Gary McKinnon: Inside the head of a super hacker
Gary McKinnon faces extradition, and a lifetime in prison, for breaking into computers at the Pentagon and Nasa. He tells Geneviève Roberts how it all started as a harmless prank
Published: 12 July 2006
Gary McKinnon, accused of the "biggest military hack of all time" by US prosecutors, is sitting in his local, rolling a cigarette. Only his shredded fingernails betray the fear he has lived through in the past four years.
In that time, his former addiction to hacking has lost him his girlfriend and career in IT, and is now threatening to incarcerate him for the rest of his life. He faces 60 years in an American prison after Home Secretary John Reid agreed last week to his extradition, a decision he is appealing against.
The 40-year-old is accused of repeatedly hacking into dozens of computers used by the Pentagon, Nasa, the US Army, Navy and Air Force between February 2001 and March 2002.
Sitting in his north London bedroom, using a cheap computer and dial-up modem, he allegedly caused £370,000 worth of damage. "They say I took down an entire military facility in Washington, which I certainly hope isn’t possible," he says.
He admits breaking into the American systems – and says he "regrets it absolutely" – but denies causing damage. His actions were motivated simply by curiosity, he says, and none of the computers he hacked into were password-encrypted. In fact, the security was so low that he insists he could "give you an A4 sheet to tell you exactly how to do it. It took my understanding to compile the tools and the method, but I wasn’t alone."
Every night when the IT worker accessed these computers with software he bought legally online, he could see other unauthorised users getting into the same networks, from China, Turkey, Holland and Germany. "That is where they were routing themselves through. And when I checked the IP addresses [the computer equivalent of a street address], they did not belong to American military bases, so they certainly were not authorised – just as I wasn’t."
He believes the US wants to make an example of him. "Rather than have attention drawn to their lack of security, they want to make me a scapegoat. They want to say to other hackers, ‘Step on our territory, and this is what happens.’ In this country, unauthorised access would mean maybe six months in prison under the Computer Misuse Act 1990. For it to be an extraditable offence to America, it has to be worth one year in prison, and for it to be a cyber crime worth one year in prison, you have to have done $5,000 worth of damage. So, lo and behold, as if by magic, on every machine I have done $5,000 worth of damage."
McKinnon lived in Scotland until he was six and became interested in computer security after reading The Hacker’s Handbook in 1985. He got his first computer when he was 14, loved playing games and learnt to use Basic, then machine code, the lowest-level programming language made up entirely of numbers. "From about 14 to 17 I was completely blinkered – learning programming, writing my own games. I was into graphics and artificial intelligence."
For a few years, from the age of 17, he lost interest in computers when he started going to pubs with friends. When his interest revived, someone suggested he should get an IT qualification. He failed his degree at the University of North London because he struggled with further maths, but found a career in IT nonetheless.
Then, in 2000, he started hacking. He chose the US government and military because he believes they have evidence of the existence of UFOs. He accessed computers by running a port scanner. "A television has channels, a computer has ports. The web is port 80, your e-mail is port 110 for collecting and port 25 for sending. The port for logging on to Windows machines is 139. Doing a scan where you’re looking for one port is really fast – I could scan 65,000 machines in under nine minutes.
"The first scan would only identify Windows machines. After that you run a secondary scan saying, ‘OK, this is a Windows machine, but can I actually talk to it across the port?’ A few would go, and a few would still be left open. Then after that, there’s a third stage where you say, ‘OK, I can talk to them, is there a blank password?’ Then you do your harvesting, and you end up with a big list of administrator-level, powerful accounts."
Once there, it became harder, as he wormed his way from one part of the network to another, eventually gaining control of the whole network and being able to search for files. "I was buying commercial off-the-shelf software," he says. "I wrote one little script that tied together all these other people’s programmes. I just made the glue."
So would it be easy for a terrorist to hack into computer systems in this way? "I used to leave notes on the system administrator’s machine, mixed in with political diatribes, saying, ‘Your security is awful.’"
He found hacking addictive. "I wasn’t even looking after myself at the end, let alone being a bad boyfriend. I wasn’t washing properly, I was hardly seeing friends. It’s a very unhealthy obsession," he says. He split up with his girlfriend but continued to live with her.
"There is that aspect of the illicit thrill of being where you shouldn’t be," he says. "But the main thing that drove me on was, I had to get something concrete, which is what happened in the end." He lists his findings, the sort of thing that amount to proof for those who want to believe in UFOs, but may fail to persuade others: a spreadsheet headed "non-terrestrial officers", lists of transfers of vehicles not registered to the US military. Also, something he says was called the disclosure project, which included 400 testimonials of UFO sightings, and photos which he speculates were airbrushed to remove evidence of alien spacecraft.
While hacking, he had to be aware of the difference in time zones, because eventually he had graphical control of machines – that is, he could see the desktop of another computer in his web browser. "I got caught because I had got the time zone wrong, and someone still in the office saw the mouse move."
He says that Nasa contacted the National Hi-tech Crime Unit in November 2001, and they monitored him until February. "They saw I was not doing damage, but was exploring," he says.
Also, he used either his or his girlfriend’s e-mail address to download a trial copy of a programme used by IT administrators to gain access to machines remotely. "It was stupid, but this stands in my favour because it shows I am not a professional hacker, because they would not do that," he says.
So how can you tell a professional hacker? "I don’t know any, but I would assume they are very good programmers who use the language of the internet (TCP/IP), a very low-level language. And I would assume they don’t get caught."
At 8.30am in March 2002, the police arrived at the Crouch End home of his former girlfriend’s aunt, where he still lived. "I had been asleep for an hour, having been up all night doing the usual. I thought I was dreaming," he says. The police took his computer, his former girlfriend’s computer, her aunt’s computer, and four other computers he was fixing for people.
McKinnon was taken to Holloway police station, where he was interviewed and admitted having accessed US military computers. He was not charged, but in November 2002 he was indicted by the US government. "The UK police asked me whether I was a member of al-Qa’ida," he says. "But they realised I have no terrorist links and I didn’t make any money out of the thing."
I ask whether he is the "bumbling computer nerd" that has been portrayed in the press. "I suppose I was bumbling, because I didn’t know where I was half the time. You get on to one military network to exploit what they call a trust relationship – once you are on a network that is trusted by another network, you have more access." But he prefers to describe himself as someone who took the wrong road to prove his case.
Are many computer networks easy to hack into? He says that out of curiosity he did a scan of large financial institutions to see whether they operated in a similar way, with blank passwords, and found that they were vulnerable to hackers. With so many guides to hacking on the internet, he says learning to be an amateur hacker is not hard. "Even without IT training, I think that in a month you could start doing something similar to what I did."
Late last year, the US began extradition proceedings. At McKinnon’s first hearing in April, the prosecution produced an unsigned note from the US Embassy guaranteeing that he would not be tried under US Military Order Number One, a trial behind closed doors intended for terrorists. Because the note was unsigned, his lawyers have argued this is not binding, and McKinnon is terrified he faces a secret tribunal with no public appeal.
Last week, John Reid agreed to the extradition. McKinnon is appealing against the decision. For now, he is constantly stressed. "Imagine if you have a big worry – a huge bill that you cannot pay and may be thrown out of your house for – it’s constantly in the background, you don’t ever properly relax."
If the appeal is unsuccessful, he will be extradited under the same treaty that means the NatWest Three are facing trial in the US rather than England. McKinnon joins the scores of politicians and business people who object to this law. "A treaty has to have at least two signatories, but the only signature is Britain. The Senate hasn’t ratified it yet so it is a one-sided treaty, but we are extraditing people on the strength of it. We cannot do the same to American citizens. It is meant to be a fast-track law for terrorism, but it is white-collar crime across the board," he says. His lawyer has argued that he could just as effectively be tried in the UK, but says that America is seeking administrative revenge.
No one in Britain has previously been extradited for hacking, but McKinnon’s case bears similarities with that of Mathew Bevan, who was arrested for hacking into US military computers on a search for evidence of UFOs a decade ago. Efforts were made to extradite Bevan, but they failed. The case collapsed in 1997 after a British judge was told he was no threat to security. Bevan now runs his own computer consultancy.
Hacking into Pentagon computers may not elicit sympathy, but the concern is whether McKinnon will receive a sentence proportionate to the crime. He fears that the American government may choose to focus its energy on imprisoning him until he’s 100, rather than making sure computers are protected by passwords to stop hacking by real terrorists.
Meanwhile, the waiting continues. He cannot get a job, but hates not working. He says that ironically, computers are saving him from boredom because he is learning another programming language, C++. "I have had to kind of turn myself off, just to get through it. I’m bouncing off the bloody walls," he says. And what happens if his appeal fails? "Apparently you get a letter saying please come to Heathrow airport. I think in my case, I’ll probably get two US marshals at my door."
McKinnon’s guide to beating Windows hackers
There are some computer programmes, a little like dictionaries, that scan for passwords using combinations of letters. So make sure you come up with a good password that is a mixture of numbers, letters and punctuation marks.
Review your log-on and log-off times to check whether anyone else has logged on.
Have good anti-virus software and a good firewall.
Turn off the remote registry service, which enabled McKinnon to do his querying and set in place scans.
Turn off the messenger service – it’s in the control panel under Administrative Tools, then Services, and anyone can access it. You know if your messenger service is on because it gives pop-ups on the desktop (not internet pop-ups) when nothing else is happening.
For anyone who thinks there is nothing sensitive on their computer, and therefore no reason for hackers to access their machines, bear in mind that hackers would "jump through" your machine to gain access to a machine with information they do want.
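An added example, not part of the original article: a read-only PowerShell audit of the checklist above (the two services, accounts that may have a blank password, and recent remote logons). It assumes PowerShell 5.1 or later run as administrator, with logon auditing enabled so that Security event 4624 is recorded; the seven-day window is an arbitrary choice.

```powershell
# Added example: read-only audit of the settings named in the checklist.
# Assumes an elevated PowerShell 5.1+ prompt on the machine being checked.

# 1. Services the checklist says to turn off. "Messenger" exists only on
#    Windows 2000/XP-era systems, so a missing service is reported, not an error.
$services = foreach ($name in 'RemoteRegistry', 'Messenger') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        [pscustomobject]@{ Service = $name; Status = 'NotInstalled'; StartType = 'n/a'; Ok = $true }
    } else {
        [pscustomobject]@{
            Service   = $name
            Status    = $svc.Status.ToString()
            StartType = $svc.StartType.ToString()
            Ok        = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
        }
    }
}

# 2. Enabled local accounts that are permitted to have a blank password
#    (PasswordRequired = False means "may be blank", not "is blank").
$weakAccounts = Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    Select-Object Name, LastLogon, PasswordLastSet

# 3. Network (type 3) and remote-desktop (type 10) logons in the last 7 days,
#    grouped by account and source address so unfamiliar sources stand out.
$since  = (Get-Date).AddDays(-7)
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $_.Properties[5].Value    # TargetUserName
            LogonType = $_.Properties[8].Value    # LogonType
            Source    = $_.Properties[18].Value   # IpAddress
        }
    } |
    Where-Object { ($_.LogonType -in @(3, 10)) -and ($_.Source -notin @('-', '::1', '127.0.0.1')) }

$services     | Format-Table -AutoSize
$weakAccounts | Format-Table -AutoSize
$logons | Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize

# To apply the checklist's fix to a service flagged Ok = False:
#   Stop-Service -Name RemoteRegistry; Set-Service -Name RemoteRegistry -StartupType Disabled
```

Any row in the second table is an account worth giving a strong password or disabling, and any source address in the third table that you do not recognise is the "anyone else has logged on" case the checklist asks you to look for.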