Patreon: https://patreon.com/whattheshell
Discord: https://discord.gg/mBPbWcVRYR
Twitter: https://twitter.com/shell_pod
Instagram: https://www.instagram.com/shell_pod/
Website: https://whattheshellpod.com
Intro
How far would you go to find out the truth about something you were so passionate about that it kept you up at night? Where would you draw the line? Maybe you'd stop after you spent some time doing a little searching on Google or Reddit. Maybe you'd go a step further and take a trip to your local library. If you were truly tenacious, maybe you'd find someone involved and ask for a little bit of their time. Now we're getting into obsessive territory. I can see each step past this encroaching more and more onto the legal gray area.
In 2002, a British systems administrator reached a point very few of us have in his search for the truth about UFOs and other major secrets. He was on the hunt for information about free energy, alien life, and more... all in the pursuit of the public's right to information. Well, this man's search took him far over the legal line and he wound up inside computer systems for agencies like NASA and the US military. But who was this champion for knowledge? Well, some of you listening might have already picked up on it, but today we're taking a trip back to the early 00's. I'm John Kordis, and I'd like to invite you to join me while I ask the question: Who the Shell is Gary McKinnon?
Song
Giveaway
What I'm about to talk to you about before the show starts up is not an ad. And no one is paying me to say this. I want to give several of you the opportunity to learn, hands on, what it takes to do some of the stuff we've talked about in this show. I'm giving away several 6-month vouchers to a platform called TryHackMe. TryHackMe is an educational website where you can learn skills and test them straight in a lab environment, and it's something I use really frequently. If you're on our Discord you know that in our CTF talk group we post our streaks to keep each other accountable and ask questions.
So what's the catch? Well, I'm asking that you join our Discord and participate a bit in our community there. There will be a link in the description of the episode for you to use. Once you've done that, tag the show on Instagram or Twitter with your favorite episode. Then just let me know in the giveaway channel on our Discord server and you'll be entered! The winners of the giveaway will be announced in episode 33! Oh, and just so you know, it's not just a TryHackMe voucher you could win. The first winner will be given a voucher and any t-shirt from the show. The second will receive a voucher and one of each sticker, and the third winner will just receive the voucher. So if you could, show the community some love and participate in this! I'd love to see it!
Alright how about we get started. As we go into the episode I want to let you know this one is going to be just a tad different from some of our other episodes. It's going to be a bit more editorial in that there isn't a whole lot of meat to the hacking portion of this, but there's still quite a lot to talk about.
Gary McKinnon Background
Let's take it all the way back to the beginning here. Gary McKinnon was born on February 10th 1965. So at the time of this episode's release, that puts him at about 58 years old. He was born in Glasgow, but in his early years, after his mother and father separated, he and his mom would find their way to a life in North London.
As he grew up, Gary's story seems to mirror that of many a young hacker type in those days. Gifted a computer in his early teens, he quickly took to some of the concepts around them. Many referred to him as a regular computer whiz, and as he started socializing online he ended up taking up the virtual moniker "Solo". Those first few years he'd be ingraining himself in the concepts of computer technology, but it seems that, like a lot of younger kids, he still wasn't quite sure what he wanted to do with his life.
McKinnon has stated in interviews that in his mid-teens he was an avid reader, and he'd really like to chow down on books relating to science fiction, with some even surrounding conspiracy theories. It seemed to mesh really well with his love of technology. I mean, at this point he's started teaching himself how to code and has a nice set of hobbies, but life at this point would still prove a bit challenging for him.
One thing about the benefit of telling stories like this in hindsight is that I can give context to things without waiting in real time. So with the years of backlogged interviews and information that's come out about him, I can tell you that one of the challenges that Gary faced was an undiagnosed Asperger's syndrome. For anyone uncertain, that's a condition on the autism spectrum wherein with some it can be difficult to understand social cues, and this can show itself heavily as social situations are entered. Gary has talked pretty openly about this. He's said that he struggled to connect with his peers when he was younger, and that he often felt like an outsider.
