The infamous hacker known as TinKode has been sentenced by a Romanian court, according to media reports.
Cernăianu Manole Răzvan was arrested in January 2012, after a series of high profile hacks of government and military websites, exposing their poor security and often publishing passwords and screenshots as evidence.
Past victims have included websites belonging to the British Royal Navy, MySQL.com (which ironically fell foul of a SQL injection attack) and NASA servers.
To the relief of many, TinKode appeared to be inspired more by the desire to embarrass organisations into improving web security than by making money.
In an interview with Network World in 2011, TinKode compared his activities to a free security audit:
"Until now, no. I don't do bad things. I only find and make public the info. Afterwards I send an email to them to fix the holes. It's like a security audit, but for free."
Nevertheless, his actions were illegal and led to his arrest by Romanian authorities earlier this year. Last month a Romanian court ordered Răzvan to pay 93,000 Euros (approximately $120,000) to cover the costs suffered by his breached victims, and gave him a two-year suspended prison sentence.
That’s a lesson that others would be wise to learn from if engaged in similar activities.
An online petition, started by TinKode’s sympathisers, has failed to receive significant support (of a hoped-for 5000 signatures, it has only reached 187 at the time of writing). It remains to be seen whether they will help the young Romanian pay his substantial fine.
It’s no excuse for TinKode’s criminal hacks, but if the websites had been properly secured in the first place they would have never found themselves embarrassed by the Romanian hacker.
If you haven’t already done so, check out our free technical paper about “Securing websites”, which discusses common ways web servers are attacked and the various ways that they can be protected.
14 comments on “TinKode sentenced after hacking Oracle, NASA and others to expose weak security”
Even if it was illegal and I'm not sure just how "embarrassed" the corporations were, but I think in the long run what this guy did was more beneficial than detrimental.
Arresting him and punishing him when he (in his own way) was trying to do something good for society will only push this guy to start hacking for negative purposes.
Viva Romanian National Security.
He eventually started an IT security company and does the same as before, BUT PAID AND LEGAL. So now, if any of those previous “victims” wants to get hacked, they need to PAY.
You get a heftier fine for causing public embarrassment (to high profile groups) than assault. How does that make sense?
The "powers that be" fear and ultimately hate any challenge to their monopoly of legitimized coercive power. They view such challenges as "destabilizing" to the established order of things. It makes plenty of sense, from their perspective. It is a high priority to make examples of anyone who reveals them as weak or incompetent.
If he had really only been doing it to help them, he would've told them how to fix the holes, but not made the information public until afterwards (if at all). He was doing just as much for attention as to be helpful.
The issue is that many corporations ignore these sorts of emails until they are made public.
Look at some of the older stories of large exploits being released publicly, and the fact publicised that the corporations knew of the exploits for months, and sometimes even years.
Corporations do not take their own security seriously, until it is rammed in their faces, down their throats, and out their rear end.
They should hire the guy, not punish him and have an enemy for life, but governments are not very smart.
I think they would be smart enough NOT to tell you if he became employed by the NSA. What do you think?
At least the address could go with the article: http://www.change.org/petitions/free-tinkode
"It's no excuse for TinKode's criminal hacks, but if the websites had been properly secured in the first place they would have never found themselves embarrassed by the Romanian hacker."
Let's say the sites weren't secure for whatever reason. The post that said he/she should have helped them FIRST is the right thing to do. Why is every hacker trying to oust someone and then turn around and say "well I was intending to help"? No. You had an agenda that maybe involved YOUR form of "help". Don't skirt around the issue.
If he was trying to help then he would not have told the world, just told the company. That is where they got him. Saying, after the fact, you were only trying to help was not shown by his actions. He hacked, sent an email, then crowed to the world. Help would have sent more than one email, and even called them. His actions showed he did not think ahead of how bad it could turn out, and in this case did.
So, you're arguing that the hackers should spend days, completely unpaid, to highlight security flaws that people who are paid incredibly well haven't bothered to fix.
Everyone continues to blame the hackers, but it is not their job to do that. If companies really cared, they'd spend less money on lawsuits, and more on improving their own security and public relations. If you keep your clients updated on news of these embarrassing hacks, and pay more attention to the emails they receive informing them of security holes – despite the potential for misinformation – they would avoid these issues.