Interview With Incarcerated NASA Hacker Jeremey Parker

jeremey_feat

On June 14th, 2011, Jeremey Parker was sentenced to 24 months in prison on charges of wire fraud. The sentence was the result of a plea agreement wherein Parker admitted he gained access to the servers of a subsidiary of Digital River Inc and siphoned approximately $275,000 into his personal bank account, and additionally, broke into two servers operated by NASA’s Goddard Space Flight Center which were responsible for recording oceanographic data from orbiting satellites.

With time served since his arrest in 2010, the end of his two year incarceration in Federal prison is coming up in just a few months. We were able to speak with Jeremey through the limited computer access he is allowed.

Early Hacking Career

The Powerbase: Jeremey, thanks for taking the time to talk with us. When did you get involved with the hacker scene, and what were some of the things that inspired you to go that route?

Jeremey: I became involved with the hacker scene around 1994. I think the inspiration that led me into that direction stems from my fascination towards anything that society considers forbidden. I’m the type of person who would respond to the statement “You can’t do that” with the question “Why not?”. That curiosity eventually led me to the path of hacking, and while that attribute makes me great at solving problems, it’s also gotten me into some trouble.

The Powerbase: In the early days of your hacking career, what were your thoughts on other hackers who had been criminalized, like Jonathan James or Kevin Mitnick?

Jeremey: Even in my younger days, I was skeptical enough of the press to know that demonizing Mitnick by portraying him as an evil genius who can whistle into phones to cause missles to launch would sell more newspapers than a story about a hacker’s unusual morals.

The Powerbase: What caused you to make the switch from hacking for the sake of challenge and exploration, to hacking for personal gain?

Jeremey: I wouldn’t say that I made a complete transition to hacking for personal gain because I did continue to hack solely for the challenge during (and after) the Digital River incident. The reason I decided to use my Digital River access to obtain money was simply that I needed some kind of income since I had lost my job. I’m not saying that that justifies what I did or that it was my only option, just stating my motive.

Investigation and Arrest

The Powerbase: How were you able to make money off of your access to Digital River?

Jeremey: Here’s an “Intrusion Summary” portion of an incident report written by three Digital River employees that answers this question:

An attacker who is currently under investigation by the FBI has exploited flaws within SWREG’s web-functionality allowing the execution of arbitrary Perl code. The execution of Perl scripts allowed the attacker to gain shell access to the SWReg web servers and connections to the SWREG database. The attacker used this access to analyze the source code of the SWReg application that is resident on the web server. Using this knowledge, as well as culled database server names and credentials, the attacker inserted falsified records into the database indicating payment should be made to defunct or falsified vendors/clients. When these records were imported into Navision, payments were automatically wired to the accounts specified with the SWREG client/vendor database.

The Powerbase: $275,000 is a lot of money, what kept you going instead of just pulling the plug after a few thousand and cleaning up your tracks? As the numbers got higher, you must have realized it was only more likely you would be detected.

Jeremey: $275,000 is a lot of money, but it seems like less when you receive it in $2,000 to $20,000 increments over a period of two years. After the first payment went through, I did start applying some logic by finding out how much other clients were being paid and keeping my amounts closer to theirs. Towards the end, I felt that stopping now wouldn’t be any different than stopping later if I were to get caught, so I kept receiving payments as long as possible.

The Powerbase: What about breaking into NASA? What was your motivation there? Did you believe there was money to be made, or where you just curious?

Jeremey: I never intended to steal anything from NASA. My only motive there was the challenge.

The Powerbase: How do you respond to the claim that it cost NASA $66,000 to repair their systems? Do you think it was a trumped-up charge?

Jeremey: I doubt NASA would trump-up something like that, but I do think it’s a bit pricey. The bug I exploited would have only needed one line of code to add some input validation and remove the vulnerability, but I did also install some backdoors that would have called for some type of forensic analyst to be hired to uninstall them. His services were probably where most of that $66,000 went.

The Powerbase: Where there any significant differences in the security between a privately owned company and a branch of the government?

Jeremey: In this case, both Digital River and NASA were guilty of similar insecure practices. However, because of this incident  Digital River has implemented much stronger security policies, and I’m sure that NASA server has too.

The Powerbase: What was your arrest like? Did you know ahead of time that you had been found out?