Flashing forward a few years, at 17 he'd leave school not in pursuit of computer science or hacking... but to become a hairdresser. I know at this point you might be listening to this and thinking "What the hell is John talking about? Why are we talking about a hairdresser?" Well, don't fret, because this was a momentary stop on the train of Gary's life.
Yes, it would seem like the hairdressing life didn't quite mesh with Gary. After some time and serious talks with friends, he would return and showcase his desire for more by getting a qualification in computer science and beginning to work in the same field he'd started to develop a bit of a passion for.
What he did
Once that portion of his life was pretty much past him, Gary would take up time as a Systems Administrator. In the late 90s and early 2000s a SysAdmin, as they're pretty frequently called, was probably more of a catch-all term than it is now. Responsibilities could have ranged anywhere from performing helpdesk-like functions all the way up to deploying server infrastructure, depending on where you were employed.
So now I'm starting to set the stage for you. You have someone that's been a bit of an outsider and who has struggled to find their place in the world with what they want to do. Gary is making his way into the corporate world and slowly but surely trying to acclimate to life in that environment. And eventually, he'd end up quitting his job because he had issues working in the corporate life.
His fascination with UFOs
And as Gary was living these experiences he continued to stay interested in sci-fi stories and conspiracy theories. And at this point, he's been involved in a group called BUFORA for several years. That's the British UFO Research Association. According to themselves, this is a nationwide network of, at this point, 300 people that are dedicated to the wide-ranging truth about UFOs.
So Gary, entrenched in the works of authors like Asimov and Heinlein, has been taking this love and starting to question the enormity of the world we live in, by way of asking about alien life. When a reporter asked him whether he was beginning to believe in UFOs, he'd respond: "To hope that there might be something more advanced than us, keeping a friendly eye on us. Hopefully a friendly eye."
And at this point it seems like an earnest interest. He's not really being harmful with anything in regard to asking these questions. Just participating in the community and trying to expand his horizons a bit.
But then, after watching the movie WarGames, a question popped into his head.
"Can you really do it? Can you really gain unauthorised access to incredibly interesting places? Surely it can't be that easy."
He'd started trying to be more actively involved in the hunt for answers, but could this be it? The way to get the answers to the questions keeping him up at night? He seemed to think so, because eventually, in the mid-90s, he'd decide it was worth the risk.
So he began to explore his options. He was able to find a tool that would search for computers, fingerprint their operating system as Windows, and then look for admin accounts with no passwords.
I want to stop here and close your jaw if you're as caught off guard by the idea of an admin account with no password as you should be. At the time, in the late 90s and early 2000s, password security wasn't anywhere near what it is right now. So you had people who were either lazy or willfully ignorant, setting the administrator accounts to not have a password at all.
What Gary is doing here is a kind of brute force attack. Relatively simple, in that it's probably trying a small number of usernames and just moving on if nothing of use comes of it. What he was looking for, and would eventually be able to find by the boatload, were US government or military-affiliated companies that met that criteria. For better or worse, these machines would have an easy way in. The door was effectively wide open to anyone walking by.
When he talks about it, McKinnon said that it only got more exciting when he started to get access to places like the US Space Command.
So he'd keep a log of all the places that met that criteria for him, he'd test access, and keep a bit of a vigilant eye out for new systems he could look at too.
His strategy was this. He'd take the open door and start looking around. He'd use whatever intel he had to make sure that he could do things like hop from secure network to network. He explicitly called out that he'd do things like start in a support network segment and move his way over to logistics, since support had access to that segment too, then he'd see what he could find after that. You could do this until either you hit a dead end or found something that looked juicy. He'd find something that looked a bit like it was a secret and catalog that.
So he does this for seven years or so. And now we get into the meat of our story. Because in 2002 McKinnon would allegedly gain access to not just one but many US government, military, and military contractor systems. These would include NASA, the Army, Navy, Air Force, Department of Defense, and companies like Boeing or Lockheed Martin. This is when the US government was able to start tying things back to him specifically, so you'd see that same year Gary was indicted by a federal grand jury on a couple different charges ranging from computer fraud, unauthorized access to government computers, and hacking. It was a bit of an a la carte charging menu from the Computer Fraud and Abuse Act. But if you remember back to the very first episodes of the show, Kevin Mitnick faced very similar charges and did not make out very well.
