TinKode sentenced after hacking Oracle, NASA and others to expose weak security

The infamous hacker known as TinKode has been sentenced by a Romanian court, according to media reports.

Cernăianu Manole Răzvan was arrested in January 2012, after a series of high-profile hacks of government and military websites, exposing their poor security and often publishing passwords and screenshots as evidence.

Past victims have included websites belonging to the British Royal Navy, MySQL.com (which ironically fell foul of a SQL injection attack) and NASA servers.

To the relief of many, TinKode appeared to be inspired more by the desire to embarrass organisations into improving web security - rather than making money.

In an interview with Network World in 2011, TinKode compared his activities to a free security audit:

Until now, no. I don't do bad things. I only find and make public the info. Afterwards I send an email to them to fix the holes. It's like a security audit, but for free.

Nevertheless, his actions were illegal and led to his arrest by Romanian authorities earlier this year. Last month a Romanian court ordered Răzvan to pay 93,000 Euros (approximately $120,000) to cover the costs suffered by his breached victims, and gave him a two-year suspended prison sentence.

That's a lesson that others would be wise to learn from if engaged in similar activities.

An online petition, started by TinKode's sympathisers, failed to receive significant support (a hoped-for 5000 signatures has only reached 187 at the time of writing). It remains to be seen whether they will help the young Romanian pay his substantial fine.

It's no excuse for TinKode's criminal hacks, but if the websites had been properly secured in the first place they would have never found themselves embarrassed by the Romanian hacker.

If you haven't already done so, check out our free technical paper about "Securing websites", which discusses common ways web servers are attacked and the various ways that they can be protected.

13 Responses to TinKode sentenced after hacking Oracle, NASA and others to expose weak security

  1. Coco · 1060 days ago

    Even if it was illegal and I'm not sure just how "embarrassed" the corporations were, but I think in the long run what this guy did was more beneficial than detrimental.

    Arresting him and punishing him when he (in his own way) was trying to do something good for society will only push this guy to start hacking for negative purposes.

  2. Sparky · 1060 days ago

    You get a heftier fine for causing public embarrassment (to high profile groups) than assault. How does that make sense?

    • There Is No Spoon · 1060 days ago

      The "powers that be" fear and ultimately hate any challenge to their monopoly of legitimized coercive power. They view such challenges as "destabilizing" to the established order of things. It makes plenty of sense, from their perspective. It is a high priority to make examples of anyone who reveals them as weak or incompetent.

  3. Andrew Covarrubias · 1060 days ago

    If he had really only been doing it to help them, he would've told them how to fix the holes, but not made the information public until afterwards (if at all). He was doing just as much for attention as to be helpful.

    • Nick · 1056 days ago

      The issue is that many corporations ignore these sort of emails until they are made public.
      Look at some of the older stories of large exploits being released publicly, and the fact publicised that the corporations knew of the exploits for months, and sometimes even years.

      Corporations do not take their own security seriously, until it is rammed in their faces, down their throats, and out their rear end.

  4. phoneyear · 1060 days ago

    They should hire the guy, not punish him and have an enemy for life, but governments are not very smart.

    • Paul · 1057 days ago

      I think they would be smart enough NOT to tell you if he became employed by the NSA. What do you think?

  5. Arie · 1060 days ago

    At least the address could go with the article: http://www.change.org/petitions/free-tinkode

  6. roy jones jr · 1058 days ago

    "It's no excuse for TinKode's criminal hacks, but if the websites had been properly secured in the first place they would have never found themselves embarrassed by the Romanian hacker."

    Let's say the sites weren't secure for whatever reason. The post that said he/she should have helped them FIRST is the right thing to do. Why is every hacker trying to oust someone and then turn around and say "well I was intending to help." No. You had an agenda that maybe involved YOUR form of "help". Don't skirt around the issue.

  7. sue · 1057 days ago

    If he was trying to help then he would not have told the world, just told the company. That is where they got him. Saying, after the fact, you were only trying to help was not shown by his actions. He hacked, sent an email, then crowed to the world. Help would have sent more than one email, and even called them. His actions showed he did not think ahead of how bad it could turn out, and in this case did.

    • Nick · 1056 days ago

      So, you're arguing that the hackers should spend days, completely unpaid, to highlight security flaws that people who are paid incredibly well haven't bothered to fix.

      Everyone continues to blame the hackers, but it is not their job to do that. If companies really cared, they'd spend less money on lawsuits, and more on improving their own security and public relations. If you keep your clients updated on news of these embarrassing hacks, and pay more attention to the emails they receive informing them of security holes - despite the potential for misinformation - they would avoid these issues.

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley