let alone push it?  It would make no sense; you need only allow internal connections, connections to people who are inside the organisation.  They are the only ones who need access.

Even then, you still employ properly secured and tested passwords as an additional layer of security.  The passwords can be rotated/changed every month, so that any leaked credentials remain usable only for a limited time before they become obsolete.

This is a simple multi-layered security protocol that virtually every large competent organisation on the planet employs.  Every organisation, that is, except certain departments of the US Government.  They seem, or perhaps seemed, to think that simply hiding an open door in relative obscurity was sufficient.  Gary McKinnon proved them wrong.

Mr McKinnon claims that he did little more than look around, and leave notes … one a melodramatic text message:

“US foreign policy is akin to Government-sponsored terrorism these days…
It was not a mistake that there was a huge security stand down on September 11 last year
I am SOLO. I will continue to disrupt at the highest levels …”

As any IT engineer will tell you, these kids love their dramatic speeches and cool names.  ‘SOLO’ left this one bogey-man threat somewhere in the US Government’s system.

This brings us in turn to the next point…

The Damage?
The official report cites the total cost of the damage caused by the intrusion as being $700,000.  What was it exactly that cost this meteoric sum of money to repair?

Let’s have a look at the official report, available on the UK Government website:

4.   The appellant is a 42 year old British citizen, an unemployed computer systems administrator. On 7 October 2004 the respondent government requested his extradition to the United States alleging that between 1 February 2001 and 19 March 2002 he had gained unauthorised access to 97 US Government computers from his home computer in London.

Yep.  He ‘hacked’ them.  Onward…

11.  Using his home computer the appellant, through the internet, identified US Government network computers with an open Microsoft Windows connection and from those extracted the identities of certain administrative accounts and associated passwords. Having gained access to those accounts he installed unauthorised remote access and administrative software called “remotely anywhere” that enabled him to access and alter data upon the American computers at any time and without detection by virtue of the programme masquerading as a Windows operating system. Once “remotely anywhere” was installed, he then installed software facilitating both further compromises to the computers and also the concealment of his own activities. Using this software he was able to scan over 73,000 US Government computers for other computers and networks susceptible to similar compromise. He was thus able to lever himself from network to network and into a number of significant Government computers in different parts of the USA.

He identified an “open Microsoft Windows connection”.  There’s the incompetence!!  He then used this to install a program that would let him easily remotely control their system to open programs and look at files.  There then follows the most vague charge of them all:  He installed “software” that facilitated “further compromises”.
In other words, he “looked around”.  Doesn’t sound as dangerous when you put it that way, does it?

13.  Having gained access to these computers the appellant deleted data from them including critical operating system files from nine computers, the deletion of which shut down the entire US Army’s Military District of Washington network of over 2000 computers for 24 hours, significantly disrupting Governmental functions; 2,455 user accounts on a US Army computer that controlled access to an Army computer network, causing these computers to reboot and become inoperable; and logs from computers at US Naval Weapons Station Earle, one of which was used for monitoring the identity, location, physical condition, staffing and battle readiness of Navy ships, deletion of these files rendering the Base’s entire network of over 300 computers inoperable at a critical time immediately.

Here we have some specifics… but not much.  “Critical operating system files” could be anything, depending on the definition of “critical”.  No elaboration is given.  Everything can be “critical” for something, inside and outside of computing.  Your socks are “critical” to your movement to work; removing them would “disrupt” operation of your place of work in equally vague ways.  You wouldn’t be sent to Guantanamo Bay for it under anti-terror laws, though.
The systems rendered “inoperable”… why were they inoperable?  Was it because they had to assume the worst, and audit for possible damage?  It doesn’t say.

15.  The appellant’s conduct was alleged to be intentional and calculated to influence the US Government by intimidation and coercion. It damaged computers by impairing their integrity, availability and operation of programmes, systems, information and data, rendering them unreliable. The cost of repair was alleged to total over $700,000. 

Uh… yeah.  The Google toolbar can do this to a computer.  Do they owe every user $700,000 in damages as well?

Here’s the only specific breakdown of part of the cost:
“As was made clear, upon a plea of guilty, the prosecutor was prepared to put the damage resulting from the appellant’s actions (the extent of the damage being of substantial relevance to the points calculation) in a lower bracket ($400,000 – $1m) than they believed they could prove. The lower figure is based merely on calculating the hours it took employees to conduct a damage assessment and to restore the compromised computer systems, multiplying the hours by the employee’s hourly wage.”

In other words, their systems were compromised, and they had to pay people to assess them for possible damage, without confirmation that any damage had taken place, and also had to close the security holes left by their own administrators.

So, to cut a long story short, the US Government’s system administrators failed in their duty to maintain the security and integrity of their network from outside intruders.  In doing so, they cost their employer a large sum of money to perform audits and assessments of possible damage.

The only specifics of what actually occurred after he accessed the system have come from Mr. McKinnon himself.  The claims made by the US Government are simply too vague to be taken seriously.  Certainly not enough to warrant the extradition of this man, whose only ‘crime’ was allowing his curiosity to get the better of him, with the aid of a few incompetent and lazy network administrators who have somehow escaped any sort of consequence.

The Punishment
Now, as we come to the end, I have a question:  Why is Gary McKinnon being extradited for the failures of US Government employees?  Why is he shouldering the blame and punishment for their incompetence?

The answer is as simple as his crime is terrible:  Gary McKinnon embarrassed the United States. 

That is Gary McKinnon’s real crime.  Uncle Sam’s ego is his most sensitive organ, it would seem, and he gave it a pounding.  He walked into their system, looked around, and walked back out.  He did it for months, under the nose of the most powerful nation on Earth.

There are two possible ways to deal with this:

1. Fire the incompetent employees who caused the mess, and recruit smarter people to do the job properly.  Pay for the clean-up, accept fault, and learn from the mistake.  Be thankful that the individual was not malicious and did not cause any real damage.

2. Refuse to recognise your fault.  Instead, make an example out of the intruder, shift the blame onto him through vague and baseless claims with no proof offered.  Ruin his life as punishment for daring to expose the truth of the incompetence of the US Government.

The United States has, unfortunately, opted for option 2 and the UK Government has supported this travesty of justice.

One has to wonder if they even understand anything of what has apparently transpired?  The facts of the case involve technical details of computer systems.

Did Jack Straw really understand the nature of these charges?  Did he simply assume that someone, somewhere would have spoken up were they false?  That the details of the case would have passed in front of at least one person who understood it, and would have spoken up on realising it was a farce?

If a smaller country made a similar demand with similar reported details of a crime, would this extradition be going ahead in this manner, or is it simply a case of yielding to someone bigger than you?

When all has been said and done, one thing is for sure… with nobody prepared to take a stand and examine the case properly, UFOs and concealment of free energy are now the least of Gary McKinnon’s worries.

Gary McKinnon also suffers from Asperger’s syndrome.

But at least he found some UFOs.