It's been speculated that similar to how Mitnick was an example being set, McKinnon served a similar purpose to the international community. Because to face these charges he'd either need to show up willingly or face extradition since the US and UK had an extradition treaty.
What adds a little bit of weight to the idea that he was going to be made an example of was that Gary noticed something pretty crazy when he was on these systems and has talked pretty openly about it. He'd spend night after night on these machines, and while he wasn't the hacker genius everyone labeled him as, he knew his way around things. So he'd run a command like netstat, which lists all the connections on that machine, and see connections stemming from Germany, Turkey, Thailand, and other countries. He wasn't the only one here... but what he might have been was the only one there that was easily locatable.
And you might be wondering right now, even still. Why were they going after him, what systems did he actually get into and what did he find?
I think it's crucial to understand his motives here. We know he's into UFOs and a little bit into conspiracy theories. So what we know is that his motivations here might not be singular. And that's exactly the case. He's talked about how he believed he'd find not only evidence of UFOs, but also information on what he believes were things being covered up. Things like clean energy being pushed under the rug, or more information on 9/11.
Because again, it's 2002. We're just after the September 11th terrorist attacks. And we're starting to get to the point where people are asking questions about government wrongdoings involving the attack, or if there were coverups involved.
I remember this time very well. For me, it was one of the first experiences I had with a conspiracy theory unfolding in real time. Sure, we all joked about the moon landing being fake growing up, but this was different. There was a huge culture around the idea that there were MAJOR coverups involving that day. Some raised, I think, fair questions, but it quickly grew and spread into more and more outlandish claims. So when you've got this guy Gary McKinnon, and he's on the systems that could have information, he's of course gonna try to find what he can.
So Gary's looking, and what does he find? Unsurprisingly not much on 9/11 or anything like that, but he does find quite a bit to tick off his UFO side. Here's a list of findings I've put together from some of his various interviews that he's allegedly seen on government systems:
- Proof of aliens visiting earth
- Studies on objects that we don't understand flying in the sky
- Evidence of entire military departments and organizations that study those objects
- Images and videos of actual UFOs.
I've got an artist's rendering of one of the images that Gary claims to have seen on the website, whattheshellpod.com, in the episode transcript. What's even more interesting to him is that there are folders labeled filtered, unfiltered, raw, and process in his search.
This lends credence to a claim made by a former NASA astronaut, one that he also believed, which was that NASA was scrubbing its photos before granting access to the community.
And the last thing I'll note here is that he allegedly found a list of officers' names under a document heading of "Non-Terrestrial Officers". I was going to paraphrase what Gary said in an interview about this, but I think the actual transcript is a better choice, so here it is.
"I found a list of officers' names," he claims, "under the heading 'Non-Terrestrial Officers'."
"Non-Terrestrial Officers?" the reporter says.
"Yeah, I looked it up and it's nowhere. It doesn't mean little green men. What I think it means is not earth-based. I found a list of 'fleet-to-fleet transfers', and a list of ship names. I looked them up. They weren't US navy ships. What I saw made me believe they have some kind of spaceship, off-planet."
"The Americans have a secret spaceship?" the reporter replies.
"That's what this trickle of evidence has led me to believe."
"Some kind of other Mir that nobody knows about?"
"I guess so," says Gary.
"What were the ship names?"
"I can't remember," says Gary. "I was smoking a lot of dope at the time. Not good for the intellect."
So I'm going to put on two hats right now, skeptic and veteran. First and foremost, I don't like that this is coming from someone who is admitting to using a potentially mind-altering amount of drugs. You want to smoke, that's fine by me, but he basically said in that last line that it's possible the amount he was smoking was not good for remembering stuff like this. Second, after being a part of government and military, I can tell you that I think he was just right with his first assumption. Non-terrestrial is probably to be taken in its most literal meaning: not on earth. So that could be either officers in planes that are in the sky for extended periods or ships at sea, hell, maybe even the ISS as well. But he's pretty adamant there that there were ships out there. So I'm going to ask the tech question that's on my mind. Like me, you might be wondering why he didn't download the videos and pictures. The easiest answer here is the right one: his connection was too slow. He'd periodically get a reset connection to the devices he was on, and at just about 56KB/s that meant this stuff might not exist to him in any real capacity.
