NASA and Pentagon hacker TinKode receives two-year suspended jail sentence

Romanian court orders him to pay over US$120,000 to Oracle, NASA and the U.S. Department of Defense

Romanian national Manole Rzvan Cernianu, known online as TinKode, received a two-year suspended prison sentence for hacking into computer systems owned by Oracle, NASA, the U.S. Army and the U.S. Department of Defense and was ordered to pay damages totalling more than US$120,000.

According to Cernianu's case file summary on the Romanian Ministry of Justice Web portal, he was sentenced on Sept. 26 and received six prison sentences of one or two years for separate computer-related offenses.

The offenses included: gaining unauthorized access to a protected computer system; transferring data from a computer system without authorization; affecting the normal operation of a computer system by deleting, modifying or sending electronic data; creating, selling or distributing a devices or a computer program designed to be used in computer crimes; creating, selling or distributing a password or access code without authorization that could be used to access a computer system with the intention of committing a computer crime.

Because the offenses were committed concurrently, the court ruled that Cernianu should serve only the lengthiest prison sentence of two years. Furthermore, the three months spent in arrest between January and April 2012 were subtracted from the two-year prison sentence and its execution was suspended in favor of four years of probation.

In addition, Cernianu was ordered to pay $59,002 to Oracle, $52,575 to NASA, $5,025 to the U.S. Department of the Army and $7,348 to the U.S. Department of Defense. The court's decision can be appealed within 10 days of being issued.

Under the online alias TinKode, Cernianu took credit for hacking into many high-profile websites including some belonging to the U.S. Army, NASA, the U.K. Royal Navy, the European Space Agency, MySQL -- now owned by Oracle -- and Google.

In some cases the hacker made efforts to notify the affected parties before publishing information about the security vulnerabilities he found, which earned him a spot in Google's Security Hall of Fame. In other cases he engaged in full disclosure and even posted confidential information taken from the compromised servers on his blog.

TinKode said in the past that his intentions had never been malicious, but some of the companies and organizations whose computers he targeted claimed that his actions resulted in damage.

"To the relief of many, TinKode appeared to be inspired more by the desire to embarrass organisations into improving web security - rather than making money," Graham Cluley, a senior technology consultant at antivirus vendor Sophos said Friday in a blog post. "Nevertheless, his actions were illegal and led to his arrest by Romanian authorities."

"That's a lesson that others would be wise to learn from if engaged in similar activities," Cluley said.

Members of the Romanian Security Team (RST) forum -- the largest online hacker community in Romania, where TinKode was a high-ranking member before his arrest -- took notice of the court's decision on Thursday. Some of them expressed relief that he received a lenient sentence, some felt that the amount of money he has to pay is too large and questioned his prospects of finding work with a criminal record, while others felt that he did wrong by seeking publicity which eventually led to his arrest.

TinKode's story should make hackers ask themselves whether what he did was worth it, an RST forum moderator said.

"It's no excuse for TinKode's criminal hacks, but if the websites had been properly secured in the first place they would have never found themselves embarrassed by the Romanian hacker," Cluley said.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place