Penetration Testing mailing list archives

Re: Default Admin Account


From: pand0ra <pand0ra.usa () gmail com>
Date: Tue, 10 Feb 2009 13:07:30 -0700

My .02 is that the govt failed to do their due diligence, here's the
sign for them for being stupid (if it really was because of default
passwords). On the other side, Gary knew he was not authorized on the
system(s) he broke into. He knew he was committing a crime. He did not
report any of the security issues to the govt either to show a concern
for the problem. Additionally, he is stating in his note that his goal
is to disrupt something, showing his intentions to be a miscreant. If
it was 1 computer system and he didn't leave a stupid note then I could
see the "I didn't know" excuse but here it seems that he was attacking
the systems. The "damages" most likely had come from the forensics and
recovery of his actions. No one knows what he did or to how many
systems so it will cost money to get people to look into that.


http://en.wikipedia.org/wiki/Gary_McKinnon

"The Glasgow-born systems administrator who attended Highgate Wood
Secondary School in north London, is accused of hacking into 97 United
States military and NASA computers in 2001 and 2002. The computer
networks he is accused of hacking include networks owned by NASA, the
US Army, US Navy, Department of Defense, and the US Air Force. The US
estimates claim the costs of tracking and correcting the problems he
allegedly caused were around $700,000 but he has always denied causing
any damage and disputes the financial loss claimed by the US. He did
admit leaving a note on one computer:

    US foreign policy is akin to government-sponsored terrorism these
    days... It was not a mistake that there was a huge security stand-down
    on September 11 last year... I am SOLO. I will continue to disrupt at
    the highest levels."




On Mon, Feb 2, 2009 at 9:48 AM, J.Hart, Elec.Eng.Tech.
<starnetmaster () gmail com> wrote:
Hey all,

I have been following the Gary McKinnon case for years now.
My interest is in the legal area of penetration testing and the
evolution of cyber law.
What do IT Security experts and pen-testers think about the default
administration account on the US Military machines? You can read about
the case here http://freegary.org.uk/

--
"For the best in web site design - StarNET
http://www.s-t-a-r.net