But I'll admit, it's hard not to get inquisitive and curious when things like this are mentioned. It's easy to want to believe everything that he's saying here. But like it or not, and even with the best of intentions, he's crossed the legal line by a long shot. And now he's having to deal with the consequences.
So we're in 2002, and he's been indicted by a grand jury. I know I have a lot of listeners outside the United States, so if you don't know, a grand jury is a group of citizens who are selected to determine whether there is enough evidence to indict a person and bring them to trial. The grand jury proceedings are conducted in secret, and the jurors hear evidence presented by the prosecutor to determine whether a person should be charged with a crime.
And the Computer Fraud and Abuse Act (CFAA) that they're pulling these charges from is a US federal law that criminalizes various computer-related activities. These activities include accessing a computer without authorization or in excess of authorization, damaging or altering a computer system, and using a computer to commit fraud or obtain sensitive information.
Gary McKinnon was charged with several offenses under the CFAA related to his alleged hacking. The charges included accessing US government computers without authorization, stealing and destroying files, and causing damage to computer systems. McKinnon was also accused of leaving threatening messages on the US government's computer systems.
The US government alleged that McKinnon's actions caused significant harm to national security and resulted in substantial financial losses. The charges against McKinnon carried the possibility of significant prison time and fines. I believe they were looking to try and get him with about 70 years of jail time. Which is absolutely insane to me. They were really stepping it up for him here.
But we're still faced with this problem. McKinnon isn't in the US. So the US government, in 2005, formally requested that McKinnon be extradited from the UK to face the charges.
Now this is a slow process. It took from 2002 to 2005 to get that extradition request done. And in 2006, Gary started fighting it! It didn't instantly happen, so he had time to get things started on a defense.
Ultimately the defense would need to be prepared on multiple fronts because in 2008, the UK joined in and charged him with several offenses of the same nature relating to the Computer Misuse Act of 1990.
Gary is up to his head in legal action, but it's not without being noticed. His story was getting a lot of public attention, but not for the reason you might think. As McKinnon continued to fight extradition to the US, he argued that he could face a lengthy prison sentence and potentially harsh treatment due to his Asperger's syndrome and other mental health problems. He also argued that the extradition treaty between the US and UK was unbalanced and did not provide sufficient protection for UK citizens.
This case started to shine a light on the unfair treatment of those with mental health problems in the justice systems, and many people rallied around that. There were fundraisers, news shows, and more dedicated to this.
What's so surprising about this all is that it would work. Several years later the extradition process and the charges were dropped entirely. There were a couple key factors that contributed to the decision to drop the extradition proceedings against him. One was the significant public and political pressure that had been brought to bear on the case, with many arguing that the extradition treaty between the US and UK needed to be reevaluated.
Another factor was concern about McKinnon's mental health and the potential harm that extradition could cause to his well-being. Several high-profile figures, including singer Sting and politician Boris Johnson, spoke out in support of McKinnon and called for the extradition proceedings to be dropped.
And so it was over for him, at least in the way of not having to go to jail. But he started speaking publicly about it, because one of the things we all found in this process was that the extradition treaty was sketchy, to say the least.
Example number one here: to be extraditable back then, 5k US dollars worth of damage would need to have been done. A curious thing was that the amount of damage he seemingly inflicted was listed as exactly that much. While it's possible that was the exact amount, it's curious that this is where they settled things.
The treaty was rather old at this point, so it didn't really have a great metric on computer damage. It seemed like this was just a catch-all way to get him sent over. But even when probed, the Crown process wasn't given any real evidence for why he needed to get handed over. The Crown initially came to his defense, saying that this was all hearsay.
Honestly, you can see where, rather than a conspiracy theorist being targeted for his views, maybe this was a case of "don't mess with the US government, especially after 9/11". Personally, it sounded like they were concerned that this was going to be a commonplace attack after 9/11 and wanted to make sure that the world knew it shouldn't be. Cut to me talking about the hundreds of times since then the government has been hacked, but okay.