Jeremey: A search warrent was executed about a year before my arrest, so I wasn’t very suprised when it happened. What originally alerted Digital River to my presence was a botched MySQL statement that modified a column of every account on the system when I was only trying to alter the column on a single account.

Conviction and Sentence

The Powerbase: What is prison life like for a tech criminal? Do you feel your punishment has been appropriate given the crime?

Jeremey: Prison life for the tech criminal isn’t much different from any other type. If you treat others respectfully, (almost) every inmate will treat you respectfully in return. For the amount of money I took, I think that my two year sentence was appropriate.

The Powerbase: Having gone through the legal system and winding up in Federal prison for your crimes, do you believe the current laws and judicial processes are adequate to handle tech crime? As things like hacktivism and cyber warfare become increasingly commonplace, do you feel we need to rethink the way we charge and sentence these types of crimes?

Jeremey: I think that the current (U.S.) laws on tech crimes are not sufficiently specific. Intent is a major factor with most non-tech crimes, and should also be considered during sentencing for tech crimes (That is, if intent can be proven). However, the U.S. is sometimes more lenient in sentencing hackers than some other countries (These days at least).

The Powerbase: What are your thoughts on the idea of rehabilitation for those accused of tech crimes? For example, should the government try to use the skills of convicted hackers to improve its infrastructure?

Jeremey: The type of tech crime committed should affect the type of rehabilitation received (If any). Some hackers would benefit from probation or counseling while others might need to be sent to prison for a short while before understanding the consequences of their actions. As far as the government goes, I think that they’ve had plenty of time to secure the infrastructure without needing anymore outside assistance. Computers are no longer treated with the illogical fear and misunderstanding that was more common 15 years ago (After all, I am typing this on a physically secure computer inside of a federal prison while here for computer fraud). That being said, there are still many agencies that could benefit from an upgrade in their security policies.

Moving On

The Powerbase: What do you think life will be like once you are released? Do you know what you want to do with your skills?

Jeremey: I’m still not completely sure what’s in store for me when I leave here, but I would like to find a job where I can utilize the various skills I’ve obtained over the years.

The Powerbase: Do you have any message or advice for other hackers out there?

Jeremey: If you get into hacking just to learn how to break into computers (for whatever reason), then you’ll probably end up in prison. But if you learn because you’re interested in every aspect of networking/computing then you’ll probably have a future in it.

Sincere thanks to Jeremey for taking the time to answer our questions. It’s easy to make mistakes in a desperate situation, but the important thing is what is learned from them and how it shapes your character going forward. Everyone here at “The Powerbase” wishes Jeremey nothing but the best of luck upon his release.


Tom Nardi

Tom is a Network Engineer with focus on GNU/Linux and open source software. He is a frequent submitter to "2600", and maintains a personal site of his projects and areas of research at: www.digifail.com .

Related posts

  • http://profiles.google.com/neotechni Techni Myoko

    “Jeremey: In this case, both Digital River and NASA were guilty of”

    Don’t blame the victim.
    It’s her fault she wasn’t wearing a bullet proof vest. I was just innocently shooting my gun off at her, testing for vulnerabilities. You know, minding my own business.

    • Redgrave Anthony

      @Techni Myoko it’s not the same. Don’t judge by making bad assumptions.
      If you own a wireless network and someone uses it to hack someone else, it’s your fault and you are responsible for not making it secure. See the point?

      • http://profiles.google.com/neotechni Techni Myoko

        ” it’s not the same. ”

        Yes it is the same. You’re saying it’s the victim’s fault.

        “If you own a wireless network and someone uses it to hack someone else, it’s your fault and you are responsible for not making it secure”

        Except 1) at this point, it’s impossible to secure a wireless network. They’re all hackable. The only safe computer is one not connected to the internet with all it’s ports filled with glue 2) You’re blaming the victim.

        See the point?

  • Pingback: Links 5/4/2012: Early Look at GNOME 3.4, Mageia 2 Postponed | Techrights

  • Pingback: Extreme WiFi Makeover | TechSNAP | Jupiter Broadcasting

  • http://www.facebook.com/dawgyg Tommy DeVoss

    As a convicted computer hacker myself, i agree with both Jeremy and Techni, my personal opinion is this, had it not been us, it would have been someone else. Better to have it local then foreign right?

Top