Gary McKinnon faces extradition, and a lifetime in prison, for
breaking into computers at the Pentagon and Nasa. He tells Geneviève
Roberts how it all started as a harmless prank
Published: 12 July 2006
Gary McKinnon, accused of the "biggest military hack of all time" by
US prosecutors, is sitting in his local, rolling a cigarette. Only
his shredded fingernails betray the fear he has lived through in the
past four years.
In that time, his former addiction to hacking has lost him his
girlfriend and career in IT, and is now threatening to incarcerate
him for the rest of his life. He faces 60 years in an American prison
after Home Secretary John Reid agreed last week to his extradition, a
decision he is appealing against.
The 40-year-old is accused of repeatedly hacking into dozens of
computers used by the Pentagon, Nasa, the US Army, Navy and Air Force
between February 2001 and March 2002.
Sitting in his north London bedroom, using a cheap computer and
dial-up modem, he allegedly caused £370,000 worth of damage. "They say I
took down an entire military facility in Washington, which I
certainly hope isn't possible," he says.
He admits breaking into the American systems - and says he "regrets
it absolutely" - but denies causing damage. His actions were
motivated simply by curiosity, he says, and none of the computers he
hacked into were password-encrypted. In fact, the security was so low
that he insists he could "give you an A4 sheet to tell you exactly
how to do it. It took my understanding to compile the tools and the
method, but I wasn't alone."
Every night when the IT worker accessed these computers with software
he bought legally online, he could see other unauthorised users
getting into the same networks, from China, Turkey, Holland and
Germany. "That is where they were routing themselves through. And
when I checked the IP addresses [the computer equivalent of a street
address], they did not belong to American military bases, so they
certainly were not authorised - just as I wasn't."
He believes the US wants to make an example of him. "Rather than have
attention drawn to their lack of security, they want to make me a
scapegoat. They want to say to other hackers, 'Step on our territory,
and this is what happens.' In this country, unauthorised access would
mean maybe six months in prison under the Computer Misuse Act 1990.
For it to be an extraditable offence to America, it has to be worth
one year in prison, and for it to be a cyber crime worth one year in
prison, you have to have done $5,000 worth of damage. So, lo and
behold, as if by magic, on every machine I have done $5,000 worth of
damage."
McKinnon lived in Scotland until he was six and became interested in
computer security after reading The Hacker's Handbook in 1985. He got
his first computer when he was 14, loved playing games and learnt to
use Basic, then machine code, the lowest-level programming language
made up entirely of numbers. "From about 14 to 17 I was completely
blinkered - learning programming, writing my own games. I was into
graphics and artificial intelligence."
For a few years, from the age of 17, he lost interest in computers
when he started going to pubs with friends. When his interest
revived, someone suggested he should get an IT qualification. He
failed his degree at the University of North London because he
struggled with further maths, but found a career in IT nonetheless.
Then, in 2000, he started hacking. He chose the US government and
military because he believes they have evidence of the existence of
UFOs. He accessed computers by running a port scanner. "A television
has channels, a computer has ports. The web is port 80, your e-mail
is port 110 for collecting and port 25 for sending. The port for
logging on to Windows machines is 139. Doing a scan where you're
looking for one port is really fast - I could scan 65,000 machines in
under nine minutes.
"The first scan would only identify Windows machines. After that you
run a secondary scan saying, 'OK, this is a Windows machine, but can
I actually talk to it across the port?' A few would go, and a few
would still be left open. Then after that, there's a third stage
where you say, 'OK, I can talk to them, is there a blank password?'
Then you do your harvesting, and you end up with a big list of
administrator-level, powerful accounts."
Once there, it became harder, as he wormed his way from one part of
the network to another, eventually gaining control of the whole
network and being able to search for files. "I was buying commercial
off-the-shelf software," he says. "I wrote one little script that
tied together all these other people's programmes. I just made the
glue."
So would it be easy for a terrorist to hack into computer systems in
this way? "I used to leave notes on the system administrator's
machine, mixed in with political diatribes, saying, 'Your security is
awful.'"
He found hacking addictive. "I wasn't even looking after myself at
the end, let alone being a bad boyfriend. I wasn't washing properly,
I was hardly seeing friends. It's a very unhealthy obsession," he
says. He split up with his girlfriend but continued to live with her.
"There is that aspect of the illicit thrill of being where you
shouldn't be," he says. "But the main thing that drove me on was, I
had to get something concrete, which is what happened in the end." He
lists his findings, the sort of thing that amount to proof for those
who want to believe in UFOs, but may fail to persuade others: a
spreadsheet headed "non-terrestrial officers", lists of transfers of
vehicles not registered to the US military. Also, something he says
was called the disclosure project, which included 400 testimonials of
UFO sightings, and photos which he speculates were airbrushed to
remove evidence of alien spacecraft.
While hacking, he had to be aware of the difference in time zones,
because eventually he had graphical control of machines - that is, he
could see the desktop of another computer in his web browser. "I got
caught because I had got the time zone wrong, and someone still in
the office saw the mouse move."
He says that Nasa contacted the National Hi-tech Crime Unit in
November 2001, and they monitored him until February. "They saw I was
not doing damage, but was exploring," he says.
Also, he used either his or his girlfriend's e-mail address to
download a trial copy of a programme used by IT administrators to
gain access to machines remotely. "It was stupid, but this stands in
my favour because it shows I am not a professional hacker, because
they would not do that," he says.
So how can you tell a professional hacker? "I don't know any, but I
would assume they are very good programmers who use the language of
the internet (TCP/IP), a very low-level language. And I would assume
they don't get caught."
At 8.30am in March 2002, the police arrived at the Crouch End home of
his former girlfriend's aunt, where he still lived. "I had been
asleep for an hour, having been up all night doing the usual. I
thought I was dreaming," he says. The police took his computer, his
former girlfriend's computer, her aunt's computer, and four other
computers he was fixing for people.
McKinnon was taken to Holloway police station, where he was
interviewed and admitted having accessed US military computers. He
was not charged, but in November 2002 he was indicted by the US
government. "The UK police asked me whether I was a member of
al-Qa'ida," he says. "But they realised I have no terrorist links and I
didn't make any money out of the thing."
I ask whether he is the "bumbling computer nerd" that has been
portrayed in the press. "I suppose I was bumbling, because I didn't
know where I was half the time. You get on to one military network to
exploit what they call a trust relationship - once you are on a
network that is trusted by another network, you have more access."
But he prefers to describe himself as someone who took the wrong road
to prove his case.
Are many computer networks easy to hack into? He says that out of
curiosity he did a scan of large financial institutions to see
whether they operated in a similar way, with blank passwords, and
found that they were vulnerable to hackers. With so many guides to
hacking on the internet, he says learning to be an amateur hacker is
not hard. "Even without IT training, I think that in a month you
could start doing something similar to what I did."
Late last year, the US began extradition proceedings. At McKinnon's
first hearing in April, the prosecution produced an unsigned note
from the US Embassy guaranteeing that he would not be tried under US
Military Order Number One, a trial behind closed doors intended for
terrorists. Because the note was unsigned, his lawyers have argued
this is not binding, and McKinnon is terrified he faces a secret
tribunal with no public appeal.
Last week, John Reid agreed to the extradition. McKinnon is appealing
against the decision. For now, he is constantly stressed. "Imagine if
you have a big worry - a huge bill that you cannot pay and may be
thrown out of your house for - it's constantly in the background, you
don't ever properly relax."
If the appeal is unsuccessful, he will be extradited under the same
treaty that means the NatWest Three are facing trial in the US rather
than England. McKinnon joins the scores of politicians and business
people who object to this law. "A treaty has to have at least two
signatories, but the only signature is Britain. The Senate hasn't
ratified it yet so it is a one-sided treaty, but we are extraditing
people on the strength of it. We cannot do the same to American
citizens. It is meant to be a fast-track law for terrorism, but it is
white-collar crime across the board," he says. His lawyer has argued
that he could just as effectively be tried in the UK, but says that
America is seeking administrative revenge.
No one in Britain has previously been extradited for hacking, but
McKinnon's case bears similarities with that of Mathew Bevan, who was
arrested for hacking into US military computers on a search for
evidence of UFOs a decade ago. Efforts were made to extradite Bevan,
but they failed. The case collapsed in 1997 after a British judge was
told he was no threat to security. Bevan now runs his own computer
consultancy.
Hacking into Pentagon computers may not elicit sympathy, but the
concern is whether McKinnon will receive a sentence proportionate to
the crime. He fears that the American government may choose to focus
its energy on imprisoning him until he's 100, rather than making sure
computers are protected by passwords to stop hacking by real
terrorists.
Meanwhile, the waiting continues. He cannot get a job, but hates not
working. He says that ironically, computers are saving him from
boredom because he is learning another programming language, C++. "I
have had to kind of turn myself off, just to get through it. I'm
bouncing off the bloody walls," he says. And what happens if his
appeal fails? "Apparently you get a letter saying please come to
Heathrow airport. I think in my case, I'll probably get two US
marshals at my door."
McKinnon's guide to beating Windows hackers
There are some computer programmes, a little like dictionaries, that
scan for passwords using combinations of letters. So make sure you
come up with a good password that is a mixture of numbers, letters
and punctuation marks.
Review your log-on and log-off times to check whether anyone else has
logged on.
Have good anti-virus software and a good firewall.
Turn off the remote registry service, which enabled McKinnon to do
his querying and set in place scans.
Turn off the messenger service - it's in the Control Panel under
Administrative Tools, then Services, and anyone can access it. You know if
your messenger service is on because it gives pop-ups on the desktop
(not internet pop-ups) when nothing else is happening.
For anyone who thinks there is nothing sensitive on their computer,
and therefore no reason for hackers to access their machines, bear in
mind that hackers would "jump through" your machine to gain access to
a machine with information they do want.
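
The log-on review recommended in the guide above, sketched as an added example (it is not from the article or from McKinnon): it flags log-ons whose source address lies outside the site's own networks, the same check he describes making on the other intruders' IP addresses, or whose time falls outside local working hours. The record format, address ranges, UTC offset and working hours are all assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumptions for this example (not from the article): the site's own address
# ranges, its fixed UTC offset (daylight saving ignored) and its working hours.
SITE_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")]
SITE_TZ = timezone(timedelta(hours=-5))
WORK_HOURS = range(7, 19)  # 07:00-18:59 local time

# Constructed sample records: UTC timestamp, account, source address.
SAMPLE_LOG = """\
2002-01-14T14:05:00Z,jsmith,10.20.4.17
2002-01-14T15:30:00Z,administrator,198.51.100.23
2002-01-15T07:40:00Z,administrator,10.20.9.3
2002-01-15T08:10:00Z,backup,203.0.113.77
"""

def parse(line):
    """Split one record into (aware UTC datetime, account, IP address)."""
    stamp, account, source = line.strip().split(",")
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, account, ip_address(source)

def review(log_text):
    """Return (account, source, local time, reasons) for each suspicious log-on."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, account, source = parse(line)
        # Judge the hour in the site's local time, not the log's UTC.
        local = when.astimezone(SITE_TZ)
        reasons = []
        if not any(source in net for net in SITE_NETWORKS):
            reasons.append("source outside site networks")
        if local.hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:
            findings.append((account, str(source), local.strftime("%Y-%m-%d %H:%M"), reasons))
    return findings

if __name__ == "__main__":
    for account, source, local, reasons in review(SAMPLE_LOG):
        print(f"{local} {account} from {source}: {', '.join(reasons)}")
```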