So I'm sitting here at the end of the story. Gary has been a strong vocal champion of the rights in the ethical trials and with stories around UFOs. He's got a lot of interesting interviews online that I suggest listening to, but ultimately this wasn't a super hacking-heavy episode.
What I wanted to deliver you all was a story of how easy it is to go off the rails with hacking. Because logically what happened here was someone was passionate about something and they kept pursuing learning about it. Eventually that led them to an easily accessible tool that was able to be used to scan for credentials. That person doesn’t really know the full ins and outs of the consequences of using this information but it gets him what he wants.
And while yes, this is a full-grown adult here, today the game is different. It goes back to the interview I did with Jack from Darknet Diaries. We talked pretty heavily about kids not knowing where the line is with this stuff. But here we are giving them pretty free rein to the tools that could get them into so many different places. Hell, if a kid really wanted to, they could start a spearphishing campaign with an active exploit with moderate success today.
It's easy to see how someone can just get so into what they're doing that before they realize it they're over the legal line and it's because they had such easy access to get there.
A simple bruteforcing attack is all it took for Gary. For a lot of kids, free DDoS tools and exploit packs are all they'll need to get there. Where do you think the line is? Let me know, because I'd love to hear what you think.
That's it for Gary and this story, but that's definitely not it for this episode. I've got one new thing I want to try. I've said it before and I'll say it again: whoever is listening up to this point, you the audience, I want to be engaging for you. On the show's Discord a while back I took some ideas for quick discussion prompts. Just a little thing that I can tack on at the end of the episode where you can see what my opinion is on something and, more importantly, in the Discord after the episode we can talk about it a bit.
The very first suggestion comes from @ActualSudoShiaLaBeouf on the Discord. He asked me this: "Do you think it's okay to hack back a hacker?"
I almost didn't want to do this one because I don't want to endorse hacking back in any capacity. It's a boring, corporate answer, but no. I really don't think it's a good idea. You see a lot of success stories of people going after scam centers and hacking them back, protecting people from being scammed again. People purposely playing along to bait a connection they can use against someone else.
But these are professionals, and people who fully understand the risk that they're taking on. Sometimes, even making sure the proper authorities are involved before they do. What do you, as an individual, stand to gain from going after someone who went after you? You could maybe feel better that you made them go through some pain too, but you also risk being a continued target, maybe them upping the ante a bit to come back after you if they can narrow it down to you being the reason. I think I've stressed it enough, but in today's world, the right tools to do a lot of damage online are too easy to find. So, in my opinion, you gotta treat this like you can't restore from a backup post-ransomware and just start over. Let it be, move on, and be better next time.
Now, I'm sure a lot of you have some ideas about why that's not always a good case. And you know what? I want to hear them, so go into the episode discussion on the Discord and let me know what you think.
I'm John Kordis and that's it for me explaining Who the Shell Gary McKinnon is, and what he went through.
Don't forget, that giveaway is still going strong, so enter it! And if you want to support the show in some other fashion you can always go to store.whattheshellpod.com and check out what we've got there. I recently put some new stickers and shirts up, including one where I'm donating half of my proceeds to a good cause, the Trevor Project. If that's not up your alley there's always Patreon, and that's at Patreon.com/whattheshell. Get bonus content, request a mini episode, or just add a little Discord flair to your profile depending on how much you want to support. And while all that really does help the show, honestly just spreading it by word of mouth is enough for me. I'm happy I'm making something that got you listening to this point, so share it with others if you think that's something they'd listen to as well.
Thanks to my patrons that are supporting the show still. You guys are the champions of the show:
So K1lby, J, Frank Aponte, both Johns…with and without an H, Adon, Krisian Odie, Ben M, Benjamin Sweetnam, Tyus Ashworth, Chris Finik, pferd, pseudo, and the myth, the legend, mr. "I use pot of greed to draw three additional cards from my deck". Thank you all. I truly, truly appreciate each and every one of you.
I'll see you all in two weeks for another episode.